Kevin Waterson wrote:
> Hi gang,
> I have a Fedora machine running a few services:
> httpd, ftpd, sshd, rsync, dns
> When I connected to Bigpond cable, I could not access the machine.
> Access was denied for all the above services.
>
> So, I disabled the firewall using system-config-securitylevel-tui as
> I have only ssh access to the remote machine.
    local$ ssh -X remote
    remote$ system-config-security

will allow you to run the GUI tools. Don't sudo before running the tool, as that will stuff your X security and the tool won't start.

> This fixed the problem and I (and others) can access the machine. The problem
> now is that I have a machine running without the firewall. How can I customize
> this with ssh?

The iptables configuration is stored in /etc/sysconfig/iptables. This is not a format designed to be edited, although you can if you are careful. If you can drive the iptables firewall program, then

    # service iptables start
    # iptables ...
    # service iptables save

You may need to add any Netfilter modules you need to /etc/sysconfig/iptables-config (such as ip_nat_ftp or whatever; for the list see /lib/modules/*/kernel/net/ipv4/netfilter/ip_nat_*.ko).

Similarly, you can use any GUI tool with an "install now" option in place of the iptables command and simply use "service iptables save" when done.

The Red Hat system-config-security is OK for configuring a firewall for a host or server with a single interface. It's rather useless for configuring a router and doesn't understand scenarios with multiple interfaces with differing security policies (e.g. inside, outside, DMZ). It doesn't back up your old /etc/sysconfig/iptables, so you might want to do that first.

Fedora comes with fwbuilder in Extras, which works as long as you know what you are doing.

Also, most Fedora packages obey /etc/hosts.[allow|deny], so it's worthwhile configuring that for an extra layer of security.

Finally, FC6 does IPv6, so remember to give a rule for that too (if only to allow all from localhost and deny all other).

Cheers,
Glen

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
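A scripted version of the procedure Glen describes (back up the old ruleset, allow the services Kevin listed, reject the rest, give IPv6 its own rule, then persist with "service iptables save"), written as an added example and not taken from the thread. The service ports, the REJECT target, the backup naming and the DRY_RUN switch are my assumptions; run it over the existing ssh session, since established traffic is accepted before anything is rejected.

```shell
#!/bin/sh
# Added example: host firewall for sshd, httpd, ftpd, rsync and dns on a
# single-interface Fedora box, applied from an ssh session and then saved.
# DRY_RUN=1 prints the commands instead of executing them.
IPT_FILE=${IPT_FILE:-/etc/sysconfig/iptables}   # Fedora's saved ruleset
SSH_PORT=${SSH_PORT:-22}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# system-config-security does not back up the old ruleset, so do it first.
backup_rules() {
    [ -f "$IPT_FILE" ] || return 0
    cp -p "$IPT_FILE" "$IPT_FILE.bak.$(date +%Y%m%d%H%M%S)"
}

apply_rules() {
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    # Accept replies to connections we already have (including this ssh
    # session) before any rule that can reject traffic.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    run iptables -A INPUT -p tcp --dport 80 -j ACCEPT     # httpd
    run iptables -A INPUT -p tcp --dport 21 -j ACCEPT     # ftpd control channel
    run iptables -A INPUT -p tcp --dport 873 -j ACCEPT    # rsyncd
    run iptables -A INPUT -p udp --dport 53 -j ACCEPT     # dns
    run iptables -A INPUT -p tcp --dport 53 -j ACCEPT     # dns (zone transfers)
    # Passive FTP data connections are only matched by RELATED if the
    # ip_conntrack_ftp / ip_nat_ftp modules are listed in IPTABLES_MODULES
    # in /etc/sysconfig/iptables-config, as Glen notes.
    run iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # FC6 speaks IPv6 as well: allow loopback, drop everything else.
    run ip6tables -F INPUT
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -P INPUT DROP
}

save_rules() {
    run service iptables save
    run service ip6tables save
}

case "${1:-}" in
    apply) backup_rules && apply_rules && save_rules ;;
esac
```

Invoke as "sh fw.sh apply" once DRY_RUN=1 output looks right; the saved file is what "service iptables start" reloads on the next boot.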
