Firewall Configuration

[bilyo]

Hi,
I just got pclos 2010 with kde installed and, so far, I'm pretty impressed.  I understand that to activate the firewall I just need to make sure that all items in the PCC configuration list are unchecked.  Can anyone point me to some documentation that explains the function of the various services in the list and when/why each needs to be checked or unchecked.  I'm aware that elsewhere in the PCC there is a list of services with very brief explanations.  I need something more comprehensive.
Thanks,
bilyo

[Joble]

Maybe someone can give a more comprehensive rundown but as an example:
http uses port 8080
Allowing http access will allow computers from the network (local or internet) to access port 8080 on your computer if you have an http server running.
Blocking access to port 8080 in your firewall prevents this.

Each of those services listed uses a different port which must be opened of you want to provide those services from your computer.

And.... That's about the extent of my networking/firewall knowledge at this point.

[OldJimbo]

Yep uncheck the top box (let Internet connect to everything) and you have a working firewall since IPTables is a start up item.
You are not likely to have any servers running which the Internet (people from outside) needs to connect to. You might have to check the bit-torrent box if you use it - but obviously letting anything past the firewall has its hazards.
Remember you only check boxes to let people get IN WITHOUT a request first going OUT. . The whole purpose of the firewall is watch for packets going out for certain ports - and then accept packets in which match those.

Many of us prefer Firestarter.
-You install from repository
- You start it and give some basic preferences which you save. I like to have it minimize to tray on close.
- If you like it then start PCC (Control Center) and:
1. turn off the regular firewall. IE let Internet connect to everything. Now Firestarter is doing the work.
2. In services stop IP Tables starting at boot, since Firestarter has its own tables. Make sure that Firestarter is set to load at boot.

[bilyo]

Thanks for the info.  That helps.  However, for my education, I would still like to find something comprehensive for newbies on the subject.  For instance: what is an HTTP server and when/why would I have one?  And, similar discussions for the other services.
Thanks again,
bilyo

[YouCanToo]

Thanks for the info.  That helps.  However, for my education, I would still like to find something comprehensive for newbies on the subject.  For instance: what is an HTTP server

A http server is also know as a web server. All the websites that you visit are running on http servers. This very forum is running on a http server.

and when/why would I have one?

Most normal end users really have no need for one. Most end users do things like play music, surf the web and read email. For these type of activities there is no need to have or run a http server.  On the other hand there are the users that want to experiment or perhaps want to run their own website(s) and that requires a httpd server. If you were to run a public repository, like I do, that requires the use of a web server.

FWIW the Apache web server is not installed by default in PCLinuxOS.

 And, similar discussions for the other services.
Thanks again,
bilyo

[menotu]

Have a read on this site - its pretty comprehensive but covers most aspects of a firewall

http://en.wikipedia.org/wiki/Firewall_%28computing%29

[OldJimbo]

For instance: what is an HTTP server and when/why would I have one?  And, similar discussions for the other services.

I choose to run a couple of websites. A web server must provide the information of these sites. The web server which provides this information for me is Yahoo. I couldn't run these sites from home because of throttling.
If throttling didn't exist then I would still subcontract websites. I'm sure not going to get up a few times each night to save $100/year in security.
If you need to get into your site remotely then set up an ssh key or an ssl certificate. Yes there will be 1000+ people each second trying to guess a password - far more if you have a router. No-one will guess a key or certificate.

Many of us get a cheap router and use that between the modem and computer - wired. My $38.00 Linksys has worked well for years. It's 300 days up-time, now so obviously I don't spend time on it. Anyway a person who gets the correct router can put third party firmware on it and set it up as a firewall. I'm connected to my router via cat V. cable   Of the stuff which gets by my router firewall - and is then caught by my machine Firestarter Firewall - only 2% is interesting.

A person can be power-saving and get a plug computer - or they can just get an old computer from the dump and refurbish. If a person puts their webserver/bit-torrent/FTP machine on the far side of the firewall then their actual computer is not threatened. That being so and servers on the Internet being taken over due to lack of patching - I'm not hearing anyone here saying that their PCLinuxOS computer has been taken over lately. If I ran Windows then I'd probably want a security appliance such as Astaro - and education of everyone using the box. But - a person can fire up an old box on the network and just do banking. If it's a Linux box then it will require a password- and at an hour a month it won't be more than a problem with space.

[bilyo]

Thanks all for the info.  I'll give the wikipedia link a try.
bilyo