Tuesday, December 30, 2008

Firewall and Internet sharing - Firestarter

Introduction

Firestarter is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators.

Installation

Firestarter is packaged for many of the leading Linux distributions. Using a pre-compiled package ensures that the program will integrate properly with your distribution of choice. For platforms for which a binary package does not yet exist and for experienced users, Firestarter can also be compiled from source.

Installing in Fedora Core, Red Hat Linux, SuSE or Mandrake

Firestarter is conveniently available in RPM package format for RPM-enabled Linux distributions like Fedora Core, SuSE and Mandrake.

Once you have downloaded the Firestarter RPM specific to your distribution, open a terminal and change to the directory where you downloaded the RPM. Type the following commands to install the package:

[bash]$ su
Password: [Type your root password and hit enter]
[bash]$ rpm -Uvh firestarter*rpm
Preparing...
...

Barring any unresolved dependencies or other problems, Firestarter should now be installed. Alternatively you can use a graphical package manager by double clicking the RPM file in your file manager.

Installing in Debian and Ubuntu

Firestarter is maintained in Debian and can be downloaded and installed using the apt-get tool by simply typing "apt-get install firestarter".

Ubuntu users can install Firestarter by enabling the "universe" repository in the /etc/apt/sources.list file or in synaptic under Settings->Repositories. Having enabled the repository, the procedure is the same as in Debian.

Installing in Gentoo

Firestarter is fully supported in the Gentoo distribution by the Portage system. Simply run "emerge firestarter" to install the program.

Compiling and installing from source

Start by downloading the tar.gz version of Firestarter. Unpack the tarball and move into the newly created directory:

[bash]$ tar -zxvf firestarter*tar.gz
...
[bash]$ cd firestarter

Run the configure script. There is no need to give any parameters to the script, but we recommend you at least specify the sysconfdir variable, which determines the directory the firewall configuration will be written to. For a full list of options, see ./configure --help.

[bash]$ ./configure --sysconfdir=/etc
checking for a BSD compatible install... /usr/bin/install -c
...

By default Firestarter will be installed into the /usr/local tree when compiling from source; you can override this by setting the prefix option.

If the configure stage completed without problem you should now be able to compile and install the program:

[bash]$ make
...
[bash]$ su
Password: [Type your root password and hit enter]
[bash]$ make install
...

The make install stage is optional. You can also run Firestarter directly from the src subdirectory of the build tree if you want. In that case you must however first issue "make install-data-local" in the build directory. This installs the GConf configuration schema; Firestarter will not run without it.

Installing a Firestarter init script

When you install Firestarter from a package the program is automatically registered to run as a system service. This means the firewall is also running even if the graphical program is not. If you compile Firestarter from source and want this same functionality, you will have to install a system init script for your distribution.

In the firestarter tarball you will find .init files. These are service startup scripts tailored to specific distributions, although you can likely use one even if it doesn't exactly match your distribution with a bit of editing.

To install the service, copy the init file to /etc/init.d/ and rename it to firestarter.init. After this you must tell the system to use the new script; exactly how this is done varies between distributions. If your distribution has the chkconfig tool available, simply run "chkconfig firestarter reset" and the service will be registered.


Starting Firestarter

After downloading and installing Firestarter, you will find the Firestarter icon in your desktop's programs menu. For example, in Fedora Core the Firestarter icon is located in the System tools menu. Alternatively you can run the program by simply executing "firestarter" from either a command line or from the Run Application... dialog (accessed by pressing Alt-F2).

Password prompt

Unless you are already logged in as root, you will be prompted for your root user password when starting Firestarter as a regular user.

Running Firestarter for the first time

Since you are running Firestarter for the first time, a wizard is launched. Following the welcome screen, you will be asked to select your network device from a list of detected choices for your machine. In case you have multiple devices, select the one that provides your Internet connection, otherwise you can use the default supplied.

In case your machine has multiple devices and can act as a gateway for your network, you will next have the option of sharing your Internet connection among all the computers on your local network. Again, simply select the local network connected device from the list of detected devices. If you wish for the clients to acquire their network settings automatically, simply check the option to Enable DHCP for local network.

Having completed the wizard, click the Save button on the final page. The firewall is now ready and running, and your machine has an added layer of security. Firestarter now works in its default mode, which is a restrictive policy for incoming traffic and a permissive stance towards outgoing connections. This means you are fully protected against connection attempts from the outside, but are still able to browse the web, read your email, etc. as normal. There is no need to further configure Firestarter if you are satisfied with these defaults.


Trying out the Firestarter interface

The main Firestarter application

Let's take a quick look at some of the features of the program itself. The application is divided into three pages, accessed through a tabbed notebook interface. These pages are Status, giving you a fast overview of the state of the firewall; Events, where blocked intrusion attempts and the firewall history are shown; and Policy, where you alter the behavior of the firewall by creating security policy.

From the Status page, where you start out, you can further access the preferences, where you can change your network settings as well as enable advanced options such as ICMP or ToS filtering. For now, let's take a look at the Events page.

Reacting to events

On the events page you will see all connections that the firewall has terminated since you started the program. By pressing the reload button you can also import all the previous events as recorded in the system log. This is really the core of the Firestarter program. Firestarter starts out in a restrictive mode, providing complete protection against incoming intrusions. That means that if you are running a legitimate service on your machine, for example a web server or SSH, connections to these services will also be stopped and recorded here at first.

Traditional firewalls will have you scrambling for the settings and configuration files at this point. However, when you see a connection attempt that you want to authorize, you simply right-click the entry in Firestarter and select "Allow inbound service for everyone". If you want to give access to the machine that is attempting the connection, but without even letting anyone else know that you're running the service in question, select "Allow inbound service for source". This is known as stealthing and can be a very powerful tool.

Creating policy

The previous example of enabling the service could also have been accomplished from the Policy page. However, it is not just a gimmick: in reality you will often want to create policy from events for maximum security. By opening services to select machines only after the connection attempt, as shown above, you effectively minimize your exposure on the net. It's also very convenient.

Let's take a look at a legitimate reason to resort to the Policy page. Say Firestarter is running on your gateway, doing Internet connection sharing for your local network. On your local network you have a desktop, on which you wish to use the BitTorrent application. The BitTorrent manual tells you to "forward ports 6881-6889 from your firewall". With Firestarter this kind of setup is a piece of cake. Select the Policy page, right-click on the list marked Forward service and select Add rule. You will be presented with a dialog for creating a new policy rule. Select BitTorrent from the service drop-down, fill in the IP of the client and you're done. Click the Apply Policy button to apply the changes.

Quitting the program

A frequently asked question is what happens when you quit the program. The answer is that the firewall will keep functioning. If you are running Firestarter as a system service, which is automatically set up for you when installing Firestarter from a binary package, the firewall is in many cases even running before you start the program.

Internet connection sharing

Firestarter has the ability to share the firewall host's Internet connection among all the computers on your local network. This is done through a technique called Network Address Translation, or NAT. To the outside world the cluster of machines will look like a single machine with a single IP address.

For connection sharing to work you need to have two or more network devices in your firewall. If the local network is set up correctly, enabling connection sharing is as easy as enabling the option in either the firewall wizard or the Firestarter preferences.

The physical setup and network device settings

Figure: A complex NAT setup (sharing a connection with a local network)

The procedure for setting up a network using connection sharing is essentially the same whether you have only two computers or a more complex network with hubs or switches connecting multiple computers. For this example we will be assuming that the Internet connected device on the firewall is an Ethernet card, but a modem or ISDN will work too.

The Firewall/gateway machine connected to the Internet will need two network cards and the clients need one each.

The first network card in the firewall, the external interface, will be the one physically connected to the Internet. This card is usually automatically configured with DHCP. The second network card in the firewall, the internal interface, will be connected to the client machines via either a crossover cable if the connection goes directly to another computer, or regular cable if you have a hub or switch.

Figure: A simple NAT setup (sharing a connection with a single computer)

The internal interface of the firewall needs to be statically configured. There are many ways to configure a network interface depending on the distribution you use. Fedora and Red Hat Linux ship with a simple command line tool called netconfig and a more sophisticated graphical tool called system-config-network. system-config-network works better with multiple network cards in the same machine, so we recommend you try it. Other distributions include their own configuration tools, for example in SuSE you would use the Yast program.

No matter how you decide to configure the network cards, these are settings you should enter:

For the external device (usually eth0):
  • Enable dynamic IP configuration (DHCP)
  • That's it. You're done, don't touch this card further.
The internal device (usually eth1):
  • Disable dynamic IP configuration
  • IP address: 192.168.0.1
  • Netmask: 255.255.255.0
  • Default gateway (IP):

Any changes you make will take effect after a reboot, or more elegantly after a restart of the network services (run "/etc/init.d/network restart" as root in most distributions).

Configuring the clients

There are two ways to configure the clients. The more elegant and in the long run easier way is to run a DHCP service on the firewall. A DHCP server distributes the network settings such as the IP address, the default gateway, nameservers, etc. at run time to each client. The alternative to using a DHCP server is to configure every client manually.

Using the DHCP service is as easy as simply enabling it in Firestarter. For more information about the service and how to configure it, refer to the section on configuring the DHCP server.

When using DHCP, the clients need only be configured to use dynamic IP configuration. No other settings need to be changed.

Configuring the clients manually

If you do not wish to use the DHCP service, configure the network devices of the clients to use the following settings:

  • Disable dynamic IP configuration
  • IP address: 192.168.0.2 to 192.168.0.254, with each client using a unique IP
  • Netmask: 255.255.255.0
  • Default gateway (IP): 192.168.0.1
  • Primary nameserver: Set this to the same nameserver as used on the firewall. You can see the correct setting in the /etc/resolv.conf file on the firewall.

Restart the network service and you're done.

Testing the Setup

The computers should now be connected and the hardware level configuration complete. To test that everything is OK, try pinging the gateway from the client and vice versa.

Enter the following at the firewall machine console, to test that the gateway can reach the client:

[bash]$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=255 time=1.37 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=255 time=0.635 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=255 time=0.638 ms

--- 192.168.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2010ms
rtt min/avg/max/mdev = 0.635/0.882/1.375/0.349 ms
[bash]$

In case of DHCP, the IPs might be randomly assigned.

If it is not working you know that the problem lies with the hardware or network configuration. It is common to get the default gateway setting wrong, so double check it.

At this point:
  • The firewall machine should be able to reach the Internet
  • The clients and firewall should be able to ping each other
  • The clients should be able to reach the Internet if the Internet connection sharing option is enabled in Firestarter.
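A shell diagnostic for the client settings listed above and the connectivity checks in this section, added here as an example and not taken from Firestarter or its manual; it assumes the manual's 192.168.0.0/24 addressing, that the first client is 192.168.0.2, and that the ip and ping tools are present:

```shell
#!/bin/sh
# Added diagnostic helper, not part of Firestarter or its manual. It checks the
# settings this section describes: client addresses in 192.168.0.2-254 with no
# duplicates, a client's default route via the firewall, ping with no loss, and
# the kernel forwarding flag that connection sharing relies on.

FW_IP=192.168.0.1                    # internal address of the firewall
CLIENT_IP=${CLIENT_IP:-192.168.0.2}  # assumed first client address

# A manually configured client must use 192.168.0.2 .. 192.168.0.254.
valid_client_ip() {
    case "$1" in 192.168.0.*) ;; *) return 1 ;; esac
    host=${1##*.}
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$host" -ge 2 ] && [ "$host" -le 254 ]; then return 0; fi
    return 1
}

# Each client needs a unique address: fail if the newline-separated list repeats one.
no_duplicate_ips() {
    if [ -z "$(printf '%s\n' "$1" | sort | uniq -d)" ]; then return 0; fi
    return 1
}

# On a client, the output of "ip -4 route show default" must point at the firewall.
gateway_is_firewall() {
    case "$1" in "default via $FW_IP "*) return 0 ;; esac
    return 1
}

# The ping summary must report " 0% loss" ("0% packet loss" on newer iputils).
ping_ok() {
    if printf '%s\n' "$1" | grep -q ' 0% .*loss'; then return 0; fi
    return 1
}
# /proc/sys/net/ipv4/ip_forward must read 1 before NAT can pass client traffic.
forwarding_enabled() { if [ "$1" = 1 ]; then return 0; fi; return 1; }

# Live checks: "sh nat_check.sh gateway" on the firewall, "sh nat_check.sh client" on a client.
run_checks() {
    report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
    if [ "$1" = client ]; then
        report gateway_is_firewall "$(ip -4 route show default)"
        report ping_ok "$(ping -c 3 "$FW_IP" 2>&1)"
    else
        report valid_client_ip "$CLIENT_IP"
        report forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"
        report ping_ok "$(ping -c 3 "$CLIENT_IP" 2>&1)"
    fi
}
case "${1:-}" in gateway|client) run_checks "$1" ;; esac
```

A FAIL from forwarding_enabled on the gateway means connection sharing is not active in Firestarter; a FAIL from gateway_is_firewall on a client is the wrong default gateway setting the section above warns about.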