Firestarter: 5 minutes to a Linux firewall
Firestarter Part 2
Alternately, you could create limit rules to accept only a certain number of requests every second.
Or if you have monitoring software that requires your box to be -pingable," you could accept ICMP requests from only a certain IP or set of IP addresses.
Select services that you want to allow through the firewall
The next step in the Simple configuration is to select from a large list of common services you want to allow through the firewall, as shown below in Figure B.
For example, if you are running a Web server, you'll need to make sure that the WWW box is checked.
This is also true for other services such as Telnet, SSH, and SMTP.
Without choosing the corresponding services in this dialog box, associated packets destined for your machine will be dropped.
Set up the services you want your firewall to allow.
Advanced configuration
The Advanced setup starts out the same, allowing you to choose your network device and select how you want to handle ICMP and service requests. However, unlike with the Simple setup, you can choose whether to use Type of Service (ToS). This allows you to configure iptables to prioritise certain types of traffic by modifying a packet's header.
With Firestarter, you can select from three types of traffic: Client Applications, Server Applications, and the X Windows System. Once you have chosen the traffic you want to modify, you select the method for prioritisation: throughput, reliability, or delay. Most administrators will not need to touch these options, but if you're running into issues with service availability, you may find ToS helpful.
The next step in the Advanced option is to configure masquerading, which is basically a form of network address translation (NAT). This is how you get your machine to act as a gateway for other computers. Masquerading allows the server to route traffic from local, nonroutable IP addresses to outside the network and back again. You'll need to choose the internal interface, often eth1, and your internal network range, as shown in Figure C. By default, Firestarter will autodetect your internal network.
Set up masquerading (NAT) on your firewall.
In this dialog box, you also have the option of configuring port forwarding. If you are hosting services on internal systems that you need forwarded to the firewall's external, public IP address, you can set it up from here. Click Port Forwarding and then select Add Entry. You will need to fill in the Firewall Port, LAN Port, and LAN Address options and then specify whether the system is TCP or UDP.
After you have completed the wizard, your new firewall will start automatically. The main interface for Firestarter is now up and running. From here, you can start and stop the firewall, configure dynamic rules, and rerun the Firestarter Firewall Wizard. One of the coolest features of Firestarter is the ability to watch hackers probing your system in the Firewall Hits window (Figure D).
Use the Firewall Hits window to watch for hackers.
You can also load a list of all recent hits by clicking Hit List | Reload Entire Firewall Hit List. If you find an IP address that is continually probing your system on different ports, you can simply click the Dynamic Rules tab, right-click in the Deny All Connections From window, and click Add New Rule. Then, enter the IP address of the suspected hacker, and all traffic from that IP address will be denied.
Summary
With support for ipchains and iptables, Firestarter offers an excellent way to get a firewall up and running with minimal effort on both Linux 2.2 and 2.4 kernels. Its clean interface and excellent wizard make Firestarter suitable for both beginning and experienced administrators. Whether you're creating rules for a stand-alone box or for a complex gateway, you don't have to wade through the manual rule sets any longer. Sit back, relax, and let Firestarter do the heavy lifting.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2001 TechRepublic, Inc.
8%
1%
Linux=SuperEasy ;-)
For those that in past complained about the higher levels of technical proficiency needed to do serious (i.e firewall & security) work on Linux, eat your words.
All that remains is spreading the concept that Linux is _easy_ to use.