On 04/05/2010 11:33 AM, Michael Miles wrote:
> On 04/05/2010 10:15 AM, Mikkel wrote:
>> On 04/05/2010 11:51 AM, Michael Miles wrote:
>>> On 04/05/2010 09:34 AM, Mikkel wrote:
>>>> On 04/05/2010 11:16 AM, Michael Miles wrote:
>>>>> I'm not too bad with firewalls, but I am used to more detailed firewall
>>>>> software.
>>>>> I just came from the hell they call Win 7 and I was using Bitdefender
>>>>> for the last couple of years.
>>>>> I'm just using the firewall that comes with Fedora 12. Is there better
>>>>> firewall software out there?
>>>>
>>>> Not for the actual firewall, but there are different front-ends for
>>>> configuring it. You can pick the one that works best for you, or
>>>> write your own firewall rules by hand.
>>>>
>>>> The actual firewall is part of the kernel. What the firewall
>>>> software does is help you configure that firewall. When I played
>>>> with Windows, the firewall was an add-on - kind of an afterthought.
>>>> I don't know if this is still true.
>>>>
>>>> Mikkel
>>>
>>> It is all add-on with Windows.
>>>
>>> I tell you, my 4-core Phenom II 945 has more than doubled speed going
>>> from Win 7 x64 to Fedora 12.
>>>
>>> These front ends for the firewall in Fedora: is there one in particular
>>> that you use?
>>>
>>> Michael
>>
>> I usually use system-config-firewall, as the needs on my desktop and
>> laptop are fairly simple. I do have 2 sets of rules for the laptop,
>> depending on whether I am home or traveling. When I am home, the
>> network is behind a hardware firewall as well. But your needs may
>> differ from mine.
>>
>> On a side note, if you want to see the firewall rules set up by the
>> front end, take a look at /etc/sysconfig/iptables and ip6tables. You
>> can also run "iptables -L" to see the rules currently in effect. The
>> iptables command will also let you modify rules without going
>> through a GUI.
>>
>> Mikkel
>
> It looks like the default desktop config for firewall lets everything
> through
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     ah   --  anywhere             anywhere
> ACCEPT     esp  --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> This is my iptables file
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth+ -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth+ -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> And ip6tables
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth+ -j ACCEPT
> -A INPUT -m ipv6header --header ah -j ACCEPT
> -A INPUT -m ipv6header --header esp -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p ipv6-icmp -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth+ -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
> COMMIT

Make sure you do "iptables -L -n -v". You'll find that a lot of the open
ports are actually restricted to lo (the loopback) on a standard install,
and the "ESTABLISHED,RELATED" stuff is to permit two-way I/O initiated by
the local machine (e.g. web browsing and the like).

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting          ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734        Yahoo: origrps2     -
-                                                                    -
-          Lottery: A tax on people who are bad at math.             -
----------------------------------------------------------------------
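Rick's point is that "iptables -L" without "-v" drops the interface column, so "-i lo" and "-i eth+" both print as "ACCEPT all -- anywhere anywhere". As an added example that is not from this thread, the Python script below reads a saved ruleset in the iptables-save format quoted above (the sample is a constructed excerpt of Michael's IPv4 file) and reports the INPUT ACCEPT rules that are limited to neither loopback, nor a port, protocol, or connection state; those are the ones worth a second look before trusting the "-L" output.

```python
# Constructed sample: an excerpt of the /etc/sysconfig/iptables file quoted in the thread.
SAMPLE = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# iptables-save options we care about, mapped to field names.
FLAGS = {"-i": "iface", "-p": "proto", "--dport": "dport", "-d": "dst",
         "--state": "state", "-j": "target"}


def parse_rules(text):
    """Turn '-A CHAIN ...' lines of an iptables-save dump into dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "-A":
            continue  # skip chain policies, COMMIT and blank lines
        rule = {"chain": parts[1]}
        # Walk (flag, value) pairs; only the flags in FLAGS are recorded.
        for flag, value in zip(parts[2:], parts[3:]):
            if flag in FLAGS:
                rule[FLAGS[flag]] = value
        rules.append(rule)
    return rules


def wide_open(rules, chain="INPUT"):
    """Interfaces of ACCEPT rules in `chain` that match every packet on that
    interface: no loopback restriction, no port, no protocol, no state match.
    These print as 'ACCEPT all -- anywhere anywhere' under 'iptables -L'."""
    hits = []
    for r in rules:
        if r["chain"] != chain or r.get("target") != "ACCEPT":
            continue
        if r.get("iface") == "lo" or any(k in r for k in ("dport", "proto", "state")):
            continue
        hits.append(r.get("iface", "any"))
    return hits


def open_ports(rules, chain="INPUT"):
    """(proto, dport) pairs accepted in `chain`, the listening services exposed."""
    return sorted({(r["proto"], r["dport"]) for r in rules
                   if r["chain"] == chain and r.get("target") == "ACCEPT" and "dport" in r})


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    print("accept-all rules on:", wide_open(parsed))   # the '-i eth+' line
    print("ports accepted:", open_ports(parsed))
```

Run it against the real file with `parse_rules(open("/etc/sysconfig/iptables").read())`, or against `iptables-save` output, to see which "anywhere" rules are really interface-wide.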