interface and IP forwarding is turned on to pass packets between the interfaces (for example, in a system serving as a router).

OUTPUT

Filters packets that are outbound from this system.

RH-Firewall-1-INPUT

This is the chain of rules configured by the firewall system. Notice that this chain is included in both the INPUT and FORWARD chains.

In this example, IPP (Internet Printing Protocol, used by CUPS), MDNS (multicast DNS, used by Avahi), and SSH connections are all permitted; only SSH was configured for the firewall, demonstrating that not all services are configured through the firewall configuration tools.

Since the policy for each chain is ACCEPT, flushing (clearing) the rules will result in all packets being accepted. This is exactly what the iptables -F command does, which is executed when the iptables service is stopped.
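As an added example (not from the book), the following script audits a rule set in the iptables-save format used by /etc/sysconfig/iptables for the two points above: which chains jump into RH-Firewall-1-INPUT, and which chains have an ACCEPT policy and are therefore left wide open the moment iptables -F runs. The sample rule set is constructed to mirror the Fedora layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save style rule set for chains whose
# default policy is ACCEPT. Such chains pass everything once their rules
# are flushed (iptables -F), which is what "service iptables stop" does.

# Constructed sample in iptables-save format, modelled on the Fedora
# RH-Firewall-1-INPUT layout (not a captured file).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the filter-table chains whose policy is ACCEPT (policy lines start
# with ":"; user-defined chains show "-" instead of a policy).
accept_policy_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        /^:/ && table == "filter" && $2 == "ACCEPT" { print substr($1, 2) }
    '
}

# Print every chain that jumps (-j) into the named chain, e.g. to confirm
# that RH-Firewall-1-INPUT is reached from both INPUT and FORWARD.
chains_jumping_to() {
    printf '%s\n' "$1" | awk -v target="$2" '
        $1 == "-A" { for (i = 3; i < NF; i++)
                         if ($i == "-j" && $(i + 1) == target) print $2 }
    '
}

# Warn for each ACCEPT-policy chain; exit status 1 signals that a flush
# would open the host. (A DROP policy on INPUT/FORWARD keeps the host
# closed after a flush, at the cost of blocking loopback until rules reload.)
audit_flush_risk() {
    risky=$(accept_policy_chains "$1")
    [ -z "$risky" ] && { echo "OK: no filter chain falls back to ACCEPT"; return 0; }
    printf '%s\n' "$risky" | while read -r c; do
        echo "WARNING: policy for $c is ACCEPT; 'iptables -F' leaves $c wide open"
    done
    return 1
}

audit_flush_risk "$SAMPLE_RULES" || true
```

Run it against a real file with audit_flush_risk "$(cat /etc/sysconfig/iptables)" before stopping the service.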

The graphical firewall configuration tool is system-config-securitylevel (which, in recent versions, also handles SELinux configuration). The character-based version is system-config-securitylevel-tui, which is also known as lokkit. Both of these tools save the firewall configuration in /etc/sysconfig/system-config-securitylevel and, from that configuration, derive a set of iptables rules that are saved in /etc/sysconfig/iptables. That file, in turn, is used by the iptables service (/etc/init.d/iptables) to configure the firewall; options that control the operation of the iptables service are stored in /etc/sysconfig/iptables-config.

iptables is actually an unusual service. Most other services, such as cups, httpd, or gpm, have a server process that begins running when the service is started and that is stopped when the service is stopped; iptables, on the other hand, just configures the iptables facility in the kernel when the service is started or stopped, so there's no actual process running when the firewall is active.

8.1.3. What About...

8.1.3.1. ...more complex firewall rules?

The firewall interface provided by Fedora's system-config-securitylevel supports only the filtering of inbound (and forwarded) packets and is quite simple. However, the iptables mechanism supports much more complex filtering. Fedora Extras provides several alternate tools for firewall configuration, including firestarter, fwbuilder, and shorewall.

8.1.4. Where Can I Learn More?

• The manpages for iptables

• The home page for iptables at http://netfilter.org

8.2. Using SELinux

Security Enhanced Linux (SELinux) is installed and enabled by default in Fedora Core. SELinux controls what a program is and is not allowed to do, enforcing security policy through the kernel. This prevents an attacker from using a compromised program to do something it was not intended to do.

Although SELinux can at times be challenging to configure, it dramatically improves protection against some common system attacks, so a little bit of effort can pay off in a big way.

8.2.1. How Do I Do That?

SELinux is managed using the same graphical tool used to manage the firewall. Click System>Administration>'Security Level and Firewall' to start it, then select the SELinux tab, shown in Figure 8-5.

Figure 8-5. Graphical configuration tool for SELinux

There are three possible values for SELinux Setting:

Enforcing

Fully enables SELinux. Any attempted operation that violates the current security policy is blocked.

Permissive

Enables SELinux security checks but does not enforce the security policy; operations that violate the current security policy are permitted, but an error message is logged to record the event. This is useful if you have previously disabled SELinux and want to evaluate the potential impact before you enable it.

Disabled

Completely disables SELinux.

If you enable SELinux (using Enforcing or Permissive mode), expand the Modify SELinux Policy section by clicking the triangle. The SELinux policy configuration categories will appear, as shown in Figure 8-6.

Figure 8-6. SELinux policy configuration categories

Each of these categories contains a number of options (represented as checkboxes) called booleans. Each boolean may be set on (checked) or off (unchecked).

To expand the options in any category, click on the arrow in front of that category. In Figure 8-6, the Admin category has been expanded, and the window width has been resized to fully show each option.

After selecting or deselecting booleans as desired, click OK. Changes in boolean values will take effect immediately, but changing the SELinux setting to or from Disabled will take effect only when the system is booted.
