LinuxQuestions.org

Debian forum thread: how do i set up the Debian firestarter firewall? (https://www.linuxquestions.org/questions/debian-26/how-do-i-set-up-the-debian-firestarter-firewall-392936/)

upchucky 12-14-2005 08:26 PM

how do i set up the Debian firestarter firewall?
 
Hello again :)



I downloaded the Firestarter firewall for my deb 2.6, and it installed OK, but when I try to start it, it fails with

Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
(firestarter:3766): Gtk-WARNING **: cannot open display:

I thought it was supposed to start with a configuration menu wizard to set up the PPP etc.?

Or did I install it wrong? If there is a file to edit, I can edit OK, but I need to know just what to put into the file and where. I have the sat modem IP address at hand, and I assume that this has to be entered somewhere, but the install did not give any choices, although it did say "done" when it finished decompressing.

Thank you all for stimulating the neural pathways in my brain.

Dead Parrot 12-14-2005 11:30 PM

Check that you've got gksu installed. Then (as a normal user) use "gksu firestarter" to start the firewall configuration program. It will then ask you for the root user's password. This way you can start GUI programs with root's privileges.

You only need root's privileges for system administration tasks (like configuring the firewall and installing/upgrading/uninstalling programs). It's safer to do all your everyday tasks as a normal user.

michapma 12-15-2005 03:22 AM

Dude... that's awesome! I wish I'd've known this earlier. I've gotten used to running "# emacs -nw", but now I have a way to launch Guarddog at home without having to go through the KDE menu. :cool:

With so many thousand packages, no wonder I discover a new cool one every few days...

upchucky 12-15-2005 09:33 AM

Hmm, it works, but now I must give out the root password to others on the system?

Hello Dead, and thank you. I can now start Firestarter with the root user password, but it lets any other users on the system access root privileges; this is not a good thing.
I was reading the instructions for Firestarter, and it says (for Debian users) to set, in the /etc/sudoers file,

username ALL= NOPASSWD: /usr/sbin/firestarter

This allows the user to start Firestarter without a password.
I haven't been able to get this to work.
Any hints?

Thanks again :)

farslayer 12-15-2005 09:47 AM

That's odd that you are having so much trouble with Firestarter on Debian.

I have installed it on a number of machines: apt-get install firestarter

When I click the icon to launch Firestarter it asks for my root password (I wouldn't want normal users changing security settings anyway); once I enter the pass I can use Firestarter.

upchucky 12-15-2005 09:54 AM

It's not so much that I'm having trouble, but I am questioning the logic in giving the root password to normal users just to be able to start Firestarter. The instructions say that the password can be bypassed for normal users so you don't have to give them the root password; that is the part I can't get to work.

I can start Firestarter with the root password just fine.

Dead Parrot 12-15-2005 11:34 AM

Firestarter is only a tool for configuring the firewall. The actual firewall should be started automatically on system boot once you have configured it with Firestarter. So all your users will be protected by the firewall even if they cannot start the Firestarter program.

Quote:

I was reading the instructions for Firestarter, and it says (for Debian users) to set, in the /etc/sudoers file,

username ALL= NOPASSWD: /usr/sbin/firestarter

This allows the user to start Firestarter without a password.
I haven't been able to get this to work.
Any hints?

Hmm... Maybe you haven't got the "sudo" program installed on your system? Or maybe you didn't start Firestarter with "sudo firestarter"? But you should really think twice before allowing any normal user to change your firewall settings with Firestarter.

upchucky 12-15-2005 03:20 PM

You are right

OK, thanks Dead. You are right, I do not want the users to be able to fiddle with the firewall, but the instructions say to set it up this way. When I run "sudo firestarter"

I get
>>> sudoers file: syntax error, line 20 <<<
sudo: parse error in /etc/sudoers near line 20

This is the link I am using for the instructions; am I reading something wrong?

http://www.fs-security.com/docs/faq.php

It is the following two commands that I'm interested in, to get the firewall to load automatically on startup; when I invoke them I get "no such file":

Using KDE:

Open a terminal and execute the following two commands:

echo -e '#'\!'/bin/sh\nsudo firestarter --start-hidden' > ~/.kde/Autostart/firestarter
chmod a+x ~/.kde/Autostart/firestarter

Firestarter will now load automatically when KDE starts. To stop Firestarter from loading when you log in, remove the ~/.kde/Autostart/firestarter file.

Dead Parrot 12-15-2005 04:17 PM

Quote:

I get
>>> sudoers file: syntax error, line 20 <<<
sudo: parse error in /etc/sudoers near line 20

Just to make sure, did you add a line like this to /etc/sudoers for every one of your users

username ALL= NOPASSWD: /usr/sbin/firestarter

replacing "username" in each line with some actual username? This should give the users you've listed in /etc/sudoers the privilege to start firestarter with the "sudo firestarter" command without entering any password.

Then, for each user, check ~/.kde/Autostart/firestarter (the "~" is here a shorthand for user's home directory) and see if the files look like this:

Code:

#!/bin/sh
sudo firestarter --start-hidden

Also make sure that the files are executable. This should start firestarter for users automatically when they start KDE (and maybe show an icon in the system tray).

But, as I already said, I think that Firestarter will start the firewall automatically on system boot once you have configured it as the root user, so there really shouldn't be any reason to load Firestarter for each user separately.

upchucky 12-15-2005 05:52 PM

so far so good
 
Yup, it is starting on bootup (pre-GUI launch), but still asking for the root pass in the GUI. I can tell it to ignore and continue on with my business, but there is no icon or other indication that the firewall is actually running.

Or I can enter the root password, see the icon in the taskbar, click the icon, and up pop the Firestarter controls.

If I can rest assured that the firewall is actually running as a hidden process without entering the root password, then it is working as I understand that it should, so... how do I find out if the firewall is actually running in the background as a hidden process, i.e. actually starting up on bootup?

The reason I am sceptical is that the bootup also says that ALSA is running, and I know it is not; this is confirmed by the shutdown errors from ALSA generated upon system shutdown.

And bootup also says that my USB floppy is mounted, when it is not.

One problem at a time though.

Thanks again for your help :)

Dead Parrot 12-15-2005 06:25 PM

Quote:

how do I find out if the firewall is actually running in the background as a hidden process, i.e. actually starting up on bootup?

The firewall doesn't need to run as a background process. It's enough if it's set up once during boot-up; it will then filter all network traffic on your machine until the next system shutdown.

You can test your firewall on this web page: https://www.grc.com/x/ne.dll?bh0bkyd2

First, run firestarter and disable it. Then run the test.

Next, run firestarter again and enable it. Then run the test again.

If there was any difference between the two tests, then you can reboot and run the test one more time without running firestarter. This should tell you if firestarter has configured your firewall to start automatically (for all users) during the system boot-up. :)

BTW, do you still get the same error message if you run "sudo firestarter" as normal user?

upchucky 12-15-2005 10:32 PM

Ports open

Yup, I still get the error when the su user starts the firewall.

Of more concern is that with the firewall running, according to the test link you gave, I only have two ports that are stealthed; the rest are wide open.

I am gonna investigate this a lot more tomorrow. With it running it shows the changing IP address as I browse, but it did not actively show the port probes from the test site, or perhaps they were too fast for me to see them; it only took about 5 seconds to complete.

Thanks again

Dead Parrot 12-16-2005 12:33 AM

Quote:

with the firewall running, according to the test link you gave, I only have two ports that are stealthed; the rest are wide open.

If you continue to have trouble configuring firestarter properly, you can try another firewall configuration program instead, called firehol. But before you install firehol, you should remove firestarter so that it won't interfere with the other firewall setup program.

After installing firehol, you can edit /etc/default/firehol, changing the text "START_FIREHOL=NO" into "START_FIREHOL=YES". This will instruct firehol to enable your firewall automatically during the system boot-up.

Then you can run the firehol setup wizard with the "firehol-wizard" command. This wizard will first inspect your running services and then it will ask you to press Enter in order to proceed applying the firewall rules it has created.

After running the firehol wizard, you can point your web browser to the firewall test site and see if your firewall works any better now.

- - -

About editing /etc/sudoers -- I should have perhaps pointed out earlier that there is a special command for this: "visudo". It will check the syntax of the sudoers file after you've edited it and it will warn you if it finds any syntax errors.

"visudo" defaults to use the vi editor. If you prefer to use some other editor instead of vi, you can run (as root) "update-alternatives --config editor" before running "visudo".

I'd suggest that you should try the following line instead of the one provided by the firestarter web site:

Code:

user_name  ALL = (ALL) NOPASSWD: /usr/sbin/firestarter

replacing, of course, "user_name" with some actual user name.

But if you choose to try firehol instead of firestarter, like I suggest above, and you find firehol satisfactory, then you won't be needing this firestarter command in the sudoers file. ;)
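
Before reaching for visudo, here is a pre-flight check for the kind of line this thread is adding to /etc/sudoers, as an added example (not code from the thread, the Firestarter FAQ or the sudo project). It validates only the simple `user host = (runas) TAG: /abs/path` form, reports problems in sudo's own "line N" style, and carries the two caveats a practitioner wants here: a command listed without arguments matches any arguments (so the line above also permits `sudo firestarter --start-hidden`, and anything else firestarter accepts), and NOPASSWD means no authentication at all, not merely "no root password". The account names (`jdoe`, `%admin`) and the sample fragment are constructed for the example; `visudo -c -f FILE` remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the thread or from the sudo/Firestarter projects.
# A pre-flight check for the one-line user specifications being added to
# /etc/sudoers in this thread, reported in sudo's own "line N" style.  It
# understands only the plain form
#     user  host = (runas) TAG: /abs/path [args], /abs/path ...
# and skips Defaults, alias and include lines.  "visudo -c -f FILE" remains
# the authoritative check; this only catches the common slips before that.

# check_sudoers_spec LINE  -- prints "ok"/"skip" (exit 0) or a reason (exit 1)
check_sudoers_spec() {
    line=$1
    case $line in
        ''|\#*|Defaults*|*_Alias*|@include*) echo "skip"; return 0 ;;
    esac
    lhs=${line%%=*}
    rhs=${line#*=}
    if [ "$lhs" = "$line" ]; then
        echo "missing '=' between the host list and the command list"; return 1
    fi
    # Left side: a user, %group or +netgroup, then a host list (ALL, a name, ...).
    if ! printf '%s\n' "$lhs" | grep -Eq '^[[:space:]]*[%+]?[A-Za-z0-9_.@-]+[[:space:]]+[A-Za-z0-9_.,!-]+[[:space:]]*$'; then
        echo "left side must be 'user host', e.g. 'jdoe ALL'"; return 1
    fi
    # Right side: comma-separated commands, each optionally preceded by a
    # (runas) list and TAG: words.  A command is ALL or an absolute path; a
    # bare program name is a sudoers syntax error.  A command written with no
    # arguments matches ANY arguments (so "/usr/sbin/firestarter" also permits
    # "sudo firestarter --start-hidden" and any other argument firestarter takes).
    # Limitation: a comma inside a runas list such as "(root, operator)" is not handled.
    rest=$rhs; n=0
    while [ -n "$rest" ]; do
        item=${rest%%,*}
        if [ "$item" = "$rest" ]; then rest=""; else rest=${rest#*,}; fi
        n=$((n + 1))
        if ! printf '%s\n' "$item" | grep -Eq '^[[:space:]]*(\([A-Za-z0-9_:%!.-]*\)[[:space:]]*)?((NO)?(PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT):[[:space:]]*)*(ALL|!?/[^[:space:]]+)([[:space:]]+[^[:space:]]+)*[[:space:]]*$'; then
            echo "command $n is not ALL or an absolute path: '$item'"; return 1
        fi
    done
    echo "ok"; return 0
}

# sudoers_preflight FILE  -- one ">>> line N <<<" report per bad line; exit 1 if any
sudoers_preflight() {
    bad=0; ln=0
    while IFS= read -r l || [ -n "$l" ]; do
        ln=$((ln + 1))
        msg=$(check_sudoers_spec "$l") || { echo ">>> $1: line $ln: $msg <<<"; bad=1; }
    done <"$1"
    return $bad
}

# Constructed sample fragment (not a real system's sudoers), with "jdoe"
# standing in for the placeholder user name.  Lines 3 and 4 are the two forms
# quoted in the thread; lines 6 and 7 are the kind of slip that produces
# "parse error in /etc/sudoers near line N".
SAMPLE_SUDOERS=$(mktemp)
cat >"$SAMPLE_SUDOERS" <<'EOF'
# sample fragment
root      ALL=(ALL) ALL
jdoe      ALL= NOPASSWD: /usr/sbin/firestarter
jdoe      ALL = (ALL) NOPASSWD: /usr/sbin/firestarter
%admin    ALL=(ALL) ALL
jdoe      ALL= NOPASSWD: firestarter
username  ALL NOPASSWD: /usr/sbin/firestarter
EOF
sudoers_preflight "$SAMPLE_SUDOERS" || echo "fix the lines above, then run: visudo -c -f $SAMPLE_SUDOERS"
```

Both forms quoted in the thread pass this check, which is consistent with the "line 20" error having come from some other line in the file rather than from the firestarter entry itself; the check flags the two usual culprits, a bare program name instead of an absolute path and a missing "=". Note also that `sudo firestarter` with NOPASSWD asks for nothing, whereas `gksu firestarter` asks for root's password: the sudoers route avoids sharing the root password only by removing authentication entirely for that one command.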

upchucky 12-16-2005 09:22 AM

OK, thanks Dead, I'm gonna install firehol. This may take a while, as I have only installed software, never removed it, so I've got a bit of reading to do.

I have used vi before in my very early checking out of Linux; bit of a learning curve there, but I'm sure it would come back to me if I had to do it again. Since then I became attached to nano; unfortunately nano was not supplied with this distro, so I have been using the kwrite editor, and I am dreading the day my GUI stops working. Perhaps I should get familiar with vi again.

I haven't read anywhere if removing and installing is handled the "apt-get" way, even with the Knoppix 4.0 Debian DVD install that I used for this system. I chose this type of install because I am on a satellite modem, and restricted to one 150 MB download in a given 4-hour period over a 24-hour timeframe.

All the software I have is on the DVD, and I have had mixed success at installing it.
The only instructions that came are for the hard drive install; after that I am left to my own devices for finding information.

I learned the hard way about init 3 and init 5; now I always make sure I change this in case I break my GUI when editing.

Thanks again, I will be back when I get firehol installed :)

michapma 12-16-2005 10:22 AM

Personally, I think you should be doing fine with Firestarter if you understand a few key concepts. But using Firehol as DP describes should be easy enough. (BTW, I also find Guarddog to be even easier and to give a better overview of what is allowed, and it works pretty well.)


When you install any packages that are important to security, such as a firewall configuration program, you should first run "apt-get update" to make sure you get any security patches for those programs.


As has been explained in this thread, these programs do not have to be running for the firewall to be active. This is different from Windows programs such as ZoneAlarm, which are always running in the background to act as a firewall. These Linux firewall programs (Firehol, Firestarter, Guarddog, etc.) are not firewalls themselves. Instead, you run them one time in order to configure the firewall settings (iptables), and then the programs (such as Firestarter) do not need to run after that. Linux itself will be running the firewall all the time, and also starting it afresh at each reboot (as you have seen). (The messages you read about ALSA and USB could be misleading; these are possibly just modules being loaded at startup, which is no guarantee that things will work the way you think they should.) So at the risk of repeating too many times, you only need to run Firestarter (or Firehol or Guarddog) once, and after that only if you need to make a change in your firewall settings.

Here is how to uninstall Firestarter:
# apt-get --purge remove firestarter

The --purge option should get rid of any Firestarter configuration files (not any firewall settings themselves though). I'm pretty sure this will leave the Firestarter package in your local package repository (like a cache), it just won't be installed anymore. This has the advantage that you shouldn't have to download Firestarter over the Internet again if you want to reinstall it later (unless it gets a security update).

*If* Firehol also doesn't work for you (it should), you can remove it and try Guarddog. Someone will mention though that it's not necessarily a great idea to run different firewall programs on the same installation, even after having uninstalled a previous one. Still, it's far better than having no firewall configured, or having one poorly configured.

You can get Guarddog as follows:
# apt-get install guarddog

Use gksu to start Guarddog:
# gksu guarddog
(enter root password)

Unless I am mistaken, entering the root password after running gksu does not give out your password to other users or allow "any other users on the sys access root privileges." You will simply have to give in root's password whenever you want to use Guarddog (or Firestarter, etc.) to configure the firewall, and this should be seldom.


By the way, I also don't recommend adding Firestarter or any other such program to the sudoers file if it is going to give permission to everybody to run the firewall configuration program. It would be okay, though, to let an account with special system maintenance privileges run it, as opposed to letting all users run it.


Quote:

if I can rest assured that the firewall is actually running as a hidden process without entering the root password, then it is working as I understand that it should, so... how do I find out if the firewall is actually running in the background as a hidden process, i.e. actually starting up on bootup?

It seems like you didn't have any problems testing your firewall with ShieldsUp!, but here are specific instructions from the first page of the Debian Configuration Post-Install sticky at the top of this forum:

Quote:

Now all we have to do is test it at grc.com with Mozilla.
....
Go to www.grc.com.

Once there, click on ShieldsUP. This will take you to another screen; go down till you pass 'Hot Spots' and click on 'ShieldsUP' again. This will send you to a third screen; click on 'Proceed'. A dialog box will come up; click on 'Continue'. In the next screen, in the middle of the page under 'ShieldsUP Services', click on 'All Service Ports', and on this last page you don't have to do anything, just wait for your ports to be scanned, all 1055 of them! It takes about 2 minutes. They should be all neon-green or blue, no red ports; if you get red ports, go back and reconfigure Guarddog.

Keep us informed. :)
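
Both Dead Parrot's reply ("the firewall doesn't need to run as a background process") and michapma's paragraph above make the same point: the firewall is the kernel's netfilter ruleset, not a process, so looking for a running Firestarter tells you nothing. The check below is an added example, not code from the thread or from the Firestarter/firehol projects. It reads an iptables-save dump and reports whether the INPUT path actually blocks anything, distinguishing a DROP default policy, a DROP/REJECT rule in INPUT or in a user chain INPUT jumps to (one level deep), and a LOG-only rule that looks busy but blocks nothing. The dumps embedded in it are constructed samples, not captures from a real machine; on the real system, run `fw_state_live` as root.

```shell
#!/bin/sh
# Added example, not from the thread or the Firestarter/firehol projects.
# The firewall is the kernel's netfilter ruleset, not a process, so "is the
# firewall running?" really asks "is a restrictive INPUT ruleset loaded?".
# fw_state answers that from an iptables-save dump: the INPUT default policy,
# or a DROP/REJECT rule in INPUT or in a user chain INPUT jumps to (one level).

# fw_state DUMPFILE  -- prints "filtering" (exit 0) or "open" (exit 1)
fw_state() {
    dump=$1
    # Only the filter table: the block from "*filter" to its COMMIT.
    filt=$(sed -n '/^\*filter/,/^COMMIT/p' "$dump")
    # Default policy of INPUT, from a line such as ":INPUT DROP [0:0]".
    policy=$(printf '%s\n' "$filt" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    # Chains to inspect: INPUT plus every user chain INPUT jumps to
    # (a "-j NAME" whose NAME is not a built-in target).
    chains="INPUT"
    for tgt in $(printf '%s\n' "$filt" | sed -n 's/^-A INPUT.* -j \([A-Za-z0-9_-]*\).*/\1/p' | sort -u); do
        case $tgt in
            ACCEPT|DROP|REJECT|LOG|RETURN|QUEUE) ;;
            *) chains="$chains $tgt" ;;
        esac
    done
    # LOG only logs; only DROP or REJECT actually stops a packet.
    blocking=0
    for c in $chains; do
        if printf '%s\n' "$filt" | grep -Eq "^-A $c .*-j (DROP|REJECT)( |\$)"; then
            blocking=1
        fi
    done
    if [ "$policy" = "DROP" ] || [ "$blocking" = 1 ]; then
        echo filtering; return 0
    fi
    echo open; return 1
}

# fw_state_live  -- the same check against the running kernel (needs root).
fw_state_live() {
    tmp=$(mktemp) || return 2
    iptables-save >"$tmp" 2>/dev/null && fw_state "$tmp"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample dumps (not captured from a real machine).
SAMPLE_OPEN=$(mktemp)      # fresh install: ACCEPT policy, no rules
cat >"$SAMPLE_OPEN" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
SAMPLE_POLICY=$(mktemp)    # default-deny INPUT with a few allows
cat >"$SAMPLE_POLICY" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INBOUND - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INBOUND
-A INBOUND -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
SAMPLE_CHAIN=$(mktemp)     # ACCEPT policy, but a user chain rejects the rest
cat >"$SAMPLE_CHAIN" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:in_world - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j in_world
-A in_world -m state --state ESTABLISHED -j ACCEPT
-A in_world -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
SAMPLE_LOGONLY=$(mktemp)   # looks busy in the logs, blocks nothing
cat >"$SAMPLE_LOGONLY" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --syn -j LOG --log-prefix "probe "
COMMIT
EOF

for pair in "open:$SAMPLE_OPEN" "policy:$SAMPLE_POLICY" "chain:$SAMPLE_CHAIN" "logonly:$SAMPLE_LOGONLY"; do
    printf '%-8s %s\n' "${pair%%:*}" "$(fw_state "${pair#*:}" || true)"
done
```

This is the local counterpart of the ShieldsUP test: run `fw_state_live` as root after a reboot, before starting any GUI, and an answer of "filtering" confirms that the rules were loaded at boot without anyone typing root's password. If it says "open" while ShieldsUP shows most ports unstealthed, the rules simply are not being loaded, which matches the two-ports-stealthed result reported above.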

