Note: Although Firestarter is fully functional, active development ended in 2005 with version 1.0.3. The latest package version is 1.0.3-11. The official website and documentation (last updated August 2012) are here.

Firestarter is therefore deemed abandoned software and has been removed from Ubuntu repositories as of 13.10 Saucy Salamander. See bug #1183651. For an overview of alternative applications, see Firewall.

Installation must now be done by obtaining and installing the .deb package manually, retrievable from the Raring repositories for either the 32-bit (i386) version here or the 64-bit (amd64) version here.

Introduction

Firestarter is an application which provides a graphical interface for quickly configuring firewall rules and settings (policies). Firestarter itself is not a firewall, rather, it is a frontend for configuring iptables, which is the firewall system built into the Linux kernel. Firestarter also provides real-time monitoring of network traffic.

Key Features

  • Easy to use graphical interface.
  • Suitable for use on desktops, servers and gateways.
  • Enables Internet connection sharing.
  • Allows you to define both inbound and outbound access policy.
  • Option to whitelist or blacklist traffic.
  • Wizard for easily configuring your firewall.
  • Sets up DHCP for a local network.
  • Real time firewall events view.
  • View active network connections, including any traffic routed through the firewall.

Screenshots

  • Firestarter 1.0.3


Installation

Hints and Tips

To open the preferences window, click Edit → Preferences. The preferences are divided into two categories: options that change the interface and options that affect the firewall. Select the following options in the corresponding sections:

Interface Options

Check Enable tray icon and Minimize to tray on window close. (Note: Your firewall will be active when you boot regardless of whether Firestarter is running in the tray or not.)

Policy Options

Check Apply policy changes immediately.

Firewall Options

ICMP Filtering

Select Enable ICMP filtering and check Echo request (ping) and Echo reply (pong) (for network connection testing/troubleshooting).

Disable/Enable the Firewall

To disable the firewall, click Firewall → Stop Firewall, or click the Stop Firewall icon when the Status tab is selected.

To re-enable the firewall, click Firewall → Start Firewall, or click the Start Firewall icon when the Status tab is selected.

Allow an Inbound Event from the Events Tab

Right-click on the connection you would like to allow and select the action you would like to take from the pop-up menu (this is equivalent to creating a new policy). The actions are described as follows:

  • Allow Connections from Source: This action gives the source of the connection permission to make any connection it wants. This is equivalent to trusting the source blindly and should be carefully used.

  • Allow Inbound Service for Everyone: This action allows everyone to access the service the connection was previously blocked from.

  • Allow Inbound Service for Source: This action allows only this specific source to access the service in question. This is known as stealthing: no host other than the source will be aware that the service even exists.

Troubleshooting

NetworkManager

It has been reported that there is a conflict between Firestarter and NetworkManager when booting that can cause the firewall policies to not initialize correctly.

A possible workaround is to edit /etc/firestarter/firestarter.sh:

gksu gedit /etc/firestarter/firestarter.sh

Comment out the following block:

if [ "$MASK" = "" -a "$1" != "stop" ]; then
    echo "External network device $IF is not ready. Aborting.."
    exit 2
fi

So that it looks like this:

#if [ "$MASK" = "" -a "$1" != "stop" ]; then
#    echo "External network device $IF is not ready. Aborting.."
#    exit 2
#fi

Save your changes and re-boot.

Stalled connections

When you use an Internet connection on which the provider limits traffic by dropping packets (for example, some ADSL ISPs), Firestarter may cause TCP connections to stall. For example, when you try to scp a few megabytes, the transfer hangs and scp reports "stalled".

This problem is due to bug #258863 in Firestarter. Firestarter ships a script (/etc/firestarter/sysctl-tuning) that disables several kernel TCP mechanisms which are responsible for keeping connections efficient on a network with packet loss: SACK, window scaling and TCP timestamps.

If you have such problems, consider using UFW, or comment out the following lines in the script mentioned above (I have not tested this):

# Turn off TCP Timestamping in kernel
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps
fi

# Set TCP Re-Ordering value in kernel to '5'
if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then
  echo 5 > /proc/sys/net/ipv4/tcp_reordering
fi

# Turn off TCP ACK in kernel
if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_sack
fi

#Turn off TCP Window Scaling in kernel
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
fi

So that it looks like this:

# Turn off TCP Timestamping in kernel
#if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
#  echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#fi

# Set TCP Re-Ordering value in kernel to '5'
#if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then
#  echo 5 > /proc/sys/net/ipv4/tcp_reordering
#fi

# Turn off TCP ACK in kernel
#if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
#  echo 0 > /proc/sys/net/ipv4/tcp_sack
#fi

#Turn off TCP Window Scaling in kernel
#if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
#  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#fi

Save your changes and restart the firewall:

sudo /etc/init.d/firestarter restart
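Before editing sysctl-tuning it is worth confirming that the three mechanisms it turns off are actually disabled on the running kernel. The following POSIX shell script is an added example, not part of Firestarter or of this page; the function names and the optional directory argument (defaulting to /proc/sys/net/ipv4, so constructed values can be checked from another directory) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Firestarter project): report which of the TCP
# tunables that /etc/firestarter/sysctl-tuning changes are currently in the
# state that degrades performance on lossy links.

# Print the value of a kernel tunable, or "absent" if the file does not exist.
read_tunable() {
    if [ -e "$1/$2" ]; then
        cat "$1/$2"
    else
        echo absent
    fi
}

# Returns 0 when SACK, window scaling and timestamps are all enabled,
# 1 when at least one of them has been set to 0. One finding per line on stdout.
# The optional first argument is the sysctl directory (assumed name; defaults
# to the live kernel tree).
check_tcp_tuning() {
    dir="${1:-/proc/sys/net/ipv4}"
    problems=0
    for name in tcp_sack tcp_window_scaling tcp_timestamps; do
        value=$(read_tunable "$dir" "$name")
        if [ "$value" = "0" ]; then
            echo "WARN $name=0 (disabled; sysctl-tuning sets it to 0)"
            problems=$((problems + 1))
        else
            echo "ok   $name=$value"
        fi
    done
    # tcp_reordering is informational: sysctl-tuning raises it to 5 (the kernel
    # default is 3), which on its own does not stall connections.
    echo "info tcp_reordering=$(read_tunable "$dir" tcp_reordering)"
    [ "$problems" -eq 0 ]
}

# Number of the three mechanisms that are currently disabled (0..3).
count_disabled() {
    check_tcp_tuning "$1" | grep -c '^WARN'
}

# Run against the live kernel when executed directly.
check_tcp_tuning
```

A result of three WARN lines right after a reboot points at sysctl-tuning as the cause; if all three read "ok" the stall has a different origin and commenting the script out will not help.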

See Also

  • Firewall - An introduction to firewalls, and how to manage them in Ubuntu.

  • Iptables - The tables provided by the Linux kernel firewall.

  • UFW - The default firewall configuration tool for Ubuntu.

  • Gufw - A GUI frontend for controlling UFW.

External Links

  • Firestarter - The official homepage of the Firestarter project.



Firestarter (last edited 2013-12-06 04:15:32 by perspectoff)