Firestarter 1.0 Released

Gnome 2.x

After many years, Firestarter 1.0 is finally available. Firestarter is a graphical, easy-to-use firewall program for GNOME. To get an idea of how the program works, take a look at these screenshots.

Changes in this new version include:

  • A completely rewritten user interface
  • A new flexible access policy system
  • The ability to restrict outgoing traffic, and white or blacklisting websites
  • Visual tracking of established connections, and the programs that opened them
  • Improved performance, thanks to gnome-vfs and the asynchronous IO functions
  • Major usability improvements

This version requires GNOME 2.6 or newer. Binary and source packages are available for download.

Disappointed: reversal of concept from previous version

I am terribly sorry to tell you that I am disappointed by your new masterpiece. This is really a reversal of your concept of firewall management. It successfully puts your work on the desk of a dummy. Your previous work was my first choice in my class to teach junior administrators on the workstation. They could freely choose the type of services in the wizard and then pick the range/bulk of hosts or IPs to blacklist.

However, your new master work changes to post-dummy for the end-user. No more efficient control over inbound connections. That eventually puts it out of my choice of teaching material.

I hope all programs will consider the consistency of their concept and not wipe out users' personal data/records without any sign or warning, such as aptrpm (from Fedora), scim (frequency table) and much more..

remote operation

Would it be possible to use this tool remotely, eg using ssh?

yes, after sshing in, run `iptables`

:)

Yes...

If the remote server has enough of the requirements to compile and install it, it should be possible. All you need to do is log in using ssh -X and launch Firestarter. ssh -X will tunnel the X traffic through the encrypted channel.

This method, of course, is not only limited to firestarter. X is, and always has been, network transparent.

But...

Is it possible to administer a remote box while running Firestarter locally? Otherwise it is still SSH and an editor for the machine under my desk.

Just a thought. Having X on a server running the firewall, is that secure?

no need to run X

There is no need to run an X server to be able to run X client programs. Just installing the X client libs should do it (your distro probably does this automatically).

Of course, as long as you don't let it be available to the outside network...

The same for all services on the firewall machine, no matter what the paranoids might want you to think

Yeah, I think you should install gcc too. Just for sure. Oh, and some games of course.

Messed up my system

I tried it a couple of months ago and it looked nice, but when it came time to uninstall it was not pretty. I remember using Debian and just apt-get remove firestarter didn't do the job. It took me a while to realise that it had generated some scripts in /etc/init.d/ and I had to manually remove those to get rid of it. But hopefully all this was just my own fault and not this app's, because Linux needs some simple interface to iptables.

Debian

I've never gotten it to work, either. I use Debian, too -- that may be relevant.

It's almost certainly not your fault. I think one of the things holding back Linux these days is that whenever a piece of software sucks, the response is "It's probably my fault" or "Please add a 'don't eat my files' preference" or something like that. No, it's the program's fault.

They'll often kick and scream if you tell them their program is broken, and try to weasel out of fixing it, but in the end, if we all held their feet to the fire, we'll end up with better software.

Ability to admin remote iptables

Ability to admin remote iptables would be pretty useful. Saves me from the command-line madness iptables sometimes requires.

I agree. Have been hunting like a madman for something like that. The closest I can get is Webmin.

Yeah, that would work. But what I have in mind as the perfect solution is some sort of small daemon, basic enough to be compiled against the most exotic flavours of embedded hardware.

The name

My first association was, a quick-starter applet for Firefox.

Mine too. :)

Just a thought

...what about the ability to admin other boxes, or at least other boxes with Firestarter installed on them? It would be great to be able to set up a firewall on my server from my desktop.

Just installed it

It's very very nice. Pretty much exactly what I've been looking for. One question though: does it use iptables, or does it use its own custom filtering mechanism? I can't seem to find any mention of iptables on the website (though I've only been looking for a few min).

iptables

Yes, it uses iptables.

Syslog ballooning in size

I've been using Firestarter on and off since a few years back, and do like the program. The last time I tried it, however, it seemed to log detailed network traffic to my syslog, which eventually reached a size of several gigabytes; it took me a while to figure out why I kept running out of disk space! Has this bug been fixed? I'd love to use Firestarter again, but obviously not if I will encounter this bug again.

Should be fixed

Firestarter 1.0 is very different in this regard from previous versions; it filters out a lot of stuff that was previously logged but not really important.

Previously you pretty much had to manually filter out some ports like smb if you weren't using the services, but now the out of the box behavior should be suitable for almost everyone.

Holy CHRIST!

Thanks for pointing that out. I've been using it for about 4 hours and my syslog is already massive. Unless there's a way to turn this off or at least reduce the chatter, I'm afraid this is a show-stopper for me. If there isn't any way to turn this off, are there plans to implement this in the future? Other than this it's exactly what I've been looking for.

Hmm

Check that under Preferences->Advanced Options the "Block broadcast traffic" option is enabled. This should be the out-of-box behavior for 1.0; however, it might be overridden if you're upgrading from a previous version (or if the gconf schema install fails). This will filter out all of the events marked as gray on the events page and your machine will do a magnitude less logging.

Logging...

You can right-click on events in the Event tab list and have that port not be logged anymore. Once you get the major offenders (SMB traffic in my case), it's not so bad. If you want to shut off logging entirely, you can do it in the preferences panel Events section by blocking every host by adding "0/0" to the Hosts list.

I filed a documentation bug here:
http://bugzilla.gnome.org/show_bug.cgi?id=159418
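Before deciding which ports to stop logging, it helps to measure what is actually filling the log. The script below is an added example, not part of Firestarter or this thread; it assumes the events are netfilter LOG lines in syslog (Firestarter uses iptables), treats a destination ending in .255 as a /24 broadcast, and works on constructed sample lines embedded inline.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the netfilter LOG target format
# (assumption: Firestarter's logged events are iptables LOG rule hits).
SAMPLE_SYSLOG = """\
Nov 28 10:01:02 gw kernel: Inbound IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TTL=128 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 10:01:03 gw kernel: Inbound IN=eth0 OUT= SRC=192.168.1.21 DST=192.168.1.255 LEN=78 TTL=128 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 10:01:04 gw kernel: Inbound IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=229 TTL=128 ID=3 PROTO=UDP SPT=138 DPT=138 LEN=209
Nov 28 10:01:05 gw kernel: Inbound IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=60 TTL=52 ID=4 PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 SYN
Nov 28 10:01:06 gw kernel: Inbound IN=eth0 OUT= SRC=192.168.1.22 DST=192.168.1.255 LEN=78 TTL=128 ID=5 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 10:01:07 gw kernel: Inbound IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TTL=128 ID=6 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 10:01:08 gw sshd[1234]: Accepted publickey for admin from 192.168.1.20
"""

# Only the fields we need; LEN= appears twice per line and is ignored.
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_line(line):
    """Return the netfilter LOG fields of one syslog line, or None if it is not one."""
    if "IN=" not in line or "PROTO=" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def top_offenders(text, n=3):
    """Count logged packets by (protocol, destination port), most frequent first."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is not None:
            counts[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    return counts.most_common(n)

def broadcast_ratio(text):
    """Return (broadcast packets, all packets): how much of the log is LAN chatter.
    Assumes a /24 network, so a destination ending in .255 is the broadcast address."""
    total = broadcast = 0
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        total += 1
        if fields.get("DST", "").endswith(".255"):
            broadcast += 1
    return broadcast, total

if __name__ == "__main__":
    for (proto, dport), hits in top_offenders(SAMPLE_SYSLOG):
        print(f"{proto:4s} dpt={dport:6s} {hits} packets")
    print("broadcast share: %d of %d" % broadcast_ratio(SAMPLE_SYSLOG))
```

On the sample data the SMB name-service port (UDP 137) dominates and five of six logged packets are broadcasts, which is exactly the traffic the "Block broadcast traffic" option stops logging.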

Fedora Core 2 users, forget it.

I tried the rpm for FC2... crashes before even starting with a number of invalid key stuff in gtk/glib.

I tried rebuilding the srpm... same thing.

I removed all traces of the old version of firestarter (0.93), and it made no difference -- still crashed.

Hmm

I'm developing this program on FC2 everyday, so it's not something specific to the distro. I'm genuinely interested in finding out what the problem is, so if you have a bit of time please email me the complete error message at tomas@fs-security.com or use the GNOME bugzilla, otherwise I really can't help.

gnome-system-tools

I hope it will be included in gst. I love this GUI, and in a few clicks you can share your NAT connection.

2 small comments.

2 tiny itsy bitsy teenie weenie comments:

1) GNOME Documentation Style Guide v1.4, appendix A (Recommended Terminology), point A.2 (GNOME Desktop Terms) specifies the term assistant instead of wizard.

2) Is there any need for the Play triangle and the Stop square to be encircled? Now either one looks like a (non-native) button in a (native) button. In some themes the result might be æsthetically acceptable, but in others it might not. It won’t really confuse people, but to me it’s an annoying inconsistency with the rest of GNOME.

Maybe for Gnome 2.10 ?

Could this be part of Gnome 2.10?

Unlikely

First understand that the GNOME developers have committed, publicly, to release GNOME on both FreeBSD and Linux simultaneously (i.e. when a new release of GNOME is announced, it means that it is available for both platforms). Thus, it follows that all software included in any given GNOME distribution must run in both FreeBSD and Linux.

Gnome System Tools happens to be available on the platforms officially supported by GNOME developers.

It is a valid point that Firestarter *can* be ported to FreeBSD, but the fact remains that it is not, currently. Until that changes, I do not foresee there being much chance of Firestarter being included in an official GNOME distribution.

Naah...

There's a couple of problems I see with that. Perhaps most importantly, Firestarter is Linux specific while GNOME is a much more widely available platform. That's unlikely to change anytime soon.

Second, Firestarter is tied to the underlying distributions, as system tools usually are, much more so than most GNOME programs. It requires init scripts, authentication modules (PAM), etc. to really be effective.

You can already get Firestarter from the soon-to-be-launched Fedora Extras, Debian Unstable (and Ubuntu), Gentoo portage, Garnome, and so on. Shoehorning it into GNOME proper wouldn't really help anyone IMHO.

they can port it

FreeBSD developers who are interested can always port it. It is not acceptable to reject stuff just because developers don't have the knowledge to port and work on multiple operating systems.

Unless the design is very flawed and it requires a complete rewrite I wouldn't complain.

gnome-volume-manager has stricter requirements: it's Linux 2.6 only and has multiple deps on init scripts (dbus, hal).

gnome-system-tools is a prime example of another desktop package included in GNOME that is tied to the underlying technology, but it's not really that distro-specific (basically just the init scripts; it works with vanilla 2.4 or 2.6 kernels), much less than gnome-system-tools. Providing an easy-to-use/configure program to manage internet connection sharing and the firewall for the desktop is very necessary, as right now nothing ships with GNOME by default, and people are forced to drop down to the command line to open a port for a program or to share their internet connection, not very GNOME-like. Both these features should be part of a standard desktop as they are very important to ensure Linux is safe (for the firewall) and easy to use with other computers (Internet Connection Sharing).

I don't see any reason to include it. It has nothing to do with being platform-specific, but has to do with me as a "workstation user". This computer I use is already behind an external firewall, and I believe that is a quite normal setup for corporate computers (and all my friends running Linux in any way have an external hardware firewall or a headless box running a firewall). I do not want to have more things running than I must. And including Firestarter would in my case (and my friends' cases too, I think) just be bloat. There are some things better left for the user to choose.

bad assumptions

You assume everyone has the same setup as you. If gnome-system-tools can be included, why not Firestarter? Obviously a sysadmin needs an easy way to set up a firewall on his workstation.

Hmmm. You seem to think it's a good idea to implicitly trust all computers on your lan. You obviously didn't go to university in the last ten years.

I hate to break the news to you, but you're a technical user. My local cable company's internet service and phone company's DSL don't support connecting through a router (you can do it but they won't support that setup), and seeing as they are doing the setup for everyone (they go to people's homes and plug the cable/DSL modem directly into the computer), the average setup for users is that they are connected directly to the internet. Remember, GNOME should be targeting newbies. If you don't want it, you can leave out the module, just like if you don't want Evolution (I know there were lots of complaints about that being bloat as well) you can leave that out. The default, recommended setup should be secure, however, and the secure setup shouldn't require a user to drop down to the command line. While the average corporate setup might not require it, the average personal computer user should have a firewall as they are directly plugged in, and it needs to be easy to configure. For those that have multiple machines, lots of people plug them in directly and use Internet Connection Sharing, which this also has. That's actually a more common setup in the homes of people who know nothing about computers than actually buying a router.

Also, hardware and software firewalls provide different information, so I personally run both. I like to know what programs are using my internet connection. This isn't software that is specializing in something that the average household should not have; it's software everyone should have, and it's the only one that I've seen that follows the HIG.