Fedora 3, need firestarter help


williesub
13th February 2005, 04:13 AM
Installed Fedora 3 today to replace my ailing accounting server for a small business.

My set up is a 3com firewall connected to a cable modem.

I have anywhere from 5-8 PCs (Windows XP and Win 2k), 2 development terabyte servers (1 Windows 2003 and 1 Windows 2000 video server) that run occasionally to sometimes full time.

The 3com firewall is also my DHCP server set to offer up to 25 addresses.

I would just like Firestarter to allow incoming and outgoing to/from the Fedora server to my 25 addresses or the subnet, which is 255.255.255.0. I would also like it to allow the Fedora server to occasionally browse the internet, mostly for tech stuff, and run the Fedora updates. Fedora has two shares using Samba.

This server isn't acting as a firewall for the network nor is it acting as a Web server, just a simple file sharing server.

When I set the Firestarter service to run, I cannot even ping the server; with the Firestarter service stopped, I can access both the Samba shares and of course ping the server.

I have turned off the firewall under the security features.

In the Firestarter GUI I have tried numerous combos of settings, from individual IP addresses to the subnet.

I did see a fairly simple iptables script under network security, but am not up to the task of learning everything about iptables.

If anyone has any suggestions, I thank you in advance. My knowledge is middle of the road on this stuff and relatively low on Linux.

Thanks in advance.

macemoneta
13th February 2005, 04:28 AM
We'll need the IP address of the Fedora machine, and the list of services you want to enable connectivity for (just Samba?) in order to create an iptables configuration for you.

jayemef
13th February 2005, 06:56 AM

What version of Firestarter are you running? This makes a difference, as the latest release looks very different from the first. However, it is fairly easy to work with. If you are running the latest (1.0.3), just go to the Policy tab. From there, if you wish to set policies for individual IPs, right-click in the white box under Allow Connections from Host and set your IPs there. If you want to open ports, right-click in the white box under Allow Service and add your ports there. For Samba you'll want to open 137 and 139. Firestarter allows for web browsing by default. If you are having trouble with it blocking something, go to the Events tab and watch it as you attempt to use that service. It will show you what it is blocking, as well as the host, port, and other useful information.

Nighthawk4
13th February 2005, 01:53 PM
Thanks Jayemef - that is the clearest instructions I have ever seen for setting up Firestarter. Iptables leaves me completely baffled, but that was very helpful. :)

williesub
13th February 2005, 05:15 PM
Follow-up to my original post.

Kernel 2.6.10-1.760_FC3smp

Fedora server is 192.168.199.90 255.255.255.0
The rest of the computers are in the 70-89 IP range. A Windows NT server (that this is going to replace) and a Windows 2003 server. No domain, just set up as a workgroup.

The Fedora box just needs to have two Windows shares on it.

In regards to what services I need, I'm not sure. I obviously need SMB. There is no FTP site, email or web hosting on this. I need to go out and get updates, web surf for tech issues, and just the SMB share.



I am running version 1.03 of Firestarter. I'm thinking my problems are elsewhere. Firestarter service off, and it works. Firestarter on, and it doesn't work.

With the Firestarter service on, I cannot ping the Fs2a server, nor can I mount the 2 shares I have. I can ping the IP address. Windows networking brings up the Fs2a server, but says it "is not accessible". I can also ping it by its IP address but not by the server name.

I have tried about every combination of accepting both incoming and outgoing IP addresses, services, etc. I have the security firewall turned off in Linux.

Here is a list of what's on:
[root@Fs2a ~]# chkconfig --list
spamassassin 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
yum 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mDNSResponder 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bluetooth 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcsvcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
diskdump 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cups-config-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
readahead 0:off 1:off 2:off 3:off 4:off 5:on 6:off
readahead_early 0:off 1:off 2:off 3:off 4:off 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lm_sensors 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smb 0:off 1:off 2:off 3:off 4:off 5:on 6:off
vncserver 0:off 1:off 2:off 3:off 4:off 5:off 6:off
microcode_ctl 0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
firestarter 0:off 1:off 2:on 3:on 4:on 5:off 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nifd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netdump 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
daytime: off
krb5-telnet: off
time-udp: off
daytime-udp: off
cups-lpd: off
time: off
eklogin: off
kshell: off
echo-udp: off
rsync: off
chargen-udp: off
gssftp: off
klogin: off
echo: off
chargen: off

I'm stuck right now and continue to fiddle. I may go try an iptables script I found; I emailed it to a friend to see if he thought it would give me the protection for a workstation.

Here is the script I found.

#!/bin/bash
# Stateless workstation firewall. The address below (172.16.200.3) belongs to
# the network this script was written for; change it to your own host or
# subnet before running it.

# flush all rules in the filter table
iptables -F

# default policy: drop every incoming packet that no rule below accepts
iptables -P INPUT DROP

# allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# allow everything from this one local address
iptables -A INPUT -p tcp -s 172.16.200.3 -j ACCEPT
iptables -A INPUT -p udp -s 172.16.200.3 -j ACCEPT

# allow replies to connections this host started (web, DNS, updates);
# no -p here so that related ICMP errors are accepted as well
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# log everything else before the DROP policy discards it
iptables -A INPUT -j LOG --log-prefix "INPUT drop: "

I'm open to any comments. Sorry for typos and bad grammar, I am multitasking right now and way behind.



Thanks again
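
An added example (not part of this thread): the chkconfig listing above is per-runlevel, and reading it by column shows that smb is enabled only at runlevel 5 while firestarter is enabled at runlevels 2-4 and off at 5, so on a box that boots into runlevel 5 the Samba service starts and the Firestarter init script does not. The following Python script, written for this page rather than taken from the thread, parses an embedded excerpt copied from that listing and reports such mismatches. The service names passed to unprotected_runlevels are assumptions chosen for the demonstration.

```python
"""Parse `chkconfig --list` output and report what is enabled per runlevel.

Added example; not from the thread. The input is an excerpt of the listing
posted above, embedded here so the script runs offline.
"""

# Excerpt of the posted `chkconfig --list` output (SysV services only; the
# "xinetd based services:" section uses a different layout and is skipped).
SAMPLE_CHKCONFIG = """\
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap         0:off 1:off 2:off 3:on  4:on  5:on  6:off
nfslock         0:off 1:off 2:off 3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:off 3:off 4:off 5:off 6:off
smb             0:off 1:off 2:off 3:off 4:off 5:on  6:off
firestarter     0:off 1:off 2:on  3:on  4:on  5:off 6:off
sendmail        0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd          0:off 1:off 2:off 3:on  4:on  5:on  6:off
xinetd based services:
        rsync:  off
"""


def parse_chkconfig(text):
    """Return {service: {runlevel: enabled}} from `chkconfig --list` output."""
    services = {}
    for line in text.splitlines():
        parts = line.split()
        # A SysV entry is a name followed by seven "N:on|off" fields.
        if len(parts) != 8 or not all(":" in p for p in parts[1:]):
            continue
        levels = {}
        for field in parts[1:]:
            level, state = field.split(":", 1)
            levels[int(level)] = state == "on"
        services[parts[0]] = levels
    return services


def enabled_at(services, runlevel):
    """Names of services started when booting into `runlevel`."""
    return sorted(name for name, lv in services.items() if lv.get(runlevel, False))


def differs_between(services, level_a, level_b):
    """Services whose on/off state differs between two runlevels (e.g. 3 vs 5)."""
    return sorted(name for name, lv in services.items()
                  if lv.get(level_a, False) != lv.get(level_b, False))


def unprotected_runlevels(services, firewall="firestarter", exposed=("smb",)):
    """Runlevels where an exposed service starts but the firewall script does not.

    The default service names are assumptions for this demonstration.
    """
    fw = services.get(firewall, {})
    result = []
    for level in range(7):
        if not fw.get(level, False) and any(
                services.get(svc, {}).get(level, False) for svc in exposed):
            result.append(level)
    return result


if __name__ == "__main__":
    svc = parse_chkconfig(SAMPLE_CHKCONFIG)
    print("on at runlevel 5:", enabled_at(svc, 5))
    print("differs 3 vs 5:", differs_between(svc, 3, 5))
    print("exposed without firewall script:", unprotected_runlevels(svc))
```

Run it against the real output with `chkconfig --list | python3 chk.py` after swapping the embedded sample for `sys.stdin.read()`; the runlevel to care about is the `initdefault` entry in /etc/inittab.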

macemoneta
13th February 2005, 06:07 PM
Based on your input, this iptables configuration should do the job for you (I also allowed SSH, DNS and NTP (time) incoming connections). I suggest you (as root):

mv /etc/sysconfig/iptables /etc/sysconfig/iptables.original

before saving the following as the new /etc/sysconfig/iptables. Then reload the firewall with (as root):

service iptables restart

# Manually created firewall configuration, 2-13-2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Accept replies to connections this host opened itself (yum, web browsing,
# and the UDP answers to its own DNS lookups). Without this rule those UDP
# replies, which arrive on ephemeral ports, fall through to the REJECT below.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow anyone to SSH, on default port 22, to this machine
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
# DNS, port 53 incoming
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
# NTP Network Time, port 123 incoming
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 123 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -j ACCEPT
# Allow only local users access to Samba, ports 137,138,139,445
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.199.0/24 --dport 137:139 -d 0/0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.199.0/24 --dport 137:139 -d 0/0 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.199.0/24 --dport 445 -d 0/0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.199.0/24 --dport 445 -d 0/0 --syn -j ACCEPT
# Reject all others
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Firewall-1-INPUT -p udp -m udp -j REJECT
COMMIT
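
An added example, not from the thread, that traces a few constructed packets through a simplified model of the chain posted above (SSH, DNS, Samba from the LAN, then REJECT; the NTP rules are left out). It is evaluated twice, once with no connection-tracking rule and once with a leading ESTABLISHED,RELATED rule, to show why a chain that only opens specific destination ports still needs conntrack: the UDP answers to the server's own DNS lookups arrive on an ephemeral port and hit the final UDP REJECT. The rule and packet model is this example's own, and the source addresses 192.0.2.x and 198.51.100.x are documentation ranges chosen for it.

```python
"""Trace sample packets through a chain modelled on the posted RH-Firewall-1-INPUT rules.

Added example; not from the thread. The chain is a simplified model of the
posted iptables-save rules, evaluated without and with a conntrack rule.
"""
import ipaddress


def rule(target, proto=None, src=None, dports=None, syn=None, states=None):
    """One rule: every non-None field must match for `target` to apply."""
    return {"target": target, "proto": proto, "src": src,
            "dports": dports, "syn": syn, "states": states}


def packet(proto, src, dport, syn=False, state="NEW"):
    """A packet as the INPUT chain sees it; `state` is what conntrack assigned."""
    return {"proto": proto, "src": src, "dport": dport, "syn": syn, "state": state}


def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None and (
            ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"])):
        return False
    if r["dports"] is not None and not r["dports"][0] <= pkt["dport"] <= r["dports"][1]:
        return False
    if r["syn"] is not None and r["syn"] != pkt["syn"]:  # --syn: SYN set, ACK/RST/FIN clear
        return False
    if r["states"] is not None and pkt["state"] not in r["states"]:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; the chain policy (INPUT ACCEPT above) applies otherwise."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


LAN = "192.168.199.0/24"
PORT_RULES = [
    rule("ACCEPT", proto="tcp", dports=(22, 22), syn=True),            # ssh from anywhere
    rule("ACCEPT", proto="udp", dports=(53, 53)),                      # dns queries to us
    rule("ACCEPT", proto="udp", src=LAN, dports=(137, 139)),           # samba, LAN only
    rule("ACCEPT", proto="tcp", src=LAN, dports=(137, 139), syn=True),
    rule("ACCEPT", proto="tcp", src=LAN, dports=(445, 445), syn=True),
    rule("REJECT", proto="tcp", syn=True),                             # other new TCP
    rule("REJECT", proto="udp"),                                       # all other UDP
]
STATELESS = PORT_RULES
STATEFUL = [rule("ACCEPT", states={"ESTABLISHED", "RELATED"})] + PORT_RULES

# Constructed test traffic. The two "reply" packets answer connections the
# server itself opened, so conntrack has already marked them ESTABLISHED.
PACKETS = {
    "samba_from_lan": packet("tcp", "192.168.199.75", 445, syn=True),
    "samba_from_internet": packet("tcp", "198.51.100.7", 445, syn=True),
    "ssh_from_internet": packet("tcp", "198.51.100.7", 22, syn=True),
    "udp_probe_from_internet": packet("udp", "198.51.100.7", 161),
    "dns_reply_to_server": packet("udp", "192.0.2.53", 33000, state="ESTABLISHED"),
    "http_reply_to_server": packet("tcp", "192.0.2.80", 33001, state="ESTABLISHED"),
}


def verdicts(chain):
    """Map each sample packet name to the verdict the given chain produces."""
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(label, verdicts(chain))
```

Note what the stateless run shows for the HTTP reply: a non-SYN TCP segment slips past the `--syn` REJECT to the ACCEPT policy, which is why web browsing appears to work even without conntrack, but it also means any unsolicited non-SYN TCP segment from the internet reaches the host. The conntrack rule followed by a catch-all REJECT is the cleaner design.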

williesub
14th February 2005, 12:29 AM
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.199.0/24 --dport 445 -d 0/0

What does the 0/23 mean?

Is there a way to include or exclude a range of addresses?

thanks

macemoneta
14th February 2005, 02:16 AM
The 192.168.199.0/24 means IP addresses on the 192.168.199.0 subnet with a netmask of 255.255.255.0; it's a shorthand. The "24" is the number of "1" bits in the netmask that define the network portion of the address (the remainder is the host addresses). The netmask 255.255.255.0 in binary is "11111111.11111111.11111111.00000000" -- 24 "1" bits in the network portion of the netmask.

The "-s 192.168.199.0/24" says that only source IP addresses on your subnet are permitted to connect to the specified port. You can use any valid set of IP address specifications (see man iptables for the details). You can individually authorize IP addresses by replicating the statements and specifying an individual address on each if you'd like.
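
An added example (not from the thread) that works through the netmask arithmetic explained above and the range question: it converts 255.255.255.0 to /24 and back, tests whether an address falls inside an `-s` specification, breaks the .70-.89 workstation range mentioned earlier into the CIDR blocks that `-s` accepts, and emits Samba rules for each block. The function names and the chain name are the example's own; the port assignments are the standard NetBIOS/SMB ones.

```python
"""Netmask arithmetic and iptables source specifications for address ranges.

Added example; not from the thread. Uses only the standard library.
"""
import ipaddress


def prefix_from_netmask(netmask):
    """255.255.255.0 -> 24: count the leading one bits of a contiguous mask."""
    bits = int(ipaddress.IPv4Address(netmask))
    prefix = bin(bits).count("1")
    # A valid mask is all ones followed by all zeros; reject anything else.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous netmask: " + netmask)
    return prefix


def netmask_from_prefix(prefix):
    """24 -> 255.255.255.0"""
    return str(ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask)


def in_subnet(address, network):
    """True if `address` would match an iptables `-s network` test."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(network)


def cidr_blocks_for_range(first, last):
    """Smallest list of CIDR blocks covering exactly first..last."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def samba_rules(sources, chain="RH-Firewall-1-INPUT"):
    """iptables-save lines opening Samba from each source spec.

    Ports per service: 137/udp and 138/udp (NetBIOS name and datagram),
    139/tcp (NetBIOS session) and 445/tcp (SMB over TCP).
    """
    lines = []
    for src in sources:
        lines.append("-A %s -p udp -m udp -s %s --dport 137:138 -j ACCEPT" % (chain, src))
        lines.append("-A %s -p tcp -m tcp -s %s --dport 139 --syn -j ACCEPT" % (chain, src))
        lines.append("-A %s -p tcp -m tcp -s %s --dport 445 --syn -j ACCEPT" % (chain, src))
    return lines


if __name__ == "__main__":
    print(prefix_from_netmask("255.255.255.0"), netmask_from_prefix(24))
    blocks = cidr_blocks_for_range("192.168.199.70", "192.168.199.89")
    print(blocks)
    print("\n".join(samba_rules(blocks)))
```

The .70-.89 range is not a single CIDR block, so it comes out as four (/31, /29, /29, /31), each needing its own copy of the rules. Where the iprange match module is available, `-m iprange --src-range 192.168.199.70-192.168.199.89` expresses the same range in one rule; the CIDR split is the portable fallback, and a spec can be negated with `!` to exclude it instead.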

Nighthawk4
22nd February 2005, 08:47 AM
Ever since I enabled Firestarter, I have been getting error messages on Bootup - saying that Firestarter cannot find device ppp0.

I am on a Dialup Connection, so it seems likely that ppp0 will not be found until I do a Manual Dial. Therefore, I don't see this as a real error - it is just annoying.

Is there any way to stop this without having to start Firestarter manually, please? Perhaps start Firestarter from the dialup rather than on bootup?

The only other Network I have is a LAN connection to my other PC, which is running XPpro. They both share the same Dialup, so only one can be online at any time. That has McAfee and ZoneAlarm running - both on Bootup.

wapgeek
22nd February 2005, 10:31 AM
Yes, I think the latest version of Firestarter has got problems. Me too, I am facing many problems after upgrading. It even blocks the gmail.com site; I can't even ping any IP. :(

w5set
24th February 2005, 01:09 AM
wapgeek: look in the Firestarter setup, Policy tab, Outgoing traffic. Do you have the "Permissive by default" button checked? If not, check it.

williesub
24th February 2005, 01:31 AM
I have finally given up on Firestarter. It's too flaky, or I'm just trying to do too much too quickly.

Thank you macemoneta, I took your iptables code and used that. I spent some time looking into what it was doing, and about the only thing I changed was at the very end: I changed the last two lines' ending from REJECT to DROP.

I also changed the range to just allow for about 30 IP addresses and will look into not allowing any forwarding. I'll also limit SSH to just a couple of internal IPs.

I'll be backing up two data shares via my network to another RAID 5 server. I'm now contemplating using Ghost to mirror the system, as it's a pretty quick rebuild, and then restoring the data files from the other server.

I have 3 identical drives. One is running the system and the other(s) would be for making an exact copy of the first drive. Maybe making a copy once a month or after any significant upgrades.

Can anyone tell me what I'd have to do from within Fedora 3 to make an exact copy of the drive, including the boot track info etc., using Linux as opposed to booting with Ghost?

thanks

LiNuX-CrUsAdEr
25th February 2005, 02:28 AM
Firestarter has a NAT feature. When using NAT functionality, you normally need to have two interfaces, one connected to the public Internet and the other connected to your private network. You must define in Firestarter's options which interface is connected to the public Internet and which to the private network.

The interface connected to the public Internet would only accept traffic from hosts with public IP addresses. Likewise, the interface connected to your private network accepts only traffic from hosts with private IP addresses. This is all possible through Firestarter's list of private addresses in the /etc/firestarter/non-routables file.

For example, if your FC box is connected to the Internet through a DSL connection using PPPoE, the name of the interface would normally be ppp0. You can then set the interface connected to the public Internet to ppp0. On the other hand, if the interface connected to your private network is eth0, set it as your private interface.