A firewall sits between the system and the network and determines which resources on the system can be accessed from the network. A correctly configured firewall can considerably improve the security of a newly installed system.
Select an appropriate security level for your system.
No firewall — No firewall gives full access to services and performs no security checks that disable access to specific services. This choice is recommended only if the machine runs on a network you can trust (not the Internet) or if you plan to perform a more detailed firewall configuration later.
Enable firewall — If you choose Enable firewall, your system does not accept connections that you have not explicitly defined (other than the default settings). By default, only connections in response to outbound requests, such as DNS replies or DHCP requests, are allowed. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
If you are connecting your system to the Internet but do not plan to run a server, this is the safest choice.
Next, select which services, if any, should be allowed to pass through the firewall.
If this option is enabled, the specified services are allowed through the firewall. Note that these services may not be installed on the system by default. Enable every option you will need.
WWW (HTTP) — The HTTP protocol is used by Apache (and by other Web servers) to serve webpages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or for developing webpages. You must install the httpd package if you want to serve webpages.
Enabling WWW (HTTP) does not open a port for HTTPS. To enable HTTPS, specify it in the Other ports field.
FTP — The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, enable this option. You must install the vsftpd package for this option to be useful.
SSH — Secure SHell (SSH) is a suite of tools for logging into and executing commands on a remote machine. If you plan to use SSH tools to access your machine through a firewall, enable this option. You need to have the openssh-server package installed in order to access your machine remotely using SSH tools.
Telnet — Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. If you do want to allow inbound Telnet access, you must install the telnet-server package.
Mail (SMTP) — If you want to allow incoming mail delivery through the firewall so that other systems can connect to this machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP using POP3 or IMAP, or if a tool such as fetchmail is used to retrieve it. A misconfigured SMTP server can let other systems use this machine to send spam.
You can allow access to ports which are not listed here, by listing them in the Other ports field. Use the following format: port:protocol. For example, if you want to allow IMAP access through your firewall, you can specify imap:tcp. You can also explicitly specify numeric ports; to allow UDP packets on port 1234 through the firewall, enter 1234:udp. To specify multiple ports, separate them with commas.
Finally, select any devices which should allow access to your system for all traffic from that device.
Selecting any of these trusted devices excludes them from the firewall rules. For example, if you are running a local network, but are connected to the Internet via a PPP dialup, you can check eth0 and any traffic coming from your local network is allowed. Selecting eth0 as trusted means all traffic over the Ethernet is allowed, but the ppp0 interface is still firewalled. If you want to restrict traffic on an interface, leave it unchecked.
It is not recommended to make devices that are connected to publicly accessible networks, such as the Internet, trusted devices.
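As an added example (not part of this guide or of the installer's own code), the following Python parses the port:protocol format of the Other ports field and then checks an inbound connection against the policy described above: trusted interfaces bypass the rules, and everything else must match an explicitly allowed port. Service names are resolved through the system service database with a constructed fallback table; the function names and the PortRule type are assumptions of this example.

```python
import socket
from dataclasses import dataclass

# Constructed subset of well-known service names, used only as a fallback
# when the system service database (/etc/services) cannot resolve a name.
KNOWN_SERVICES = {"http": 80, "https": 443, "ftp": 21, "ssh": 22,
                  "telnet": 23, "smtp": 25, "imap": 143, "pop3": 110}


@dataclass(frozen=True)
class PortRule:
    port: int
    protocol: str  # "tcp" or "udp"


def resolve_port(name, protocol):
    """Turn a numeric port or a service name into a port number in 1..65535."""
    if name.isdigit():
        port = int(name)
    else:
        try:
            port = socket.getservbyname(name, protocol)
        except OSError:
            if name not in KNOWN_SERVICES:
                raise ValueError(f"unknown service name: {name!r}")
            port = KNOWN_SERVICES[name]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_other_ports(field):
    """Parse 'imap:tcp, 1234:udp' into PortRule objects; reject malformed items."""
    rules = []
    for item in field.split(","):
        item = item.strip().lower()
        if not item:
            continue
        name, sep, proto = item.partition(":")
        if not sep or not name or proto not in ("tcp", "udp"):
            raise ValueError(f"expected port:protocol with tcp/udp, got {item!r}")
        rules.append(PortRule(resolve_port(name, proto), proto))
    return rules


def inbound_allowed(iface, port, protocol, rules, trusted=()):
    """Apply the policy: trusted devices bypass the firewall entirely,
    any other interface only admits new inbound connections matching a rule."""
    if iface in trusted:
        return True
    return PortRule(port, protocol) in rules
```

Note that marking an interface trusted admits every port on it, which is why the guide advises against trusting a device facing a public network.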