
Firewall configuration with system-config-firewall

By Vincent Danen

Since the 2.4 kernel, Linux has used iptables to configure firewall rules in the kernel. There are a number of tools that allow one to configure the firewall: iptables on the command line, Shorewall, and various GUI tools. On a Fedora system, the default firewall configuration tool is simply called Firewall Configuration, which can be launched from the command line by executing "system-config-firewall" or from System | Administration | Firewall in the GNOME menus.

This GUI allows you to set which services may be accessed via the Internet, using a very simple interface. It comes with a number of trusted services pre-configured; to allow access to one of them, you simply check the box next to its entry. Each entry lists the service name, the port and protocol, and any additional iptables modules (conntrack helpers) it uses. So if you wanted to allow SSH access to the system, you would check the box next to the SSH service, as in Figure A.

You can move beyond simple service-level filtering, however. With the Trusted Interfaces section, you can define, on a multi-interface system, which interfaces are trusted. A trusted interface is one that has no firewall rules applied to it; for instance, if eth0 faced the Internet and eth1 faced the local network, you might mark eth1 as trusted. This would allow all connections coming in on the eth1 interface, while applying the firewall rules to all of the other interfaces.

The Other Ports section allows you to open additional ports that are not in the Trusted Services list. It pulls up a scrollable list of the ports and protocols defined in /etc/services, so all known ports and protocol types are listed here. If the service you want is not listed, select User Defined and provide the port and protocol manually.

With the Firewall Configuration GUI, you can also enable masquerading, which allows you to use the system as a router: it becomes a gateway that forwards connections from other local machines through it to the Internet. You can also define port forwarding; for instance, any incoming connections on port 22 could be forwarded to another defined host, which is great for allowing specific access to systems behind the firewall. You define the incoming interface, protocol, and port to forward, then the IP address to forward to and, optionally, a different destination port (e.g., forwarding connections to port 522 on the eth0 interface to port 22 on 192.168.1.2).

Finally, you can also change how the firewall will handle ICMP (Internet Control Message Protocol) packets. By default, all ICMP types are permitted, but here you can decide whether the system will respond to ping and other ICMP packets.

When you make changes to the firewall, use the Apply button to save them and the Reload button to refresh and activate the firewall rules. If you want to take a look at the actual iptables rules, the tool saves them to /etc/sysconfig/iptables, which is read by the iptables-restore command to load the firewall rules. If you are familiar enough with iptables, you can edit this file directly rather than using the GUI.

On the command line, use "service iptables restart" to reload the firewall, and "service iptables stop" to disable the firewall completely.

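To make the saved ruleset concrete, here is an added example that is not the article's code and not what system-config-firewall itself writes, though it is modelled on the /etc/sysconfig/iptables format that iptables-restore reads. It renders the choices described above (a trusted interface, trusted-service ports such as SSH, masquerading out of the Internet-facing interface, port 522 on eth0 forwarded to port 22 on 192.168.1.2, and ICMP either allowed or not) so the file can be reviewed before it is reloaded. The function names, the rule ordering, and the interface names and addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not system-config-firewall's own output: render an
# iptables-restore ruleset in the /etc/sysconfig/iptables format for the
# configuration the article walks through, so the file can be reviewed
# before it is loaded.  Interface names, ports and addresses are constructed.

# render_ruleset WAN_IF TRUSTED_IF TCP_PORTS FWD_PORT FWD_HOST FWD_TO_PORT ICMP
#   WAN_IF      Internet-facing interface (masqueraded traffic leaves through it)
#   TRUSTED_IF  interface with no filtering at all
#   TCP_PORTS   space-separated trusted-service ports, e.g. "22" for SSH
#   FWD_PORT    port on WAN_IF whose incoming connections are forwarded
#   FWD_HOST    internal host that receives the forwarded connections
#   FWD_TO_PORT port on FWD_HOST to deliver them to
#   ICMP        "yes" to accept all ICMP types, "no" to reject them like any
#               other unsolicited inbound traffic
render_ruleset() {
  wan=$1 trusted=$2 ports=$3 fwd_port=$4 fwd_host=$5 fwd_to=$6 icmp=$7

  # nat table: rewrite the destination on the way in (port forwarding) and
  # the source on the way out (masquerading).
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo "-A PREROUTING -i $wan -p tcp -m tcp --dport $fwd_port -j DNAT --to-destination $fwd_host:$fwd_to"
  echo "-A POSTROUTING -o $wan -j MASQUERADE"
  echo 'COMMIT'

  # filter table: reject new inbound traffic by default, with the exceptions
  # the GUI exposes (trusted interface, trusted services, ICMP).
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  if [ "$icmp" = yes ]; then
    echo '-A INPUT -p icmp -j ACCEPT'
  fi
  echo '-A INPUT -i lo -j ACCEPT'
  echo "-A INPUT -i $trusted -j ACCEPT"
  for p in $ports; do
    echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
  done
  echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
  # Forwarded traffic: replies, anything arriving on the trusted side, and the
  # DNATed connections (matched on their already-rewritten destination).
  echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo "-A FORWARD -i $trusted -j ACCEPT"
  echo "-A FORWARD -d $fwd_host -p tcp -m state --state NEW -m tcp --dport $fwd_to -j ACCEPT"
  echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
  echo 'COMMIT'
}

# Structural check that runs on any host: every *table header needs its own
# COMMIT, or iptables-restore rejects the file.  On a Fedora box with root and
# the iptables package, the authoritative check is "iptables-restore --test < FILE".
check_ruleset() {
  tables=$(grep -c '^\*' "$1" || true)
  commits=$(grep -c '^COMMIT$' "$1" || true)
  [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Usage: sh firewall-example.sh --demo > iptables.example
if [ "${1:-}" = "--demo" ]; then
  render_ruleset eth0 eth1 "22" 522 192.168.1.2 22 yes
fi
```

Note that the forwarding and masquerading rules only take effect if IPv4 forwarding is enabled in the kernel (net.ipv4.ip_forward), which this file does not set; the REJECT rules at the end of INPUT and FORWARD are what turn the unchecked boxes in the GUI into actual blocking, so anything you open must be inserted before them.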
Iptables has a lot of different options and can be used to create some very sophisticated firewall rules, as tools like Shorewall prove. Shorewall, however, can be complicated to set up correctly, so while it is a good tool, it is really only useful for dedicated firewalls or servers. The Firewall Configuration GUI, on the other hand, is simple enough that anyone can use it to create customized firewalls for any Linux system, and powerful enough that you don't really need anything else.
