By: Paul Virijevich
Let the wizard be your guide
Firestarter automatically saves your settings and restarts itself upon reboot when installed from a binary package (RPM or .deb). The installation procedure puts a Firestarter icon in the System Tools menu if you are running GNOME. To launch Firestarter in KDE, open a terminal window and type firestarter or create your own menu entry. Launching Firestarter the first time will bring up the first run configuration wizard. In it, select your network adapter. If you have a cable modem or a DSL connection that uses a dynamic IP address, check the box that reads "IP address is assigned via DHCP." Firestarter is now ready to protect your workstation.
The program's main interface consists of three tabs: status, events, and policy. The status tab indicates whether the firewall is active, shows your network devices, the number of events that have occurred, and any active connections. The event tab lets you know what traffic is being blocked by the firewall. An event is a connection that has been blocked. This tab is where you can selectively allow services through your firewall. Items in black are normal connections to random ports. Items in red could be unauthorized connection attempts. Items in grey are harmless (usually broadcast traffic). The policy tab lets you define which hosts and services are allowed to communicate with your workstation. This is also where you can more broadly define rules.
The two extremes of firewalling are blacklisting and whitelisting. A blacklist denies all activity while a whitelist does the opposite. By default, Firestarter operates in blacklist mode for inbound connections and whitelist mode for outbound traffic. This setup is secure but may not allow legitimate inbound connections. This is where the events tab comes in handy. Both inbound and outbound events are registered. By right-clicking on an inbound event you can choose to:
By right-clicking on an outbound event you can choose to:
By starting off with blacklisting and then selectively allowing inbound and outbound connections, you can quickly create a very secure firewall. All you need to do is keep an eye on the blocked connections in the event tab and then decide what services to allow. This setup is useful for preventing a malicious program from contacting a remote server, but it takes time to tune it properly. If you already know the names or port numbers of the services you want to pass through the firewall, you can more quickly set rules using the policy tab.
The policy tab's inbound interface allows you to specify which hosts and services to allow, and lets you set up port forwarding. For example, if an internal workstation was running a service that needed to be accessed from the Internet, you would tell Firestarter that any connections to the firewall on that port should be redirected to the internal machine. The outbound interface allows you to set up blanket whitelisting or blacklisting. You can also block individual hosts or services from this interface. Clicking on the check box above the Policy tab activates any changes (automatic updating of Policy changes can be set in the Preferences menu).
Lasting protection
After a few minutes of installation and configuration, Firestarter will add an extra layer of security to your workstation. Any future configuration is activated upon reboot.
Firestarter takes the pain out of workstation firewall configuration. Its excellent online tutorial and manual are well written and provide clear instructions on how the software is used. The project maintains an active support mailing list.
The Firestarter team has taken something that is hard to configure, wrapped it in a clean user interface, and provided great documentation. Isn't it time to make your workstation a little more secure?