Using Firestarter to Configure an Ubuntu 10.x Firewall
In Ubuntu 10.x Firewall Basics we looked at ports and services on an Ubuntu system. We also briefly looked at iptables firewall rules on Ubuntu including the creation of a few very simple rules from the command line. In this chapter we will look at a more user friendly approach to iptables configuration using a tool called Firestarter. As we will see, Firestarter provides a high level of control over both inbound and outbound network traffic and connections without the need to understand the lower level iptables syntax.
Installing Firestarter on Ubuntu
Firestarter is not installed by default when Ubuntu is first installed. The first step in using Firestarter, therefore, is to install it.
Firestarter may be installed using either the Ubuntu Software Center or at the Linux command-line using the apt-get utility. To download Firestarter using the software center, select the Applications -> Ubuntu Software Center. Enter firestarter in the search field and select the resulting Firestarter entry. To initiate the installation simply click on the Install button.
To install from the command line, begin by opening a terminal window by selecting the Applications menu and selecting Terminal from the Accessories menu. In the terminal window enter the following command and press enter to execute it:
sudo apt-get install firestarter
Enter your password when prompted to do so and wait while Firestarter is downloaded and installed.
Running Firestarter
Firestarter will now be listed in the Applications -> Internet -> Firestarter desktop menu. To launch Firestarter select this menu option. The first time Firestarter is run it will ask a number of questions about your network environment. Click Forward on the first introductory screen to display the following screen:
Select the device on which you wish to have the firewall operate. If you are connected to a network this is likely to be eth0. If you are connected directly to a cable or DSL modem this may be ppp. If your system obtains an IP address from a DHCP server as opposed to having a static IP address, check this option. Click Forward when you are ready to move to the next screen:
This page controls whether Internet Connection Sharing is to be used. Firestarter allows you to configure a single Linux system as the gateway to the internet. All other computers on your network then access the internet through the gateway system. The computers that access the internet through the gateway system will appear, to the outside world, to have the same IP address as the gateway system. This is essentially a mechanism for sharing a single internet connection amongst a network of multiple computers whilst masking the identity (i.e. the IP address) of those computers. Note that this configuration requires that you have two network cards installed in the system - one for the internet connection and another for the local area network.
Check Enable Internet Connection Sharing if you wish to use this feature. If you would like the system running Firestarter to also allocate IP addresses to the client machines also check the Enable DHCP for local network box (note that this option is only available if the Ubuntu system has previously been configured to act as a DHCP server).
Click Forward to proceed. Finally the wizard is ready to start the firewall. Click the Save button to save your settings, start the firewall and launch the Firestarter application.
Using Firestarter
The following screenshot shows the Firestarter user interface:
The Firestarter Status Screen
In the above screen the Status page is displayed showing that the Firewall is running, the number of events detected, the volume of data that has been sent and received by the system since the firewall was activated and a list of active connections.
In the above example there are outbound SSH and HTTP connections active. This means that someone is connected to another system using SSH and a web browser is running. This list is updated in real-time to reflect any new or closed connections.
The Firestarter Events Screen
Also in the above example it appears that two serious events have been detected by the firewall. To learn more about these events select the Events tab to show the list of events:
The events of concern to us are ones in red. These indicate that the firewall rejected attempts by the systems at IP address 192.168.2.16 and 192.168.2.18 to establish SSH connections with our system. SSH is a protocol for establishing remote connections between computer systems for the purposes of creating a terminal session, executing programs and transferring files. Clearly such an event is a matter of concern, but fortunately the firewall detected and blocked the connection for us.
Right clicking on a blocked event in the list displays a menu containing a number of options. From this menu it is possible to allow connections from this external IP address (for example if you find the access attempt was valid), enable connections of this type from any source and also disable the port used for this type of connection. It is also possible to look up host names so that system names, rather than IP addresses are displayed.
The Firestarter Policy Screen
The Policy screen lists any policy rules which have been set up on the firewall. By default the screen appears as follows (with no rules defined). In the next section of this chapter we will look at defining firewall security policy.
Defining Firewall Policies
Probably the most important task in configuring a firewall is defining policy. This essentially involves specifying what traffic will be permitted by the firewall. Policy is defined in the Policy screen of the Firestarter user interface (as shown above).
Defining Inbound Policy
Firestarter allows Policy to be defined for both inbound and outbound traffic via the Editing menu. Select either Outbound policy or Inbound policy depending on the rules you wish to edit.
We will begin by looking at inbound traffic policy. With Inbound policy selected we can specify the hosts from which we will allow inbound connections. To do so, click in the Allow connections from host area of the screen so that the Add Rule toolbar button activates. Click on the Add Rule button to invoke the Add new inbound rule dialog as shown below:
Enter the host name or IP address of the host for which you wish to enable connections and an optional comment and click the Add button to add the rule. The IP address or host name will now be listed in the Policy screen. Click on the Apply Policy button located in the toolbar to make this policy active.
Firestarter also allows inbound connections to TCP/IP services to be controlled. TCP/IP defines a set of services that can be provided by a network host. These cover services such as HTTP (for running a web server), NFS (for remote access to file systems), SSH (for remote access and file copying between systems). Each of these services runs on a particular network port. For or a complete list of services and their respective ports refer to:
http://www.techotopia.com/index.php/Primary_TCP/IP_Port_Assignments_and_Descriptions
To define Policy for services click in the Allow service area of the Policy screen and click the Add Rule toolbar button to access the add rule dialog:
Select the name of the service you wish to enable (for example if you plan to host a web site on your system you will select HTTP). Once selected, Firestarter will fill in the corresponding port number automatically. Finally, choose to allow access for everyone, or just from specific hosts. If using Internet Connection Sharing you may also allow service access for the LAN client systems sharing the internet connection. Click the Add button to close the Add dialog and click on the Apply Policy to activate the new rule.
The following figure shows the Policy screen with rules defined to allow IP address 192.168.2.21 to establish connections to our system, and to allow anyone to HTTP service to request web pages from a web server on port 80.
Defining Outbound Policy
Outbound Policy controls the types of outbound connections that may be established through the firewall. For example, access for users to particular hosts, web sites or services may be blocked. Firestarter provides two modes for defining outbound policy. Permissive by default allows all outbound connections except those specified as being blacklisted by the policy. Restrictive by default blocks all outbound connections except those specified as being permissible by the policy.
Connections to a specific host may be prevented by selecting Permissive by default, clicking in the Deny connections to host area of the screen and pressing the Add Rule toolbar button. The Add new outbound rule dialog will appear as follows:
Enter any IP address, hostname or URL you wish to block. For example enter www.cnn.com. Add the rule and click on Apply Policy in the toolbar. Once the policy is applied start a web browser and try to access the CNN web site. You will find access is blocked. Remove the rule and re-apply policy and you will find you are once again able to access the CNN web site.
Firestarter also allows outbound connections to be controlled on a per service and per source basis. For example, to block connections to all external services select Restrictive by default and click on Apply Policy. Any attempt to access a web site using a web browser will result in a connection failure. To allow HTTP connections click in the Allow service section of the Policy screen and click on Add Policy. Select HTTP as the service and make sure the Anyone toggle is selected. Click on Apply Policy and try to visit a web site. You will now find that HTTP connections are now allowed, while connections to all other services are still blocked.