Two Options for Building a Firewall
You have two options for building a firewall:
- Use the iptables utility, which is driven by the packet filtering rule language. It is intended for administrators who are comfortable writing a packet filtering rule set. This document provides only an overview of the utility, not step-by-step instructions.
- Use the custom, simplified set_fwlevel command, which applies preset firewall settings. This document provides both an overview and step-by-step instructions for the command. It requires less detailed administrative knowledge on your part.
If you use the iptables utility, do not also use the set_fwlevel command: the command may override the configuration you have set with the utility.
Overview of the iptables Command-Line Utility
The iptables command-line utility (and its generic table structure) enables knowledgeable administrators to configure your account with a packet filtering rule set. The utility is developed, distributed, and maintained by the Netfilter Core Team (http://www.netfilter.org) and is distributed under the terms of the GNU General Public License (GNU GPL).
Overview of the set_fwlevel Command
Your account provides a set of preset firewall security settings that establish an appropriate level of firewall security and specify the services, ports, and protocols those settings apply to. The set_fwlevel command and its supported arguments let you perform these tasks without extensive knowledge of the iptables command-line utility. Its preset security settings let you build a Red Hat Enterprise Linux (RHEL)-compatible firewall without knowing the packet filtering rule language. The command is a customized one that is unique to Linux VPS.
The set_fwlevel command lets you choose which of the preset security settings to apply to your account. Its syntax, as enabled for your account, is:
set_fwlevel level [serverType]
set_fwlevel 0|1|2|3 [m|w]
File Locations
The following table describes the rules files and gives their locations.
| Description | Location |
|---|---|
| The set_fwlevel command, which applies a preset security level. | /usr/local/sbin/set_fwlevel |
| Backup of the rules currently loaded, taken when you issue set_fwlevel. | /root/.iptables/iptablesBK |
| Location from which the previously stored rules information is moved when you issue set_fwlevel. | /etc/sysconfig/iptables |
| Location to which that rules information is moved. | /etc/sysconfig/iptables.bk |
Services Affected By Your Firewall Security Settings
One of the preset firewall security settings applies no firewall rules to the services processed by your account. The other settings do apply firewall rules; for those, the setting you choose determines which of the following services are allowed or disallowed:
- Domain name server (DNS) client
- Hypertext Transfer Protocol (HTTP)
- Internet Message Access Protocol (IMAP)
- Network Time Protocol (NTP) client
- Outbound Auth (or identd)
- Post Office Protocol, version three (POP3)
- Secure Shell (SSH)
- Secure Socket Layer (SSL)-enabled File Transfer Protocol (FTP-S)
- Simple Mail Transfer Protocol (SMTP)
- SSL-enabled HTTP (HTTP-S)
- SSL-enabled IMAP (IMAP-S)
- SSL-enabled POP3 (POP3-S)
- SSL-enabled SMTP (SMTP-S)
- SSL-enabled Telnet (Telnet-S)
- Web cache
Protocols Affected by Your Firewall Security Settings
Your firewall security settings affect the following protocols:
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
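After applying a preset level, an administrator will want to verify which of the services and protocols listed above the saved rules actually permit. The following audit script is an added example, not part of this document or of the set_fwlevel command: it parses a rules file in iptables-save format (a constructed sample stands in for /etc/sysconfig/iptables) and reports the verdict for each listed service. The port numbers and the INPUT/OUTPUT chain assignments are assumptions; the page names the services but not their ports.

```python
import re

# Constructed sample in iptables-save format (not taken from the page); it
# stands in for /etc/sysconfig/iptables after a preset level has been applied.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 113 -j ACCEPT
COMMIT
"""

# (chain, protocol, port) per listed service. Ports are assumed IANA defaults.
# Server-side services are checked on INPUT, client-side ones on OUTPUT.
SERVICES = {
    "SSH": ("INPUT", "tcp", 22), "HTTP": ("INPUT", "tcp", 80),
    "HTTP-S": ("INPUT", "tcp", 443), "SMTP": ("INPUT", "tcp", 25),
    "SMTP-S": ("INPUT", "tcp", 465), "POP3": ("INPUT", "tcp", 110),
    "POP3-S": ("INPUT", "tcp", 995), "IMAP": ("INPUT", "tcp", 143),
    "IMAP-S": ("INPUT", "tcp", 993), "FTP-S": ("INPUT", "tcp", 990),
    "Telnet-S": ("INPUT", "tcp", 992), "Web cache": ("INPUT", "tcp", 3128),
    "DNS client": ("OUTPUT", "udp", 53), "NTP client": ("OUTPUT", "udp", 123),
    "Outbound Auth": ("OUTPUT", "tcp", 113),
}

POLICY_RE = re.compile(r"^:(INPUT|OUTPUT|FORWARD) (ACCEPT|DROP)")
RULE_RE = re.compile(r"^-A (INPUT|OUTPUT) .*?-p (tcp|udp) .*?--dport (\d+) .*?-j (ACCEPT|DROP|REJECT)")

def parse_rules(text):
    """Return ({chain: default policy}, [(chain, proto, port, target), ...]).
    Only single-port rules are modelled; source and state matches on a rule
    are ignored, so the verdicts are an approximation, not a proof."""
    policies, rules = {}, []
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policies[m[1]] = m[2]
        elif m := RULE_RE.match(line):
            rules.append((m[1], m[2], int(m[3]), m[4]))
    return policies, rules

def audit(text, services=SERVICES):
    """First matching port rule wins (iptables evaluates in order); otherwise
    the chain's default policy decides."""
    policies, rules = parse_rules(text)
    return {name: next((t for c, p, d, t in rules if (c, p, d) == key),
                       policies.get(key[0], "ACCEPT"))
            for name, key in services.items()}
```

Run it against the real file with `audit(open("/etc/sysconfig/iptables").read())` and compare the verdicts with what the chosen level was expected to allow.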