In a recent article, we looked at manually creating a firewall with iptables, the packet-filtering framework built into the Linux 2.4 kernel. Now we're going to look at a graphical front end you can use not only for iptables but for ipchains as well. The program is called Firestarter, and it runs in both GNOME and KDE environments. Firestarter provides a clean, powerful interface for quickly building a firewall and getting it started. Let's begin by looking at how to install Firestarter. Then we'll explain how to use it to create a simple or advanced firewall to protect your Linux server.
Downloading and installing Firestarter
You can download the latest version of Firestarter in either source or binary form from its official site. Before starting your installation, you need to be aware of a few dependencies.
First of all, you need the GNOME 1.2 (or later) libraries. You will also need either ipchains (2.2 kernels) or netfilter/iptables (2.4 kernels), depending on which kernel you're running; Firestarter generates rules for whichever one the system has. The Firestarter download page includes links for downloading all of these dependencies.
Installing Firestarter from source follows the standard procedure. Once you have downloaded the latest tarball (for this article, we'll be using firestarter-0.8.2.tar.gz), extract its contents with tar -xpzf firestarter-0.8.2.tar.gz (note that the f flag must come directly before the file name). Next, change directory (cd) into the newly created firestarter-0.8.2 directory and compile and install the program with the usual ./configure, make, and (as root) make install sequence.
The default configuration directory is /etc/firestarter. Once you run Firestarter, this is where you will find the firewall script it creates, firewall.sh, which the system runs to configure the firewall at boot time. Because it is an ordinary shell script, you can copy it (along with its companion files in /etc/firestarter) to similar systems and run it independently of the Firestarter GUI. This is handy when administering multiple servers, especially ones that don't run X. Run Firestarter on one system, copy the script to the others, adjust it for each (interface names and address ranges are the usual differences), and set it up to start at boot time. Do review the script before deploying it elsewhere; a rule set written for one box's interfaces and address ranges will not fit another box without changes. Done carefully, you can configure a good firewall once and roll it out across multiple systems.
Building the firewall
To open Firestarter, start KDE or GNOME, open a terminal window, and run /usr/bin/firestarter. (If the executable isn't there, find it with locate firestarter.) There is probably also an icon for Firestarter in your GNOME menu, but its location varies from distribution to distribution. In KDE, you can create a desktop shortcut by right-clicking on the desktop, clicking Link To Application, and entering the path to the executable (e.g., /usr/bin/firestarter).
If you're not running X as root (which you shouldn't be), you'll be prompted for the root password when you open Firestarter, since it has to write to /etc/firestarter and load rules into the kernel. At your first startup, the Firestarter Firewall Wizard gives you the option of creating either a Simple or an Advanced firewall. If you're configuring a firewall to protect a single system, Simple is the way to go. But if you're using your Linux box as a gateway, the Advanced option lets you configure NAT and other important settings. Let's look at each configuration.
In the Simple dialog box, you first need to select your network device. This is your external (Internet) interface, usually eth0. There are also options for interfaces whose IP address is assigned by DHCP and for starting the firewall when a dial-up connection comes up if you are using a modem.
The next step is to decide how you want to handle ICMP packets (Figure A). Firestarter's dialog lists eight ICMP types, including the common ECHO, TRACEROUTE, REDIRECTION, and UNREACHABLE. Many popular Web sites have ICMP disabled entirely, which blunts ICMP-specific denial of service attacks such as ping floods. Be aware of the trade-off: dropping the UNREACHABLE type also discards the "fragmentation needed" messages that path MTU discovery depends on, so blocking all ICMP can make connections to hosts behind smaller-MTU links stall.
|Configure how you want to handle ICMP packets.|
Alternatively, you could create limit rules that accept only a certain number of echo requests per second. Or, if you have monitoring software that requires your box to be pingable, you could accept ICMP echo requests only from a specific IP address or set of addresses.
The next step in the Simple configuration is to pick, from a long list of common services, the ones you want to allow through the firewall (Figure B). For example, if you are running a Web server, make sure the WWW box is checked. The same goes for other services such as Telnet, SSH, and SMTP. Any service you don't check here is closed: incoming packets for it will be dropped. Open only what the box actually serves; an unchecked box is the safe default.
|Set up the services you want your firewall to allow.|
The Advanced setup starts out the same way, letting you choose your network device and how to handle ICMP and service requests. Unlike the Simple setup, however, it lets you enable Type of Service (ToS) marking. This has iptables rewrite the ToS field in the IP header of selected traffic so that routers and queueing disciplines that honor the field can prioritize it; iptables itself does not schedule packets.
With Firestarter, you can select from three classes of traffic to mark: Client Applications, Server Applications, and the X Window System. Once you have chosen the traffic to mark, you select what to optimize for: throughput, reliability, or delay. Most administrators will not need to touch these options, but if you're running into service availability problems on a congested link, ToS may help.
The next step in the Advanced option is to configure masquerading, a form of source network address translation (NAT). This is how you get your machine to act as a gateway for other computers. Masquerading lets the server forward traffic from the private, nonroutable addresses on your LAN out to the Internet under its own public address and route the replies back again. You'll need to choose the internal interface, often eth1, and your internal network range, as shown in Figure C. By default, Firestarter autodetects your internal network.
|Set up masquerading (NAT) on your firewall.|
In this dialog box, you also have the option of configuring port forwarding. If internal systems host services that must be reachable through the firewall's external, public IP address, set them up here. Click Port Forwarding, then Add Entry, fill in the Firewall Port, LAN Port, and LAN Address, and specify whether the service uses TCP or UDP. Every forwarded port exposes an internal host to the Internet, so forward only what you intend to publish.
After you have completed the wizard, your new firewall starts automatically and the main Firestarter window appears. From here, you can start and stop the firewall, configure dynamic rules, and rerun the Firestarter Firewall Wizard. One of the most useful features is the Firewall Hits window (Figure D), which shows the packets the firewall has dropped and logged, that is, the probes and scans hitting your system.
|Use the Firewall Hits window to watch for hackers.|
You can also load a list of all recent hits by clicking Hit List | Reload Entire Firewall Hit List. If you find an IP address that keeps probing different ports on your system, click the Dynamic Rules tab, right-click in the Deny All Connections From window, and click Add New Rule. Enter the address, and all traffic from it will be denied. Two caveats: the source address in a single packet can be forged, so don't treat a hit as proof of who sent it, and a blanket deny on a shared or NATed address can lock out legitimate users behind it.
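The wizard's choices (ICMP handling, allowed services, masquerading, port forwarding) and the Dynamic Rules deny-by-address all end up as iptables rules in firewall.sh. The script below is an added example written for this article, not Firestarter's generated output; it shows what a 2.4-kernel gateway configured that way looks like in plain iptables. The interface names, the 192.168.1.0/24 LAN, the monitoring host 203.0.113.10, the open ports, and the forward to 192.168.1.20 are all constructed assumptions. Run it with the argument show to print the rules without touching the kernel, start (as root) to apply them, or block followed by an address to add a dynamic deny.

```shell
#!/bin/sh
# Added example: a Firestarter-style firewall.sh for a Linux 2.4 gateway,
# written to show the iptables rules behind the wizard's choices. It is
# not Firestarter's own output. Every value below is an assumption:
# eth0 faces the Internet, eth1 serves 192.168.1.0/24, host 203.0.113.10
# is the monitoring station allowed to ping, SSH and WWW are open
# externally, and external port 80 is forwarded to LAN host 192.168.1.20.

IPT="${IPT:-iptables}"              # set IPT=echo to print rules instead of applying them
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
INTNET="${INTNET:-192.168.1.0/24}"
MONITOR_IP="${MONITOR_IP:-203.0.113.10}"
SERVICES="${SERVICES:-22 80}"                  # TCP ports accepted on EXTIF
FORWARDS="${FORWARDS:-80:192.168.1.20:80}"     # extport:lanaddr:lanport, space-separated

firewall_rules() {
    # Clean slate and a default-deny policy: anything not explicitly
    # accepted below is dropped, which is what the unchecked service boxes mean.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: a packet claiming an internal source on the external side is bogus
    $IPT -A INPUT -i "$EXTIF" -s "$INTNET" -j DROP
    # Replies to connections this host initiated
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP policy: the monitoring host may always ping; everyone else is
    # rate-limited so an echo flood cannot tie up the box; the error types
    # needed for path-MTU discovery and traceroute are still accepted.
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$MONITOR_IP" -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # Services the wizard ticked (SSH, WWW): new TCP connections to those ports only
    for port in $SERVICES; do
        $IPT -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Masquerading: LAN hosts leave through EXTIF under its public address
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port forwarding: DNAT the external port to the LAN host, then let the
    # redirected connection through FORWARD (the DNAT rule alone is not enough).
    for fw in $FORWARDS; do
        extport=${fw%%:*}
        rest=${fw#*:}
        lanaddr=${rest%%:*}
        lanport=${rest#*:}
        $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$extport" -j DNAT --to-destination "$lanaddr:$lanport"
        $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$lanaddr" --dport "$lanport" -m state --state NEW -j ACCEPT
    done

    # Log what the default-deny policy is about to drop; this kernel log is
    # what a Firewall Hits window displays. Rate-limited so the log cannot be flooded.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FIREWALL: "
}

# Equivalent of a "Deny All Connections From" dynamic rule: inserted at
# position 1 of INPUT and FORWARD so it wins over every ACCEPT rule above.
block_host() {
    $IPT -I INPUT 1 -s "$1" -j DROP
    $IPT -I FORWARD 1 -s "$1" -j DROP
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    start) firewall_rules; enable_forwarding ;;
    show)  IPT=echo firewall_rules ;;          # dry run: print the rules only
    block) block_host "$2" ;;
esac
```

The show mode is the habit worth keeping: diff its output against what the GUI wrote to /etc/firestarter/firewall.sh before you trust a rule set on a second machine.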
With support for ipchains and iptables, Firestarter offers an excellent way to get a firewall up and running with minimal effort on both Linux 2.2 and 2.4 kernels. Its clean interface and solid wizard make it suitable for both beginning and experienced administrators. Whether you're creating rules for a stand-alone box or for a complex gateway, you no longer have to write the rule sets by hand. Do still read the firewall.sh it generates, though; knowing what the rules actually do is what lets you adjust them when the wizard's defaults don't fit. Beyond that, sit back, relax, and let Firestarter do the heavy lifting.