11.5 Implementing a Basic Firewall

Sometimes you may want a host to provide certain services only to local clients or to clients on other hosts of a network that you control. If your network is connected to the Internet, you can use a firewall to prevent undesired access to those services. A Linux firewall depends on kernel facilities that examine incoming and outgoing packets. Packets that fail to pass the specified rules can be rejected, preventing undesired access to private services. Unlike TCP Wrappers, a firewall does not require special support from the applications or services it protects, and it can work with protocols other than TCP, such as UDP and ICMP.

11.5.1 Configuring the Firewall

To configure a firewall, launch the Security Level Tool by choosing System Settings → Security Level from the main menu.

The Security Level Tool (Figure 11-17) appears.

Figure 11-17. The Security Level Configuration dialog box

The Security Level Configuration dialog box lets you enable or disable the firewall. In addition, you can specify that requests for any of several predefined services are allowed to transit the firewall freely. To do so, simply enable the checkbox associated with the name of the service.

By allowing service requests to transit the firewall, you may expose your system to network-based attacks. Therefore, don't specify trusted services casually or unnecessarily.

You can use the Trusted devices checkbox to specify that packets originating from the specified device will not be blocked by the firewall. This facility is useful when a host has two network adapters: one associated with a public network, such as the Internet, and another associated with a private network. By specifying the network adapter associated with the private network as a trusted device, you permit clients on the private network free access to services, while blocking clients on the public network from access other than that permitted by the firewall configuration.
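As an added example (not from the book, and not the tool's own output), the following POSIX shell script emits an iptables-restore rule set that mirrors the three choices the Security Level Tool offers: the firewall is enabled with a default drop policy, only the named trusted services are reachable, and one trusted device passes unconditionally. The interface names, the service-to-port table and the output path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate iptables-restore rules equivalent to the
# Security Level Tool's choices (firewall on, trusted services, trusted
# device). The service table and interface names are constructed here;
# review the output before loading it with iptables-restore.

# Map the tool's service names to "proto port" (constructed table).
service_port() {
    case "$1" in
        ssh)   echo "tcp 22" ;;
        http)  echo "tcp 80" ;;
        https) echo "tcp 443" ;;
        ftp)   echo "tcp 21" ;;
        smtp)  echo "tcp 25" ;;
        *)     return 1 ;;
    esac
}

# firewall_rules TRUSTED_DEV SERVICE...
# Default policy drops. Loopback and the trusted device pass without
# inspection, replies to connections we opened pass, and only the named
# services may be reached from any other interface. Everything else is
# rejected so that blocked clients see a clear refusal in logs.
firewall_rules() {
    trusted="$1"; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    [ -n "$trusted" ] && echo "-A INPUT -i $trusted -j ACCEPT"
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for svc in "$@"; do
        pp=$(service_port "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        proto=${pp% *}; port=${pp#* }
        echo "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Usage (assumed interface eth1 is the private network):
#   firewall_rules eth1 ssh http > /tmp/iptables.rules
#   iptables-restore < /tmp/iptables.rules
```

Each service you open is one more rule that lets NEW connections in from the public side, which is exactly why the chapter advises against ticking trusted services casually.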

11.5.2 Controlling the Firewall

For the firewall to be effective, it must be enabled and the associated iptables service must be running. To start, stop, or restart the iptables service, you can use the Service Configuration Tool. Generally, you should use the Tool to associate the iptables service with runlevels 2-5, so that your system is protected when networking is active.