Set up a Linux firewall with ease using Firestarter
Thomas Nooning CCNA, CCDA
Published: 26 Apr 2002 09:26 BST
The next step in the Simple configuration is to select from a large list of common services you want to allow through the firewall (Figure B). For example, if you are running a Web server, you'll need to make sure that the WWW box is checked. This is also true for other services such as Telnet, SSH, and SMTP. Without choosing the corresponding services in this dialog box, associated packets destined for your machine will be dropped.
| Figure B |
 |
| Set up the services you want your firewall to allow. |
Advanced configuration
The Advanced setup starts out the same, allowing you to choose your network device and select how you want to handle ICMP and service requests. However, unlike with the Simple setup, you can choose whether to use Type of Service (ToS). This allows you to configure iptables to prioritize certain types of traffic by modifying a packet's header.
With Firestarter, you can select from three types of traffic: Client Applications, Server Applications, and the X Windows System. Once you have chosen the traffic you want to modify, you select the method for prioritization: throughput, reliability, or delay. Most administrators will not need to touch these options, but if you're running into issues with service availability, you may find ToS helpful.
The next step in the Advanced option is to configure masquerading, which is basically a form of network address translation (NAT). This is how you get your machine to act as a gateway for other computers. Masquerading allows the server to route traffic from local, nonroutable IP addresses to outside the network and back again. You'll need to choose the internal interface, often eth1, and your internal network range, as shown in Figure C. By default, Firestarter will autodetect your internal network.
| Figure C |
 |
| Set up masquerading (NAT) on your firewall. |
In this dialog box, you also have the option of configuring port forwarding. If you are hosting services on internal systems that you need forwarded to the firewall's external, public IP address, you can set it up from here. Click Port Forwarding and then select Add Entry. You will need to fill in the Firewall Port, LAN Port, and LAN Address options and then specify whether the system is TCP or UDP.
After you have completed the wizard, your new firewall will start automatically. The main interface for Firestarter is now up and running. From here, you can start and stop the firewall, configure dynamic rules, and rerun the Firestarter Firewall Wizard. One of the coolest features of Firestarter is the ability to watch hackers probing your system in the Firewall Hits window (Figure D).
| Figure D |
 |
| Use the Firewall Hits window to watch for hackers. |
You can also load a list of all recent hits by clicking Hit List | Reload Entire Firewall Hit List. If you find an IP address that is continually probing your system on different ports, you can simply click the Dynamic Rules tab, right-click in the Deny All Connections From window, and click Add New Rule. Then, enter the IP address of the suspected hacker, and all traffic from that IP address will be denied.
Summary
With support for ipchains and iptables, Firestarter offers an excellent way to get a firewall up and running with minimal effort on both Linux 2.2 and 2.4 kernels. Its clean interface and excellent wizard make Firestarter suitable for both beginning and experienced administrators. Whether you're creating rules for a stand-alone box or for a complex gateway, you don't have to wade through the manual rule sets any longer. Sit back, relax, and let Firestarter do the heavy lifting.
Have your say instantly in the Tech Update forum.
Let the editors know what you think in the Mailroom.
Previous
Did you find this article useful?
72 out of 155 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
