Ubuntu Firewalls Guide. Part III: Firestarter


There are times when you want a working solution quickly, but with room for advanced customization later.

For firewalls on Ubuntu, Firestarter is such a solution: a graphical front end that builds and manages the kernel's iptables rules for you. Install it, launch it, follow the initial setup wizard, and the firewall is running.

In this guide we cover both the basic and the advanced options Firestarter offers.

Installation

Note: if you are not yet familiar with installing software on Ubuntu, read chapter 5 of our Ubuntu Basics Guide, which explains how to install software with step-by-step instructions and screenshots.

Quick setup:

  1. Open Synaptic from System > Administration > Synaptic Package Manager.
  2. You will be asked for your (administrative) password.
  3. Type “firestarter” in the Quick search box.
  4. Locate “firestarter”, right-click it and select “Mark for Installation”.
  5. Click “Mark” in the “Mark additional required changes?” dialog, if one appears.
  6. Press the “Apply” button at the top.
  7. Press “Apply” in the “Apply the following changes” dialog.
  8. Firestarter now installs. When it is done, press Close and close Synaptic. NOTE: Installation requires an active Internet connection, to download Firestarter from the repository.

Wizard and launching

When Firestarter is installed, you may launch it from System > Administration > Firestarter.

Ubuntu Firewalls. Firestarter: Launching Firestarter

The firewall wizard appears, welcoming you to Firestarter configuration. Press the “Forward” button.

Ubuntu Firewalls. Firestarter: Wizard welcome page

NOTE: Normally you are asked for your (administrative) password, but sudo remembers a successful authentication for a few minutes, so if you launch Firestarter right after the Synaptic run you may not be asked the first time.

Ubuntu Firewalls. Firestarter: Wizard network device setup

You will see the “Network device setup” page with the following options:

  • Detected device(s) – normally lists only your network card. If more than one device is listed, choose the one that faces the Internet: on these releases eth0 is typically the wired card and wlan0 the wireless one.
  • Start the firewall on dial-out – check this so the firewall activates every time you connect to the Internet.
  • IP address is assigned via DHCP – check this if your computer obtains its address automatically from your ISP or router (true in most cases, unless you configured a static address by hand). Firestarter needs to know so that it can let the DHCP exchange through and reload the rules when the lease is renewed.

Ubuntu Firewalls. Firestarter: Wizard Internet connection sharing

Press “Forward” to continue to the “Internet connection sharing setup” page.

  • Enable Internet connection sharing – enable this ONLY if you plan to share this computer's connection with other computers; it turns the machine into a router that forwards and masquerades their traffic.
  • Local area network device – lists your LAN adapters. If you selected eth0 as your main Ethernet card and a second card connects this computer to the others, you should see eth1 here, and that is the one to select.
  • Enable DHCP for local network – turns on automatic address assignment on the LAN side, with this computer acting as the DHCP server.

NOTE: Although Internet connection sharing is available in Firestarter and generally supported by Ubuntu, we still encourage you to share a connection using a router. For tips on buying one, refer to our Router marketing article.

Click “Forward” when you are done, and you will see the “Ready to start your firewall” page.

Ubuntu Firewalls. Firestarter: Wizard ready to start

There is only one checkbox, “Start firewall now”, which you should check if you want to activate your newly installed firewall immediately.

Now you will see the Firestarter main window.

If you checked “Start firewall now” on the last page of the wizard, the firewall is already active. All you need to do is close the Firestarter window; the Firestarter icon (blue, with a play symbol) in the notification area shows that the firewall is running, and the rules stay loaded in the kernel whether or not the window is open. To make the window minimize to the tray instead of quitting when closed, see the Preferences section below.

Monitoring connections

Ubuntu Firewalls. Firestarter: Main window

On the Status tab of the Firestarter window, which opens by default, you should see:

Firewall section

  • Status – “Active” if the firewall is enabled, “Stopped” if it is disabled.
  • Events – Total and Serious, for both incoming and outgoing traffic. Total counts every logged event, including traffic the firewall allowed; Serious counts blocked connection attempts.

Network section

Lists your devices (normally just one), their type, bytes received and sent, and the current activity rate.

Active connections section

Lists every active connection, by source IP address, destination IP address, port, service and application.

Ubuntu Firewalls. Firestarter: Active connections

Switch to the Events tab to see blocked and allowed events. Only traffic that hit a logging rule appears here, that is, connections blocked by the firewall or permitted by an explicit allow rule. Each event lists time, port, source address, destination address, protocol and service.

Ubuntu Firewalls. Firestarter: Events tab

Configuring Firestarter

To add policies to the Firestarter firewall, switch to the Policy tab. First choose the traffic type (inbound or outbound) from the “Editing” list. Then, depending on which kind of rule you want to add (address-specific, port-specific, or address and port specific), do the following:

Ubuntu Firewalls. Firestarter: Policy editor

Address specific filtering

Ubuntu Firewalls. Firestarter: Add new rule

  1. To allow or deny a particular IP address, host or network, right-click in the “Allow connections from host” list and select “Add rule”.
  2. Type the IP address, host name or network (address with mask), add a comment if you like, and press “Add”.
  3. Your new rule is added.

Ubuntu Firewalls. Firestarter: Add connections from

Port and/or address filtering

Ubuntu Firewalls. Firestarter: Add new service

To allow or deny network access to a particular port or service, right-click in the “Allow service” list and select “Add rule”.

  • Name – select a service by name from the list of known services.
  • Port – or type the port number yourself.
  • When the source (destination) is – “Anyone” applies the rule to all hosts; “IP, host or network” applies it only to the address you then type in the box below; “LAN clients” applies it only to machines behind your shared connection and is available only when Internet connection sharing is enabled.
  • Comment – add a comment if you need one.

When you are done, press “Add” and the rule appears in the rule set. By default it takes effect only when you restart the firewall (stop it and start it again). To have rules applied immediately, see the Policy part of the Preferences section below.

To edit a rule, right-click it and select “Edit rule”.

To delete a rule, right-click it and select “Remove rule”.
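To make concrete what a policy rule turns into underneath the GUI, here is an added example of the iptables commands a Firestarter-style inbound policy corresponds to. It is example code written for this guide, not Firestarter's own firewall script, and the interface name, the log prefix and the addresses in it are assumptions. The script prints the commands instead of running them, so you can review them first and, if they look right, apply them on a real host with sudo sh.

```shell
#!/bin/sh
# Added example for this guide, not Firestarter's own firewall script.
# Prints the iptables commands equivalent to a Firestarter inbound policy;
# review the output, then apply it with "sudo sh" if it looks right.
# Interface name, log prefix and all addresses are assumptions.

WAN_IF="${WAN_IF:-eth0}"   # the "detected device" chosen in the wizard

# Baseline of a Firestarter-style firewall: drop every inbound packet that
# is not a reply to a connection this machine started, always allow loopback.
policy_base() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# "Allow connections from host": every port, from one IP, host or network.
allow_from_host() {
    echo "iptables -A INPUT -i $WAN_IF -s $1 -j ACCEPT"
}

# "Allow service": one port and protocol, from anyone or from one source.
# $1 port, $2 protocol (tcp or udp), $3 "anyone" or an IP/network.
allow_service() {
    port=$1; proto=$2; src=${3:-anyone}
    if [ "$src" = "anyone" ]; then
        echo "iptables -A INPUT -i $WAN_IF -p $proto --dport $port -m state --state NEW -j ACCEPT"
    else
        echo "iptables -A INPUT -i $WAN_IF -p $proto -s $src --dport $port -m state --state NEW -j ACCEPT"
    fi
}

# Whatever fell through the allow rules: log it (this is what the Events
# tab displays), rate-limited so a flood cannot fill the disk, then drop.
policy_tail() {
    echo "iptables -A INPUT -i $WAN_IF -m limit --limit 10/minute -j LOG --log-prefix \"Inbound \""
    echo "iptables -A INPUT -i $WAN_IF -j DROP"
}

# Worked policy: trust one admin workstation completely, open SSH to the
# office network only, open HTTPS to anyone. Addresses are documentation
# ranges, made up for the example.
example_policy() {
    policy_base
    allow_from_host 192.0.2.10
    allow_service 22 tcp 192.0.2.0/24
    allow_service 443 tcp anyone
    policy_tail
}

example_policy
```

Order matters: iptables evaluates a chain top to bottom and stops at the first match, so every allow rule must come before the final LOG and DROP pair, and a rule added later with -A lands after that pair and never fires. That is also why a rule added in the GUI only takes effect on a restart unless the immediate-apply preference is on: the whole rule set is rebuilt in order. You can compare this output with what Firestarter actually loaded by running sudo iptables -L -n -v after the firewall starts.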

Preferences

Ubuntu Firewalls. Firestarter: Preferences

To access Firestarter's preferences, go to Edit > Preferences.

Interface

Ubuntu Firewalls. Firestarter: Interface settings

  • Enable tray icon – check this box to show the Firestarter icon in the system tray.
  • Minimize to tray on window close – check this box to have Firestarter minimize to the tray instead of quitting when its window is closed.

Events

Ubuntu Firewalls. Firestarter: Events settings

  • Skip redundant entries – collapses repeated events, so several similar events are shown as one line.
  • Skip entries where the destination is not the firewall – hides events whose destination address is not this machine, such as broadcasts or, with connection sharing, traffic aimed at LAN clients, so only attempts against the firewall host itself are listed.
  • Do not log events for the following – two lists, for hosts and for ports. Press “Add” to add a host or port whose traffic should be excluded from logging.
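The Events tab described earlier, and the two “Skip” options above, both work on the kernel log: Firestarter's blocked-packet rules use the iptables LOG target, which writes one line per packet to the kernel log (/var/log/kern.log on Ubuntu). The added example below, written for this guide and not Firestarter's own code, parses a few constructed log lines of that format into the Events columns (time, port, source, destination, protocol) and implements the two filters in awk; the “Inbound” log prefix and all addresses are made up for the example.

```shell
#!/bin/sh
# Added example for this guide, not Firestarter's own code. Firestarter's
# blocked-packet rules use the iptables LOG target, whose lines land in the
# kernel log (/var/log/kern.log). This script turns such lines into the
# Events tab columns and applies the two "Skip" preferences.
# The log lines below are constructed; prefix and addresses are made up.

SAMPLE_LOG='Mar  3 10:15:42 ubuntu kernel: [ 1234.567890] Inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:43 ubuntu kernel: [ 1235.001122] Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Mar  3 10:15:43 ubuntu kernel: [ 1235.400000] Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51237 DPT=23 SYN URGP=0
Mar  3 10:15:44 ubuntu kernel: [ 1236.200000] Inbound IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:15:44 ubuntu kernel: [ 1236.300000] Inbound IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:15:45 ubuntu cron[1234]: (root) CMD (run-parts /etc/cron.hourly)'

# Reduce each kernel LOG line on stdin to one tab-separated event:
# time, destination port, source, destination, protocol.
# Lines that are not netfilter log entries (the cron line) are ignored.
parse_events() {
    awk '
    /kernel:.*IN=/ {
        src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, dpt, src, dst, proto
    }'
}

# "Skip entries where the destination is not the firewall": keep only
# events addressed to this machine ($1 is its own address).
only_to_firewall() {
    awk -F'\t' -v me="$1" '$4 == me'
}

# "Skip redundant entries": one line per (source, destination, port,
# protocol), tagged with how many times it was seen; first timestamp kept.
skip_redundant() {
    awk -F'\t' '{
        key = $3 FS $4 FS $2 FS $5
        if (!(key in seen)) { seen[key] = 1; order[++n] = key; first[key] = $0 }
        count[key]++
    }
    END { for (i = 1; i <= n; i++) printf "%s\tx%d\n", first[order[i]], count[order[i]] }'
}

# Usage with the constructed log. On a real host replace the printf with
#   sudo grep 'IN=' /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | parse_events | only_to_firewall 192.0.2.10 | skip_redundant
```

The last sample line (a broadcast to 192.0.2.255) is exactly what the second “Skip” option hides, and the two SYNs to port 22 from the same source collapse into one line marked x2. Reading the raw log this way is also the quickest check that a rule you added is really being hit: if the packets never show up in kern.log, the firewall never saw them.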

Policy

Ubuntu Firewalls. Firestarter: Policy settings

Apply policy changes immediately – checking this box makes rules take effect the moment they are created, instead of waiting for a firewall restart.

Firewall

Ubuntu Firewalls. Firestarter: Firewall settings

Start/restart firewall on:

  • Program startup – starts the firewall when Firestarter is launched.
  • Dial-out – restarts the firewall when you connect to the Internet.
  • DHCP lease renewal – restarts the firewall when your dynamic IP address is renewed, so the rules follow the new address.

Network Settings

Ubuntu Firewalls. Firestarter: Network settings

  • Detected device(s) – lists your network adapters. Select the one used for Internet access (normally eth0 for a wired connection and wlan0 for WiFi).

“Local network connected device” is grayed out unless you have more than one adapter. If you do, and you want to share Internet access with another computer through this one, select here the secondary adapter that connects the two. Also check “Enable Internet connection sharing”, and “Enable DHCP for the local network” if this computer should assign the other one its IP address automatically.

ICMP Filtering

Ubuntu Firewalls. Firestarter: ICMP Filtering

ICMP, the Internet Control Message Protocol, carries network control and error messages: ping, traceroute and “unreachable” notifications all use it. The same messages can be abused for reconnaissance or to flood a host, so it is recommended to check “Enable ICMP filtering”, after which all ICMP traffic is dropped except the types you tick below. Keep at least “Unreachable” allowed: the “fragmentation needed” variant of that message is how path MTU discovery works, and dropping it makes some connections hang silently.

  • Echo request (ping) – lets incoming ping requests through, so other hosts can ping you.
  • Echo reply (ping) – lets ping replies through.
  • Timestamping – allows ICMP timestamp requests.
  • MS Traceroute – allows the echo requests used by the Windows tracert utility.
  • Traceroute – allows the messages generic traceroute utilities rely on.
  • Unreachable – allows “destination unreachable” messages.
  • Address masking – allows ICMP address mask request and reply messages (nothing to do with masquerading).
  • Redirection – allows ICMP redirect messages, which tell a host to use a different gateway; rarely needed, and a spoofed one can reroute your traffic.
  • Source Quenching – allows ICMP source quench messages, an obsolete congestion signal.

ToS Filtering

Ubuntu Firewalls. Firestarter: QoS settings
ToS, or Type of Service, filtering is really a traffic prioritization function: it marks outgoing packets so that one kind of traffic can be favoured over another.
Enable Type of Service filtering – turns the function on.
Prioritize services commonly used by:

  • Workstations – prioritizes browsing, messaging and download traffic.
  • Servers – prioritizes the traffic of server daemons (such as HTTP and FTP servers).
  • The X Window System – prioritizes X11 traffic, that is, remote X display sessions. This only matters if you run graphical applications across the network from another machine.

In addition, you can choose what the selected traffic is optimized for: Throughput, Reliability or Interactivity (low delay).

Note that the ToS mark is only a request: it takes effect only if the routers and other systems on the path honor the field (Quality of Service support); otherwise it changes nothing.

Advanced Options

Ubuntu Firewalls. Firestarter: Advanced settings

  • Preferred packet rejection method – defines how blocked packets are handled. “Reject with error packet” sends an error back to the remote host, which is friendlier to legitimate clients but confirms that your machine exists; “Drop silently” simply ignores the packet, so a scanner has to wait for a timeout.
  • Broadcast traffic – controls filtering of packets addressed to every machine on a network segment. The default, filter broadcasts from outside but accept internal ones, suits most cases. If you watch IPTV on this computer, however, it is recommended that you uncheck “Block broadcasts from external network”.
  • Traffic validation – an additional check that rejects packets whose source address is reserved or impossible for the interface they arrived on. For example, a packet claiming to come from 127.0.0.1, which is always the local host, yet arriving on the Ethernet card is spoofed; with this box checked it is dropped.
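The preferences covered above (connection sharing from Network Settings, ICMP Filtering, ToS Filtering and Advanced Options) each correspond to a handful of iptables rules. The added example below, written for this guide and not taken from Firestarter's own firewall script, prints the equivalent commands for one workstation profile so you can see what each checkbox amounts to; the interface names, the addresses and the list of spoofed networks are assumptions.

```shell
#!/bin/sh
# Added example for this guide, not Firestarter's own firewall script.
# Prints the iptables equivalents of the Network Settings (connection
# sharing), ICMP Filtering, ToS Filtering and Advanced Options preferences.
# Commands are printed for review, not executed. Interface names, addresses
# and the spoofed-network list are assumptions.

WAN_IF="${WAN_IF:-eth0}"   # Internet-facing "detected device"
LAN_IF="${LAN_IF:-eth1}"   # "Local network connected device"

# "Enable Internet connection sharing": forward LAN traffic and hide it
# behind the WAN address (masquerading). Replies come back by state.
sharing_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# "Traffic validation": a packet arriving from the Internet with a source
# address that can only be local is spoofed; drop it before any allow rule.
# Add the RFC 1918 ranges only if WAN_IF really faces the public Internet.
SPOOF_NETS="${SPOOF_NETS:-127.0.0.0/8 0.0.0.0/8}"
validation_rules() {
    for net in $SPOOF_NETS; do
        echo "iptables -A INPUT -i $WAN_IF -s $net -j DROP"
    done
}

# "Block broadcasts from external network".
broadcast_rule() {
    echo "iptables -A INPUT -i $WAN_IF -m pkttype --pkt-type broadcast -j DROP"
}

# "Enable ICMP filtering": accept only the ticked types, drop the rest.
# Arguments are iptables ICMP type names: echo-request, echo-reply,
# timestamp-request, destination-unreachable, time-exceeded, redirect,
# address-mask-request, source-quench.
icmp_rules() {
    for t in "$@"; do
        echo "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "iptables -A INPUT -i $WAN_IF -p icmp -j DROP"
}

# "Enable Type of Service filtering": mark outgoing packets of one service.
# $1 port, $2 one of Minimize-Delay (interactivity), Maximize-Throughput,
# Maximize-Reliability.
tos_rule() {
    echo "iptables -t mangle -A OUTPUT -p tcp --dport $1 -j TOS --set-tos $2"
}

# "Preferred packet rejection method": $1 is drop (silent) or reject.
reject_rule() {
    case "$1" in
        reject) echo "iptables -A INPUT -i $WAN_IF -j REJECT --reject-with icmp-port-unreachable" ;;
        *)      echo "iptables -A INPUT -i $WAN_IF -j DROP" ;;
    esac
}

# A workstation profile: spoof and broadcast checks first, share the
# connection, answer ping, keep the ICMP errors TCP needs (unreachable,
# time exceeded), prioritise SSH for interactivity, drop everything else
# silently. The catch-all must stay last.
advanced_example() {
    validation_rules
    broadcast_rule
    sharing_rules
    icmp_rules echo-request echo-reply destination-unreachable time-exceeded
    tos_rule 22 Minimize-Delay
    reject_rule drop
}

advanced_example
```

Two things to take from the output. The validation and broadcast DROP rules sit before every ACCEPT, because a spoofed packet must not be able to match a later allow rule; and with only echo and the two error types allowed, ICMP redirects and address mask requests never reach the host, which is the point of ticking as few boxes as possible. Leaving destination-unreachable out of the icmp_rules call is the configuration that breaks path MTU discovery.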

Lock

Ubuntu Firewalls. Firestarter: Lock firewall

In addition, Firestarter has a “Lock” button, which locks the firewall settings against modification until your (administrative) password is provided.
