Saturday, 20 February 2010

Linux How to: Configure Firestarter firewall front-end (re-post)

Original Article: 17/03/08
Call me a heretic, but I happen to believe that if Tux had intended man to type, he wouldn't have given us Gnome and KDE! I don't think that disqualifies me as a hardcore Linux user, I just have better things to do than endlessly type command strings (badly). My reluctance to use a terminal applies especially to my firewall...

One of the great features included in Linux by default is the IPtables software firewall which does a good job of protecting the PC from unwanted intrusions whilst on-line. Sadly, its' command-lines are complex and even experienced Linux users can struggle to configure it. So I looked around for a friendly graphical interface as a front-end to configure the built-in IPtables/IPchains utilities for me. There are good ones around - FireHOL, Firestarter, Firewall Builder, KMyFirewall, Guarddog, Shorewall - and much debate as to which is best, but I chose Firestarter. Please remember throughout this, Firestarter is the configuration tool, NOT the firewall itself. It is only as good as the information you feed it.  

Firestarter is contained in most repositories so you can install through Synaptic Package Manager, or if you really must, by running: sudo apt-get install firestarter in a terminal.  

We're off to see the wizard...
Running System > Administration > Firestarter
for the first time launches the Set-up Wizard. Before you say 'wizards are for wimps, Linux doesn't need them,' this one is good. Although I still can't tell if the Firestarter mascot is some kind of mutant-penguin or a chicken. As Firestarter is a system administration tool, it will ask for the root password on launch. First it will detect your network devices; you select one for firewall configuration from a drop down menu. Modem users get the option to enable the firewall on dial-out. The Wizard will also want to know if you are using static or dynamic IP addresses (how your PC identifies itself to your network and the internet). If you connect to the internet through a router, it's most likely assigning your PC's network address dynamically through DCHP, unless you or your Linux buddy explicitly set up static addresses. If you leave all that to your service provider, they will be assigning DCHP addresses for you. The firewall needs to know this in order to set some base rules for internet traffic - otherwise you'll be blocked from everything!

Usefully, right-clicking the Network Manager icon in the desktop panel gives you a Connection Information pane identifying your active network device and current IP addresses, but not the address mode for static or DCHP – you need to open Network Manager itself to find this (System > Administration > Network).

Next, the Firestarter wizard asks if you want to set-up Internet Connection Sharing. If the PC you're configuring is the firewall for your entire network and your other computers connect to the Internet through this one, then you want to enable this and select the network hub or switch that device that connects them. All this kit is 'behind' the firewall and is different from the router or modem used to connect to the Internet which will be 'in front' of the firewall.

The final step is to check the “start firewall now” box and click on Save. Once you've completed the Wizard, Firestarter will launch into the main application window, which consists of three tabs: Status, Events, and Policy. The user interface has a toolbar of big shiny buttons for common tasks and a full menubar for all the operations. It's very easy. Really. It is.
Status Status shows whether your firewall is active, disabled, or locked-down and displays information about your network devices, the traffic that has passed through them (Sent/Received) and current activity. You can click on "Active connections" for a list of all currently connected machines, with the source and destination addresses, the service being used and what application invoked it. Some should be familiar names, like your e-mail , web browser and messaging client. Firestarter has three states:
  • Active: firewall is running and applying rules to all connections.
  • Stopped: firewall is turned off, so all connections are allowed through.
  • Locked: firewall will disallow all connections in and out. Useful in the event of a security breach should you need to lock the firewall and disable the network entirely.
Changing state is a simple one-click operation if you use the toggle buttons on the toolbar to Start/Stop and Lock/Unlock.  

Events The Events tab will list blocked events. Don't be alarmed at everything listed here; generally only the entries in red represent a threat as far as the firewall can tell. These are the connection attempts that are targeted at ports used by important system services. You may decide, with your superior Mark-I human brain to allow a blocked connection as safe; select the blocked connection, right-click and select Allow from the pull down menu.  

About Policy
First, some terminology: Firestarter works through policies. A policy is just a term for a set of firewall rules. You get a default policy, to which you add your individual user policy. You define various rules and conditions for inbound and outbound traffic, applied to hosts (computers) or connection ports. Firestarter provides a basic, safe and user-friendly policy by default to allow normal internet usage such as web-browsing and e-mail on the secured hosts, but blocks any attempts to access network services from the outside, shielding the local network. The default Firestarter policy is essentially:
  • Unsolicited inbound connections from the Internet to the firewall or client hosts are always blocked.
  • The firewall host is freely allowed to establish new outbound connections.
  • All client machines are allowed to establish new outbound connections to the Internet, but not to the firewall host.
  • Inbound traffic from the Internet in response to requests from the firewall or clients is allowed through the firewall.
The good (or bad) news is you can amend policies to be as simple or as complex as you want. You can also set the firewall to be permissive or restrictive (more on that later).

Create your own Policy
Firestarter policyIf you want to create new policy rules, make sure which policy (inbound or outbound) you want in the Editing selection drop-down. The Policy tab is split; the upper pane is for Hosts and the lower pane is for Services and/or Ports.

To make a new policy, right-click in the appropriate pane, then click the Add Rule button on the toolbar . For example, to enable your LAN, add the network IP addresses, something like It's entirely up to you what rules you want to enact, but best enable them one at a time so you can test things individually.

To edit an existing policy select the appropriate policy in the window, right click and select "Remove Rule" to delete the rule and "Edit rule" to modify the rule. The Edit Rule dialog box enables you to define IP addresses, domain names or network names – your choice – then pokes this information into the IPTables config files in the background when you confirm it by clicking the '+ Add' button.
Black-list or White-list
You can change the operating mode of the firewall when you select Editing > Outbound traffic. This gives you a choice of options;
  • Permissive: permit all traffic except whatever you define as black-listed in your user rules. This is the default, open-access setting.
  • Restrictive: block all traffic except whatever you define as white-listed in your user rules. This is the high-security setting for the extremely worried system administrator. Or possibly parents.
Firestarter Preferences
When you quit, all your policy rules are in effect. Your firewall will be active when you boot regardless of whether you have Firestarter open. In order to have Firestarter active in every session, you need to go to Preferences > Initial settings. On the Interface tab, check the box for 'Enable tray icon' and 'Minimize to tray on window close'. This will dock the Firestarter icon in your desktop panel and notify you to Firewall events as they happen. When Firestarter blocks a connection, the tray icon will turn red. Some other options are:  

ICMP Filtering:
ICMP stands for Internet Control Message Protocol - we knew that, right? When you set-up your network, you probably ran some tests by 'pinging' message packets to other machines on the network or on the internet to make sure you have a connection. Just like sonar in submarines. Outsiders may also be able to 'ping' your network address and confirm it is a live target. Firestarter allows you to set filters to block Echo Request (pings outbound) and Echo Reply (response to pings inbound). Disabling replies will stop your machine from responding to incoming requests, this silence effectively saying “nobody home” at your network address. I always leave open the ability to ping an outside machine as its the most basic networking test I know. Other options such as Traceroute are low risk and can be useful, so I leave them enabled.

ToS Filtering: Type of Service filtering will allow you to set which types of applications receive priority in network traffic. For example, if your computer acts as both workstation and server, you might want to set workstation processes as a priority over server processes such as HTTP from other users or applications on your network; Firestarter allows you to prioritize connections, as well; using the "throughput" option allows the most traffic through the firewall, while "reliability" reduces the transfer rate in favor of a more dependable connection.  

Further Reading
The Firestarter manual lives at Community Ubuntu Documentation,