LinuxQuestions.org


CarlosSunden 05-13-2004 10:41 AM

no firewall option in RHL
 
hello

noticed at installation time of red hat linux 8, there are three options: high, medium and "no firewall"

what does "no firewall" mean exactly in practical & technical terms?

we have some problems with the "firewall configuration" option in the setup tool ( typing setup at cmd prompt). It appears that modifying the FW config option within the setup tool, unless the specific ports & services are retyped or allowed again, it does not keep previous configured settings.

This has caused us to select the "no firewall" option at rhl 8 installation but it says that: "no firewall allows complete access and does no security checking." mmmm, does no security checking??

what happens then if no firewall option is selected? some of our users do not like the idea of a "firewall" in this system, however, i think the setup tool will always have the option to go into the "firewall configuration" & modify settings there. The "firewall configuration" will always be there in the setup tool.

any thoughts, opinions?

thanks!

TheOther1 05-13-2004 10:58 AM

Yup. All ports are open and listening (provided there is a service on those ports). If you have apache installed, anyone can get to the web pages (unless you modified httpd.conf), but if you have those ports blocked by your firewall, only the localhost can get to the web pages.
Try running lokkit from the command line. You can select custom and allow http, ssh, telnet, etc. If you are going to make this a print server, open port 515. For anything else, you will have to look up the port numbers.

On the security note, I run a firewall on every one of my systems and allow traffic for only the services I wish to expose and block the rest. Even the exposed ones are only allowed from inside our network.
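
The point above, that without a firewall every listening service is reachable, can be checked directly. This is an added example, not part of the original post: it reads `netstat -tln` output and lists the TCP ports bound to non-loopback addresses. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP services reachable from other hosts when no
# firewall is filtering, from `netstat -tln` output on stdin.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # Sockets bound to loopback are only reachable from this machine.
        if (host ~ /^127\./ || host == "::1") next
        print port
    }' | sort -n | uniq
}

# Constructed sample of `netstat -tln` output (not from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:631        0.0.0.0:*               LISTEN
EOF
}

# Live use on the host being checked: netstat -tln | exposed_listeners
sample_netstat | exposed_listeners
```

Each port it prints is a service that other machines can reach unless a firewall rule or the service's own configuration restricts it.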

Capt_Caveman 05-13-2004 11:25 AM

Also an FYI. In Redhat 8.0 there is a bug in the graphical firewall configuration tool that when opened, it will always display the firewall level as "high" regardless of what level you actually have it set on. Changing the settings in the tool will still affect the firewall though.

CarlosSunden 05-13-2004 11:47 AM

Ok.
So, there's no way to uninstall the setup tool?

The lokkit actually takes me back to the same Firewall Configuration interface. It might be modifying the same files as in when using the setup tool.

Any way to uninstall this "setup" thing? I wouldn't take it off since opening the system with "no firewall" option is not good, but it will be great to find out if the setup program can be taken off the system.
Thanks again!

Capt_Caveman 05-13-2004 12:12 PM

I believe it's part of the setuptool rpm (do rpm -qa | grep setuptool). I don't understand why you'd want to remove it though? If you would rather just use lokkit/redhat-config-securitylevel or even just use iptables from the command line, you can do so. I guess my question is how would you benefit from removing the setup tool?

CarlosSunden 05-18-2004 09:50 AM

OK.
So, if choosing no firewall at install time, or simply uninstalling the setuptool, this means I would have to modify files directly, right? I guess so. Is this the /etc/sysconfig/iptables file?
It doesn't look that easy to modify.
Thanks again!

Capt_Caveman 05-18-2004 10:20 AM

I'm not entirely sure about the relationship between the setup tool and redhat-config-securitylevel. It would appear that when you are using the setup tool and choose to modify the firewall, the setup tool actually switches to redhat-config-securitylevel. So I don't really know what effect removing setup tool will have. If I had to guess, you could likely still use redhat-config-securitylevel. In fact, you can invoke redhat-config-securitylevel or lokkit by themselves without using setup tool.

As far as editing the /etc/sysconfig/iptables file, you should never directly edit that file. Sometimes you can get away with it, but editing it can cause problems even if the rules you add are syntactically correct. Usually most people will either manipulate the firewall rules using the command line or by putting them into a script. I recommend the second option, because they are easier to manipulate in that format.

If you choose no firewall during the install configuration, all of the firewall programs will still be installed on your system, however no firewall script will be generated and the firewall will not be activated. If you change your mind, you can still activate or de-activate the firewall at any time.

If you are more specific about what you are trying to accomplish, maybe we could point you in the right direction?
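
The scripted approach recommended above, as an added example that is not part of the original post: a default-deny INPUT ruleset that opens only the services named in this thread (ssh, http and print port 515) to an inside network. The 192.168.1.0/24 range, the port list and the function name are assumptions; by default the script only prints the iptables commands, and it applies them only when run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example: firewall rules kept in a script instead of hand-editing
# /etc/sysconfig/iptables. LAN and the port list are assumed values.
LAN="${LAN:-192.168.1.0/24}"          # assumed inside network
TCP_PORTS="${TCP_PORTS:-22 80 515}"   # ssh, http, lpd print server

# Print the iptables commands, one per line, without touching the system.
build_rules() {
    # Start clean and drop anything that is not explicitly allowed.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Loopback traffic and replies to connections this host started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $TCP_PORTS; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $port" >&2; return 1; }
        echo "iptables -A INPUT -p tcp -s $LAN --dport $port -m state --state NEW -j ACCEPT"
    done
}

if [ "${1:-}" = "apply" ]; then
    # Generate everything first so a bad port never leaves a half-built
    # ruleset behind a DROP policy.
    rules=$(build_rules) || exit 1
    printf '%s\n' "$rules" | sh -e
    # To persist on Red Hat without editing the file by hand:
    #   service iptables save
else
    build_rules   # dry run: review the commands before applying them
fi
```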

CarlosSunden 05-24-2004 01:19 PM

Dear All,
The main issue arose (past tense of arise?) by the setup tool not retaining previous settings even when nothing was modified in the firewall configuration section.
Anyway, it boils down to the iptables program. It seems this is modified by either of these tools. Someone wanted the setuptool to be removed, but since it wasn't that the main "problem", then a suggestion to take the iptables off the system was voiced, which i think it's nuts even if a system is sitting (like a duck) inside the network. We'll resort to leaving the setup tool & specify necessary ports, services & leave alone. There's also other security options like TCP Wrappers, etc.
Thanks to all for the responses, very informational.


All times are GMT -5.