The days of confusing Linux firewalls are now over. Firestarter provides a very easy to use GUI for most Linux systems, allowing you to create specific firewall rules based on IP addresses, hosts or specific services (FTP, SSH, etc). Continue reading for a complete walk-through on using Firestarter.
- First you’ll need to download and install Firestarter. You can find installation options on the Firestarter download page. If you’re using Ubuntu (as I do for this tutorial), you can install it via Synaptic.
- Once installed, launch it from the appropriate menu (in Ubuntu, select Applications -> Internet -> Firestarter).
- Enter your password to continue.
- Since this is the first time you’re running Firestarter, you’ll be taken through a quick setup wizard. Review the info on the Welcome screen and click Forward to continue.
- On the Network device setup screen you’ll need to specify which device (Ethernet card, wireless card, modem, etc.) provides your Internet connection. Generally this is the Ethernet device (eth0). If your Internet Service Provider assigns you a dynamic IP address (almost all North American broadband ISPs do), make sure to check the box IP address is assigned via DHCP. Click Forward to continue.
- If you’re going to use this PC to share its Internet connection with other PCs (i.e. act as a gateway), place a check in the Enable Internet connection sharing box. This is not the same thing as “file and printer” sharing, so unless you’re certain the PC you’re installing/setting up Firestarter on is going to act as a gateway, leave this option unchecked. Again, click Forward to continue.
- That’s it – the setup wizard is done. Place a check in the Start firewall now box, and click Save.
- Firestarter will launch and display the Status tab. If you’re currently surfing the Internet, using an FTP program etc, you’ll see detailed info on your connections in the Active connections pane.
- Now you’ll want to create some firewall rules. Click on the Policy tab, and make sure Inbound traffic policy is selected from the Editing drop-down menu. Right-click inside the Allow connections from host window, and select Add Rule.
- By adding a rule in this section, you’ll be allowing an IP, host or network full access to your Linux PC. They will still need to provide a user name and password to connect to any services (FTP, SSH etc), but the IP, host or network will not be blocked at all by your firewall. In the example below I added the host name for my MacBook Pro (ross-macbookpro) and included a descriptive comment. Click Add when you’re done.
- If you want to create a rule based on a single service (e.g. SSH, FTP, Telnet, etc.), right-click in the Allow Service section and click Add Rule. From the new menu that pops up, select the service you want to allow from the Name drop-down menu. In the example below I selected SSH.
- The port for SSH (22) will be automatically added to the Port field. Decide who you want to allow to access SSH on the PC running Firestarter (Anyone, LAN clients, IP, host or network). In the example below, I opted to allow access to SSH from my PC running Vista, which has a host name of ross-vista. Again, I added a descriptive comment. Once you’ve got everything filled in, click Add.
- Back at the Policy main menu, click the Apply Policy button to apply the two rules you just created.
- Now select Outbound traffic policy from the Editing pull-down menu.
By default, Firestarter allows all outbound traffic. So if you’re trying to surf the web, chat with a friend using your IM program, FTP to a remote host, or connect to your POP3 or IMAP email server, all of these services will be “allowed”. You can reverse that policy by switching to Restrictive by default, whitelist traffic, but then you’ll have to create rules to allow any outbound Internet activity.
- If you do opt to go the Restrictive route, creating outbound rules is pretty much the same as inbound rules. In the Allow connections to host, right-click and select Add Rule. Again, I will allow all outbound connections to my MacBook Pro by adding its host name (ross-macbookpro). Click Add to create this rule.
- And again, similar to inbound rules, you can create a rule that’s specific to a service. Right-click in the Allow service window and select Add Rule. As before, select the service you want to allow out (in the example below I selected FTP) and choose Anyone, Firewall host, LAN clients, IP, host or network. Click Add when you’re done.
The screenshot below illustrates a rule that would allow me to FTP to my Windows Vista PC.
- Back at the Policy main window again, click Apply Policy to apply any new rules you created.
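To make the semantics of the two rule types concrete, here is an added example (not Firestarter's own code) that models the inbound and outbound policies built in the steps above and evaluates connections against them. It uses the tutorial's host names (ross-macbookpro, ross-vista); the IP addresses mapped to them are constructed for the example, standing in for the name lookup a firewall performs when a host-name rule is applied. The `to_iptables` output is an illustrative approximation of the kind of rules such a policy translates to, not the script Firestarter actually generates.

```python
"""Model of Firestarter-style inbound/outbound policies (added example)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed name -> address table; a real firewall resolves names via DNS/hosts
# when the rule is applied.
HOSTS = {
    "ross-macbookpro": "192.168.1.20",
    "ross-vista": "192.168.1.30",
}

# Service names as they appear in the Name drop-down, with their TCP ports.
SERVICES = {"SSH": 22, "FTP": 21, "Telnet": 23}


def resolve(target):
    """Turn 'Anyone', a host name, an IP, or a CIDR into an ip_network."""
    if target == "Anyone":
        return ipaddress.ip_network("0.0.0.0/0")
    target = HOSTS.get(target, target)
    return ipaddress.ip_network(target, strict=False)


@dataclass
class Policy:
    direction: str                 # "inbound" matches the peer as source, "outbound" as destination
    restrictive: bool              # True: deny unless a rule matches (the default for inbound)
    host_rules: list = field(default_factory=list)     # "Allow connections from/to host" entries
    service_rules: list = field(default_factory=list)  # "Allow service" entries: (port, who)

    def allow_host(self, who):
        """Full access for a host, IP or network: nothing from it is filtered."""
        self.host_rules.append(resolve(who))

    def allow_service(self, service, who):
        """Only the named service (port) is opened, and only for 'who'."""
        self.service_rules.append((SERVICES[service], resolve(who)))

    def decide(self, peer_ip, dport):
        """Return 'ALLOW' or 'DENY' for a TCP connection with the given peer and port."""
        if not self.restrictive:
            return "ALLOW"          # permissive policy: everything passes
        addr = ipaddress.ip_address(peer_ip)
        if any(addr in net for net in self.host_rules):
            return "ALLOW"          # host rule: any port
        if any(dport == port and addr in net for port, net in self.service_rules):
            return "ALLOW"          # service rule: this port only
        return "DENY"

    def to_iptables(self, chain):
        """Emit roughly equivalent iptables commands (illustrative only)."""
        flag = "-s" if self.direction == "inbound" else "-d"
        lines = [f"iptables -P {chain} {'DROP' if self.restrictive else 'ACCEPT'}"]
        for net in self.host_rules:
            lines.append(f"iptables -A {chain} {flag} {net} -j ACCEPT")
        for port, net in self.service_rules:
            lines.append(f"iptables -A {chain} -p tcp {flag} {net} --dport {port} -j ACCEPT")
        return lines


def tutorial_inbound():
    """The two inbound rules created in the walk-through."""
    p = Policy(direction="inbound", restrictive=True)
    p.allow_host("ross-macbookpro")          # full access from the MacBook Pro
    p.allow_service("SSH", "ross-vista")     # SSH only, and only from the Vista PC
    return p


def tutorial_outbound(restrictive=False):
    """Outbound policy: permissive by default, or the restrictive variant with its two rules."""
    p = Policy(direction="outbound", restrictive=restrictive)
    if restrictive:
        p.allow_host("ross-macbookpro")
        p.allow_service("FTP", "ross-vista")
    return p


if __name__ == "__main__":
    inb = tutorial_inbound()
    for peer, port in [("192.168.1.20", 80), ("192.168.1.30", 22), ("192.168.1.30", 80)]:
        print(f"inbound {peer}:{port} -> {inb.decide(peer, port)}")
    print("\n".join(inb.to_iptables("INPUT")))
```

Note the asymmetry the model makes visible: a host rule opens every port for that peer, while a service rule opens one port, so a host that is trusted for one thing (SSH from ross-vista) should get a service rule, not a host rule.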
- Click the Events tab, and you’ll see a list of “firewall happenings”. In this example, I intentionally blocked off being able to FTP and SSH from my Linux PC, and when I tried to FTP and SSH to my web host, it was denied (blocked).
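The Events tab is a view over the kernel's netfilter log lines. As an added example (not part of the original post or of Firestarter), the script below parses such lines from syslog and summarizes blocked attempts per direction and service, which is what you would look at to confirm a restrictive policy is doing what you expect. The sample log is constructed; the "Inbound"/"Outbound" words before the `IN=` field are assumed to be the log prefixes the firewall script uses, so adjust `LINE_RE` if yours differ.

```python
"""Parse netfilter LOG lines (as shown on the Events tab) and summarize blocks (added example)."""
import re
from collections import Counter, defaultdict

# Constructed syslog lines in the netfilter LOG format: three blocked outbound
# attempts (FTP and SSH to a web host) and two blocked inbound probes.
SAMPLE_LOG = """\
Mar  3 10:12:01 linuxbox kernel: Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:12:05 linuxbox kernel: Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:12:09 linuxbox kernel: Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:13:44 linuxbox kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:13:50 linuxbox kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=TCP SPT=6001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

PORT_NAMES = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP"}

# "kernel:" then an optional "[timestamp]" then the log prefix word, then the KEY=VALUE fields.
LINE_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<dir>\w+)\s+(?P<fields>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # flag-only tokens such as DF or SYN carry no '=' and are skipped


def parse_event(line):
    """Return a dict with direction, src, dst, proto and dport, or None if not a firewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "direction": m.group("dir"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(log_text):
    """Count blocked connection attempts per (direction, service name)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        service = PORT_NAMES.get(ev["dport"], f"port {ev['dport']}")
        counts[(ev["direction"], service)] += 1
    return counts


def noisy_sources(log_text, min_ports=2):
    """Inbound sources that were blocked on at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["direction"] == "Inbound" and ev["dport"] is not None:
            ports_by_src[ev["src"]].add(ev["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for (direction, service), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:9} {service:7} blocked {n} time(s)")
    print("sources hitting several ports:", noisy_sources(SAMPLE_LOG))
```

Run against `/var/log/messages` or `/var/log/kern.log` (wherever your syslog sends kernel messages) to reproduce the Events tab from the raw log; the outbound FTP and SSH blocks in the sample are the situation the Events step describes.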
- Now that you’ve got the gist of creating firewall rules, select Edit -> Preferences.
- From here you can customize some of the Firestarter Interface options.
- Click Firewall from the left navigation window, and you can alter some of the Firewall specific preferences.
- That’s pretty much it – feel free to explore and by all means if you have a question, leave a comment below.