On 04/05/2010 10:15 AM, Mikkel wrote:
> On 04/05/2010 11:51 AM, Michael Miles wrote:
>
>> On 04/05/2010 09:34 AM, Mikkel wrote:
>>
>>> On 04/05/2010 11:16 AM, Michael Miles wrote:
>>>
>>>> I'm not too bad with firewalls but I am used to more detailed firewall
>>>> software.
>>>> I just came from the hell they call Win 7 and I was using Bitdefender
>>>> for the last couple of years.
>>>> I'm just using the firewall that comes with Fedora 12, is there better
>>>> firewall software out there?
>>>>
>>> Not for the actual firewall, but there are different front-ends for
>>> configuring it. You can pick the one that works best for you, or
>>> write your own firewall rules by hand.
>>>
>>> The actual firewall is part of the kernel. What the firewall
>>> software does is help you configure that firewall. When I played
>>> with Windows, the firewall was an add-on - kind of an afterthought.
>>> I don't know if this is still true.
>>>
>>> Mikkel
>>>
>> It is all add-on with Windows.
>>
>> I tell you my 4 core Phenom II 945 has more than doubled speed going
>> from Win 7 x64 to Fedora 12.
>>
>> These front ends for the firewall in Fedora. Is there one in particular
>> that you use?
>>
>> Michael
>>
> I usually use system-config-firewall, as the needs on my desktop and
> laptop are fairly simple. I do have 2 sets of rules for the laptop,
> depending on whether I am home or traveling. When I am home, the
> network is behind a hardware firewall as well. But your needs may
> differ from mine.
>
> On a side note, if you want to see the firewall rules set up by the
> front end, take a look at /etc/sysconfig/iptables and ip6tables. You
> can also run "iptables -L" to see the rules currently in effect. The
> iptables command will also let you modify rules without going
> through a GUI.
>
> Mikkel
>
It looks like the default desktop config for firewall lets everything through

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This is my iptables file

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

And ip6tables

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m ipv6header --header ah -j ACCEPT
-A INPUT -m ipv6header --header esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Michael
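
Added example, not part of the original message: a small audit of the INPUT rules quoted above that flags any rule accepting all traffic on a non-loopback interface and lists the later rules it makes unreachable for that interface. Plain "iptables -L" does not print the interface column ("iptables -L -v" does), which is why the "-i lo" and "-i eth+" rules both show up as "ACCEPT all -- anywhere anywhere"; the function names and the embedded sample are assumptions of this example.

```python
import shlex

# Constructed sample: a subset of the INPUT rules from the iptables file quoted above.
RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Split one '-A CHAIN ...' line into chain, in-interface, other matches and target."""
    tok = shlex.split(line)
    rule = {"raw": line, "chain": tok[1], "iface": None, "matches": [], "target": None}
    i = 2
    while i < len(tok):
        if tok[i] in ("-j", "--jump"):
            rule["target"] = tok[i + 1]
            break                      # what follows -j are target options
        if tok[i] in ("-i", "--in-interface"):
            rule["iface"] = tok[i + 1]
            i += 2
        else:                          # any other token (including '!') narrows the rule
            rule["matches"].append(tok[i])
            i += 1
    return rule

def audit(text, chain="INPUT"):
    """Return (wide_open, shadowed) lists of raw rule lines for one chain."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]
    rules = [r for r in rules if r["chain"] == chain]
    wide_open, shadowed = [], []
    for idx, r in enumerate(rules):
        # Unconditional ACCEPT on anything other than loopback admits all traffic there.
        if r["target"] == "ACCEPT" and not r["matches"] and r["iface"] != "lo":
            wide_open.append(r["raw"])
            # Later rules without their own interface, or on the same one, never see that traffic.
            shadowed += [x["raw"] for x in rules[idx + 1:]
                         if r["iface"] is None or x["iface"] in (None, r["iface"])]
    return wide_open, shadowed

if __name__ == "__main__":
    wide_open, shadowed = audit(RULES)
    for line in wide_open:
        print("accepts everything:", line)
    for line in shadowed:
        print("  unreachable for that interface:", line)
```
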