Firestarter vs. IP Tables


Cjk
7th November 2004, 11:38 AM
Hi,

Being new to linux and all, I decided to install firestarter rather than manually configuring the IP tables.

Do you think this was the right move?

Basically I have an ip range between 2.0.0.4/15.

I'm not 100% sure Firestarter is doing its job even though I have specified the IP range within the app.

Should I use Firestarter or should I manually flush the IP tables, start from scratch and config manually?

Tashiro
7th November 2004, 12:16 PM
Hi Cjk,

Firestarter is a good choice for a firewall. It has a GUI and that makes it a lot easier.
If you're looking for info on iptables, try this link:

http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html

Tashiro

Cjk
7th November 2004, 12:49 PM

Thanks Tashiro.

IP tables looks complex, so it will take me a lot of reading. Is configuring the IP tables manually a better method than using a front end GUI firewall?

Which would you advise doing and why?

Tashiro
7th November 2004, 01:08 PM
Depends on what you want.

If you want it to work NOW, just configure it with the Firestarter wizard and you're done
in 5 minutes. Firestarter controls the iptables, so it is practically nothing different from iptables.
Except for the GUI of course.

If you want to get to the bottom of this and understand more about networking, you can
read the How-To I linked, do some searching on Google, and spend more time on the
Command Line Interface.

It is all up to you and how much time you're willing to put into it.

Tashiro

gupi
7th November 2004, 01:10 PM
If you want to use IPTables, please also consider shorewall, an excellent wrapper for iptables rules.
Simple and intuitive (text based), yet very efficient.

Gupi

ghaefb
7th November 2004, 02:21 PM
And there is gtk-iptables, a simple GUI for setting an iptables ruleset.
It's handy :)

Dog-One
7th November 2004, 02:29 PM
>> IP tables looks complex, so it will take me a lot of reading. Is configuring the IP tables manually a better method than using a front end GUI firewall? Which would you advise doing and why? <<

I spent a couple of years refining a script that sets iptables the way I want it. The end result is very fine-grained control of everything that goes in or out of the firewall. With my script fairly well organized, I can tweak it as needed with little effort. Another plus is being able to copy it to a new installation and have it running in seconds--no need to install additional software beyond just a minimal install of Fedora (which is usually all I want on my firewall box). Since it's a script, I have been able to consolidate filtering, traffic control policies, logging and other network related items in a single place.

The bad side to using a script like this is the learning curve. For example, I could post my script here on FedoraForum, but few could actually use it as is without very carefully studying every line to know what it does. The script is really only useful if you know it like the back of your hand.

LiNuX-CrUsAdEr
13th November 2004, 06:38 PM
Hi,

I'm a newbie in Linux. Since we could implement both IP tables and Firestarter on an FC box, does this mean that the built-in firewall of FC and TCP_WRAPPER are ineffective nowadays?

Tashiro
13th November 2004, 06:42 PM
Hi

No, but Firestarter has a nice GUI which makes it easy to view logs, open ports
and IP numbers. Iptables is the way to do it on the command line. Both have the
same effect on securing a system.

Tashiro

LiNuX-CrUsAdEr
13th November 2004, 07:12 PM
Hi,

It's true that Firestarter still runs on top of iptables. Got any idea if the built-in firewall of FC (the one labeled Security Level under System Settings) and TCP_WRAPPER (which involves the files hosts.allow and hosts.deny) are still effective compared to the iptables implementation?

crackers
14th November 2004, 01:49 AM
IPTables is the "first line" of defense since it's more packet-driven. The "built in" firewall is actually another interface to configure IPTables, not something separate.

fast sjonny
8th December 2004, 01:23 PM
So, if I understand it right, I can install Firestarter, make the right settings and then keep working without Firestarter active in the background, because Firestarter is only an interface for setting the IP-tables and showing logs in an easier way than the standard IP-table based firewall in Fedora?

What happens when Firestarter is uninstalled again? Are the settings still there in the IP-tables, or do you go back to the default then?

Jan.

Drenon
8th December 2004, 08:00 PM
>> So, if I understand it right, I can install Firestarter, make the right settings and then keep working without Firestarter active in the background, because Firestarter is only an interface for setting the IP-tables and showing logs in an easier way than the standard IP-table based firewall in Fedora? <<

On Fedora typically, the Firestarter "firewall" will start itself on boot-up automatically and run in the background as a "service" - (you don't need the actual application icon in the tray for it to be running in the background) - however - you can configure the actual policies etc. by starting the actual GUI application itself. Have a quick read through the docs here for more -

http://www.fs-security.com/docs.php

(One of the nice features with Firestarter is the ability to easily change the default outbound policy to a restrictive one, and then only allow outbound connections to the ports/services you require ;))

fast sjonny
8th December 2004, 09:16 PM
Hi Drenon,

Thanks for your reply.

I have installed Firestarter now, switched to restrictive and have set the rules for ftp, http, mail and msn.

The only thing I miss is the possibility to make rules for applications. Now it is done on IP, and all processes which want to use a port are free to do that.

But it is much easier than editing IP-tables by hand and much better than the default permissive mode ;)

Jan.

asun
9th December 2004, 12:18 AM
I believe when you uninstall firestarter, all your iptables rules will be reverted to what they were before. In case it does not, you'd better save yourself a copy of /etc/sysconfig/iptables (maybe a different file) first. Or you can run this command:
> iptables-save > firewall-rules
Now the file firewall-rules can be restored by:
> iptables-restore < firewall-rules
To save it permanently so that it'll load up on every startup, do:
> service iptables save

TCP_WRAPPER is for your xinetd service, I believe. This way, all your services that are listening on certain ports are started through xinetd. When a request arrives, xinetd will start the corresponding service. Of course xinetd will first refer to hosts.allow and hosts.deny before accepting any incoming request. As stated before, this only happens after the packet has gone through iptables/netfilter. Iptables is your very first / outermost gate.
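
The restrictive outbound policy Drenon describes and the firewall-rules file asun saves and restores, written out as an added example (not code from this thread, from Firestarter or from Fedora): a POSIX sh script that generates a ruleset in the format iptables-save writes and iptables-restore reads. The allowed-service list (Jan's ftp, http, mail and msn plus https and DNS) and the FW-DROP log prefixes are constructed for the example.

```shell
#!/bin/sh
# Added example: generate a restrictive-outbound iptables ruleset file.
# Not code from the thread or from Firestarter; the service list below is a
# constructed sample using the usual default ports.

ALLOWED_OUT="ftp:tcp:21 http:tcp:80 https:tcp:443 smtp:tcp:25 pop3:tcp:110 msn:tcp:1863 dns:udp:53"

# Emit a complete ruleset in iptables-save format (what iptables-restore reads).
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this box opened are let back in; new inbound is not.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per listed service; the default OUTPUT policy drops the rest.
    for entry in $ALLOWED_OUT; do
        name=${entry%%:*}
        port=${entry##*:}
        proto=${entry#*:}; proto=${proto%%:*}
        echo "-A OUTPUT -p $proto --dport $port -m state --state NEW -m comment --comment \"$name\" -j ACCEPT"
    done
    # Log what the DROP policies are about to discard, so an unexpected
    # connection like the port 8080 one in the thread shows up in the kernel log.
    echo '-A INPUT -j LOG --log-prefix "FW-DROP-IN: "'
    echo '-A OUTPUT -j LOG --log-prefix "FW-DROP-OUT: "'
    echo 'COMMIT'
}

# Return 0 if a new outbound connection to proto/port would be accepted.
is_allowed_out() {
    gen_ruleset | grep -qF -- "-A OUTPUT -p $1 --dport $2 -m state --state NEW "
}

# Usage: sh fw-gen.sh --print > firewall-rules ; iptables-restore < firewall-rules
case "${1:-}" in --print) gen_ruleset ;; esac
```

After loading the file with iptables-restore, "service iptables save" (as asun notes) writes the live rules back to /etc/sysconfig/iptables so they survive a reboot.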

fast sjonny
9th December 2004, 08:45 AM
Wow, all those people willing to help, great! ;)

One strange thing, or maybe not, that I noticed has nothing to do with firestarter itself but with the rules.
I have set up rules for all the things I am doing on the internet (ftp, http, mail etc.).
There is one website, http://www.marktplaats.nl, a website for selling stuff, where, when I have looked at an advertisement and hit the back-button, port 8080 is used. As far as I know 8080 is used for a proxy, and I do not have a proxy and am not using an outside proxy. At this moment I have given it free, but is this normal?

Jan.

Drenon
9th December 2004, 11:56 AM
Quick description of port 8080 here:

http://grc.com/port_8080.htm

One port you will need though for "secure" shopping is 443 https - i.e. allow outbound connections to 443 :)

fast sjonny
9th December 2004, 12:09 PM
Thanks ;)

Jan

Mess
4th October 2006, 06:18 PM
One question. If I have firestarter, can I turn off the iptables service?