> Heresy? Why?

There is a consensus of some sort among some security people that (a) personal firewalls are useless, (b) using ipchains, iptables, or anything layered thereupon (like Firestarter) to attempt to construct one is a waste of time. (Obviously I don't care what they think, or I wouldn't be beating on the problem...). This relates in some measure to your comment below regarding running processes "calling home"...
> > I have it set up and running and I can get data through it. The problem
> > is that I can't seem to dope out how to properly set it up for packet
> > filtering
>
> This is not a difficult package to install; I did it as a non-technical
> newbie. Maybe you're making it more complex than it is?

It's installed, just fine (with minor exceptions). I can get data through it. I can make it completely block an IP address or completely trust an IP address. What I don't seem to be able to do is (generally) figure out how to control which *applications* can communicate (beginning with a browser), and on which ports, etc. etc. (one of the things that distinguishes a "Personal" firewall...). I can't get Netscape (or even "ping") to be able to access any IP address on the net by default - I have to individually make each address "trusted", or (in the case of "ping") give the DNS servers completely unrestricted access, etc...

> I run Firestarter 0.9.2 and haven't touched it since installation in
> November. It just runs automatically from the init script, like all the
> other Linux services. I just opened it up now to remember what it looks

Which release have you got? If you have 0.9.2 running on stable Woody, I am very, very, VERY interested in how you got *that* installed... (pre-emptive question: did you upgrade the C library, and if so how and to what?) At the moment I'm stuck with 0.8xx because what I've determined thus far about the upgrade is that it's only compatible with Sarge.

I had a problem with running it from the "init" script. I'm starting it manually. (Could *that* be my problem? There was some discussion of *that* as well, on the "sourceforge" lists, but I couldn't convince myself that there was a real issue with whether or not it was run from init.d as far as functionality goes...)

> like. ;) Its GUI is very easy to use to configure your firewall, and I
> use it to protect this desktop box.
> If you use the pull-down menu item
> Edit -> Preferences -> Services, just check the boxes for services you

The key there is "services". I don't have any services I want to make available (yet - I'm sure I'll end up with "ftpd" etc. turned on eventually). I just want things like a browser to be able to communicate. Thus far - and if you've got the magic combination, I'd like to know - turning on various services doesn't seem to enable my browser to work. I have to enable IP addresses for every web site one at a time in the security settings. (There's clearly something really wrong there...). But I can't figure out which services might have to be enabled to make the browser work (if that's what's wrong), and my understanding (again) is that a running program just uses one or more ports for communication - enabling "services" has nothing to do with it - and that just enabling the *ports* on which it communicates should be sufficient. So far, though, no luck...

> want enabled to the public. It's as easy as configuring ZoneAlarm, but
> even more configurable, as I recall.

Yes and no... it's really a different animal. Zone Alarm is "program" oriented - it can keep track of what apps are actually running and grant or deny access to them. I'm trying to sort of dummy up that feature with Firestarter... Zone Alarm, OTOH, knows nothing of ports (or if it does, I've never seen evidence of it, except possibly in the log files.)

> Mine works out-of-the box. I do remember changing some of the settings,
> as needed, in the preferences from the GUI, as mentioned above. I
> changed Reject to Deny, for example.

I haven't tried every combination of everything, but I already feel like a complete idiot so I suppose trying things that make no sense is probably next on the agenda, unless I can find more information somewhere...

> > I thought the idea was to explicitly permit only certain *ports* to
> > communicate,
> > but so far, I can't figure out any way to make *that* work...
>
> Use the Preferences to do this for Incoming by type of Service. I don't
> see how to do that for Outgoing, or even if that is a capability of

It's not important for outgoing data unless (as you warn of below) something is trying to call home. (That question - whether something can "call home" - is one in which I'm very interested, and about which I've heard ominous tidbits - particularly as regards Gatesware, of curse - and which could occupy plenty of bandwidth here by itself, if it hasn't already...) In any case, I'm not trying to solve *that* problem yet (though I would like to know how to get logging for *all* IP transactions set up in Linux; I'm sure *that* at least is documented somewhere - haven't looked).

But again, the key word in your response is "Service"... thus far, unless there's something I'm missing, a "service" has a "daemon" such as inetd or ftpd or named etc. associated with it, and an assigned port or ports, and is completely distinct from what communications happen when you (for instance) spawn a web browser. If that's not true, and I'm somehow braindamaged over this, that could be the source of my confusion and problems, and I'd like to know about it.

> Firestarter. Remember, this isn't windows -- you don't need the same
> kind of "leak" protection from rogue programs calling home (I hope).

Hope springs eternal... If your girlfriend was a computer, would you trust it not to dial out when you weren't there? Are you convinced that nobody has gerbiled a keyhole into Linux anywhere? (Dennis Ritchie wrote a terrific article on how to use a C compiler as a trojan horse, about 30 years ago - I doubt if things have changed much; they can only have gotten worse.) (If this causes this thread to detonate, I'm sorry... please fork another one).
This is one of the reasons I disagree with the anti-personal-firewall Nazis.

> > Is there some dark secret to determining exactly which ports what
> > processes/programs
> > are using, so that they can be selectively enabled in the Firestarter
> > "rules"?
>
> Standard protocols.

I'm not following you there... There is a list in /etc/services, and there is another list which can be obtained from "lsof -i"... but I've noticed that even the "standard" ports have changed over time (the service for port 53, for instance, corresponding to I-forget-what, has now been re-standardized on port 32780, or something... dep't...). Also, the (blocked) net traffic I'm seeing tends to indicate that (for instance) "named" may have a block of available ports... Do I need to go read a couple of standards documents to make this work?

> Have you looked at http://firestarter.sourceforge.net/manual/rules.php ?

Yes - numerous times. That's not to say that I'm not looking right at the solution and failing to see it right under my nose. But for instance (from the manual:)

> Open ports are ports that are freely accessible by everyone (except blocked hosts).
> For example, an open port rule with a value of 80 will allow anyone to access a web
> server running on the firewalled machine.

I tried enabling port 80 (and various others) to everyone and everything and Netscape still can't communicate except on an IP-address-by-IP-address basis. (again, by my understanding, that should come as no surprise since running a "Web server" has nothing to do with making browser communications work... or does it?) But clearly there is *something* that needs to be enabled, because I can only get Netscape to work by explicitly "trusting" the IP address of whatever website I'm trying to access. (again, that behavior I think represents some sort of global setup problem - ?)
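The behaviour described in this message (an "open port 80" rule does nothing for the browser, while "trusting" each web server's address works) is what a packet filter does when it has no rule accepting the *replies* to connections the host itself started. A browser connects from an ephemeral local port to the server's port 80, so the answer comes back addressed to that ephemeral port; an inbound "service" rule for port 80 never matches it, but a source-address "trusted host" rule does, and so does a connection-tracking rule (in iptables, `-m state --state ESTABLISHED,RELATED -j ACCEPT` on INPUT). The model below is an added example written for this page, not code from the thread, from Firestarter or from Debian; the addresses, the ephemeral port and the /etc/services excerpt are all constructed for the demonstration.

```python
"""Toy model of a host packet filter, showing why a client program needs a
connection-tracking (ESTABLISHED) rule rather than an "open port" rule.
Added example; not Firestarter's rule generator."""
from dataclasses import dataclass

# Constructed excerpt in /etc/services format (not any real host's file).
SERVICES_EXCERPT = """\
# name      port/proto   aliases
ftp         21/tcp
ssh         22/tcp
domain      53/tcp
domain      53/udp
http        80/tcp       www
https       443/tcp
"""


def parse_services(text):
    """Map (port, proto) -> service name, ignoring comments and aliases."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (arriving at this host) or "out" (leaving it)


class PersonalFirewall:
    """Rough equivalent of: OUTPUT policy ACCEPT, INPUT policy DROP, plus the
    "open port" and "trusted host" rules a GUI like Firestarter's exposes.
    With stateful=True it also behaves like
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    (hypothetical minimal rule set; the GUI's real rules are more detailed)."""

    def __init__(self, stateful=True, open_inbound_ports=(), trusted_hosts=()):
        self.stateful = stateful
        self.open_inbound = set(open_inbound_ports)
        self.trusted = set(trusted_hosts)
        self.flows = set()  # flows this host initiated (the conntrack table)

    def decide(self, pkt):
        """Return (verdict, matching rule) for one packet, in rule order."""
        if pkt.direction == "out":
            # Outbound is allowed; remember the flow so its replies are known.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT", "OUTPUT policy"
        # An inbound packet is a reply if it mirrors a flow we started.
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.stateful and mirror in self.flows:
            return "ACCEPT", "ESTABLISHED"
        if pkt.src in self.trusted:
            return "ACCEPT", "trusted host"
        if pkt.dport in self.open_inbound:
            return "ACCEPT", "open port (a service this host offers)"
        return "DROP", "INPUT policy"


def simulate_client(fw, proto, server, server_port,
                    client="192.0.2.5", client_port=40001):
    """A client (browser, resolver lookup, ...) sends one packet out and the
    server answers. Returns the two verdicts: (request, reply)."""
    request = Packet(proto, client, client_port, server, server_port, "out")
    reply = Packet(proto, server, server_port, client, client_port, "in")
    return fw.decide(request)[0], fw.decide(reply)[0]


if __name__ == "__main__":
    names = parse_services(SERVICES_EXCERPT)
    cases = {
        "open port 80 only, no conntrack": PersonalFirewall(stateful=False, open_inbound_ports={80}),
        "trust the web server, no conntrack": PersonalFirewall(stateful=False, trusted_hosts={"203.0.113.10"}),
        "ESTABLISHED rule": PersonalFirewall(),
    }
    for label, fw in cases.items():
        out_v, in_v = simulate_client(fw, "tcp", "203.0.113.10", 80)
        print(f"{label:36} request {out_v:6} reply {in_v:6} ({names[(80, 'tcp')]})")
    # A UDP DNS query behaves the same way: the answer mirrors the query's flow.
    print("udp/53 with ESTABLISHED rule:", simulate_client(PersonalFirewall(), "udp", "203.0.113.53", 53))
```

The first case reproduces the situation in the message: the request leaves, the reply is dropped, and no amount of opening "service" ports fixes it because the reply's destination port is the client's ephemeral port, not 80. The second case is the per-address "trusted" workaround; the third is the stateful rule, which lets replies through for every server while still dropping unsolicited inbound connections, so the host offers no service it did not open.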