January 4, 2005

Securing your workstation with Firestarter

Author: Preston St. Pierre

Firestarter is a GPL-licensed graphical firewall configuration program for iptables, the powerful firewall included in Linux kernels 2.4 and 2.6. Firestarter supports network address translation for sharing an Internet connection among multiple computers, and port forwarding for redirecting traffic to an internal workstation. Firestarter's clean and easy to use graphical user interface takes the time out of setting up a custom firewall.

The Firestarter project provides binary packages for Fedora Core 2 and 3, SUSE 9.2, and Debian; you can use RPM or apt for installation. A source tarball is available for installation on other distributions. GNOME 2.6 is required. If you are running KDE, your distribution's package manager will resolve any dependencies and install any required GNOME libraries.

Let the wizard be your guide

Firestarter automatically saves your settings and restarts itself upon reboot when installed from a binary package (RPM or .deb). The installation procedure puts a Firestarter icon in the System Tools menu if you are running GNOME. To launch Firestarter in KDE, open a terminal window and type firestarter, or create your own menu entry. Launching Firestarter for the first time brings up the first-run configuration wizard. In it, select your network adapter. If you have a cable modem or a DSL connection that uses a dynamic IP address, check the box that reads "IP address is assigned via DHCP." Firestarter is now ready to protect your workstation.

The program's main interface consists of three tabs: status, events, and policy. The status tab indicates whether the firewall is active, and shows your network devices, the number of events that have occurred, and any active connections. The events tab lets you know what traffic is being blocked by the firewall; an event is a connection that has been blocked. This tab is where you can selectively allow services through your firewall. Items in black are normal connections to random ports. Items in red could be unauthorized connection attempts. Items in grey are harmless (usually broadcast traffic). The policy tab lets you define which hosts and services are allowed to communicate with your workstation. This is also where you can define rules more broadly.

The two extremes of firewalling are blacklisting and whitelisting. A blacklist denies all activity by default, while a whitelist allows all activity by default. By default, Firestarter operates in blacklist mode for inbound connections and whitelist mode for outbound traffic. This setup is secure but may not allow legitimate inbound connections. This is where the events tab comes in handy. Both inbound and outbound events are registered. By right-clicking on an inbound event you can choose to:

  • Allow Connections from Source, which gives the source of the connection a free pass through all ports on the firewall;
  • Allow Inbound Service for Everyone; or
  • Allow Inbound Service for Source, which gives only a specific source permission to connect to a service.

By right-clicking on an outbound event you can choose to:

  • Allow Connections to Destination, which allows everyone to reach a specified destination;
  • Allow Outbound Service for Everyone; or
  • Allow Outbound Service for Source, which allows only a specific computer to use a service.

By starting off with blacklisting and then selectively allowing inbound and outbound connections, you can quickly create a very secure firewall. All you need to do is keep an eye on the blocked connections in the events tab and then decide what services to allow. This setup is useful for preventing a malicious program from contacting a remote server, but it takes time to tune it properly. If you already know the names or port numbers of the services you want to pass through the firewall, you can set rules more quickly using the policy tab.

The policy tab's inbound interface allows you to specify which hosts and services to allow, and lets you set up port forwarding. For example, if an internal workstation were running a service that needed to be accessed from the Internet, you would tell Firestarter that any connections to the firewall on that port should be redirected to the internal machine. The outbound interface allows you to set up blanket whitelisting or blacklisting. You can also block individual hosts or services from this interface. Clicking on the check box above the Policy tab activates any changes (automatic updating of Policy changes can be set in the Preferences menu).
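The events-tab choices and policy-tab rules described above map onto plain iptables rules. The script below is an added illustration written for this article, not Firestarter's own generated rule set: it builds the same policy shape (default-deny inbound, default-allow outbound, a per-source service exception, a service open to everyone, a blocked outbound host, and a port forward) and prints the commands in dry-run mode unless APPLY=1. The interface name and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: iptables equivalent of the Firestarter policies described in
# the article. Addresses and the interface name are constructed placeholders.
EXT_IF="${EXT_IF:-eth0}"              # assumed Internet-facing interface
LAN_HOST="${LAN_HOST:-192.168.1.5}"   # assumed internal workstation (port forward target)
TRUSTED_SRC="${TRUSTED_SRC:-192.0.2.10}"  # assumed trusted remote host

# Print the command (dry run, default) or execute it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Blacklist mode for inbound, whitelist mode for outbound, as Firestarter defaults.
base_policy() {
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# "Allow Connections from Source": every port, from one host.
allow_connections_from_source() { rule -A INPUT -s "$1" -j ACCEPT; }
# "Allow Inbound Service for Everyone": one protocol/port, from anywhere.
allow_inbound_service_for_everyone() { rule -A INPUT -p "$1" --dport "$2" -j ACCEPT; }
# "Allow Inbound Service for Source": one protocol/port, from one host.
allow_inbound_service_for_source() { rule -A INPUT -s "$1" -p "$2" --dport "$3" -j ACCEPT; }
# Outbound blacklist entry for a single host.
block_outbound_host() { rule -A OUTPUT -d "$1" -j DROP; }
# Port forwarding: DNAT on the external interface plus a matching FORWARD accept.
# Forwarding also needs net.ipv4.ip_forward=1, which this script does not set.
forward_port() {
    rule -t nat -A PREROUTING -i "$EXT_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$3:$2"
    rule -A FORWARD -i "$EXT_IF" -d "$3" -p "$1" --dport "$2" -j ACCEPT
}
# Log what the default DROP policy discards; these are the "events" a GUI shows.
log_dropped() { rule -A INPUT -j LOG --log-prefix "INBOUND-DROP:"; }

build_firewall() {
    base_policy
    allow_inbound_service_for_source "$TRUSTED_SRC" tcp 22
    allow_inbound_service_for_everyone tcp 80
    forward_port tcp 8080 "$LAN_HOST"
    block_outbound_host 198.51.100.7
    log_dropped
}

build_firewall
```

Run it once without APPLY to review the generated rules; the LOG rule sits last so only traffic no earlier rule accepted is recorded.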

Lasting protection

After a few minutes of installation and configuration, Firestarter will add an extra layer of security to your workstation. Any future configuration is activated upon reboot.

Firestarter takes the pain out of workstation firewall configuration. Its excellent online tutorial and manual are well written and provide clear instructions on how the software is used. The project maintains an active support mailing list.

The Firestarter team has taken something that is hard to configure, wrapped it in a clean user interface, and provided great documentation. Isn't it time to make your workstation a little more secure?