Firestarter will now be listed in the ''System->Administration'' desktop menu. To launch Firestarter select this menu option. The first time Firestarter is run it will ask a number of questions about your network environment. Click ''Forward'' on the first introductory screen to display the following screen:
[[Image:ubuntu_linux_firestarter_setup1.jpg|Ubuntu Linux Firestarter Main Screen]]
Select the device on which you wish to have the firewall operate. If you are connected to a network this is likely to be eth0. If you are connected directly to a cable or DSL modem this may be ppp. If your system obtains an IP address from a DHCP server check this option. Click ''Forward'' when you are ready to move to the next screen:
[[Image:ubuntu_linux_firestarter_setup2.jpg|Ubuntu Linux Firestarter Internet Connection Sharing]]
This page controls whether Internet Connection Sharing is to be used. Firestarter allows you to configure a single Linux system as the gateway to the internet. All other computers on your network then access the internet through the gateway system. The computers that access the internet through the gateway system will appear, to the outside world, to have the same IP address as the gateway system. This is essentially a mechanism for sharing a single internet connection amongst a network of multiple computers. Note that this configuration requires that you have two network cards installed in the system - one for the internet connection and another for the local area network.
The following screenshot shows the Firestarter user interface:
[[Image:ubuntu_linux_firestarter_main.jpg|Ubuntu Linux Firestarter Main Screen]]
=== The Firestarter Status Screen ===
In the above example it appears that two serious events have been detected by the firewall. To learn more about these events select the ''Events'' tab to show the list of events:
[[Image:ubuntu_linux_firestarter_events.jpg|Ubuntu Linux Firestarter Events Screen]]
In the above example we see some attempts by the systems at IP addresses 192.168.2.13 and 192.168.2.13 to connect to our system. Because these are Samba messages we can assume that they are safe. Samba is a system which allows Windows systems to access Linux filesystems and other resources over a network connection. Upon investigation it turns out that both of these IP addresses are assigned to Windows XP systems on the local network. Clearly these systems send out a message every now and then to see if there are any new network resources to add to their lists.
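The reasoning above (Samba browse traffic from machines on the local subnet is expected, anything else on those ports deserves a look) can be turned into a small triage check. The following Python script is an added example and not part of Firestarter or of this chapter; the event lines are constructed in a simplified "time source destination port protocol" layout, not Firestarter's own event-list format, and the local subnet 192.168.2.0/24 is assumed from the addresses in the text.

```python
import ipaddress
from dataclasses import dataclass

# Ports used by Windows file and printer sharing: NetBIOS name, datagram and
# session services (137-139) and direct-hosted SMB (445).
SAMBA_PORTS = {137, 138, 139, 445}


@dataclass
class Event:
    time: str
    src: str
    dst: str
    port: int
    proto: str


# Constructed sample events in a simplified "time src dst port proto" layout;
# this is not Firestarter's own event-list format.
SAMPLE_EVENTS = [
    "10:01:05 192.168.2.13 192.168.2.5 137 UDP",
    "10:01:07 192.168.2.13 192.168.2.5 138 UDP",
    "10:02:11 203.0.113.9 192.168.2.5 22 TCP",
    "10:03:40 192.168.2.20 192.168.2.5 445 TCP",
]


def parse_event(line):
    """Split one constructed event line into an Event."""
    time, src, dst, port, proto = line.split()
    return Event(time, src, dst, int(port), proto)


def triage(event, lan):
    """Classify a blocked inbound event relative to the local subnet."""
    src = ipaddress.ip_address(event.src)
    if event.port in SAMBA_PORTS:
        # Browse announcements from LAN hosts are the expected Windows chatter
        # described in the text; SMB from outside the LAN deserves a closer look.
        return "expected-lan-browse" if src in lan else "smb-from-outside-lan"
    return "review"


def triage_all(lines, lan_cidr="192.168.2.0/24"):
    """Return (source, port, verdict) for each event line."""
    lan = ipaddress.ip_network(lan_cidr)
    results = []
    for line in lines:
        ev = parse_event(line)
        results.append((ev.src, ev.port, triage(ev, lan)))
    return results


if __name__ == "__main__":
    for src, port, verdict in triage_all(SAMPLE_EVENTS):
        print(f"{src:>15} port {port:<4} {verdict}")
```

The point of the subnet check is that "it is Samba" alone is not a reason to dismiss an event: the same ports arriving from outside the local network are exactly the traffic a firewall on a DSL or cable connection is there to drop.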
The Policy screen lists any policy rules which have been set up on the firewall. By default the screen appears as follows (with no rules defined). In the next section of this chapter we will look at defining firewall security policy.
[[Image:ubuntu_linux_firestarter_policy.jpg|Ubuntu Linux Firestarter Policy Screen]]
== Defining Firewall Policies ==
We will begin by looking at inbound traffic policy. With ''Inbound policy'' selected we can specify the hosts from which we will allow inbound connections. To do so, click in the ''Allow connections from host'' area of the screen so that the ''Add Rule'' toolbar button activates. Click on the ''Add Rule'' button to invoke the ''Add new inbound rule'' dialog as shown below:
[[Image:ubuntu_linux_firestarter_add_inbound_rule.jpg|Ubuntu Linux Firestarter Add Inbound Rule]]
Enter the host name or IP address of the host for which you wish to enable connections and an optional comment and click the ''Add'' button to add the rule. The IP address or host name will now be listed in the Policy screen. Click on the ''Apply Policy'' button located in the toolbar to make this policy active.
To define Policy for services click in the ''Allow service'' area of the Policy screen and click the ''Add Rule'' toolbar button to access the add rule dialog:
[[Image:ubuntu_linux_firestarter_add_inbound_service.jpg|Ubuntu Linux Firestarter Add inbound Service]]
Select the name of the service you wish to enable (for example, if you plan to host a web site on your system you will select HTTP). Once selected, Firestarter will fill in the port number automatically. Finally choose to allow access for everyone, or just from specific hosts. If using Internet Connection Sharing you may also allow service access for the client systems sharing the internet connection. Click the ''Add'' button to close the Add dialog and click on ''Apply Policy'' to activate the new rule.
Connections to a specific host may be prevented by selecting ''Permissive by default'', clicking in the ''Deny connections to host'' area of the screen and pressing the ''Add Rule'' toolbar button. The ''Add new outbound rule'' dialog will appear as follows:
[[Image:ubuntu_linux_firestarter_add_outbound_rule.jpg|Ubuntu Linux Firestarter Add outbound rule]]
Enter any IP address, hostname or URL you wish to block. For example enter ''http://www.cnn.com''. Add the rule and click on ''Apply Policy'' in the toolbar. Once the policy is applied start a web browser and try to access the CNN web site. You will find access is blocked. Remove the rule and re-apply policy and you will find you are once again able to access the CNN web site.
Firestarter also allows outbound connections to be controlled on a per-service and per-source basis. For example, to block connections to all external services select ''Restrictive by default'' and click on ''Apply Policy''. Any attempt to access a web site using a web browser will result in a connection failure. To allow HTTP connections click in the ''Allow service'' section of the Policy screen and click on ''Add Policy''. Select ''HTTP'' as the service and make sure the ''Anyone'' toggle is selected. Click on ''Apply Policy'' and try to visit a web site. You will now find that HTTP connections are allowed, while connections to all other services are still blocked.
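The inbound and outbound policy screens described in this section follow a simple model: inbound traffic is dropped unless a host or service rule allows it, and outbound traffic is either permissive by default with a deny list or restrictive by default with an allow list. The following Python script is an added example, not Firestarter's code, and its `Policy` class is an assumption that models the GUI's behaviour as described in the text rather than the iptables rules Firestarter actually generates; the `walkthrough()` function replays the CNN and HTTP experiments above and adds inbound cases for completeness.

```python
from dataclasses import dataclass, field

# Standard port numbers that Firestarter fills in when a named service is picked.
SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443, "SSH": 22, "SMTP": 25}


@dataclass
class Policy:
    """Toy model of the Firestarter policy screens (an assumption, not its code)."""
    # Inbound policy: unsolicited inbound traffic is dropped unless a rule allows it.
    inbound_allow_hosts: set = field(default_factory=set)
    inbound_allow_services: dict = field(default_factory=dict)  # service -> "anyone" or set of hosts
    # Outbound policy: permissive by default with deny rules, or restrictive with allow rules.
    outbound_restrictive: bool = False
    outbound_deny_hosts: set = field(default_factory=set)
    outbound_allow_services: set = field(default_factory=set)


def inbound_allowed(policy, src_host, port):
    """Would the firewall accept a new inbound connection from src_host to port?"""
    if src_host in policy.inbound_allow_hosts:
        return True  # "Allow connections from host" opens every port for that host
    for service, scope in policy.inbound_allow_services.items():
        if SERVICE_PORTS[service] == port and (scope == "anyone" or src_host in scope):
            return True
    return False


def outbound_allowed(policy, dst_host, port):
    """Would the firewall allow a new outbound connection to dst_host:port?"""
    if policy.outbound_restrictive:
        # Restrictive: only explicitly allowed services go out, whatever the host.
        return any(SERVICE_PORTS[s] == port for s in policy.outbound_allow_services)
    # Permissive: everything goes out except hosts on the deny list.
    return dst_host not in policy.outbound_deny_hosts


def walkthrough():
    """Replay the chapter's experiments and collect each outcome by name."""
    outcomes = {}

    # Permissive by default, with www.cnn.com on the "Deny connections to host" list.
    p = Policy()
    p.outbound_deny_hosts.add("www.cnn.com")
    outcomes["permissive, cnn denied"] = outbound_allowed(p, "www.cnn.com", 80)
    outcomes["permissive, other host"] = outbound_allowed(p, "www.example.com", 80)

    # Restrictive by default: nothing out until a service is allowed.
    p = Policy(outbound_restrictive=True)
    outcomes["restrictive, no rules"] = outbound_allowed(p, "www.example.com", 80)
    p.outbound_allow_services.add("HTTP")
    outcomes["restrictive, HTTP allowed"] = outbound_allowed(p, "www.example.com", 80)
    outcomes["restrictive, HTTPS still blocked"] = outbound_allowed(p, "www.example.com", 443)

    # Inbound: HTTP for anyone, SSH only from one constructed LAN address.
    p = Policy(inbound_allow_services={"HTTP": "anyone", "SSH": {"192.168.2.13"}})
    outcomes["inbound HTTP from anyone"] = inbound_allowed(p, "203.0.113.9", 80)
    outcomes["inbound SSH from listed host"] = inbound_allowed(p, "192.168.2.13", 22)
    outcomes["inbound SSH from other host"] = inbound_allowed(p, "203.0.113.9", 22)
    return outcomes


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name:<34} {'allowed' if allowed else 'blocked'}")
```

Note the asymmetry the model makes visible: a ''Deny connections to host'' rule only matters while the outbound policy is permissive, and switching to ''Restrictive by default'' blocks HTTPS as well as HTTP until each service is added separately.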