lokkit is the firewall tool that comes with the installation GUI. You can start it from the shell by typing:
bash# lokkit
You can also start it from the setup menu mentioned in Chapter 7 by typing:
bash# setup
After lokkit you have firewall-config. This one must be run from a GUI. That is the biggest drawback from this utility. If you are in X you can start this command from a terminal window by typing:
bash# firewall-config
The last and most powerful program is emacs (or vi). You can edit and create your own firewall rules by typing:
bash# emacs /etc/sysconfig/ipchains
In this emacs session you can custom create your own firewall rules. Here are some example rules:
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 111:111 -p 6 -j REJECT -l -A input -s 0.0.0.0/0 -d 0.0.0.0/0 67:69 -i eth0 -p 17 -j DENY -A forward -s 10.0.0.0/8 -d 0.0.0.0/0 -j MASQ
In the above examples the -A input tells where the packet came from and what it is doing. -s is the source ip/mask. -d is the destination ip/mask. 111:111 is a port range. -i eth0 refers to the network interface. -p refers to the protocal. Protocols are listed in the /etc/protocol file. -j DENY is the action that the rule is to take.
The first rule tells all computers that try to connect to tcp port 111 that the port is closed and logs the event. The second rule ignores all computers trying to connect to udp ports 67 to 69. The last rule forwards and masqurades all packets coming from the 10.x.x.x range to the servers own ip address and sends them on their way. In order for the third rule to work you also need to have routing enabled. This is talked about a little bit more in Chapter 10.