Old 04-08-2005, 12:05 PM   #1
lel800
Member
 
Registered: Aug 2003
Distribution: Red Hat RHEL WS 3, RHEL WS 4
Posts: 228

Rep: Reputation: 30
Red Hat Default Firewall


I'm seeing a lot of helpful threads in the forum which offer suggestions and links to external sites about doing an iptables configuration. And that's fine. But I wonder, do I need to run any iptables scripts or make any changes? Is the default firewall setup on the various versions of Red Hat, particularly RHEL 3, enough? Is it secure enough, or do I need to learn about working in the command line directly with iptables? I'd like to just click "Enable firewall" and feel secure. Is that realistic for home office use? What is the security level provided by a default firewall in RH? Thanks for any feedback.
 
Old 04-08-2005, 01:36 PM   #2
marghorp
Senior Member
 
Registered: Jan 2004
Location: Slovenia
Distribution: Slackware 10.1, SLAX to the MAX :)
Posts: 1,040

Rep: Reputation: 45
You can use a program called nmap (usually bundled with Linux distributions for security). Go to console mode (open a terminal) and type in nmap localhost. That will scan all your ports and provide a statistic on which ports are opened and which are filtered or masked. This way you can answer your own question on how secure the firewall actually is. If you are not running any servers all ports should be closed or filtered (to allow only specific IPs).

Post your nmap results here and we'll tell you if you are secure or not
 
Old 04-09-2005, 02:54 PM   #3
lel800
Member
 
Registered: Aug 2003
Distribution: Red Hat RHEL WS 3, RHEL WS 4
Posts: 228

Original Poster
Rep: Reputation: 30
Thanks for your response. Okay my nmap localhost results are as follows. First the results say that the 1598 ports scanned but not shown below are in closed state. And then I see..

Port State Service
22/tcp open ssh
631/tcp open ipp
6000/tcp open X11
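
A scan of localhost travels over the loopback interface, so it lists what is listening on the machine but not which of those services other hosts can reach. The sketch below is an added example, not part of the original posts: it filters `netstat -tln` style output down to ports bound to a non-loopback address, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP ports that listen on a
# non-loopback address, reading `netstat -tln` style output on stdin.

exposed_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, part, ":")      # the port is the last ":" field
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # 127.0.0.0/8 and ::1 are reachable only from the machine itself
        if (addr !~ /^127\./ && addr != "::1") print port
    }' | sort -n | uniq
}

# Constructed sample: the three ports from the scan, with 631 bound to
# loopback only (an assumption made for illustration).
SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp        0      0 :::22            :::*             LISTEN
tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:6000     0.0.0.0:*        LISTEN'

printf '%s\n' "$SAMPLE" | exposed_listeners
```

On a live system the same function can be fed with `netstat -tln | exposed_listeners`; the ports it prints are the ones the firewall rules have to account for.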
 
Old 04-13-2005, 07:12 PM   #4
JMCraig
Member
 
Registered: Feb 2003
Location: Utah, USA
Distribution: Red Hat EL/CentOS, Ubuntu/Debian
Posts: 113

Rep: Reputation: 15
What's the nature of your connection to the Internet? If you're behind a DSL modem or something else that does Network Address Translation, then you're in the clear anyway. The port 22 ssh isn't going to cause you problems because people have to attach with an SSH-enabled client and log in using a valid login. If you have an obvious password for root, then you'd want to close that port or pick a better password.

Someone with more experience is going to have to give you word on ipp, I don't recognize that service.

The X11 port probably isn't necessary to be open unless you want to run X remotely.

HTH!

John
 
Old 04-16-2005, 02:15 AM   #5
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
You can close port 631. Also, for the root password for ssh, disable root login immediately; allowing root login is very, very dangerous and not recommended. Log in with your username and then su to root.

-twantrd
 
Old 04-16-2005, 09:55 AM   #6
JMCraig
Member
 
Registered: Feb 2003
Location: Utah, USA
Distribution: Red Hat EL/CentOS, Ubuntu/Debian
Posts: 113

Rep: Reputation: 15
And just for the record ;-), how do you disable a login so that another login has to be used initially?
 
Old 04-16-2005, 01:14 PM   #7
aka Shiva
LQ Newbie
 
Registered: Apr 2005
Location: FWI
Distribution: RedHat
Posts: 9

Rep: Reputation: 0
Port 631? Isn't it used by the USB CUPS printing protocol?
 
Old 04-17-2005, 12:04 PM   #8
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
JMCraig,

There's not really a way *at least that I know of* that disables a login so that another login must be used initially for normal accounts. In any case, there's really no need to do such a thing. If you have an account called "jmcraig" that you want to restrict certain rights, use chroot. Other possibilities are using a shell that has limited rights already and customizing it.

Aka Shiva,

Port 631 is ipp, which is Internet Printing Protocol. CUPS does use this, but I was pretty darn sure (like 99.9%) that he didn't have a printer attached to his computer. Why was I sure... I have no idea. OK, so let me correct myself: if you have a printer attached, block port 631 from the outside world but let your LAN see it.

-twantrd
 
Old 05-06-2005, 04:21 PM   #9
lel800
Member
 
Registered: Aug 2003
Distribution: Red Hat RHEL WS 3, RHEL WS 4
Posts: 228

Original Poster
Rep: Reputation: 30
Thanks for everyone's responses. Sorry for my own delay here.

JMCraig, thanks for your feedback. I have no need to access X remotely. How do I close or block that port 6000? In one instance I am behind a hardware firewall anyway, so I guess you would call that "in the clear". Do you mean clear as in safe or wide open? I assume you mean safe...

Thanks twantrd for the feedback about port 631. How do I close that port? Actually I do have a printer which I like to attach to the machine to print files, so I am interested in your suggestion about blocking it from the outside but leaving it open on a LAN.

Thanks again.
 
Old 05-06-2005, 04:22 PM   #10
lel800
Member
 
Registered: Aug 2003
Distribution: Red Hat RHEL WS 3, RHEL WS 4
Posts: 228

Original Poster
Rep: Reputation: 30
About the hardware firewall: of course that won't be present when I connect to the internet using the wireless card from some other location than my office, which is why I am asking about Red Hat's software firewall.
 
Old 05-06-2005, 08:58 PM   #11
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
Quote:
How do I close that port
Since you want to run that service but not allow outside connections to that port, look at iptables. Documentation is everywhere on the internet. Let us know if you need additional help.

-twantrd
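
One way to express the advice in this thread as iptables rules, given as an added example that is not from any of the posters: ssh stays reachable, ipp (631) is accepted only from the LAN, and X11 (6000) gets no rule and is dropped by the default policy. The function name and the `192.168.1.0/24` LAN range are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset
# that drops inbound traffic by default and opens only what was discussed.
# build_ruleset and the default LAN range are illustrative assumptions.

build_ruleset() {
    lan_cidr=$1
    # Shape check only (a.b.c.d/nn), so nothing unexpected ends up
    # inside the generated rules.
    printf '%s\n' "$lan_cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || {
        echo "invalid LAN CIDR: $lan_cidr" >&2
        return 1
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 631 -s $lan_cidr -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the LAN given as the first argument.
build_ruleset "${1:-192.168.1.0/24}"
```

Loading the output with `iptables-restore` as root replaces the current filter table, so review it against the existing rules first.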
 
  

