Security

Firewall configuration with system-config-firewall

On a Fedora system, the default firewall configuration tool is simply called Firewall Configuration. Vincent Danen shows you how to use this simple GUI interface to set up and configure your firewall.

Since the 2.4 kernel, Linux has used iptables to configure firewall rules in the kernel. There are a number of tools that allow one to configure the firewall: iptables on the command-line, Shorewall, and a number of other GUI tools. On a Fedora system, the default firewall configuration tool is simply called Firewall Configuration, which can be found on the command-line by executing "system-config-firewall" or System | Administration | Firewall in the GNOME menus.

This GUI allows you to set which services are allowed to be accessed via the Internet using a very simple interface. It defines a number of trusted services pre-configured; to allow access, you simply need to check the box next to the entry. Each entry lists the service name, the port and protocol, and any additional iptables modules (conntrack helpers) it uses. So if you wanted to allow SSH access to the system, you would check off the box next to the SSH service as in Figure A.

You can move beyond simple service-level filtering, however. With the Trusted Interfaces section, you can define, on a multi-interface system, which interfaces are trusted. A trusted interface is one that does not have any firewall rules applied; for instance if eth0 faced the Internet and eth1 faced the local network, you might select that the eth1 interface is trusted. This would allow all connections coming in on the eth1 interface, while applying the firewall rules to all of the other interfaces.

The Other Ports section allows you to add new ports to filter that are not in the Trusted Services list. It pulls up a scrollable interface that lists the ports and protocols as defined in /etc/services, so all known ports and protocol types will be listed here. If there is a custom service you want that is not listed, select User Defined and provide the port and protocol manually.

With the Firewall Configuration GUI, you can also define masquerading, which allows you to use the system as a router; meaning you can use it as a gateway to forward connections from other local machines through it to the Internet. You can also define port forwarding; for instance, any incoming connections on port 22 would get forwarded to another defined host, great for allowing specific access to systems behind the firewall. You can define the incoming interface, protocol, and port to forward on, and then which IP address to forward to and an optional other port (i.e., forwarding connections to port 522 on the eth0 interface to port 22 on 192.168.1.2).

Finally, you can also change how the firewall will handle ICMP (Internet Control Message Protocol) packets. By default, all ICMP types are permitted, but here you can decide whether the system will respond to ping and other ICMP packets.

When you make changes to the firewall, use the Apply button to save them and the Reload button to refresh and activate the firewall rules. If you want to take a look at the actual iptables commands, the tool saves them to /etc/sysconfig/iptables which is used by the iptables-restore command to load the firewall rules. If you are familiar enough with iptables commands, you can edit this file directly rather than using the GUI.

On the command-line, use "service iptables restart" to reload the firewall, and "service iptables stop" to disable the firewall completely.

Iptables has a lot of different commands and can be used to create some very sophisticated firewall rules as tools like Shorewall prove. Shorewall, however, can be complicated to set up correctly, so while it is a good tool, it is really only useful for dedicated firewalls or servers. The Firewall Configuration GUI, on the other hand, is simple enough that anyone can use it to create customized firewalls for any Linux system, and powerful enough that you don't really need anything else.

Get the PDF version of this tip here.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

2 comments
eldergabriel
eldergabriel

The article even mentions a few tips for command-line enthusiasts and more advanced sysadmins. Fedora had been missing a decent built-in firewall management gui for a while, but they've certainly delivered. At some point, it'd be interesting to read a comparison between system-config-firewall and ubuntu's gufw. That might be an invitation for some people to argue, tho!

Editor's Picks