Mitigate attacks with this simple-to-set-up, easy-to-deploy desktop firewall.
A firewall, in the most traditional sense of the word, is a partition made of fireproof material to prevent (or slow) the spread of fire to adjoining compartments. A computer-related firewall, whether implemented in hardware or software, has the same basic definition, where the term fire refers to a security threat. Firewalls don’t prevent attacks, but mitigate them by only allowing specific ports to be opened to a limited number of hosts inside a network. Open ports are still vulnerable to attack and exploitation if the applications listening on those ports are vulnerable.
Though many contemporary distributions have built-in firewall management tools that create rules for Netfilter and iptables, it’s unlikely that you’ll find any as user-friendly as Firestarter. To begin with, Firestarter is very easy to install via an RPM.
Users of Debian-based distributions can use apt-get to acquire and install Firestarter, and Portage packages exist for Gentoo users. Installing from source is only slightly more difficult because of the dependencies that must be in place before compiling Firestarter: specifically, you’ll need Perl’s libwww-perl and XML-Parser libraries. You’ll find Firestarter here.
No Kindling Required
Once you install Firestarter, it is ready to set up and use. You’ll find the program icon, in KDE, under the System menu. On first launch, the Firestarter Wizard prompts you for information about your system and network.
Firestarter requires that you enter the root password before using it. This is an important feature for systems acting as network firewalls and routers.
- Click Forward on the Welcome to Firestarter screen.
- On the Network Device Setup screen shown in Figure 1, select your active Ethernet device from the drop-down list.
- Select Start the firewall on dial-out if you use a modem device. Check IP address is assigned via DHCP, or leave it unchecked if your computer has a static IP address, then click Forward.
- Figure 2 is the Internet connection sharing setup screen. Firestarter can also act as a router and a DHCP server. For a desktop computer that won’t act as an Internet gateway, leave all choices unchecked and click Forward to continue.
- The final setup wizard screen, Figure 3, allows you to start the firewall and save the settings you’ve chosen.
FIGURE 1: Select Your Active Ethernet Interface
FIGURE 2: Internet Connection Sharing Setup
FIGURE 3: Save Settings and Start the Firewall
The Firestarter graphical interface, shown in Figure 4, launches after you save your new firewall settings.
FIGURE 4: The Firestarter Interface
If you installed from source and want Firestarter to run as a system service and start automatically on reboot, locate the init script in the source directory and copy it to /etc/init.d as firestarter. Run chkconfig firestarter reset to register the new service.
Punching Holes in Firestarter
To make your firewall software perform its assigned duties, you need to configure it to allow connectivity to your system. You do so by adding rules, commonly known as punching holes in the firewall, so that only the ports, networks, hosts, and protocols you define explicitly gain access. For a desktop system, only allow a small number of inbound services.
The following example illustrates how to set up a trusted host that is allowed all access to your local system. This setup allows all types of traffic and any protocol from a specific host, IP address, or entire network. Allowing this type of access is OK only if you truly trust the remote host or network, because it removes all firewall restrictions from that source.
Grant Access from a Trusted Host
- Open Firestarter and select the Policy Tab.
- Right click inside the Allow connections from host window and select Add Rule.
- In the IP, host, or network field, enter a hostname (fred, for example).
- Click the Apply Policy button.
Your new policy is in place, and all traffic from host fred is now unrestricted. The next example shows you how to set up single-protocol (SSH) access to your local system.
Set Up Inbound SSH Access
- From the Policy tab, right click in the Allow service window and select Add Rule.
- Select SSH from the Name drop-down list. Port 22 is added automatically for SSH.
- Select Anyone or IP, host or network. If you select IP, host or network, enter the hostname (mary, for example).
- Click Apply Policy to enable the new rule.
Now only hosts fred and mary have any access to your system: host fred has full access and host mary has SSH only. Figure 5 shows your two new firewall policy rules for inbound traffic.
Permissive Parent or Queen of Denial
By default, Firestarter allows all outgoing traffic. This firewall setting is a permissive outbound traffic policy. Permissive assumes that all outbound traffic is OK and allowable to any host inside or outside the LAN. Denial of selected sites or protocols is on a case-by-case basis.
The other option, restrictive, is to deny all traffic and selectively allow certain protocols or access to specific sites or hosts. Selecting the restrictive policy allows only the DNS, HTTP, and DHCP protocols. Selecting Allow connections to host in the outbound traffic policy window allows all traffic from inside your network to that host.
You allow access to a particular host, IP, or network via a single protocol in the Allow service window. The following example shows you how to allow a single outbound protocol for a particular host.
Allow FTP for Host fred
- Right click in the Allow service window and select Add Rule.
- Select a service (FTP, for example). The port range (20-21) for FTP fills in automatically.
- Select IP, host or network and enter a hostname (fred, for example).
- Click Add and Apply Policy.
With this rule in place, only the users of host fred can FTP outside the network. All other FTP access is blocked.
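As an added example (not code from this article or from Firestarter, which generates its own chains and log prefixes), the following script emits a hand-written iptables approximation of the policy built in the preceding sections: inbound, host fred fully trusted and host mary allowed SSH only, with everything else logged (the counterpart of Firestarter’s blocked-connection log) and dropped; outbound, the restrictive policy with only DNS, HTTP, and DHCP, plus FTP (ports 20-21) permitted out through the gateway only for LAN client fred. It assumes the iptables command with the conntrack match is available; fred and mary are the article’s placeholder hostnames.

```shell
# Added example: hand-written iptables approximation of the policy built in
# this article (not Firestarter's own generated ruleset, which uses its own
# chains and log prefixes). Inbound: all from fred, SSH only from mary, log and
# drop the rest. Outbound (restrictive): DNS, HTTP, DHCP; FTP out only for fred.
IPT=${IPT:-iptables}
TRUSTED_HOST=${TRUSTED_HOST:-fred}   # fully trusted host from the article
SSH_HOST=${SSH_HOST:-mary}           # SSH-only host from the article

# Emit the inbound rules as text so they can be reviewed before applying.
# iptables resolves hostnames once at load time, not per packet.
gen_inbound_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -s $TRUSTED_HOST -j ACCEPT
$IPT -A INPUT -s $SSH_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
$IPT -A INPUT -j DROP
EOF
}

# Restrictive outbound policy: deny by default, allow only DNS, HTTP and DHCP
# for this host, and let LAN client fred (and only fred) FTP out through the
# gateway; everything else outbound is logged, then dropped by chain policy.
gen_outbound_rules() {
    cat <<EOF
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s $TRUSTED_HOST -p tcp --dport 20:21 -j ACCEPT
$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
$IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
EOF
}

# Print both rule sets; review them, then pipe into sh as root to apply.
gen_inbound_rules
gen_outbound_rules
```

Active-mode FTP data connections (server port 20 back to the client) are only classed RELATED when the nf_conntrack_ftp helper is loaded; without it, that return traffic is dropped like any other unsolicited connection.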
Here’s Looking At You, Kid
Security is serious business and if you have a computer that connects to the Internet, even behind a firewall, you will have hack attempts made against your system. Your best defenses are strong passwords and vigilance. Firestarter’s Events tab assists you in your vigilant watch over your system. All blocked connections are logged and show up here in real time so that you are aware of any attempts at compromising your system.
Select the Events tab in Firestarter, then attempt to connect from a system other than mary. The attempt appears with details. Customize these event details by selecting Events on the menu and then Show Column. Select any of the choices to see as much or as little detail as you want. For a desktop system, Direction, Port, Source, Protocol, and Service are adequate.
Figure 6 shows various attempts at connectivity logged by the firewall.
FIGURE 6: Blocked Connection Attempts
If you pay close attention to the Events screen, mitigating these attempts is much easier. You also have the option of allowing these connections. Right click an event to bring up a decision menu as shown in Figure 7.
FIGURE 7: Events Decision Menu Options
Allow Connections From Source allows all connectivity from the source host. Allow Inbound Service for Everyone allows this service (SSH in the example) for all hosts, and Allow Inbound Service for Source grants access to the source host for this single service. You also have the options of disabling events from the source, which means that the service is still denied but the attempts are no longer logged, or disabling events for that port altogether.
The Lookup Hostnames option lets you find a human-readable hostname for an IP address, which is helpful if you want to trace the source of the attempt. Allowing a source via the Events Decision Menu automatically adds a new rule for the service; check the Policy tab to see the new addition.
Who’s On First?
Keep track of remote hosts connected to your system with the Active Connections area on the Status tab. To see any active connections, click Active connections. A right click allows you to look up the hostnames associated with the source addresses in the Active connections list. Figure 8 shows an example of an active connection. Hostname lookup provides the source hostname.
FIGURE 8: Active Connection
You can’t take any actions on the Status tab; it is a read-only list.
Firestarter is by far the easiest firewall program I have used. It is intuitive and quick to set up. Without knowing any firewall jargon or command-line configurations, you can set up a formidable firewall service on your desktop system.
You can also use Firestarter as a full-blown firewall, Internet connection sharing gateway, and router if you have two active Ethernet connections. You can do port forwarding and provide LAN security for the price of an old computer, as there are no elaborate requirements for memory, CPU, or software for this system to run.
Kenneth Hess is a Linux evangelist and freelance technical writer on a variety of open source topics including Linux, SQL, databases, and web services. Ken can be reached via his website at http://www.kenhess.com. Practical Virtualization Solutions by Kenneth Hess and Amy Newman is available now.