Help with the system-config-firewall tool

Discussion in 'all things UNIX' started by Andz, Aug 21, 2013.

Thread Status:
Not open for further replies.
  1. Andz

    Andz Registered Member

    Joined:
    Jan 9, 2013
    Posts:
    75
    I am having some trouble understanding the "system-config-firewall" tool in Red Hat and CentOS. Why is HTTP disabled and SSH enabled by default in the Trusted Services category?
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Those are listening services that are blocked, not outbound communications. Your browser's HTTP requests are allowed by default, as are all other connections started by your computer. What's disallowed are connections that originate from other machines. If you have an HTTP server like Apache running, for instance, the default firewall configuration will block external access to it, so that you don't accidentally expose your desktop to remote network attacks.

    Most Linux firewall configurations do not attempt to block outbound traffic, because doing so is very inconvenient and usually not very useful. iptables isn't fine-grained enough, and anyway effective outbound control requires a mandatory access control framework such as AppArmor in order to amount to anything.
     
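    As an added example (not from the thread or from the tool itself), here is a small Python script that parses an iptables-save style ruleset of the kind system-config-firewall writes and reports what it actually restricts: which ports accept new inbound TCP connections, whether replies to connections the host started are let back in, and what the OUTPUT chain's policy is. The sample ruleset is constructed to resemble a RHEL/CentOS 6 default with only SSH ticked; function names are my own.

```python
# Added example (not from the thread): parse an iptables-save style ruleset and
# report which inbound TCP ports accept NEW connections, versus the OUTPUT policy.
import re

# Constructed sample modelled on what system-config-firewall writes for a
# RHEL/CentOS 6 host with only "SSH" ticked under Trusted Services.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def chain_policy(rules, chain):
    """Return the default policy of a built-in chain (e.g. 'ACCEPT')."""
    m = re.search(r"^:%s (\w+)" % chain, rules, re.M)
    return m.group(1) if m else None

def inbound_tcp_ports(rules):
    """Ports on which INPUT accepts NEW TCP connections, in rule order,
    stopping at the first unconditional REJECT/DROP (later rules never match)."""
    ports = []
    for line in rules.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        m = re.search(r"--dport (\d+) -j ACCEPT", line)
        if m and "-p tcp" in line:
            ports.append(int(m.group(1)))
        elif re.fullmatch(r"-A INPUT -j (REJECT|DROP)( .*)?", line):
            break
    return ports

def allows_return_traffic(rules):
    """True if established/related packets are accepted, so replies to
    connections the host itself started (browser HTTP, etc.) get in."""
    return any(line.startswith("-A INPUT") and "ESTABLISHED" in line
               and line.endswith("-j ACCEPT") for line in rules.splitlines())

def summarize(rules):
    return {"outbound_policy": chain_policy(rules, "OUTPUT"),
            "inbound_new_tcp_ports": inbound_tcp_ports(rules),
            "return_traffic_allowed": allows_return_traffic(rules)}

if __name__ == "__main__":
    print(summarize(SAMPLE_RULES))
```

On a live host the same functions can be fed the output of `iptables-save` to check that nothing beyond the intended services is reachable from outside.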
  3. Andz

    Andz Registered Member

    Joined:
    Jan 9, 2013
    Posts:
    75
    Do you recommend trying AppArmor?
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Not really; on a desktop I don't think it's time well spent. Setting up sane restrictions for desktop programs is difficult, and the returns are not very good.

    My recommendations are as follows:

    - Firewall: leave it on, there's no reason not to. Most distros don't ship with open ports by default, but iptables provides some assurance against a badly configured application opening up a port.

    - Browser: if you use Firefox, install Noscript. If you're using Chrome, or any other browser, enable click-to-play. Even if you're using Firefox and don't want to install Noscript, you really should enable click-to-play for plugins, so that Java and Flash content don't run automatically on untrusted sites.

    - General precautions: like on Windows. Think twice about opening or installing anything from a source you've never heard of, about plugging in USB sticks of dubious heritage, etc.

    For normal use there's not much else to do; Linux is more or less as secure as Windows 7 by default, and much less frequently targeted by ITW malware.

    If you feel paranoid though, you could also install a GrSecurity or PaX hardened kernel. This requires much less configuration than AppArmor, and has more stopping power for the effort involved when dealing with memory exploits. (AppArmor contains the effects of exploits, PaX and GrSecurity prevent them from succeeding in the first place.)

    Note however that no major distro ships PaX or GrSec kernels, so you'd have to patch and compile your own. That's not terribly hard, but it is time consuming.

    Also note that memory protection features are not a panacea, as they do nothing at all to prevent exploits stemming from flaws in program logic. Many Java exploits are (IIRC) in this category, and Java exploits are (IIRC) the most common group of online exploits by some margin.
     