User guide
Other services like finger and rwhod reveal information about users of the system.
Examples of inherently insecure services include rlogin, rsh, telnet, and vsftpd.
All remote login and shell programs (rlogin, rsh, and telnet) should be avoided in favor of SSH.
Refer to Section 2.1.7, “Security Enhanced Communication Tools” for more information about sshd.
FTP is not as inherently dangerous to the security of the system as remote shells, but FTP servers
must be carefully configured and monitored to avoid problems. Refer to Section 2.2.6, “Securing FTP”
for more information about securing FTP servers.
Services that should be carefully implemented and placed behind a firewall include:
• finger
• authd (called identd in previous Red Hat Enterprise Linux releases)
• netdump
• netdump-server
• nfs
• rwhod
• sendmail
• smb (Samba)
• yppasswdd
• ypserv
• ypxfrd
More information on securing network services is available in Section 2.2, “Server Security”.
The next section discusses tools available to set up a simple firewall.
2.1.6. Personal Firewalls
After the necessary network services are configured, it is important to implement a firewall.
Important
You should configure the necessary services and implement a firewall before connecting to the
Internet or any other network that you do not trust.
Firewalls prevent network packets from accessing the system's network interface. If a request is made
to a port that is blocked by a firewall, the request is ignored. If a service is listening on one of these
blocked ports, it does not receive the packets and is effectively disabled. For this reason, care should
be taken when configuring a firewall to block access to ports not in use, while not blocking access to
ports used by configured services.
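One way to check a host against the rule above, as an added example that is not part of the original guide: a shell function that compares the listening sockets with the ports a firewall allows. The allowed-port list and the sample socket table are constructed for illustration; on a live host the input would come from `ss -H -tuln`.

```shell
#!/bin/sh
# audit_listeners "proto/port ..." < listening-socket table
# Argument: what the firewall lets in, e.g. "tcp/22 tcp/80" (hypothetical policy).
# stdin: `ss -H -tuln` output; with both -t and -u the columns are
#        Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) allow[a[i]] = 1
        # Remote login services the guide says to avoid in favor of SSH,
        # keyed by their standard ports.
        legacy["tcp/23"] = "telnet"
        legacy["tcp/513"] = "rlogin"
        legacy["tcp/514"] = "rsh"
    }
    NF < 5 { next }
    {
        laddr = $5
        port = laddr
        sub(/.*:/, "", port)                  # keep text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        # Loopback-only listeners are not reachable from the network.
        if (addr ~ /^127\./ || addr == "[::1]") next
        key = $1 "/" port
        seen[key] = 1
        if (key in legacy) print "INSECURE " key " " legacy[key]
        # Listening but not allowed: the firewall ignores its packets.
        if (!(key in allow)) print "BLOCKED " key
    }
    END {
        # Allowed but nothing listening: a port not in use is left open.
        for (k in allow) if (!(k in seen)) print "UNUSED " k
    }' | sort -u
}

# Constructed sample input (not captured from a real host).
sample_ss() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp LISTEN 0 128 [::]:22      [::]:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 5   0.0.0.0:23   0.0.0.0:*
tcp LISTEN 0 64  0.0.0.0:2049 0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:513  0.0.0.0:*
EOF
}

sample_ss | audit_listeners "tcp/22 tcp/23 tcp/80"
```

A BLOCKED line is either a service that should be stopped or a firewall rule that is missing; an UNUSED line is a rule that can be removed.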
For most users, the best tool for configuring a simple firewall is the graphical firewall configuration
tool which ships with Red Hat Enterprise Linux: the Firewall Configuration Tool (system-config-