Simple Software Firewall with a Twist

Mitigate attacks with this simple to setup and deploy desktop firewall.

A firewall, in the most traditional sense of the word, is a partition made of fireproof material to prevent (or slow) the spread of fire to adjoining compartments. A computer-related firewall, whether implemented in hardware or software, has the same basic definition, where the fire is a security threat. Firewalls don’t prevent attacks; they mitigate them by exposing only specific ports, and only to a limited set of hosts. A port that is open remains reachable by an attacker, and if the application listening on it is vulnerable, it can still be exploited.

Though many contemporary distributions have built-in firewall management tools that create rules for Netfilter and iptables, you’re unlikely to find any as user-friendly as Firestarter. To begin with, Firestarter is very easy to install via an RPM.

Users of Debian-based distributions can use apt-get to acquire and install Firestarter. Portage packages also exist for Gentoo users. Installing from source is only slightly more difficult because of the dependencies that must be present before Firestarter will compile: specifically, Perl’s libwww-perl and XML-Parser libraries. You’ll find Firestarter here.

No Kindling Required

Once you install Firestarter, it is ready to set up and use. You’ll find the program icon, in KDE, under the System menu. On first launch, the Firestarter Wizard prompts you for information about your system and network.

Firestarter asks for the root password before it runs, since changing the kernel’s packet-filter rules requires root. This matters most on systems acting as network firewalls and routers.

Firestarter Wizard

  1. Click Forward on the Welcome to Firestarter screen.
  2. On the Network Device Setup screen shown in Figure 1, select your active Ethernet device from the drop-down list.
  3. Check Start the firewall on dial-out if you use a modem device. Check IP address is assigned via DHCP, or leave it unchecked if your computer has a static IP address, then click Forward.
  4. Figure 2 is the Internet connection sharing setup screen. Firestarter can also act as a router and a DHCP server. For a desktop computer that won’t act as an Internet gateway, leave all choices unchecked and click Forward to continue.
  5. The final setup wizard screen, Figure 3, allows you to start the firewall and save the settings you’ve chosen.

FIGURE 1: Select Your Active Ethernet Interface

FIGURE 2: Internet Connection Sharing Setup

FIGURE 3: Save Settings and Start the Firewall

The Firestarter graphical interface, shown in Figure 4, launches after you save your new firewall settings.

FIGURE 4: The Firestarter Interface

If you installed from source and want Firestarter to run as a system service and start automatically on reboot, locate the init script in the source directory and copy it to /etc/init.d as firestarter. Register the new service with chkconfig --add firestarter; chkconfig firestarter reset only resets the runlevels of a service that is already registered.

Punching Holes in Firestarter

To make your firewall software perform its assigned duties, you need to configure it to allow connectivity to your system. You do so by adding rules, commonly called punching holes in the firewall, so that only the ports, networks, hosts, and protocols you define explicitly gain access. For a desktop system, allow only a small number of inbound services.

The following example illustrates how to set up a trusted host that is allowed full access to your local system. This setup allows every type of traffic and any protocol from a specific host, IP address, or entire network. Allowing this type of access is acceptable only if you truly trust the remote host or network, because it removes all firewall restrictions from that source.

Grant Access from a Trusted Host

  1. Open Firestarter and select the Policy Tab.
  2. Right click inside the Allow connections from host window and select Add Rule.
  3. In the IP, host, or network field, enter a hostname (fred, for example).
  4. Click the Apply Policy button.

Your new policy is in place, and all traffic from host fred is now unrestricted. The next example shows you how to set up single-protocol (SSH) access to your local system.

Setup Inbound SSH Access

  1. From the Policy tab, right click in the Allow service window and select Add Rule.
  2. Select SSH from the Name drop-down list. Port 22 is added automatically for SSH.
  3. Select Anyone or IP, host or network. If you select IP, host or network, enter the hostname (mary, for example).
  4. Click Apply Policy to enable the new rule.

Only hosts fred and mary have any access to your system: fred has full access and mary has SSH only. Figure 5 shows your two new firewall policy rules for inbound traffic. Bear in mind that a rule keyed on a hostname is resolved to an address when the policy is applied, and that the source address is trusted as it appears on the wire, so reserve the unrestricted rule for hosts on a network you control.

Permissive Parent or Queen of Denial

By default, Firestarter allows all outgoing traffic. This is the permissive outbound policy: it assumes that all outbound traffic is acceptable to any host inside or outside the LAN, and you deny selected sites or protocols case by case.

The other option, restrictive, denies all outbound traffic and selectively allows certain protocols or access to specific sites or hosts. Selecting the restrictive policy allows only the DNS, HTTP, and DHCP protocols. Selecting Allow connections to host in the outbound traffic policy window allows all traffic from inside your network to that host.

You allow access to a particular host, IP, or network via a single protocol in the Allow service window. The following example shows you how to allow a single outbound protocol for a particular host.

Allow FTP for Host fred

  1. Right click in the Allow service window and select Add Rule.
  2. Select a service (FTP, for example). The port range (20-21) for FTP fills in automatically.
  3. Select IP, host or network and enter a hostname (fred, for example).
  4. Click Add and Apply Policy.

With this rule in place, only users on host fred can FTP outside the network; all other outbound FTP is blocked.
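The inbound rules from the Punching Holes section (fred unrestricted, mary SSH only) and the restrictive outbound policy with FTP for fred, expressed as the iptables rules that Firestarter manages on your behalf. This is an added example written for this article, not Firestarter’s generated ruleset: the interface names eth0 (Internet) and eth1 (LAN, used only in the gateway case), the addresses 192.0.2.10 for fred and 192.0.2.20 for mary, and the log prefixes are assumptions chosen here. Firestarter lets you type a hostname, but iptables resolves a name only once, when the rule is loaded, which is why the script takes addresses.

```shell
#!/bin/sh
# Added example (not Firestarter's own output): print an iptables-restore
# ruleset equivalent to the policies built in the article, so each GUI
# choice can be read as the packet-filter rule it becomes.
# Assumptions: WAN interface eth0, LAN interface eth1 (gateway case only),
# fred = 192.0.2.10, mary = 192.0.2.20 (documentation addresses), and the
# "Inbound "/"Outbound " LOG prefixes are chosen for this example.

# gen_ruleset WAN LAN FRED_IP MARY_IP  -> ruleset on stdout
gen_ruleset() {
    wan=$1 lan=$2 fred=$3 mary=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to connections already accepted in either direction
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inbound: "Allow connections from host" fred = any protocol, any port
-A INPUT -i $wan -s $fred -j ACCEPT
# inbound: "Allow service" SSH (22/tcp) from mary only
-A INPUT -i $wan -s $mary -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# everything else inbound is logged (rate limited) and then dropped by the
# chain policy; these LOG lines are what the Events tab displays
-A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "Inbound "
# outbound, restrictive policy: only DNS, HTTP and DHCP leave this host
-A OUTPUT -o $wan -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $wan -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $wan -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o $wan -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $wan -m limit --limit 5/min -j LOG --log-prefix "Outbound "
# gateway case: the same restrictive policy for LAN hosts, plus
# "Allow service" FTP (20-21/tcp) for LAN host fred only
-A FORWARD -i $lan -o $wan -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $lan -o $wan -s $fred -p tcp -m multiport --dports 20,21 -j ACCEPT
-A FORWARD -i $lan -o $wan -m limit --limit 5/min -j LOG --log-prefix "Outbound "
COMMIT
EOF
}

# rule_present RULE_FRAGMENT  (ruleset on stdin; exit 0 if the fragment occurs)
rule_present() { grep -qF -- "$1"; }

# Demonstration with the assumed interfaces and addresses.
gen_ruleset eth0 eth1 192.0.2.10 192.0.2.20
```

Feed the output to iptables-restore --test as root to check the syntax, then to iptables-restore to commit it. Two caveats the GUI hides: a rule keyed on a source address trusts whoever can put that address on the wire, so the fred rule belongs on a LAN you control; and the FTP rule matches only the control connection, because the data connection in both active and passive mode uses a port negotiated inside the control channel, so load the nf_conntrack_ftp helper so that RELATED accepts it.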

Here’s Looking At You, Kid

Security is serious business, and if your computer connects to the Internet, even behind a firewall, attackers will probe it. Your best defenses are strong passwords, patched services, and vigilance. Firestarter’s Events tab assists that vigilance: every blocked connection is logged and appears here in real time, so you are aware of attempts to compromise your system.

Select the Events tab in Firestarter, then attempt to connect from a system other than fred or mary. The attempt appears with its details. Customize the columns by selecting Events on the menu and then Show Column; choose as much or as little detail as you want to see. For a desktop system, Direction, Port, Source, Protocol, and Service are adequate.

Figure 6 shows various attempts at connectivity logged by the firewall.

FIGURE 6: Blocked Connection Attempts
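What the Events tab does for you, as an added example that is not Firestarter code: netfilter LOG lines from the kernel log reduced to the Direction, Port, Source, Protocol, and Service columns recommended above. The Inbound/Outbound log prefixes, the small service table, and the four sample log lines are constructed for this example; a real deployment would look ports up in /etc/services.

```shell
#!/bin/sh
# Added example (not Firestarter code): reduce netfilter LOG lines, the raw
# form of what Firestarter's Events tab shows, to the columns the article
# recommends: Direction, Port, Source, Protocol, Service.
# Assumptions: the "Inbound "/"Outbound " log prefixes, the service table and
# the sample lines below are constructed for this example.

# parse_events: kernel LOG lines on stdin -> one tab-separated row per line:
#   Direction  Port  Source  Protocol  Service   ("-" where not applicable)
parse_events() {
    awk '
    BEGIN {
        # constructed subset of /etc/services, keyed by destination port
        svc[21] = "ftp"; svc[22] = "ssh"; svc[25] = "smtp"
        svc[53] = "domain"; svc[80] = "http"; svc[443] = "https"
    }
    /PROTO=/ {
        in_if = ""; out_if = ""; src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # flags such as DF or SYN
            if (kv[1] == "IN")    in_if  = kv[2]
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "SRC")   src    = kv[2]
            if (kv[1] == "PROTO") proto  = kv[2]
            if (kv[1] == "DPT")   dpt    = kv[2]
        }
        # direction follows which interface fields are set:
        # IN only = arriving here, OUT only = leaving here, both = forwarded
        if (in_if != "" && out_if != "")  dir = "Forwarded"
        else if (in_if != "")             dir = "Inbound"
        else                              dir = "Outbound"
        # ICMP and other port-less protocols keep "-" for port and service
        service = (dpt in svc) ? svc[dpt] : "-"
        printf "%s\t%s\t%s\t%s\t%s\n", dir, dpt, src, proto, service
    }'
}

# top_sources: count blocked events per source address, busiest first
top_sources() {
    parse_events | cut -f3 | sort | uniq -c | sort -rn
}

# Constructed sample: two TCP probes and a ping from outside, and one blocked
# outbound SMTP attempt from this desktop under the restrictive policy.
SAMPLE_LOG='Jan 10 14:23:05 desk kernel: Inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 14:23:06 desk kernel: Inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 14:23:09 desk kernel: Inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan 10 14:23:12 desk kernel: Outbound IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | parse_events
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

Direction is derived from which of IN= and OUT= carries an interface, which is exactly how a line with both ends up as forwarded traffic on a gateway. Counting rows per source with top_sources is the quickest way to spot the scanning hosts the article tells you to watch for, and it works on /var/log/messages or journalctl -k output just as it does on the sample.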

Paying close attention to the Events screen makes it much easier to respond to these attempts. You also have the option of allowing a blocked connection: right-click an event to bring up the decision menu shown in Figure 7.

FIGURE 7: Events Decision Menu Options

Selecting Allow Connections From Source allows all connectivity from the source host. Allow Inbound Service for Everyone allows this service (SSH in the example) for all hosts, and Allow Inbound Service for Source grants the source host access to this single service. You also have the options of disabling events from the source, which means the service is still denied but no longer logged, or disabling events for that port altogether.

The Lookup Hostnames option resolves an IP address to a human-readable hostname, which is helpful when you want to trace the source of an attempt; remember that the reverse DNS record is controlled by whoever holds the address, so treat the name as a hint rather than an identification. Allowing a source via the Events decision menu automatically adds a new rule for the service. Check the Policy tab to see the new addition.

Who’s On First?

Keep track of remote hosts connected to your system with the Active Connections area on the Status tab. To see any active connections, click Active connections. A right-click lets you look up the hostnames associated with the source addresses in the list. Figure 8 shows an example of an active connection; hostname lookup gives the source hostname mary.

FIGURE 8: Active Connection

You can’t take any actions on the Status tab; it is a read-only list.

Firestarter is by far the easiest firewall program I have used. It is intuitive and quick to set up. Without knowing any firewall jargon or command-line configuration, you can set up a formidable firewall service on your desktop system.

You can also use Firestarter as a full-blown firewall, Internet connection sharing gateway, and router if you have two active Ethernet connections. You can do port forwarding and provide LAN security for the price of an old computer, as there are no elaborate memory, CPU, or software requirements for this system to run.

Comments on "Simple Software Firewall with a Twist"


I used this once and found it fine, but openSuse’s built-in works ok for me so I use it instead.

But what I think Linux is missing is a fw that controls outgoing traffic by application (like Zonealarm in windows).


Great job on the write up. Firestarter is definitely easy to use, and seems popular too. A good starter personal firewall.

It’s great for a personal firewall, but I wouldn’t recommend it for the corporate firewall. There are plenty of simple options available for a better stand-alone firewall, such as IPCop, SmoothWall Express, Pfsense, etc., that all have great web-based interfaces, and offer many more features.


If you like FireStarter but think it is oversimplified, then you’ll love FireWall Builder for its flexibility.

FWB User’s Guide (pdf)


I have installed FireStarter and it seems to be great, but I was wondering if it was worth having if my network is running through a LinkSys router. Doesn’t the router have a built-in firewall? Is it not a good enough firewall for a home network, or do I need to install FireStarter on all my boxes on the network?

Great article and very informative. Thanks


What is wrong w/ good ol’ iptables?


But what I think Linux is missing is a fw that controls outgoing traffic by application (like Zonealarm in windows).

You can do this, by cmd name, by uid, by gid, by pid, and by sid. It’s in the man page. Try “man iptables”, then hit “/” and type “owner” and hit enter. I just reloaded and in the man file I got this at the end of the section: “NOTE: pid, sid and command matching are broken on SMP”. So your mileage may vary.

but I was wondering if it was worth having if my network is running through a LinkSys router. Doesn’t the router have a built in firewall?

Yes, you can’t make a firewall at the router that can block all types of attacks. So you have to fine-tune at the desktops. Now you could put something like snort at the router or behind it, good luck getting that on your Linksys though. Which could reduce the need for desktop firewalls, but with tools like firestarter and others the risk doesn’t justify the gains.


Yeah but it’s pretty basic..I learned the hard way. If you don’t have a linux gateway where you can use iptables then I would use firestarter on your workstations. If you have a home base web server, ftp, or anything else that you want accessible from the internet this is even more true. just my .02


Most if not all applications use a port #. Do a little digging, get the correct port and allow it through your firewall from your LAN. That said most distributions that I have used allow any application originating from the LAN side out to the internet and the returning traffic back in.


On the desktop, I see egress filtering as the greatest challenge. Most networks (I hope) are using a gateway firewall, so the real threat from the desktop is that it will start accessing resources that it should not. This is where MS Windows firewalls excel. If an application connects to a resource, you have to approve it. I don’t know of a similar app for Linux?


Both you and Matador fail to notice or note that Firestarter has the ability to blacklist ALL outgoing services, allowing access only with approval via Firestarter’s root access [password required]. Like ZONEALARM and many other SPENDows firewall applications, you have the ability to work at the highest level of restriction by default.

What the article fails to note is that FIRESTARTER is simply a program to control built in firewall support [iptables] present within Linux, an evolution from the original offering that added iptables support when not present.

Most SPENDows users will be very comfortable using FIRESTARTER, as the wizard does all necessary work to turn on an operating system level firewall control.

You have to go beyond what you see in the article to fully appreciate the power of this free add-on desktop firewall.


I agree, there’s nothing better security-wise. On the other hand, when the network is complex it takes a lot of work maintaining someone else’s script. A graphical interface in those cases is always handy.


Security is enhanced by defence in depth, so even if you have enabled the firewall on your router it is worthwhile running firewall software on your machine. Also, if there are any other machines on your internal network, a personal firewall will protect you against malware running on them – this is particularly necessary if you are using a wireless network, as you can never be sure who else is sharing your network!


Check out the Linux project for Peerguardian, MoBlock, at http://developer.berlios.de/projects/moblock/


Old iptables is for minimalists.
