A firewall sits between your computer and the network, and determines which resources on your computer remote users on the network are able to access. A properly configured firewall can greatly increase the out-of-the-box security of your system.
Choose the appropriate security level for your system.
High Security - By choosing High Security, your system will not accept connections that are not explicitly defined by you. By default, only the following connections are allowed:
DNS replies
DHCP - so any network interfaces that use DHCP can be properly configured.
Choosing High Security will not allow the following:
Active mode FTP (Passive mode FTP, used by default in most clients, should work fine.)
IRC DCC file transfers
RealAudio(tm)
Remote X Window System clients
If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice. If additional services are needed, you can choose Customize to allow specific services through the firewall.
Medium Security - Choosing Medium Security will not allow remote systems to access certain resources on your system. By default, access to the following resources is not allowed:
Ports lower than 1023 - these are the standard reserved ports, used by most system services, such as FTP, SSH, telnet, and HTTP.
NFS server port (2049)
The local X Window System display for remote X clients
The X Font server port (This is disabled by default in the font server.)
If you want to allow resources such as RealAudio(tm), while still blocking access to normal system services, choose Medium Security. You can choose Customize to allow specific services through the firewall.
No Firewall - No firewall allows complete access and does no security checking. It is recommended that this only be selected if you are running on a trusted network (not the Internet), or if you plan to do more detailed firewall configuration later.
Unless you plan to customize your firewall, make sure Use default firewall rules is selected.
Choose Customize to add trusted devices or to allow additional incoming interfaces.
Trusted Devices - Checking this for a device allows all traffic coming from that device through the firewall.
It is not recommended to enable this for devices that are connected to public networks, such as the Internet.
Allow Incoming - Enabling these options allows the specified services to pass through the firewall. Note that during a workstation-class installation, the majority of these services are not present on the system.
WWW (HTTP) - HTTP is the protocol used by Apache to serve Web pages. If you plan on making your Web server publicly available, enable this option.
FTP - FTP is a protocol used for remote file transfer. If you plan on making your FTP server publicly available, enable this option.
SSH - Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications.
DHCP - This allows DHCP queries and replies, and allows any network interfaces that use DHCP to determine their IP address. DHCP is normally enabled.
Mail (SMTP) - This allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. Do not enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
Telnet - Telnet is a protocol for logging into remote machines. It is unencrypted, and provides little security from network snooping attacks.
Other ports - You can specify that other ports not listed here be allowed through the firewall. The format to use is 'port:protocol' (for example, nfs:udp for a single port or nfs:udp,gopher:tcp for multiple ports).
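As an added example (not part of the installer's help text), the following Python 3 code parses and validates an "Other ports" string in the 'port:protocol' format described above, resolving service names through /etc/services and rejecting malformed entries so that a typo cannot silently open the wrong port; the small fallback table of service names is constructed here so the example runs where /etc/services is absent.

```python
import socket

# Constructed fallback table for the service names used in the examples above,
# so resolution works even on systems without /etc/services (nfs 2049, gopher 70).
FALLBACK_SERVICES = {("nfs", "udp"): 2049, ("gopher", "tcp"): 70}
VALID_PROTOCOLS = ("tcp", "udp")


def resolve_port(name, proto):
    """Turn a numeric string or a service name into a port number."""
    if name.isdigit():
        port = int(name)
    elif (name, proto) in FALLBACK_SERVICES:
        port = FALLBACK_SERVICES[(name, proto)]
    else:
        try:
            port = socket.getservbyname(name, proto)  # consults /etc/services
        except OSError:
            raise ValueError("unknown service %r for protocol %s" % (name, proto))
    if not 1 <= port <= 65535:
        raise ValueError("port %d is out of range" % port)
    return port


def parse_other_ports(spec):
    """Parse 'port:protocol[,port:protocol...]' into sorted unique (port, proto) pairs.

    Every entry must contain exactly one colon and a tcp/udp protocol;
    anything else raises ValueError instead of being ignored.
    """
    allowed = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:  # tolerate a trailing comma or doubled separator
            continue
        if entry.count(":") != 1:
            raise ValueError("entry %r is not in port:protocol form" % entry)
        name, proto = (part.strip().lower() for part in entry.split(":"))
        if proto not in VALID_PROTOCOLS:
            raise ValueError("protocol must be tcp or udp in %r" % entry)
        allowed.add((resolve_port(name, proto), proto))
    return sorted(allowed)


def reserved_entries(pairs):
    """Entries in the standard reserved range (0-1023) that Medium Security blocks by default."""
    return [(port, proto) for port, proto in pairs if port < 1024]
```

Running parse_other_ports("nfs:udp,gopher:tcp") yields the two resolved pairs, and reserved_entries shows which of them fall into the reserved range that the Medium Security level would otherwise block.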