Question(s) default firewall in Fedora

Tim ignored_mailbox at yahoo.com.au
Thu Apr 23 02:43:15 UTC 2009


On Tue, 2009-04-21 at 19:17 -0700, Antonio Olivares wrote:
> According to some users, Fedora has a default firewall that adds basic
> protection.  There is no service "firewall", but some users have
> pointed out that iptables takes care of this. 

"Firewall" being a description of a function, rather than the name of
something in particular.

> [root at localhost ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination         
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
> 2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
> 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
> 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
> 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination         
> 1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination         
> 
>
> Which traffic if any is allowed to come in to our computers if and
> when we do get on the internet?

You might want to say what you're wanting to do (allow more, deny more).

The above output told you the answer to that.  The target column is
telling you how it'll treat a connection (accept or reject it in some
manner), "prot" is which protocol (UDP and/or TCP and/or ICMP), the
0.0.0.0/0 source means from *anywhere* and the 0.0.0.0/0 destination
means to anywhere, followed by some conditions.

Input rules affect connections coming in to the network.

The first rule says *any* and *all* traffic can come through so long as
it's related to something else, or an already established connection
(e.g. you turn on the firewall, or restart it, and you don't interrupt
things that are currently established).  And, by inference, any new
attempts to connect won't be accepted.

The second rule allows all ICMP traffic, no matter what,
unconditionally.

The third rule allows all traffic, no matter what.  Which contradicts
the first rule.  Something's been badly set up, here.

The fourth rule will allow new connections to port 22 using TCP to come
through.  This is an exception to the first rule, rule four will allow
port 22 through rule one's blockage of new connections.

The fifth rule will reject all traffic that makes it through the list of
above rules, and hasn't been judged by any of them, a catch-all.  It's a
"reject" which actively rejects the traffic, stating it's prohibited.
Which is a different action to just ignoring the traffic.  It'll cause
the other end to abandon attempts, rather than keep waiting, if the
other end is behaving properly.

Forwarding rules affect forwarding traffic through the network, traffic
that is passed through with some change in direction (to a different
port, or to a different address), i.e. routing.  Your first and only
rule for it rejects it.

You don't appear to have any output rules, which means there's no
restrictions on outbound traffic (traffic leaving the computer).

> We can use system-config-??? to configure simple iptables to change
> stuff around and/or get webmin?

A hint:  system-config-<tab><tab>
(hit the tab key twice after typing the second dash into the console)

system-config-authentication  system-config-network-gui
system-config-date            system-config-network-tui
system-config-display         system-config-printer
system-config-firewall        system-config-printer-applet
system-config-firewall-tui    system-config-selinux
system-config-keyboard        system-config-services
system-config-language        system-config-time
system-config-network         system-config-users
system-config-network-cmd     

On my system, I've got two applications installed for playing with the
firewall.  The "-tui" one is a text interface, which I can use when
there's no GUI available to me (e.g. simple text network connections
from remote).

> I know that by default Fedora provides a good basic firewall, but are
> there any howto's/readme's as to how to learn more about Firewalls in
> Fedora.

If you want to set rules by hand, learn about iptables.  If you want to
use an interface, there's firestarter, and various other packages.

-- 
[tim at localhost ~]$ uname -r
2.6.27.21-78.2.41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
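An added example, not part of Tim's reply, Antonio's post or Fedora's own tooling: a small Python script that parses the `service iptables status` listing quoted above (the `iptables -L -n --line-numbers` format; the sample text is reconstructed inline from the quoted output), rebuilds each rule as the `iptables -A ...` command that would recreate it, and runs the checks a reviewer would make on such a listing: an ACCEPT rule that shows no match at all, rules that can never be reached after a catch-all REJECT/DROP, and a chain with no rules and policy ACCEPT. One caveat the script encodes, which is my observation and not from the thread: the non-verbose listing does not print interface matches (`-i`/`-o`), so a rule that reads as "ACCEPT all from anywhere to anywhere" cannot be judged open or not from this output alone; `iptables -L INPUT -n -v --line-numbers` shows the `in`/`out` columns. The match extensions handled (`state`, `dpt:`, `reject-with`) are only those that appear in the sample.

```python
"""Parse an `iptables -L -n --line-numbers` listing (what `service iptables
status` printed) into rules, rebuild each as an iptables command, and flag
a few things a reviewer would question.  Added example, not Fedora's code."""
import re
from dataclasses import dataclass, field

# Constructed sample: the filter-table listing quoted in the thread above.
SAMPLE = """\
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""

@dataclass
class Rule:
    num: int
    target: str
    prot: str
    src: str
    dst: str
    extra: str          # trailing match text, e.g. "state NEW tcp dpt:22"

@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
ANY = "0.0.0.0/0"

def parse_listing(text):
    """Return {chain name: Chain}; 'Table:' and 'num  target ...' lines are skipped."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            num, target, prot, _opt, src, dst, extra = m.groups()
            current.rules.append(Rule(int(num), target, prot, src, dst, extra.strip()))
    return chains

def to_command(chain_name, rule):
    """The iptables invocation that appends this rule; only the match
    extensions present in the sample (state, dpt, reject-with) are handled."""
    parts = ["iptables", "-A", chain_name]
    if rule.prot != "all":
        parts += ["-p", rule.prot]
    if rule.src != ANY:
        parts += ["-s", rule.src]
    if rule.dst != ANY:
        parts += ["-d", rule.dst]
    m = re.search(r"state (\S+)", rule.extra)
    if m:
        parts += ["-m", "state", "--state", m.group(1)]
    m = re.search(r"dpt:(\d+)", rule.extra)
    if m:
        parts += ["--dport", m.group(1)]
    parts += ["-j", rule.target]
    m = re.search(r"reject-with (\S+)", rule.extra)
    if m:
        parts += ["--reject-with", m.group(1)]
    return " ".join(parts)

def is_catch_all(rule):
    """True when the listing shows no match: any protocol, any source and
    destination, no state or port condition (reject-with is a target option)."""
    return (rule.prot == "all" and rule.src == ANY and rule.dst == ANY
            and not re.search(r"state |dpt:", rule.extra))

def audit(chains):
    """Heuristic findings; interface matches are invisible without -v, so an
    'ACCEPT all' rule is reported for confirmation rather than as a fault."""
    findings = []
    for chain in chains.values():
        terminal = None  # number of the first catch-all REJECT/DROP seen
        for rule in chain.rules:
            if terminal is not None:
                findings.append(f"{chain.name} rule {rule.num} is unreachable: "
                                f"rule {terminal} already matches everything")
            elif rule.target == "ACCEPT" and is_catch_all(rule):
                findings.append(f"{chain.name} rule {rule.num} accepts everything as listed; "
                                f"confirm with 'iptables -L {chain.name} -n -v --line-numbers'")
            elif rule.target in ("REJECT", "DROP") and is_catch_all(rule):
                terminal = rule.num
        if not chain.rules and chain.policy == "ACCEPT":
            findings.append(f"{chain.name} has no rules and policy ACCEPT: nothing is filtered")
    return findings

if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for chain in chains.values():
        print(f"# {chain.name} (policy {chain.policy})")
        for rule in chain.rules:
            print(to_command(chain.name, rule))
    for finding in audit(chains):
        print("WARNING:", finding)
```

Run it as-is to see the rebuilt commands for the quoted listing; to use it on a live box, feed it the output of `iptables -L -n --line-numbers` instead of SAMPLE. The rebuilt commands are for reading, not replaying: Fedora loads the ruleset from /etc/sysconfig/iptables, and rules typed by hand are lost on restart unless saved there.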

More information about the fedora-list mailing list