[lug] Firewall help

D. Stimits stimits at idcomm.com
Thu Jan 31 10:43:10 MST 2002

> Dear luggers,
> I am in the unfortunate position of having a linux box with the security
> protection set on high. The box is running Red Hat 7.0 and it was
> installed with max security meaning it rejects everything - ssh,
> ftp..everything.
> This is a serious pain and I want to change it on the fly, but I am
> getting nowhere. I have tried searching for info on this problem but can't
> find anything really on the web. I've tried messing around with the
> firewall-config application, but have gotten nowhere. Seems like there
> should be an easy way to reset the security or allow specific IPs entry or
> even to allow certain programs to run like ssh and ftp.
> If you have any pointers for me on this, I would be grateful. And if there is
> a source I should check out for information on security, I am all eyes.
> Thanks in advance for any assistance. -Scott

I never use the tools, I just edit the rule files directly. The
configuration will be in /etc/sysconfig/ for firewalling. For allowing
xinetd based services, that is /etc/xinetd.d/ for individual services,
and some initial values in /etc/xinetd.conf.

For firewalling, you have to know if you are using ipchains or iptables.
As root, cd to /etc/rc.d/init.d/. Run both of these...one will have
output, the other that is not active won't (unless they are both
inactive, then neither will say anything):
  ./iptables status
  ./ipchains status

If you use ipchains, go to /etc/sysconfig/, and edit file ipchains. If
iptables is active, same directory, file iptables. Be sure to save a
backup before playing with it. If you make a change, go back to
/etc/rc.d/init.d/ and do (depending on which you use):
  ./iptables restart
  ./ipchains restart

NOTE: If you have a bad rule, and the restart is not successful, it will
not tell you under many circumstances; you only know it worked if it
explicitly tells you it worked. For ipchains, a good test is
"/sbin/ipchains -L -n", and if it shows rules, it is active.

None of which of course helps you with specific rules. But if you
experiment with that, and then come up with a specific service you can
use as an example, you can ask about how to work with that particular
one, using ipchains or iptables (specify which).

Now as far as xinetd services, you'll see one file for each service it
works with (xinetd does NOT control ALL network services; some, like
sshd, do things without xinetd). If a file has a "disable" line in it,
check to see whether it says "yes" or "no". You can restart after any edits
there, cd to /etc/rc.d/init.d/, and run "./xinetd restart".

To some extent, services at various runlevels might be useful to view as
a summary, especially xinetd. To do that, run "/sbin/chkconfig --list".

D. Stimits, stimits at idcomm.com

> ------------------------------------------------------------------------------
> Scott T. Kelley, Ph.D.                  E-mail: Scott.Kelley at Colorado.edu
> Dept. MCD Biology                       Phone : 303-735-1808
> Campus Box 347                          Fax   : 303-492-7744
> University of Colorado
> Boulder, CO  80309-0347
> U.S.A.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
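The xinetd part of the reply above (read each service file's "disable" line, back up before editing, then restart) as an added shell example that is not from the original post. The service files and the directory are constructed samples; on a real Red Hat 7.0 box the files live in /etc/xinetd.d and a "./xinetd restart" from /etc/rc.d/init.d follows any change.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Reports and changes the
# "disable" setting of xinetd service files. Paths are parameters so the
# functions can be exercised against a constructed sample directory instead
# of the real /etc/xinetd.d.

# Print the value of the "disable" line in one service file: yes, no, or
# "unset" when the file has no such line (xinetd then treats it as enabled).
xinetd_disable_value() {
    sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([[:alpha:]]*\).*/\1/p' "$1" \
        | head -n 1 | grep . || echo unset
}

# Print "<file> <yes|no|unset>" for every service file in a directory,
# a quick way to see which services the box currently exposes via xinetd.
xinetd_status() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.bak) continue ;; esac
        printf '%s %s\n' "$(basename "$f")" "$(xinetd_disable_value "$f")"
    done
}

# Set "disable = yes|no" in a service file, copying it to <file>.bak first so
# the previous state can be restored if the edit turns out to be wrong.
xinetd_set_disable() {
    file="$1"; value="$2"
    case "$value" in
        yes|no) ;;
        *) echo "value must be yes or no" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak"
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$file.bak"; then
        # rewrite the existing line, keeping its indentation
        sed "s/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)[[:alpha:]]*/\1$value/" \
            "$file.bak" > "$file"
    else
        # no disable line: insert one before the closing brace of the block
        awk -v v="$value" '/^}/ && !done { print "        disable = " v; done = 1 } { print }' \
            "$file.bak" > "$file"
    fi
}

# Build a constructed sample directory with two service files so the functions
# above can be run without touching the real /etc/xinetd.d.
make_sample_xinetd_dir() {
    dir=$(mktemp -d)
    cat > "$dir/wu-ftpd" <<'EOF'
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        disable         = yes
}
EOF
    cat > "$dir/telnet" <<'EOF'
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        disable         = no
}
EOF
    echo "$dir"
}

# Stand-alone run: show the sample state, disable telnet, show it again.
if [ "${RUN_XINETD_DEMO:-0}" = 1 ]; then
    d=$(make_sample_xinetd_dir)
    xinetd_status "$d"
    xinetd_set_disable "$d/telnet" yes
    xinetd_status "$d"
    rm -rf "$d"
fi
```

Run it as `RUN_XINETD_DEMO=1 sh script.sh` to see the sample output; against the real directory, `xinetd_status /etc/xinetd.d` gives the same overview the reply suggests getting from "/sbin/chkconfig --list", but taken directly from the files xinetd reads.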
