Set up a Linux firewall with ease using Firestarter
Published: 26 Apr 2002 09:26 BST
In a recent article, we looked at manually creating a firewall using iptables, the packet-filtering program built into the Linux 2.4 kernel. Now, we're going to look at a graphical user interface (GUI) front end that you can use not only for iptables but for ipchains as well. This program is called Firestarter, and it is available for use in GNOME and KDE environments. Let's begin by looking at how to install Firestarter. Then, we'll explain how you can use it to create a simple or advanced firewall to protect your Linux server.
Downloading and installing Firestarter
You can download the latest version of Firestarter in either source or binary form from its official site. Before starting your installation, you need to be aware of a few dependencies.
First of all, you need libraries for GNOME 1.2 or later. You will also need to have either ipchains or netfilter/iptables installed, depending on which kernel you're running. The Firestarter download page includes links for downloading all of these dependencies.
Installing Firestarter from source follows the standard guidelines. Once you have downloaded the latest tarball (for this article, we'll be using firestarter-0.8.2.tar.gz), extract its contents using the command tar -xzpf firestarter-0.8.2.tar.gz (the archive name must follow the f option). Next, change directory (cd) to the newly created firestarter-0.8.2 directory and compile and install the program onto your system by running the following commands:
```sh
./configure      # generate the Makefile for your system
make             # build the program as an ordinary user
su               # become root for the installation step only
make install     # install the binary and the /etc/firestarter configuration directory
```
The default configuration directory will be /etc/firestarter. Once you run Firestarter, this is where you will find the firewall script that it creates. The system then uses this script, firewall.sh, to configure the firewall at boot time. Once you have this script, you can transport it (along with its companion files in /etc/firestarter) to similar systems and run it independently of the Firestarter GUI. This is handy when administering multiple servers, especially when they don't run X Windows. You just run Firestarter locally on one system and then copy the script to other systems, tweak it for those systems if necessary, and set it up to start at boot time. You can quickly configure a good firewall and then implement it across multiple systems.
Building the firewall
To open Firestarter, start KDE or GNOME, open a terminal window, and run /usr/bin/firestarter. (If you don't find the Firestarter executable here, do a locate firestarter search.) There is also probably an icon for Firestarter in your GNOME menu system, but the location will vary from distribution to distribution. You can create a shortcut on your desktop in KDE by right-clicking on the desktop, clicking Link To Application, and then entering the path to the executable (e.g., /usr/bin/firestarter).
If you're not running X Windows as the root user (which you probably aren't), you'll be prompted for the root password when you open Firestarter. At your first startup, you will be given the option of creating either a Simple or Advanced firewall with the Firestarter Firewall Wizard. If you're configuring a firewall to protect a single system, Simple is the way to go. But if you're using your Linux box as a gateway, the Advanced option lets you configure NAT and other important settings. Let's look at each configuration.
Simple configuration
In the Simple dialog box, you will first need to select your network device. This will be your external (Internet) interface, usually eth0. There are also special options for IP addresses assigned with DHCP and for starting the firewall upon connecting via dial-up if you are using a modem.
The next step is to decide whether you want to disable ICMP packets (Figure A). There are eight types of packets, including the common ECHO, TRACEROUTE, REDIRECTION, and UNREACHABLE. You will see many popular Web sites that have ICMP completely disabled. This aids in fighting ICMP-specific denial of service attacks.
Figure A: Configure how you want to handle ICMP packets.
Alternatively, you could create limit rules to accept only a certain number of requests every second. Or, if you have monitoring software that requires your box to be "pingable," you could accept ICMP requests from only a certain IP address or set of IP addresses.
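As an added example (not Firestarter's own generated firewall.sh), the following script expresses the two alternatives just described as iptables rules: echo requests from one monitoring host are always accepted, everyone else is rate-limited, and the ICMP error messages TCP/IP depends on are kept. The interface name, the monitoring address and the ICMPIN chain name are assumptions; by default the script only prints the commands, and you set IPTABLES=iptables and run it as root to apply them.

```sh
#!/bin/sh
# Added example: ICMP handling for the external interface, written as the
# iptables commands a Firestarter-style script would contain.
# Assumptions: eth0 is the Internet-facing interface and 192.0.2.10 is a
# constructed address for a monitoring host.

EXT_IF="eth0"
MONITOR_IP="192.0.2.10"
# Dry run by default: prints the rules instead of loading them.
# Run with IPTABLES=iptables as root to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

icmp_rules() {
    # Use a dedicated chain and flush it so the script can be re-run safely
    $IPTABLES -N ICMPIN 2>/dev/null
    $IPTABLES -F ICMPIN
    # The monitoring host may always ping us
    $IPTABLES -A ICMPIN -p icmp --icmp-type echo-request -s "$MONITOR_IP" -j ACCEPT
    # Everyone else: at most 1 echo request per second (burst of 4), the rest dropped,
    # which blunts ping floods without making the box invisible
    $IPTABLES -A ICMPIN -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPTABLES -A ICMPIN -p icmp --icmp-type echo-request -j DROP
    # Keep the error messages that TCP/IP needs (path MTU discovery, unreachable hosts)
    $IPTABLES -A ICMPIN -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A ICMPIN -p icmp --icmp-type time-exceeded -j ACCEPT
    # Silently drop every other ICMP type, including redirects
    $IPTABLES -A ICMPIN -p icmp -j DROP
    # Send inbound ICMP arriving on the external interface through the chain
    $IPTABLES -A INPUT -i "$EXT_IF" -p icmp -j ICMPIN
}

icmp_rules
```

Because these rules live in their own chain, they can be dropped into a Firestarter-generated firewall.sh without touching the rest of its INPUT policy.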