Red Hat Linux also offers you firewall protection for enhanced system security. A firewall sits between your computer and the network, and determines which resources on your computer remote users on the network are able to access. A properly configured firewall can greatly increase the out-of-the-box security of your system.
Choose the appropriate security level for your system.
High Security — By choosing High Security, your system will not accept connections that are not explicitly defined by you. By default, only the following connections are allowed:
DNS replies
DHCP — so any network interfaces that use DHCP can be properly configured.
Using High Security will not allow the following:
Active mode FTP (Passive mode FTP, used by default in most clients, should work fine.)
IRC DCC file transfers
RealAudio(tm)
Remote X Window System clients
If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice. If additional services are needed, you can choose Customize to allow specific services through the firewall.
Medium Security — Choosing Medium Security will not allow your system to have access to certain resources. By default, access to the following resources is not allowed:
ports lower than 1023 — these are the standard reserved ports, used by most system services, such as FTP, SSH, telnet, and HTTP.
NFS server port (2049)
the local X Window System display for remote X clients
the X Font server port (This is disabled by default in the font server.)
If you want to allow resources such as RealAudio(tm), while still blocking access to normal system services, choose Medium Security. You can choose Customize to allow specific services through the firewall.
No Firewall — No firewall allows complete access and does no security checking. It is recommended that this only be selected if you are running on a trusted network (not the Internet), or if you plan to do more detailed firewall configuration later.
Unless you plan to customize your firewall, make sure Use default firewall rules is selected.
Choose Customize to add trusted devices or to allow additional incoming interfaces.
Trusted Devices — Checking this for any of your devices allows all traffic coming from that device through the firewall. For example, if you are running a local network, but are connecting to the Internet via a PPP dialup, you could check that eth0 is trusted to allow any traffic coming from your local network.
It is not recommended to enable this for devices that are connected to public networks, such as the Internet.
Allow Incoming — Enabling these options allows the specified services to pass through the firewall. Note that during a workstation-class installation, the majority of these services are not present on the system.
DHCP — This allows DHCP queries and replies, and allows any network interfaces that use DHCP to determine their IP address. DHCP is normally enabled.
SSH — Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
Telnet — Telnet is a protocol for logging into remote machines. It is unencrypted, and provides little security from network snooping attacks. Enabling telnet is not recommended. You need the telnet-server package installed for this option to be useful.
WWW (HTTP) — HTTP is the protocol used by Apache to serve Web pages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages. You need the Apache package installed for this option to be useful.
Mail (SMTP) — This allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
FTP — FTP is a protocol used for remote file transfer. If you plan on making your FTP server publicly available, enable this option. You need the wu-ftpd (and possibly anonftp) packages installed for this option to be useful.
Other ports — You can specify that other ports not listed here be allowed through the firewall. The format to use is 'port:protocol'. For example, if you wanted to allow IMAP access through your firewall, you can specify 'imap:tcp'. You can also specify numeric ports explicitly; to allow UDP packets on port 1234 through, specify '1234:udp'. To specify multiple ports, separate them by commas.
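The following is an added example, not part of the Red Hat installer, showing how the 'port:protocol' list described above can be parsed and validated before it is turned into firewall rules. It resolves service names through the system service database and falls back to a small constructed table (an assumption for this example) when that database is unavailable; malformed entries, unknown protocols and out-of-range ports are rejected rather than silently ignored.

```python
import socket

# Fallback service table, constructed for this example only; used when the
# system's service database (/etc/services) cannot resolve a name.
FALLBACK_SERVICES = {
    ("imap", "tcp"): 143,
    ("ssh", "tcp"): 22,
    ("smtp", "tcp"): 25,
    ("http", "tcp"): 80,
    ("ftp", "tcp"): 21,
}

VALID_PROTOCOLS = ("tcp", "udp")


def resolve_port(name: str, proto: str) -> int:
    """Map a service name or numeric string to a port number in 1..65535."""
    if name.isdigit():
        port = int(name)
    else:
        try:
            port = socket.getservbyname(name, proto)
        except OSError:
            if (name, proto) not in FALLBACK_SERVICES:
                raise ValueError(f"unknown service name: {name!r}")
            port = FALLBACK_SERVICES[(name, proto)]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_other_ports(spec: str) -> list[tuple[int, str]]:
    """Parse a comma-separated 'port:protocol' list such as 'imap:tcp, 1234:udp'.

    Returns de-duplicated (port, protocol) pairs in input order and raises
    ValueError on any malformed entry, so a typo never opens the wrong port.
    """
    allowed: list[tuple[int, str]] = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separator
        if entry.count(":") != 1:
            raise ValueError(f"expected 'port:protocol', got {entry!r}")
        name, proto = entry.split(":")
        proto = proto.strip().lower()
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol in {entry!r}")
        pair = (resolve_port(name.strip().lower(), proto), proto)
        if pair not in allowed:
            allowed.append(pair)
    return allowed


if __name__ == "__main__":
    print(parse_other_ports("imap:tcp, 1234:udp"))
```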