- 11-21-2007 #1 Just Joined!
- Join Date: Nov 2007
- Posts: 8
Firestarter inbound traffic policies
Hi,
I’m new to Linux.
I have just installed Fedora 7 and Firestarter on my machine.
I cannot understand the behavior of Firestarter's inbound traffic policies.
1. I allowed connections from host X
2. I allowed the HTTP service only for IP Y
3. I forwarded the HTTP service to internal IP Z.
I would expect that only IP Y and X (specified in the allowed services and allowed connections policies) would be forwarded to IP Z, but it looks like connections from all IPs are forwarded to IP Z.
Could someone explain where I am wrong?
Thanks for your assistance
- 11-22-2007 #2 Linux Enthusiast
- Join Date: Aug 2006
- Location: Portsmouth, UK
- Posts: 539
Hi Eric,
To be honest, I've always found Firestarter to be a bit flaky; don't get me wrong, it's great if you want an outward-bound-only NATting tool.
A good GUI tool is fwbuilder; it's very similar to CheckPoint's firewall one.
If you want to be sure that there are no holes in your firewall, the best bet is to learn iptables.
Better still, get a hardware firewall.
- 11-22-2007 #3 Just Joined!
- Join Date: Nov 2007
- Posts: 8
Hi Matonb,
Thanks for the reply.
I wanted to come back with good news that I'm running fwbuilder already, but it looks like it's going to take some time.
Installation successful. Setting up is going to take some time. Unfortunately the tutorials I found are for older versions and I am not able to get 'routing' right.
Fwbuilder's options look much better than Firestarter's. Just hope I will manage to get it running before breakfast.
Iptables - I will think about learning them as soon as I'm comfortable with fwbuilder (a few years at least). By this time there will be more choice.
In the meantime...
- 11-22-2007 #4 Linux Enthusiast
- Join Date: Aug 2006
- Location: Portsmouth, UK
- Posts: 539
Eric, feel free to ask questions; I'll do my best to answer them.
There used to be a really good beginner's guide on the fwbuilder site, no idea where it's gone now though!
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 11-22-2007 #5 Just Joined!
- Join Date: Nov 2007
- Posts: 8
Hi Matonb,
Thanks.
For manuals I went to the source, fwbuilder.org. Right now I'm looking for something better.
I got stuck at routing. Maybe I understand it wrong, but I want to forward communication to an internal IP. Should I do it with routing?
eth0 is on fix external
eth1 is on fix internal
created lo: created from template (127.0.0.0 / 255.0.0.0)
I thought to put in the Routing rules:
destination: IP on eth0
gateway: my internal IP destination (does it make any sense?)
interface: IP on eth1 (???)
There are still many things I cannot sort out, so I have no chance to test it.
Thanks for assistance
- 11-23-2007 #6 Linux Enthusiast
- Join Date: Aug 2006
- Location: Portsmouth, UK
- Posts: 539
Hi Eric,
I'll have a look this evening and let you know
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 11-23-2007 #7 Just Joined!
- Join Date: Nov 2007
- Posts: 8
Hi,
I'm going through the manuals from fwbuilder.org. They are pretty old, but I'm slowly getting some ideas about the software and principles.
I wanted to start my machine allowing 'everyone for everything' and gradually insert rules, watching how it works. Unfortunately I am not able to get my loopback.
I have doubts about how the loop is described.
The only parameters I can insert are IP 127.0.0.1 / 255.0.0.0
I cannot specify that the loop is between eth0 and eth1.
In Policies, in the Action field, there is an option for routing with the following parameters:
Change inbound interface...
Change outbound interface...
Route through gateway....
When those come in combination with Source / Destination and Direction....
I don't feel it (mostly guesswork) and I cannot find any samples for routing in fwbuilder, but I'M LOOKING for it.
- 11-23-2007 #8 Linux Enthusiast
- Join Date: Aug 2006
- Location: Portsmouth, UK
- Posts: 539
Loopback is always 127.0.0.1?
Have you created a firewall object and some host objects?
As for routing incoming requests from one host to another, use the NAT tab:
Code:
Orig. Src | Orig. Dest | Orig Srv | Trans Src | Trans Dst | Trans Srv |
----------+------------+----------+-----------+-----------+-----------+
Any       | eth0       | HTTP     | Original  | MyHost    | Original  |
You can drag and drop most things from the left toolbar onto the "policy"; also, the selection box just above it lets you choose user-defined objects (mostly hosts / address ranges etc.) and standard objects (predefined port / port ranges etc.).
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
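The NAT rule above combined with the intent of the first post (only hosts X and Y reach the forwarded HTTP service), written as plain iptables rules. This is an added example, not part of the thread: the interface names come from the posts, while every address and the `gen_rules` helper are constructed placeholders. In iptables a translated connection that is routed on to another host is filtered in the FORWARD chain, so the source restriction has to appear there or on the DNAT rule itself.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset that
# forwards HTTP from the external interface to one internal host, for listed
# source addresses only. All addresses are constructed placeholders.

EXT_IF=eth0             # external interface (name from the thread)
INT_IF=eth1             # internal interface (name from the thread)
WEB_HOST=192.168.1.10   # internal web server, "IP Z" / MyHost (placeholder)
PORT=80

# gen_rules SRC [SRC...]: write the ruleset to stdout.
gen_rules() {
    # Refuse to build a rule with no source match: that is the "Any" case,
    # in which every outside host reaches the internal server.
    if [ "$#" -eq 0 ]; then
        echo "gen_rules: at least one allowed source is required" >&2
        return 1
    fi

    # nat table: rewrite the destination before the routing decision.
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]'
    for src in "$@"; do
        printf '%s\n' "-A PREROUTING -i $EXT_IF -s $src -p tcp --dport $PORT -j DNAT --to-destination $WEB_HOST:$PORT"
    done
    printf '%s\n' 'COMMIT'

    # filter table: once translated, the packet is routed to another host,
    # so it is judged by FORWARD. Rules in INPUT never see it.
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Internal hosts may still open connections to the outside.
    printf '%s\n' "-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
    for src in "$@"; do
        printf '%s\n' "-A FORWARD -i $EXT_IF -o $INT_IF -s $src -d $WEB_HOST -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample: host X and host Y from the first post.
gen_rules 203.0.113.5 198.51.100.7
```

To apply, review the output and pipe it to `iptables-restore` as root; by default that replaces the current contents of the nat and filter tables.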
- 11-24-2007 #9 Just Joined!
- Join Date: Nov 2007
- Posts: 8
Hi,
I've got a question about loopback.
Two weeks ago I was using 'ubuntu', and someone set me up a loopback. The setting of the loopback I could see in etc/network/interface.
Someone recommended that I start using Fedora 7, as an easier one for a newbie like me. After installing Fedora I could not locate the file etc/network/interface. I was told I don't need it because I can sort it out with iptables. It is too early for me to make my own iptables, so I went to Firestarter. It allowed me, in a very easy way, to transfer communication from eth0 to any internal IP. There were a few other things that did not work as I thought they should, but at least I could reroute the communication.
The question:
Do I need to create a loopback by creating the file etc/network/interface, or could I manage to reroute my communication with rules and policies in Fwbuilder only?
Thanks for your assistance Matonb,
regards
- 11-24-2007 #10 Linux Enthusiast
- Join Date: Aug 2006
- Location: Portsmouth, UK
- Posts: 539
> I got question about loopback.
> Two weeks ago I was using 'ubuntu', and someone set me up a loopback. The setting of the loopback I could see in etc/network/interface.
> Someone recommended me to start using Fedora 7, as a easier one for newbie like me. After installation of Fedora I could not locate file etc/network/interface.

I'm not sure what they set up for you; a loopback device usually just talks to itself.

> I was told I don't need it because I can sort it out with iptables.

Yes, you can manage all of the routing / address translation with iptables / fwbuilder.
You do need an IP loopback interface, but it's something you should never have to worry about unless you broke it.
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.

