Protecting Your Linux System with FireStarter and Storm Firewall - page 2
Using a GUI to Configure a System
Firestarter is a free software project headed by Tomas Junnonen of Finland.
Firestarter can be downloaded from the project homepage <http://firestarter.sourceforge.net/>. Binary packages weighing in at around 120KB are available, including RPMs built against GNOME 1.0 or GNOME 1.2 on Red Hat, and a Debian package that appears to have been built from the project's unstable tree. A source tarball and a source RPM (about 345KB apiece) are also available.
Successful installation from source requires a fairly full complement of GNOME 1.2's development libraries. With those libraries in place, though, the software compiled with no problems at all, and it installed itself into the GNOME menu system, where it appears under Programs/Internet.
Firestarter can be started from the GNOME menus or from an xterm. Root privileges are required to manipulate the firewall, which means either running it as root (su -c firestarter) or setting the binary setuid root. The latter is a poor trade: a setuid-root GUI binary hands every bug in the program and in its toolkit to any local user, so su (or sudo) is the safer route. The software is also designed to support PAM and should, apparently, prompt for root's password when executed by a non-privileged user, but this feature didn't work for us out of the box and we investigated no further.
Upon startup, users can select Run Firewall Wizard from the Firewall menu of the program's window. This launches a very simple installer that asks for the interface connected to the Internet, whether Firestarter should start on PPP connect, and whether the IP address is assigned via DHCP.
The wizard then asks whether IP masquerading will be used, what the machine's internal network interface is, what the address range of the internal network is, and whether any services should be exposed to the Internet. Eighteen services in all are listed on this window, from Telnet and POP to NFS and X Window.
After basic networking and services are configured, the wizard asks about ICMP filtering, offering eight different filters for ICMP message types.
Basic familiarity with your LAN and with the services you're willing to leave hanging out on the Internet is enough to have the program up and running in under a minute. It took eight clicks to go from starting the wizard to a running firewall.
Once running, there's little to do but sit back and wait for prying little fingers. We were gratified that an unknown collaborator operating on a machine somewhere in Florida gave us a quick look at Firestarter in action while we took a break: the Firewall Hits tab of the program window dutifully reported his probe for an IMAP server (TCP port 143). That, in turn, sent us to the program's Dynamic Rules tab, which allows quick adjustments to the general complexion of the firewall: adding machines that must always or never be blocked, or designating services as open or closed to the entire Internet or only to specific machines.
Despite the "live fire" exercise from our curious collaborator, we paid a visit to the Shields Up! site, where we were comforted to note that the ports it scanned were indeed shielded by the firewall, which dropped the probes into the ether without bothering to tell the port scanner. That silence is the point: a firewall that drops rather than rejects sends back neither a TCP RST nor an ICMP unreachable, so a scanner cannot tell a filtered port from a host that isn't there.
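The wizard's eight clicks boil down to a short ruleset. As an added example (not the firewall.sh that Firestarter writes, and not code from the project), here is a hand-written iptables script with the same shape as the choices above: an external interface on DHCP, an internal LAN masqueraded behind it, a list of deliberately exposed services, rate-limited ICMP echo, and a log-then-drop tail that is what Shields Up! sees as "stealthed". The interface names eth0 and eth1, the 192.168.1.0/24 subnet, exposed port 22 and the DRY_RUN switch are all assumptions for illustration; it needs a 2.4-or-later kernel with iptables and connection tracking.

```shell
#!/bin/sh
# Added example, not Firestarter's generated script. Assumptions (hypothetical):
#   EXT_IF   Internet-facing interface whose address comes from DHCP
#   INT_IF   internal LAN interface; LAN is the subnet masqueraded behind EXT_IF
#   OPEN_TCP TCP ports the wizard was told to expose to the Internet
set -e

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
OPEN_TCP="${OPEN_TCP:-22}"      # space-separated list, e.g. "22 80"
DRY_RUN="${DRY_RUN:-1}"         # 1 prints the commands; 0 applies them (needs root)

# Every rule goes through this wrapper so the ruleset can be reviewed
# before it touches the running firewall.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start clean; default-deny inbound and forwarded traffic.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The LAN is trusted; the Internet is not.
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    # DHCP on the external interface: the lease reply is a fresh UDP packet
    # from port 67 to port 68, so connection tracking will not let it in.
    ipt -A INPUT -i "$EXT_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # Services deliberately exposed to the Internet (the wizard's service list).
    for port in $OPEN_TCP; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
    done

    # ICMP filtering: answer pings, rate-limited; every other type falls
    # through to the log-and-drop tail below.
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT

    # IP masquerading for the internal network.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE

    # Log (rate-limited so a port scan cannot fill the disk), then DROP rather
    # than REJECT: no RST and no ICMP unreachable goes back to the scanner.
    ipt -A INPUT -i "$EXT_IF" -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
    ipt -A INPUT -i "$EXT_IF" -j DROP
}

# Masquerading is useless unless the kernel forwards packets at all.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

build_rules
enable_forwarding
```

Run it as-is to print the rules, then `DRY_RUN=0 sh firewall-example.sh` as root to apply them. The dropped probes show up in the kernel log with the FW-DROP: prefix, which is the same information the Firewall Hits tab displays.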
Besides the running log and the Dynamic Rules tab, there's little more to Firestarter than a green Start button and a red Stop button. Configuration options let users designate a sound to be played when packets hit the firewall, change the program's behavior at startup and exit, or designate which ports shouldn't be logged.
In addition to the GUI, Firestarter writes a reusable script (/usr/local/etc/firestarter/firewall.sh) that users can call from rc.local or link into /etc/init.d so the firewall is started at boot time. Once the program has been run a single time, the user never needs to interact with it again unless a change is desired in the firewall's basic parameters. Of the two boot options, the init.d link is the better one: rc.local runs at the very end of the boot sequence, after network daemons are already listening, whereas an init script ordered ahead of networking has the rules in place before any interface comes up.