
» Security Tools - Firestarter 1.0.3

Related categories: Networks | Security tools | Linux | Firewalls | Security Tools


Viewed: 9751 | Article date: 2006-03-28 11:36:35

A graphical interface for creating simple rules for a netfilter/iptables-based firewall.

Firestarter is a graphical tool for simplifying the process of managing, analysing, supervising and configuring a firewall based on netfilter/iptables. It uses the GTK2 library.

Figure 1. User interface of Firestarter

Quick start: As the administrator of a Linux server that holds confidential data in an InterBase (gds_db) database, we have been given the task of granting access to this database only and exclusively to the users of two computers, with IP addresses 10.10.10.22 and 10.10.10.23. All other IP addresses are to be denied access. To accomplish this task, let us use the Firestarter tool, installed on the same machine as the database.

Let's begin by downloading the installer from the program's home page. We can download the source code or one of the installation packages suitable for our Linux distribution. Root rights (su -) are necessary to install and run the program.

We start the program in graphical mode by typing firestarter (root rights are required). After a while the welcome screen appears; click the Next button to enter the configuration phase. At that stage one has to choose the network interface and the kind of IP address assigned to it (static, or dynamic from DHCP).

Once configuration has been taken care of, the main window of the program will appear. Let's click the Policy tab and then the menu next to the Editing label. Here we can choose one of the two options: Inbound traffic policy (managing policies and rules for incoming connections) or Outbound traffic policy (the same, for outgoing connections).

Starting from version 1.0.3, Firestarter offers the so-called closed policy by default. Connection requests from all IP addresses on all ports are automatically denied, thus relieving us of the need to block access ourselves; thanks to this the program offers strong protection from the first start. All that remains for us to do is grant access rights to the database to the users of computers with IP addresses 10.10.10.22 and 10.10.10.23.

In the Inbound traffic policy menu, we right-click on the empty, blank field in the Allow service section, then select Add rule. Next, we define the service (gds_db), set the port (3050 - default for InterBase/gds_db) and enter the IP address of one of the users we want to grant access to. Now we accept the rule and repeat the process to grant the same privilege to the second user. All that is left now is to click Apply policy in order to commit the changes we have just made.

Other useful features: Firestarter also lets us define general rules that allow access from a given IP address on every port. To use this feature, instead of the Allow service section we right-click in the Allow connections from host section, select Add rule and enter the IP address in the Allow connections from field. In the Comment field we can add a comment describing the rule it refers to.
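What Firestarter builds from the Quick start and the host-based rule above is, underneath, a netfilter/iptables rule set: a closed (default-deny) INPUT policy, then explicit ACCEPT rules for the two database clients. The following script is an added example, not Firestarter's own generated output or code from this article; it prints the equivalent iptables commands so they can be reviewed before anything is applied, and only runs them when APPLY_RULES=1 is set. The interface name eth0, the use of the state match and the LOG prefix are assumptions; the addresses and port 3050 come from the article.

```sh
#!/bin/sh
# Added example: iptables equivalent of the Firestarter policy described in the article.
# Closed inbound policy, then allow TCP 3050 (InterBase/gds_db) from exactly two hosts.
# Assumptions (not from the article): external interface eth0, iptables "state" match available.

DB_PORT=3050
ALLOWED_HOSTS="10.10.10.22 10.10.10.23"
WAN_IF="${WAN_IF:-eth0}"   # assumed external interface name

# Equivalent of the "Allow service" rules from the Quick start: print, do not apply.
gds_rules() {
    printf '%s\n' "iptables -P INPUT DROP"                      # closed policy (default deny)
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"            # local processes may talk to the DB
    printf '%s\n' "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for h in $ALLOWED_HOSTS; do
        printf '%s\n' "iptables -A INPUT -i $WAN_IF -p tcp -s $h --dport $DB_PORT -m state --state NEW -j ACCEPT"
    done
    # Anything else is logged (this is what Firestarter's Events tab shows) and then dropped by policy.
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -j LOG --log-prefix \"DROPPED: \""
}

# Equivalent of an "Allow connections from host" rule: the host gets every port, not just 3050.
# Broader than the service rule; use only when the whole host is trusted.
host_rules() {
    for h in $ALLOWED_HOSTS; do
        printf '%s\n' "iptables -A INPUT -i $WAN_IF -s $h -j ACCEPT"
    done
}

# Apply the reviewed rule set (requires root). Inspect afterwards with: iptables -L INPUT -n -v
apply_rules() {
    gds_rules | sh
}

# Default action is a dry run: show the rules so they can be checked against the requirement
# ("only 10.10.10.22 and 10.10.10.23 may reach port 3050") before they go live.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    apply_rules
else
    gds_rules
fi
```

Run it as root with APPLY_RULES=1 to load the rules; without that variable it only prints them. The rule order matters: the ESTABLISHED,RELATED rule lets replies to the database's own connections through, the two per-host rules admit new sessions only on port 3050, and the final LOG rule records every other packet before the DROP policy discards it, which is the same information the article later describes under the Events tab.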

It is also worth knowing that under the Events tab we can find information about blocked connections, whereas the Status tab shows active connections and network traffic (the amount of data transferred and the current transfer rate). Moreover, in the Preferences window (available from the Edit menu) we can enable blocking of ICMP events (ICMP Filtering) or set packet priorities according to type (ToS Filtering).

Drawbacks: While Firestarter allows easy management of access rights and lets one protect a system against unauthorised access, it can never define rules as precisely as editing iptables rules by hand. It is also not possible to manually edit the rules it has defined.

Copyright © 2006 by Software Developer's Journal. All rights reserved.