
Firestarter User's Manual


2005-01-07
http://www.fs-security.com

Index

1 Firestarter in a nutshell
2 A quick tutorial
3 Installation
4 Interface and basic usage
5 The firewall wizard
6 The status page
7 The events page
8 The policy page
9 The preferences
10 Working with policy
11 Internet connection sharing
12 Configuring the DHCP server
13 Advanced topics
14 Persistence of the firewall
15 Kernel requirements
16 Virtual Private Networking
17 Frequently asked questions
18 Developing Firestarter
19 Getting Firestarter from CVS
20 The Firestarter license

1. Introduction

Firestarter is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators. We strongly believe that your job is to make the high level security policy decisions and ours is to take care of the underlying details. This is a departure from your typical Linux firewall, which has traditionally required arcane implementation specific knowledge.

Why you need a firewall

A firewall does not guarantee security, but in most environments it is the first line of defense against network based attacks.

You can use Firestarter on your...

... desktop or laptop. Our philosophy of simplicity has made Firestarter the most widely used Linux desktop firewall software available today.

... server. Firestarter can be installed onto individual servers and managed graphically over SSH or using the shell.

... gateway or dedicated firewall. Firestarter will set up Internet connection sharing for you with a minimum of fuss. Want DHCP for the clients? Sure, you could configure it yourself, but we know you never get around to doing it; with Firestarter it only takes one click.

Firestarter features

- Open Source software, available free of charge
- User friendly, easy to use, graphical interface
- A wizard walks you through setting up your firewall the first time
- Suitable for use on desktops, servers and gateways
- Real-time firewall event monitor shows intrusion attempts as they happen
- Enables Internet connection sharing, optionally with DHCP service for the clients
- Allows you to define both inbound and outbound access policy
- Open or stealth ports, shaping your firewalling with just a few mouse clicks
- Enable port forwarding for your local network in just seconds
- Option to whitelist or blacklist traffic
- Real time firewall events view
- View active network connections, including any traffic routed through the firewall
- Advanced Linux kernel tuning features provide protection from flooding, broadcasting and spoofing
- Support for tuning ICMP parameters to stop Denial of Service (DoS) attacks
- Support for tuning ToS parameters to improve services for connected client computers
- Ability to hook up user defined scripts or rulesets before or after firewall activation
- Supports Linux kernels 2.4 and 2.6
- Translations available for many languages (38 languages as of November 2004)

2. A quick tutorial

Starting Firestarter

After downloading and installing Firestarter, you will find the Firestarter icon in your desktop's programs menu. For example, in Fedora Core the Firestarter icon is located in the System Tools menu. Alternatively you can run the program by simply executing "firestarter" from either a command line or from the Run Application... dialog (accessed by pressing Alt-F2). Unless you are already logged in as root, you will be prompted for the root password when starting Firestarter as a regular user.

Running Firestarter for the first time

Since you are running Firestarter for the first time, a wizard is launched. Following the welcome screen, you will be asked to select your network device from a list of the devices detected on your machine. If you have multiple devices, select the one that provides your Internet connection; otherwise you can use the default supplied.

If your machine has multiple devices and can act as a gateway for your network, you will next have the option of sharing your Internet connection among all the computers on your local network. Again, simply select the device connected to the local network from the list of detected devices. If you wish the clients to acquire their network settings automatically, check the option to Enable DHCP for local network.

Having completed the wizard, click the Save button on the final page. The firewall is now ready and running, and your machine has an added layer of security.

Firestarter now works in its default mode, which is a restrictive policy for incoming traffic and a permissive stance towards outgoing connections. This means that unsolicited connection attempts from the outside are blocked, but you are still able to browse the web, read your email, etc. as normal. There is no need to further configure Firestarter if you are satisfied with these defaults. Read more about the wizard.

Trying out the Firestarter interface

Let's take a quick look at some of the features of the program itself. The application is divided into three pages, accessed through a tabbed notebook interface. These pages are Status, giving you a fast overview of the state of the firewall; Events, where blocked intrusion attempts and the firewall history are shown; and Policy, where you alter the behavior of the firewall by creating security policy. From the Status page, where you start out, you can further access the preferences, where you can change your network settings as well as enable advanced options such as ICMP or ToS filtering. For now, let's take a look at the Events page.

Reacting to events

On the Events page you will see all connections that the firewall has terminated since you started the program. By pressing the Reload button you can also import all the previous events as recorded in the system log. This is really the core of the Firestarter program.

Firestarter starts out in a restrictive mode, blocking all incoming connection attempts. That means that if you are running a legitimate service on your machine, for example a web server or SSH, connections to these services will also be stopped and recorded here at first. Traditional firewalls will have you scrambling for the settings and configuration files at this point. However, when you see a connection attempt that you want to authorize, you simply right-click the entry in Firestarter and select "Allow inbound service for everyone". If you want to give access to the machine that is attempting the connection, but without even letting anyone else know that you're running the service in question, select "Allow inbound service for source". This is known as stealthing and can be a very powerful tool. Keep in mind that such a rule is keyed on the source IP address alone: every host sharing that address (behind the same NAT, for example) gets the same access, and a host whose address changes loses it.

Creating policy

The previous example of enabling the service could also have been accomplished from the Policy page. Creating policy from events is not just a gimmick, though; in practice you will often want to do so for maximum security. By opening services to selected machines only after the connection attempt, as shown above, you minimize your exposure on the net. It's also very convenient.

Let's take a look at a legitimate reason to resort to the Policy page. Say Firestarter is running on your gateway, doing Internet connection sharing for your local network. On your local network you have a desktop on which you wish to use the BitTorrent application. The BitTorrent manual tells you to "forward ports 6881-6889 from your firewall". With Firestarter this kind of setup is a piece of cake. Select the Policy page, right click on the list marked Forward service and select Add rule. You will be presented with a dialog for creating a new policy rule. Select BitTorrent from the service drop-down, fill in the IP of the client and you're done. Click the Apply Policy button to apply the changes.

Of course, that's only scratching the surface of what the Policy page can do. Another powerful feature is the ability to restrict outgoing traffic. For more information, refer to the section on working with outbound policy.

Quitting the program

A frequently asked question is what happens when you quit the program. The answer is that the firewall keeps functioning. If you are running Firestarter as a system service, which is set up automatically when installing Firestarter from a binary package, the firewall is in many cases even running before you start the program.

3. Installation

Firestarter is packaged for many of the leading Linux distributions. Using a pre-compiled package ensures that the program will integrate properly with your distribution of choice. For platforms for which a binary package does not yet exist, and for experienced users, Firestarter can also be compiled from source.

Installing in Fedora Core, Red Hat Linux, SuSE or Mandrake

Firestarter is conveniently available in RPM package format for RPM enabled Linux distributions like Fedora Core, SuSE and Mandrake. Once you have downloaded the Firestarter RPM specific to your distribution, open a terminal and change to the directory where you downloaded the RPM. Type the following commands to install the package:

    [bash]$ su
    Password: [Type your root password and hit enter]
    [bash]$ rpm -Uvh firestarter*rpm
    Preparing...
    ...

Barring any unresolved dependencies or other problems, Firestarter should now be installed. Alternatively you can use a graphical package manager by double clicking the RPM file in your file manager.

Installing in Debian and Ubuntu

Firestarter is maintained in Debian and can be downloaded and installed using the apt-get tool by simply typing "apt-get install firestarter" as root.
Ubuntu users can install Firestarter by enabling the "universe" repository in the /etc/apt/sources.list file or in Synaptic under Settings->Repositories. Having enabled the repository, the procedure is the same as in Debian.

Installing in Gentoo

Firestarter is fully supported in the Gentoo distribution by the Portage system. Simply run "emerge firestarter" to install the program.

Compiling and installing from source

Start by downloading the tar.gz version of Firestarter. Unpack the tarball and move into the newly created directory:

    [bash]$ tar -zxvf firestarter*tar.gz
    ...
    [bash]$ cd firestarter

Run the configure script. There is no need to give any parameters to the script, but we recommend you at least specify the sysconfdir variable, which determines the directory the firewall configuration will be written to. For a full list of options, see ./configure --help.

    [bash]$ ./configure --sysconfdir=/etc
    checking for a BSD compatible install... /usr/bin/install -c
    ...

By default Firestarter is installed into the /usr/local tree when compiling from source; you can override this with the prefix option. If the configure stage completed without problems you should now be able to compile and install the program:

    [bash]$ make
    ...
    [bash]$ su
    Password: [Type your root password and hit enter]
    [bash]$ make install
    ...

The make install stage is optional. You can also run Firestarter directly from the src subdirectory of the build tree if you want. In that case you must however first issue "make install-data-local" in the build directory. This installs the GConf configuration schema; Firestarter will not run without it.

Installing a Firestarter init script

When you install Firestarter from a package, the program is automatically registered to run as a system service. This means the firewall is running even if the graphical program is not. If you compile Firestarter from source and want this same functionality, you will have to install a system init script for your distribution. In the Firestarter tarball you will find .init files. These are service startup scripts tailored to specific distributions, although with a bit of editing you can likely use one even if it doesn't exactly match your distribution. To install the service, copy the init file to /etc/init.d/ and rename it to firestarter.init. After this you must tell the system to use the new script; exactly how this is done varies between distributions. If your distribution has the chkconfig tool available, simply run "chkconfig firestarter reset" and the service will be registered. For more information about the Firestarter system service, refer to the section on firewall persistence.

4. Interface and basic usage

The main components of the Firestarter interface are:

The firewall wizard: guides you through configuring the application the first time you run Firestarter.

The status page: the first page in the main interface gives you a quick overview of the state of the firewall, as well as allowing you to start and shut it down.

The events page: the second page in the main interface contains the intrusion attempt history of the firewall.

The policy page: the final page in the main interface is where you review your access policy. The policy alone determines what is allowed through the firewall.

The preferences: control many aspects of the interface, as well as giving you the option to enable some additional filtering functions of the firewall.

5. The firewall wizard

The Firestarter firewall wizard is automatically launched when you start the program for the first time. If you want to return to the wizard at a later time, it is also accessible from the Firewall menu in the main interface. All of the choices made in the wizard can also be changed later through the preferences.
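The right-click actions from the tutorial ("Allow inbound service for everyone", "Allow inbound service for source"), the Forward service rule and the Internet connection sharing the wizard sets up all come down to iptables rules that Firestarter writes for you. The script below is an added example, not Firestarter's own code or its actual rule set; it shows the shape of those rules for the gateway scenario of the tutorial. The device names eth0 and eth1, the admin host 203.0.113.7, the LAN range 192.168.1.0/24, the client 192.168.1.10 and the log prefixes are assumptions. By default it only prints the commands so they can be reviewed; with FS_APPLY=1 it executes them, which requires root.

```shell
#!/bin/sh
# Added example, not Firestarter's own code: the iptables rules behind the
# actions described in the tutorial and the wizard. Rules are printed for
# review by default; run with FS_APPLY=1 as root to execute them. Device
# names and addresses below are assumptions, not values from the manual.

EXT_IF=eth0              # Internet-facing device chosen in the wizard (assumed)
LAN_IF=eth1              # device connected to the shared local network (assumed)
LAN_NET=192.168.1.0/24   # address range of the local network (assumed)

# Print a command, or execute it when FS_APPLY=1.
run() {
    if [ "${FS_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Default mode: unsolicited inbound connections are dropped, replies to
# connections the host started are accepted, outbound traffic is allowed.
base_policy() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# "Allow inbound service for everyone": open a port to any source.
allow_service_for_everyone() {   # proto port
    run iptables -A INPUT -i "$EXT_IF" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# "Allow inbound service for source": open a port to one host only. The
# DROP policy still applies to everyone else, so they get no reply at all
# and the port stays invisible to them (the "stealthing" of the tutorial).
allow_service_for_source() {     # source proto port
    run iptables -A INPUT -i "$EXT_IF" -s "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# Internet connection sharing: hide the LAN behind the external address.
share_connection() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# "Forward service": rewrite the destination of inbound traffic to a LAN
# client and let the rewritten packets through FORWARD.
forward_service() {              # client proto port-or-range
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p "$2" --dport "$3" -j DNAT --to-destination "$1"
    run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# Anything not accepted above is logged (these entries are what the Events
# page shows) and then dropped by the chain policy. Appended last on purpose.
log_rest() {
    run iptables -A INPUT -i "$EXT_IF" -m state --state NEW -j LOG --log-prefix FS-INBOUND:
    run iptables -A FORWARD -m state --state NEW -j LOG --log-prefix FS-FORWARD:
}

# The gateway scenario of the tutorial: restrictive defaults, SSH opened to
# one admin host, connection sharing, BitTorrent forwarded to a desktop.
full_policy() {
    base_policy
    allow_service_for_source 203.0.113.7 tcp 22
    share_connection
    forward_service 192.168.1.10 tcp 6881:6889
    log_rest
}

full_policy
```

The order matters: the allow rules are appended before the final LOG rules, so only traffic that nothing accepted is logged, and the chain policy then drops it without sending a reply. If the LOG rules were placed first, every permitted connection would show up as an event too.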
Network device setup

This page of the wizard is for configuring the primary network device; that is, your Internet connected network adapter. The wizard automatically discovers all devices currently present in your machine. Generally, you will use either a pppxx or ethxx device, unless you have some special hardware. ppp is usually associated with a dial-up device, while eth is the norm for most broadband connected machines. Some cable modem users might have to select ppp0 as their device, even if eth0 is also offered. This is because of the PPPoE protocol used by their ISP. If you see a ppp device in the list and you do not have a modem, you should probably select it as your network device.

The following two options are available:

Start the firewall on dial-out: If you have a dialup (PPP) device or a VPN interface where the connection will be down occasionally, you should select this option. When enabled, Firestarter will try to reload the firewall as soon as the connection is established.

IP address is assigned via DHCP: If your network settings, such as the IP address of your computer, are distributed via DHCP, you should enable this option. If you are connecting to the Internet using a cable, DSL or direct Ethernet connection you should almost always select this option. It is perfectly safe to select this option even if there is no DHCP server on your network. With this option enabled, Firestarter reloads the firewall when your network settings change.

Internet connection sharing setup

Internet connection sharing allows several machines to access the Internet through a single network connection. This is done using NAT. To the outside world the group of machines will look like a single machine with a single IP address. For NAT to work you need two or more network devices in your machine. If you only have one device, this page will not show in the wizard.

To enable NAT, simply select a device from the drop down list of autodetected devices. You must select a device other than the one you selected on the previous page. For an in-depth look at the subject, as well as how to configure the DHCP service, read our guide to Internet connection sharing. Generally however, both NAT and DHCP will work out of the box simply by enabling them in the wizard, without the need to configure anything.

Ready to start the firewall

At the final page you have the option to either discard your changes or accept and save your choices. As soon as you click Save, the firewall is started. At this point Firestarter will be working in its default secure mode and there is no immediate need to further configure anything. The default mode implements a restrictive policy for incoming traffic and a permissive stance towards outgoing connections. For more information about the default mode of operation and how to change it, refer to the section on creating policy.

6. The status page

The status page is the first page you see when you start up Firestarter. This page gives you an overview of the firewall, as well as allowing you to change the state of the firewall. The state is changed through the buttons on the toolbar at the top of the page. There are three states the firewall can be in:

Active: The firewall is enabled and working.

Disabled: The firewall has been stopped. In this state the security policy is not enforced and all connections are accepted.

Locked: The firewall is in a state of lock-down. Nothing is allowed through the firewall, neither in nor out.

A button on the toolbar of the status page allows you to access the program preferences. The status page is further divided into three separate sections.

Firewall status

The firewall status section shows you at a glance the state the firewall is in. It does this through the icons depicted to the right. A count is also kept of the number of firewall events, meaning blocked connection attempts, since program startup. The events are separated based on the direction of the attempted connection. If the connection originated from the firewall host or from a client on the LAN, it is classified as outbound, otherwise inbound. An event is further marked and counted as critical if Firestarter thinks it is a genuine threat and you should pay closer attention to it. For more information about the various types of events, please see the section on events.

Network status

The network section of the status page gives you an overview of the network resource usage. It contains a list of all the network devices in the firewall host, as well as some metrics for each device. The following device metrics are gathered:

Device: The device name as reported by the operating system.
Type: The role of the device in the firewall, or the generic device type if Firestarter is not using the device in question.
Received: The amount of incoming traffic received through the device, in megabytes.
Sent: The amount of outgoing traffic sent through the device, in megabytes.
Activity: The current network bandwidth usage of the device.

Active connections

Active connections is a view into the firewall engine itself. It lists every established connection the firewall is tracking at any given moment. These connections include incoming traffic to the firewall as well as outgoing connections and the programs they are associated with. Furthermore, all the traffic that is being routed through the firewall, in case Internet connection sharing is enabled, is also tracked. The following data points are recorded for each tracked connection:

Source: The host that established the connection.
Destination: The target host of the connection.
Port: The network port the connection is using at the target host.
Service: The name of the network service associated with the port in question.
Program: The name of the program that created the connection. This information is only available for connections local to the firewall host.

The entries in the active connections list are color coded as follows:

Black: A currently active connection.
Gray: A terminated connection. Terminated connections are removed from the list after 10 seconds.

Using the context-sensitive menu associated with the entries, accessed through the right mouse button, there is the option to resolve the hostnames of the source and destination of a connection.

7. The events page

The events page shows the history of connections blocked by the
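The Events page, and the inbound/outbound counters in the Firewall status section, are built from the LOG entries that the firewall rules write to the system log, which is also what the Reload button imports. As an added example that is not Firestarter's own code, the script below rebuilds that view from a few constructed syslog lines in the standard netfilter LOG format. The log prefixes, the role of eth1 as the LAN device, the addresses and the sample lines themselves are assumptions; the direction rule is the one stated above (traffic that entered on the LAN device or left from the firewall host itself is outbound, everything else inbound).

```shell
#!/bin/sh
# Added example, not Firestarter's own code: rebuilding the Events page
# from the kernel log. The constructed lines below, in the netfilter LOG
# format, stand in for /var/log/messages. Log prefixes, device roles and
# addresses are assumptions.

LAN_IF=eth1   # device connected to the shared local network (assumed)

# Constructed sample log lines (not captured traffic). Two inbound probes
# from the Internet, one LAN client blocked in FORWARD, and one packet from
# the firewall host itself blocked by an outbound rule.
SAMPLE_LOG='Jan  7 10:15:32 gateway kernel: FS-INBOUND: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  7 10:15:40 gateway kernel: FS-INBOUND: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=44124 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  7 10:16:02 gateway kernel: FS-FORWARD: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.44 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=51000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  7 10:16:30 gateway kernel: FS-OUTBOUND: IN= OUT=eth0 SRC=203.0.113.1 DST=192.0.2.99 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=778 DF PROTO=UDP SPT=40000 DPT=53 LEN=48'

# Read log lines on stdin and print one event per line:
#   direction source destination protocol target-port
# Only lines carrying a netfilter LOG record (PROTO=...) are considered.
classify_events() {
    awk -v lan="$LAN_IF" '
    /kernel: / && /PROTO=/ {
        in_dev = ""; src = ""; dst = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")    in_dev = kv[2]
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "DST")   dst = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        # Empty IN= means the packet was generated by the firewall host;
        # IN= on the LAN device means it came from a client. Both count
        # as outbound; anything else is an inbound attempt.
        dir = (in_dev == lan || in_dev == "") ? "outbound" : "inbound"
        print dir, src, dst, proto, dpt
    }'
}

# The two counters of the Firewall status section, from stdin log lines.
count_events() {
    classify_events | awk '
        { n[$1]++ }
        END { printf "inbound=%d outbound=%d\n", n["inbound"], n["outbound"] }'
}

printf '%s\n' "$SAMPLE_LOG" | classify_events
printf '%s\n' "$SAMPLE_LOG" | count_events
```

Feed real data with something like grep for the log prefix on /var/log/messages piped into classify_events; the prefix is whatever the LOG rules on the host use, so check it with iptables -L before relying on it.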