Copyright © 2000 Alan Cox
Copyright © 2000 Telsa Gwynne
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation License from the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Many of the names used by companies to distinguish their products and services are claimed as trademarks. Where those names appear in any GNOME documentation, and those trademarks are made aware to the members of the GNOME Documentation Project, the names have been printed in caps or initial caps.
Lokkit is an attempt to provide firewalling for the average Linux end-user. Instead of the user having to configure firewall rules, the Lokkit program asks a small number of simple questions and writes a firewall rule-set for you.
Note: Lokkit is not designed to configure arbitrary firewalls. To make it simple to understand it is designed solely to handle typical dial-up user and cable modem setups. It is not the answer to a complex firewall configuration, and it is not the equal of an expert firewall designer.
Lokkit will walk you through a set of choices for your firewall. At any stage you can go back and alter your earlier settings. At the end you can accept or reject the settings.
There are three basic configuration settings you can choose.
The high-security option blocks all incoming connections to your machine except for a few basic services which you get to select. This gives the most protection, but it will stop IRC DCC sessions completely and will prevent ICQ from working without a proxy. It will also affect FTP and RealAudio, although these can be set up to work in this mode via the preferences dialogues. It is also likely to affect Quake.
The low security mode screens only system services (including your X Window sessions and NFS) from the outside world. This will not generally interfere with other facilities such as ICQ and RealAudio.
Selecting the option to disable the firewall will do exactly what it says: it will turn the firewall off, leaving you unprotected. There may be times when you want to do this. These might include:
You want to test whether a problem is related to your firewall or not.
Your machine is no longer connected directly to the net: perhaps a newer machine is now the firewall.
Selecting this option will take you to the Activate Firewall page to confirm it. You will not be asked any other questions.
If you have other machines attached to an ethernet (for example a home LAN, other machines in the office, or your cable modem), Lokkit will notice them. For each ethernet interface it finds, you will be offered the chance to 'trust' this network. This means the firewall rules will not be applied when machines on this network are talking to your Linux server. However, your Linux server will apply the same protection to machines on this ethernet as it does to itself.
If the other machines are behind the firewall and do not talk directly to the internet then you can select Yes.
If the ethernet is for your cable modem, however, you should select No.
DHCP is the Dynamic Host Configuration Protocol, which is a way of being assigned an internet address. It is very common with cable modems. If you use this when connecting to the net (if you are not sure, ask your provider), you must select Yes when asked about it, or you will not be able to establish an internet connection.
You can refine exactly which services other people can reach on your machine by selecting Yes to the question about selecting services to enable.
The services are explained by Lokkit as you go through the choices. Currently you can select from:
Allowing incoming web (HTTP) connections is not needed for you to view pages on other machines or for you to view or edit pages on your own machine. It is only necessary if you want other people to be able to view webpages on your machine.
If email arrives straight onto your machine, you will need to enable the mail service. If email arrives on your ISP's server and you collect it over IMAP or POP3 or with a tool such as fetchmail, you do not need to enable this.
If you have secure shell -- ssh -- installed on your machine, you will want to enable this. It is possible to configure this even more tightly by creating a list of hosts which are allowed to connect to your machine via ssh. Lokkit will not do this for you, but you can find the details in the documentation for ssh: typically in either the manual page (man ssh) or in the files in the /usr/doc/ssh directory.
Until recently, few distributions shipped ssh because of export restrictions. Since the end of the year 1999, however, several distributions have begun carrying it. If you have a recent installation, you may find it is already installed. Other people will have to install the package themselves.
The telnet command is a very common tool but it does have security problems, because it is unencrypted and people can listen in to it. If you are very, very paranoid, or never log in to your home machine from outside, you may want to consider turning it off altogether, especially if you have ssh installed.
This is the final stage in Lokkit. When you select Finish, the firewall rules will be written and the firewall put into place. It is a very good idea to be at the machine, physically, just in case you want to alter them. If you have disabled remote access then you will have to be at the machine to re-run Lokkit.
Selecting Cancel will exit the program without activating your choices.
You can of course select Back to cycle back through and adjust choices you made earlier.
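The choices above (security level, trusted ethernets, DHCP and the services to leave open) boil down to a short list of packet-filter rules. The following is an added example, not Lokkit's own code, and what it emits is not what Lokkit actually writes to /etc/sysconfig/firewall; it assumes the classic ipchains syntax (the built-in input chain, -y to match the TCP packets that start a new connection, -i to match the arriving interface) and an assumed port mapping for the services and the "system services" the low setting screens. It shows why the order of the rules matters: the trusted interface is accepted before anything is denied, and in high mode only replies to connections this machine opened get back in, which is also why UDP streams such as RealAudio break there.

```python
"""Illustrative rule generator for the choices Lokkit asks about.

Added example, not Lokkit's code. Assumes ipchains syntax and the port
numbers below; it does not reproduce Lokkit's real output.
"""

# Assumed port mapping for the services the wizard lets you enable.
SERVICE_PORTS = {
    "www": [("tcp", 80)],
    "mail": [("tcp", 25)],
    "ssh": [("tcp", 22)],
    "telnet": [("tcp", 23)],
}

# Assumed "system services" that the low setting screens from the outside:
# X display :0, the portmapper and NFS.
LOW_BLOCKED = [
    ("tcp", 6000), ("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049),
]


def generate_rules(level, trusted_ifaces=(), dhcp=False, services=()):
    """Return the ipchains commands for one set of wizard answers.

    level: "high", "low" or "disabled".
    trusted_ifaces: interfaces for which you answered Yes to "trust this network".
    dhcp: True if your internet address is assigned by DHCP.
    services: names from SERVICE_PORTS to leave reachable (used in high mode;
              low mode does not block them anyway).
    """
    if level not in ("high", "low", "disabled"):
        raise ValueError("unknown security level: %r" % level)
    unknown = set(services) - set(SERVICE_PORTS)
    if unknown:
        raise ValueError("unknown services: %s" % sorted(unknown))

    rules = ["ipchains -F input"]
    if level == "disabled":
        return rules + ["ipchains -P input ACCEPT"]

    # Loopback traffic never leaves the machine; always allow it.
    rules.append("ipchains -A input -i lo -j ACCEPT")
    # A trusted ethernet is exempt from the filter entirely, so these
    # rules must come before any DENY below.
    for iface in trusted_ifaces:
        rules.append("ipchains -A input -i %s -j ACCEPT" % iface)
    if dhcp:
        # DHCP offers and acknowledgements arrive as UDP from port 67 to 68;
        # without this rule no lease can ever be obtained.
        rules.append("ipchains -A input -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT")

    if level == "high":
        for name in services:
            for proto, port in SERVICE_PORTS[name]:
                rules.append("ipchains -A input -p %s -d 0/0 %d -j ACCEPT" % (proto, port))
        # Replies to connections this machine opened: TCP packets without
        # SYN, and DNS answers coming back from port 53.
        rules.append("ipchains -A input -p tcp ! -y -j ACCEPT")
        rules.append("ipchains -A input -p udp -s 0/0 53 -j ACCEPT")
        # Everything else is dropped and logged.
        rules.append("ipchains -A input -j DENY -l")
        rules.append("ipchains -P input DENY")
    else:
        for proto, port in LOW_BLOCKED:
            rules.append("ipchains -A input -p %s -d 0/0 %d -j DENY" % (proto, port))
        rules.append("ipchains -P input ACCEPT")
    return rules


if __name__ == "__main__":
    for line in generate_rules("high", trusted_ifaces=["eth1"], dhcp=True, services=["ssh"]):
        print(line)
```

Run it with the high setting, eth1 trusted, DHCP on and only ssh enabled, and you get a ruleset where the LAN is exempt, the DHCP lease can still arrive, port 22 is open and every other new inbound connection is dropped; with the low setting only the assumed system-service ports are denied and everything else passes.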
A mail relay is a machine which lets other machines send email through it. This is not necessarily bad. You can decide which other machines to permit to do this. But it is possible to be an open mail relay which lets anyone send email through your machine. Spammers love such machines, and if you accidentally allow open relaying, sooner or later, a spammer will use your machine's facilities to forward spam mail. This is a very nasty experience.
Services exist now to check your mail setup to make sure it is not accidentally an open relay. If you have configured Lokkit so that your mail port is open, Lokkit will offer to check for relaying for you. If you select OK at the Check for relaying? dialogue box, then Lokkit will connect to a test program at the Relay Spam Stopper site. This site attempts to relay email via your machine in several different ways. It should not be able to manage this.
Lokkit will tell you what the test results were. If you are using an up-to-date distribution with all the latest package updates, you will probably be fine. If you have an old distribution, one without updated mail packages, or if you have made changes to the mail configuration, then you may not be. Lokkit is not clever enough to correct your email setup, but if the results of this test say you have an open relay, then you will almost always be able to correct this by going to your distributor's website and checking for, downloading and applying all the latest updates for whatever mail transfer agent your machine uses. It will almost certainly be exim (for Debian users, for example) or sendmail (for Red Hat users). You may also want to check for updates for any programs which are used to configure things: for example, linuxconf, or SuSE's yast.
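The relaying check comes down to a short SMTP exchange: an outside sender asks your server to accept a message for an outside recipient, and a 250 reply to RCPT TO means the server would relay it. The following is an added example of that exchange, not the Relay Spam Stopper's code nor Lokkit's; it drives the dialogue through a stand-in MTA object so it runs offline (against a real server, send() would write the command to the socket and read the reply line). The tester stops after RCPT TO and never sends DATA, so nothing is delivered even when the server is open. The addresses and domains are constructed.

```python
"""Minimal open-relay self-check (added example, not Lokkit's code).

relay_attempt() speaks just enough SMTP to learn whether a server would
accept mail from an outside sender for an outside recipient. FakeMta is a
constructed stand-in for the server so the example runs offline.
"""

# Constructed addresses: neither domain is one the tested server handles.
OUTSIDE_SENDER = "tester@relaytest.example"
OUTSIDE_RECIPIENT = "someone@elsewhere.example"


def relay_attempt(send, sender, recipient):
    """Return True if the server would accept `recipient` from `sender`.

    `send` takes one SMTP command line and returns the server's reply line.
    No DATA is sent, so nothing is delivered whatever the server does.
    """
    if not send("HELO relaytest.example").startswith("250"):
        return False
    if not send("MAIL FROM:<%s>" % sender).startswith("250"):
        return False
    accepted = send("RCPT TO:<%s>" % recipient).startswith("250")
    send("RSET")   # abandon the envelope
    send("QUIT")
    return accepted


def is_open_relay(send):
    """True when an outside sender may reach an outside recipient."""
    return relay_attempt(send, OUTSIDE_SENDER, OUTSIDE_RECIPIENT)


class FakeMta:
    """Stand-in mail server: accepts mail for its own domains and, only
    when open_relay is True, for anyone else as well."""

    def __init__(self, local_domains, open_relay=False):
        self.local_domains = set(local_domains)
        self.open_relay = open_relay

    def send(self, line):
        # The verb is the first word before any ':' ("MAIL FROM:<..>" -> MAIL).
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "HELO":
            return "250 mta.example.org"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            domain = line.split("@", 1)[1].rstrip(">")
            if self.open_relay or domain in self.local_domains:
                return "250 OK"
            return "550 Relaying denied"
        if verb == "RSET":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unknown command"


if __name__ == "__main__":
    for flag in (False, True):
        mta = FakeMta(["example.org"], open_relay=flag)
        print("open_relay=%s -> is_open_relay=%s" % (flag, is_open_relay(mta.send)))
```

Note that a server accepting mail for its own domain from an outside sender is normal delivery, not relaying; only a 250 for a recipient the server is not responsible for counts as an open relay.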
All security is a trade-off. The more secure your machine is, the more inconvenient some things become. Applying extremely strict rules with Lokkit will mean that you need to learn new ways to do some things. The most commonly-used applications which are affected are listed here:
FTP has two modes of operation, one of which is firewall-friendly. Modern FTP clients tend to support the friendly mode (really called passive mode).
Netscape automatically uses passive mode for FTP.
The command-line ftp client will use passive mode if run as pftp rather than ftp.
The ncftp client will use it when run as ncftp followed by set passive yes at the prompt. (The ncftpget command for getting just one file can be started in passive mode as ncftpget -F.)
The GNOME ftp client, gftp, will use passive mode. Start it via Programs->Internet->gFTP. Passive mode will probably be enabled by default, but you can check by selecting FTP->Options. There will be a checkbox for Passive file transfers. You want this to be checked.
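The difference between the two FTP modes is who opens the data connection. In active mode the client sends a PORT command and the server connects back to the client, an inbound connection that the high setting drops; in passive mode the server's 227 reply tells the client where to connect out to, which the firewall allows. The following is an added example, not part of the manual or of any of the clients named above, that parses the PASV reply and builds the PORT command so the two directions are visible; the sample reply and addresses are constructed. It also includes the check cautious clients make: if the address in the 227 reply is not the server you are already talking to, use the control connection's address instead.

```python
import re

# Constructed sample reply; in a real session it comes from the FTP server.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,19,137)"

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply, control_host):
    """Parse a PASV reply and return the (host, port) the client connects OUT to.

    control_host is the server's address on the control connection. If the
    advertised address differs from it, control_host is used instead, as
    cautious clients do, so the data connection only ever goes to the server
    you are already talking to.
    """
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in PASV reply: %r" % reply)
    advertised = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2          # high byte, low byte
    host = advertised if advertised == control_host else control_host
    return host, port


def build_port_command(client_host, client_port):
    """Active mode: the PORT command asks the server to connect back to the
    client. That inbound connection is exactly what a strict firewall blocks,
    which is why active-mode transfers hang behind the high setting."""
    octets = client_host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % client_host)
    if not 0 < client_port < 65536:
        raise ValueError("bad port: %r" % client_port)
    return "PORT %s,%d,%d" % (",".join(octets), client_port // 256, client_port % 256)


if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY, "192.0.2.10")
    print("passive: client connects out to %s:%d" % (host, port))
    print("active: client sends %r and waits for the server to connect in"
          % build_port_command("192.0.2.55", 1040))
```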
Realaudio and RealPlayer default to using UDP which is hard to firewall. For RealPlayer, you can change it to TCP, which passes firewalls, by following the directions at real.com's Knowledge Base. Essentially, you want to change all mentions of "stream type" from "UDP" to "TCP" in the Preferences dialogue box.
When using IRC clients, you will be unable to make DCC connections. There is no way around this.
Networked Quake will also be affected. There are workarounds for this but they are complicated. The author does not play Quake so would appreciate suggestions on this which are simpler than the Linux IP-Masq-HOWTO document.
You cannot compare "before" and "after" rules with Lokkit. Lokkit writes the rules to a file it calls /etc/sysconfig/firewall. The format of the file may vary with OS (if it migrates :)). Any later non-Red Hat versions may well put this file in a different place: if you are using Debian, for example, you will need to hunt about for the file.
You need Red Hat Linux or a Linux distribution which uses Red Hat-style init files or a distribution using Debian init files.
You need to have a Linux kernel with IPFW or IPChains enabled: this is default for most distributions and will (probably) only affect people who roll their own kernels.
In theory, a non-Linux port should just require adding a new writer module for your OS, provided that it has vaguely sane firewall facilities.
Apparently the lack of Quake is a Very Serious Bug!
GNOME Lokkit was written by Alan Cox (<alan@redhat.com>). Please send all comments, suggestions, improvements and bug reports to him at that address and not to the GNOME bug-tracker.
This manual was written by Alan Cox (<alan@redhat.com>) and Telsa Gwynne (<telsa@linuxchix.org>). Please send all comments and suggestions regarding it to the authors at the addresses above, or to the GNOME Documentation Project by emailing <docs@gnome.org>.