On Tue, 2009-04-21 at 19:17 -0700, Antonio Olivares wrote:
> According to some users, Fedora has a default firewall that adds basic
> protection. There is no service "firewall", but some users have
> pointed out that iptables takes care of this.

"Firewall" being a description of a function, rather than the name of
something in particular.

> [root@localhost ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
>
> Which traffic if any is allowed to come in to our computers if and
> when we do get on the internet?

You might want to say what you're wanting to do (allow more, deny more).

The above output told you the answer to that. The target column is
telling you how it'll treat a connection (accept or reject it in some
manner), "prot" is which protocol (UDP and/or TCP and/or ICMP), the
0.0.0.0/0 source means from *anywhere* and the 0.0.0.0/0 destination
means to anywhere, followed by some conditions.

Input rules affect connections coming in to the network.

The first rule says *any* and *all* traffic can come through so long as
it's related to something else, or an already established connection
(e.g. you turn on the firewall, or restart it, and you don't interrupt
things that are currently established). And, by inference, any new
attempts to connect won't be accepted.

The second rule allows all ICMP traffic, no matter what, unconditionally.

The third rule allows all traffic, no matter what. Which contradicts the
first rule. Something's been badly set up, here.

The fourth rule will allow new connections to port 22 using TCP to come
through. This is an exception to the first rule, rule four will allow
port 22 through rule one's blockage of new connections.

The fifth rule will reject all traffic that makes it through the list of
above rules, and hasn't been judged by any of them, a catch-all. It's a
"reject" which actively rejects the traffic, stating it's prohibited.
Which is a different action to just ignoring the traffic. It'll cause
the other end to abandon attempts, rather than keep waiting, if the
other end is behaving properly.

Forwarding rules affect forwarding traffic through the network, traffic
that is passed through with some change in direction (to a different
port, or to a different address), i.e. routing. Your first and only
rule for it rejects it.

You don't appear to have any output rules, which means there's no
restrictions on outbound traffic (traffic leaving the computer).

> We can use system-config-??? to configure simple iptables to change
> stuff around and/or get webmin?

A hint: system-config-<tab><tab> (hit the tab key twice after typing
the second dash into the console)

system-config-authentication  system-config-network-gui
system-config-date            system-config-network-tui
system-config-display         system-config-printer
system-config-firewall        system-config-printer-applet
system-config-firewall-tui    system-config-selinux
system-config-keyboard        system-config-services
system-config-language        system-config-time
system-config-network         system-config-users
system-config-network-cmd

On my system, I've got two applications installed for playing with the
firewall. The "-tui" one is a text interface, which I can use when
there's no GUI available to me (e.g. simple text network connections
from remote).

> I know that by default Fedora provides a good basic firewall, but are
> there any howto's/readme's as to how to learn more about Firewalls in
> Fedora.

If you want to set rules by hand, learn about iptables. If you want to
use an interface, there's firestarter, and various other packages.

-- 
[tim@localhost ~]$ uname -r
2.6.27.21-78.2.41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
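The reply above walks a packet down the INPUT chain by hand: first match wins, a rule with no conditions swallows everything after it, and a packet that matches nothing gets the chain policy. The following is an added example, not code from the thread or from Fedora, that does the same walk mechanically. It parses a listing laid out the way `service iptables status` prints it (the listing below is constructed to mirror the one in the post), evaluates a packet against a chain with first-match semantics, reports which later rules an unconditional rule shadows, and shows what the chain looks like once that rule is deleted. The helper names (`parse_listing`, `verdict`, `shadowed_rules`, `without_rule`) are this example's own, and it ignores the source/destination columns because they are 0.0.0.0/0 in every rule shown.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input, laid out the way `service iptables status`
# (iptables -L -n --line-numbers, no -v) prints the filter table.
LISTING = """\
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""


@dataclass
class Rule:
    num: int
    target: str                                # ACCEPT, REJECT, DROP, ...
    proto: str                                 # all, tcp, udp, icmp
    states: set = field(default_factory=set)   # from "state A,B"; empty = any state
    dport: Optional[int] = None                # from "dpt:N"; None = any port
    extra: str = ""                            # raw text after the destination column


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


def parse_listing(text):
    """Return {chain name: Chain}. Source/destination columns are skipped:
    they are 0.0.0.0/0 (anywhere) in every rule of this listing (assumption)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        m = re.match(r"(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)", line)
        if m and current is not None:
            num, target, proto, extra = m.groups()
            rule = Rule(int(num), target, proto, extra=extra.strip())
            s = re.search(r"state (\S+)", extra)
            if s:
                rule.states = set(s.group(1).split(","))
            d = re.search(r"dpt:(\d+)", extra)
            if d:
                rule.dport = int(d.group(1))
            current.rules.append(rule)
    return chains


def matches(rule, pkt):
    """pkt: {'proto': tcp/udp/icmp, 'state': NEW/ESTABLISHED/RELATED, 'dport': N}."""
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    if rule.states and pkt["state"] not in rule.states:
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return True


def verdict(chain, pkt):
    """First match wins, as in netfilter: (target, rule number), or
    (chain policy, None) if the packet falls off the end of the chain."""
    for rule in chain.rules:
        if matches(rule, pkt):
            return rule.target, rule.num
    return chain.policy, None


def shadowed_rules(chain):
    """Rule numbers that can never fire because an earlier rule, as listed,
    matches every packet (protocol 'all', no state, no port condition)."""
    for rule in chain.rules:
        if rule.proto == "all" and not rule.states and rule.dport is None:
            return [r.num for r in chain.rules if r.num > rule.num]
    return []


def without_rule(chain, num):
    """The chain after `iptables -D <chain> <num>`: rule gone, the rest renumbered."""
    new = Chain(chain.name, chain.policy)
    for i, r in enumerate([r for r in chain.rules if r.num != num], start=1):
        new.rules.append(Rule(i, r.target, r.proto, set(r.states), r.dport, r.extra))
    return new


if __name__ == "__main__":
    inp = parse_listing(LISTING)["INPUT"]
    new_http = {"proto": "tcp", "state": "NEW", "dport": 80}
    print("new TCP/80 as listed:", verdict(inp, new_http))            # ('ACCEPT', 3)
    print("rules shadowed by rule 3:", shadowed_rules(inp))           # [4, 5]
    print("new TCP/80 without rule 3:", verdict(without_rule(inp, 3), new_http))  # ('REJECT', 4)
```

One caveat before acting on what the walk reports: this listing (and `service iptables status`) omits the in/out interface columns, so a rule that looks unconditional here may in fact be limited to an interface. Check with `iptables -L -n -v --line-numbers`, which shows those columns, before deleting a rule as redundant.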