Unsupported Version
Candidate for Deletion
Note: Although Firestarter is fully functional, active development ended in 2005 with version 1.0.3. The latest version is 1.0.3-11. The official website and documentation (last updated August 2012) are here.
Firestarter is therefore deemed abandoned software and has been removed from the Ubuntu repositories as of 13.10 Saucy Salamander. See bug #1183651. For an overview of alternative applications, see Firewall.
Installation must now be done by obtaining and installing the .deb package manually, retrievable from the Raring repositories for either the 32-bit (i386) version here or the 64-bit (amd64) version here.
Introduction
Firestarter is an application which provides a graphical interface for quickly configuring firewall rules and settings (policies). Firestarter itself is not a firewall; rather, it is a front-end for configuring iptables, the firewall system built into the Linux kernel. Firestarter also provides real-time monitoring of network traffic.
Key Features
- Easy to use graphical interface.
- Suitable for use on desktops, servers and gateways.
- Enables Internet connection sharing.
- Allows you to define both inbound and outbound access policy.
- Option to whitelist or blacklist traffic.
- Wizard for easily configuring your firewall.
- Sets up DHCP for a local network.
- Real time firewall events view.
- View active network connections, including any traffic routed through the firewall.
Screenshots
- Firestarter 1.0.3
Installation
To install Firestarter, install the following package: firestarter.
Hints and Tips
Recommended Settings
To open the preferences window, click Edit → Preferences. The preferences are divided into two categories: options that change the interface and options that affect the firewall. Select the following options in the corresponding sections:
Interface Options
Check Enable tray icon and Minimize to tray on window close. (Note: Your firewall will be active when you boot regardless of whether Firestarter is running in the tray or not.)
Policy Options
Check Apply policy changes immediately.
Firewall Options
ICMP Filtering
Select Enable ICMP filtering and check Echo request (ping) and Echo reply (pong) (for network connection testing/troubleshooting).
Disable/Enable the Firewall
To disable the firewall, click Firewall → Stop Firewall, or click the Stop Firewall icon when the Status tab is selected.
To re-enable the firewall, click Firewall → Start Firewall, or click the Start Firewall icon when the Status tab is selected.
Allow an Inbound Event from the Events Tab
Right-click on the connection you would like to allow and select the action you would like to take from the pop-up menu (this is equivalent to creating a new policy). The actions are described as follows:
Allow Connections from Source: This action gives the source of the connection permission to make any connection it wants. This is equivalent to trusting the source blindly and should be used with care.
Allow Inbound Service for Everyone: This action allows everyone to access the service the connection was previously blocked from.
Allow Inbound Service for Source: This action allows only this specific source to access the service in question. This is known as stealthing: no other host except the source will be aware that the service even exists.
Troubleshooting
NetworkManager
It has been reported that there is a conflict between Firestarter and NetworkManager at boot time that can prevent the firewall policies from initializing correctly.
A possible workaround is to edit /etc/firestarter/firestarter.sh:
gksu gedit /etc/firestarter/firestarter.sh
Comment out the following block:
if [ "$MASK" = "" -a "$1" != "stop" ]; then
    echo "External network device $IF is not ready. Aborting.."
    exit 2
fi
So that it looks like this:
#if [ "$MASK" = "" -a "$1" != "stop" ]; then
#    echo "External network device $IF is not ready. Aborting.."
#    exit 2
#fi
Save your changes and reboot.
Stalled connections
When you use an Internet connection whose traffic is rate-limited by dropping packets (for example, on some ADSL ISPs), Firestarter may cause TCP connections to stall. For example, when you try to scp a few megabytes, the process hangs and scp reports "stalled".
This problem is due to bug #258863 in Firestarter. Firestarter contains a script (/etc/firestarter/sysctl-tuning) that disables some kernel TCP mechanisms responsible for efficient connections on networks with packet loss: SACK, window scaling and TCP timestamps.
If you have such problems, consider using UFW, or comment out the following lines in the script mentioned above (I have not tested this):
# Turn off TCP Timestamping in kernel
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
fi

# Set TCP Re-Ordering value in kernel to '5'
if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then
    echo 5 > /proc/sys/net/ipv4/tcp_reordering
fi

# Turn off TCP ACK in kernel
if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_sack
fi

#Turn off TCP Window Scaling in kernel
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
fi
So that it looks like this:
# Turn off TCP Timestamping in kernel
#if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
#    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#fi

# Set TCP Re-Ordering value in kernel to '5'
#if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then
#    echo 5 > /proc/sys/net/ipv4/tcp_reordering
#fi

# Turn off TCP ACK in kernel
#if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
#    echo 0 > /proc/sys/net/ipv4/tcp_sack
#fi

#Turn off TCP Window Scaling in kernel
#if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
#    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#fi
Save your changes and restart firewall:
sudo /etc/init.d/firestarter restart
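As an added diagnostic (not part of Firestarter or of this page's original content), the following POSIX shell script reports which of the mechanisms that sysctl-tuning turns off are currently disabled in the running kernel, and can re-enable them at runtime. The optional base-directory argument is an assumption made so the logic can be exercised against a constructed directory tree instead of the real /proc.

```shell
#!/bin/sh
# Added helper, not part of Firestarter: report which of the TCP mechanisms
# that /etc/firestarter/sysctl-tuning turns off (timestamps, SACK, window
# scaling) are currently disabled; base_dir defaults to /proc/sys/net/ipv4.

# Usage: check_tcp_tuning [base_dir]
# Prints one line per mechanism; returns the number that are disabled.
check_tcp_tuning() {
    base="${1:-/proc/sys/net/ipv4}"
    disabled=0
    for entry in tcp_timestamps:TCP-timestamps tcp_sack:SACK \
                 tcp_window_scaling:window-scaling; do
        file="$base/${entry%%:*}"
        label="${entry#*:}"
        if [ ! -r "$file" ]; then
            echo "$label: $file not present, skipped"
            continue
        fi
        value=$(cat "$file")
        if [ "$value" = "0" ]; then
            echo "$label: DISABLED (0), a sign that sysctl-tuning has run"
            disabled=$((disabled + 1))
        else
            echo "$label: enabled ($value)"
        fi
    done
    if [ -r "$base/tcp_reordering" ]; then
        echo "tcp_reordering: $(cat "$base/tcp_reordering") (sysctl-tuning sets 5)"
    fi
    return "$disabled"
}

# Usage: restore_tcp_defaults [base_dir]
# Re-enables the three mechanisms in the running kernel (needs root on the
# real /proc). This is only a runtime fix: the sysctl-tuning script will
# disable them again unless its lines are commented out as described above.
restore_tcp_defaults() {
    base="${1:-/proc/sys/net/ipv4}"
    for name in tcp_timestamps tcp_sack tcp_window_scaling; do
        if [ -w "$base/$name" ]; then
            echo 1 > "$base/$name"
        fi
    done
    return 0
}
```

To check the live kernel, source the script and call check_tcp_tuning with no argument; its exit status is the number of mechanisms found disabled.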
See Also
Firewall - An introduction to firewalls, and how to manage them in Ubuntu.
Iptables - The tables provided by the Linux kernel firewall.
UFW - The default firewall configuration tool for Ubuntu.
Gufw - A GUI frontend for controlling UFW.
External Links
Firestarter - The official homepage of the Firestarter project.