Security

Implement Firestarter's simple desktop firewall

With high-speed Internet access becoming the norm, it's quickly becoming necessary for desktop PCs to implement firewalls. Linux has numerous means to this end and Firestarter is one of the best! Jim McIntyre gets you up to speed.


High-speed Internet connections, combined with the minimal knowledge of security that most users have, make home and small office computers using these connections easy targets for hackers. The Firestarter firewalling program, used to provide security for the desktop Internet connection, is very useful for users with little knowledge of TCP/IP security. If you’re concerned about the security of your connection, but you don’t know where to start, Firestarter may be the tool for you. In this Daily Feature, I’ll introduce you to the basics of the Firestarter application so that you can quickly implement a firewall suited for the desktop PC.

Firestarter is a GTK+/GNOME GUI used as a simple user interface to the ipchains and iptables programs used in Linux/UNIX. Some of Firestarter's features include the following:
  • Support for both ipchains (2.2 kernel) and iptables (2.4 kernel)
  • Default or user-defined rulesets
  • Support for IP masquerading
  • Default filtering of known problem ports
  • Custom logging capability

Get and install Firestarter
Once you download Firestarter, install the rpm package with this command:
rpm -ivh firesarter-0.7.1-1.rpm

If you download the g'zipped package, untar and uncompress the package with the following command:
tar -zxvf firestarter-0.7.1-1.tar.gz

Next, cd into the directory containing the uncompressed files. From this directory, run the following commands:
su root
./configure
make
make install


The most common problem with installation is that the gnome libraries on your system are not current for this release of Firestarter. If that is the case, I suggest you install the latest version of Ximian GNOME. To run the Ximian install, run the following commands, as root:
lynx -source http://go-gnome.com/ | sh

Follow the instructions from Ximian and select the packages you want to install. Once Ximian GNOME is installed, restart X and install Firestarter again.

GNOME vs. KDE
Although Firestarter is designed for the GNOME desktop, I had no problem installing and running Firestarter under KDE-2.1.1-8.

Build your firewall
You can choose to execute Firestarter from either the command prompt or from a desktop link. Either way, the command to execute is this:
firestarter

Figure A
Selecting the network device is a simple matter of point-and-click.


When Firestarter is run for the first time, you’ll be prompted for the root password for the system. Enter the root password and the next screen will be the firewall configuration wizard (see Figure A). Click Next to begin building your firewall.

Your first choice is to select the interface connecting you to the Internet. This will normally be eth0 if you use an ADSL, cable, or LAN connection. It will probably be ppp0 if you’re using a modem.

Either way, if you don't understand the selection, you can normally safely click the Next button.

The next screen will prompt you for any services your system is running. If you are unsure, click Next. The next window will inform you that Firestarter is ready to create your firewall for you. Click Finish and your firewall will be generated.

Advanced options
Users familiar with networking have more options available. In the main Firestarter window showing the Dynamic Rules and Firewall Hits tabs, select Firewall | Preferences | Advanced | Show Every Page In Wizard. Then, select Run Firewall Wizard under the Firewall tab and the following options will become available:
  • IP Masquerading: This allows all machines on the network to connect to the Internet through a single IP address.
  • Type Of Service: This is used to set priorities for commonly used network services.
  • Services Configuration: This is used to protect any services you may have running on your computer.
  • ICMP Configuration: This provides protection from denial of service (DoS) attacks.

Run Firestarter
The main Firestarter application window (see Figure B) is where Firestarter is controlled, through the Firewall Hits and Dynamic Rules tabs.

Figure B
The Firestarter application window allows you to view incoming packets or create and edit rules.


Every time your firewall stops an attempt to connect to your network, a line is added to the Firewall Hits tab. This line will contain the following information:
  • The IP address the connection was sent from
  • The type of connection attempted

Once a hit is generated, you’re able to apply dynamic rules to any specific connection. Let's look at a typical situation for applying dynamic rules.

Port scanning is often one of the first methods used to find security weaknesses on a target computer. Two typical methods used for port scanning are to send a NetBIOS or Telnet request to the target machine. If you notice this type of activity on the Firewall Hits tab, you may take the following steps:
  1. Right-click on the firewall hit entry from the machine attacking your system.
  2. Select Deny All Connections From Machine.

With these two steps, you’ve disabled any way for the computer at the selected IP address to connect with your computer.

If you later want to grant access to the machine at this IP address, use the following procedure:
  1. Select the Dynamic Rules tab.
  2. Select the Deny All Connections From rule.
  3. Select the line with the IP address you previously denied all access from.
  4. Select Remove This Rule.

The firewall will be updated automatically.

Implement stealth ports
Whenever you send an e-mail to someone, your ISP tries to send an IDENT request to your computer. This IDENT request will automatically be stopped by your firewall. However, you may want your ISP to have access to IDENT. To provide this access, while denying all other IDENT requests, use the following procedure:
  1. Right-click on the IDENT entry on the Firewall Hits tab. (This entry will only show up if you’ve been hit with such a request. In Figure B, you won’t see the IDENT request.)
  2. Select Open Service To Machine.

The ISP can now make IDENT requests to your system, but anyone else making the same request will not know the service is available on your machine. This provides security when hackers look around the Internet for machines with a security hole related to IDENT. This process of making ports available to selected hosts and unavailable to anyone else is called port stealthing.

Conclusion
Inexperienced users’ high-speed Internet connections provide easy targets for hackers. The speed of these connections make the machines connected to them very useful when hackers want to launch attacks on other networks or servers. In this article, I showed you how the Firestarter firewalling tool may be used to provide reasonable security for your desktop Internet connection, without requiring in-depth knowledge of TCP/IP security.

Editor's Picks

Free Newsletters, In your Inbox