VectorLinux

The nuts and bolts => Software General => Topic started by: sledgehammer on May 30, 2010, 10:59:53 am

Title: starting firestarter
Post by: sledgehammer on May 30, 2010, 10:59:53 am
It should be called firestopper.  At least I can't start it on boot up on my VL 6.0 system. Rather I have to open a terminal, go to root, and type "firestarter" before it will start. (I got firestarter from the VL repositories)

I do not have firewall enabled in VASM.

Does anyone know whether I can just add a line or two at the end of /etc/rc.d/rc.local to get it to autostart?  Such as /usr/bin/firestarter --start?

And, if so, precisely the code to add? 

I have looked around and this seems to be a common problem.  I tried a couple of the "fixes" without success. I think I'm close, but not quite there.
Title: Re: starting firestarter
Post by: bigpaws on May 30, 2010, 11:15:30 am
You can add the command to rc.local; remember to use the
full path, which is what I believe you have listed. You can
also try whereis <name of program>.

Bigpaws
Title: Re: starting firestarter
Post by: sledgehammer on May 30, 2010, 11:55:13 am
Thanks, bigpaws.

whereis returns

Quote
firestarter: /usr/bin/firestarter /etc/firestarter /usr/X11R6/bin/firestarter /usr/bin/X11/firestarter /usr/X11/bin/firestarter /usr/share/firestarter

Any clue which of these might be best?

Title: Re: starting firestarter
Post by: Andy Price on May 30, 2010, 06:03:34 pm
Running the command firestarter in a terminal doesn't start the firewall, it just brings up the Firestarter GUI so that you can adjust the settings. I'm guessing that you actually want to run the firewall.

You can check if the firewall is running by issuing (as root):
/etc/rc.d/init.d/firewall status.
You can also use start, stop or restart in place of status.

To get the firewall to run after you have installed Firestarter, you do need to have the firewall enabled in VASM. Firestarter itself doesn't show up in VASM, I guess it's really just a front-end to iptables, but I'm no expert, the above is just my experience.
Title: Re: starting firestarter
Post by: retired1af on May 30, 2010, 07:07:24 pm
I just installed the program and fiddled around with it. It has an option to start whenever you connect, so I'm not sure you need to add it to rc.local.

I wasn't that impressed with it.
Title: Re: starting firestarter
Post by: sledgehammer on May 30, 2010, 08:24:43 pm
Thanks to all,

Andy Price's suggestion was quite enlightening.  The below shows first an attempt when I thought firestarter was running (the gui was showing in the panel).  Secondly, the result of the same command with the firestarter gui not running.  Third shows the results of the same command after enabling firewall in VASM>Services (level 4). Last shows running same command with the firestarter gui running while firewall is on in VASM.

FIRST

Quote
Vector://home/johwhi
root:# /etc/rc.d/init.d/firewall status
bash: /etc/rc.d/init.d/firewall: Permission denied

SECOND

Quote
Vector://home/johwhi
root:# /etc/rc.d/init.d/firewall status
bash: /etc/rc.d/init.d/firewall: Permission denied

THIRD

Quote
Vector://home/johwhi
root:# /etc/rc.d/init.d/firewall status
Firestarter is running...

FOURTH

Quote
Vector://home/johwhi
root:# /etc/rc.d/init.d/firewall status
Firestarter is running...


I think it has been running all these months (even though firewall not enabled in VASM) when I start it by typing firestarter in root as it regularly showed inbound events, some serious.  Nonetheless, it is very comforting to know that it is now running even if I forget to start the gui.

Title: Re: starting firestarter
Post by: retired1af on May 30, 2010, 08:39:17 pm
That's one of the reasons I wasn't impressed. What it's indicating as "serious", really isn't.
Title: Re: starting firestarter
Post by: bigpaws on May 30, 2010, 08:55:30 pm
ps is great for showing running processes.

Bigpaws
Title: Re: starting firestarter
Post by: sledgehammer on May 30, 2010, 09:32:14 pm
bigpaws,

ps is great!

ps -A shows that firestarter is running.  Now if I can just remember all this.

Title: Re: starting firestarter
Post by: sledgehammer on May 30, 2010, 11:05:28 pm
So, root:# /etc/rc.d/init.d/firewall status showed firestarter was running and ps -A did not show it as running.  I took out what I had added to /etc/rc.d/rc.local and rebooted. 

root:# /etc/rc.d/init.d/firewall status said firestarter was not running and ps -A still didn't show it.  I checked VASM and firewall was still enabled in services for run level 4.  So I started firestarter as follows:

root:# /etc/rc.d/init.d/firewall start and it said that firestarter was running.  Checked with ps -A and still no firestarter.  I then typed "firestarter" as root as I have been accustomed to doing and the gui showed up.  I then ran ps -A and it showed firestarter running.

Any comments?  Anyone know of another good firewall?  What about just removing firestarter altogether and relying on the VASM firewall? I saved bigpaws' instructions on firewall security some time ago and it still looks a bit too complicated for my skill level.  Unless I hear a better suggestion, I will just start the firestarter GUI each time I reboot.  Apologize in advance if I have not followed the proper guidelines from earlier posts.
Title: Re: starting firestarter
Post by: bigpaws on May 31, 2010, 05:43:36 am
Have you looked at the firestarter site?

http://www.fs-security.com/docs/faq.php

Bigpaws
Title: Re: starting firestarter
Post by: Andy Price on May 31, 2010, 05:54:25 am
I think you are confusing Firestarter with the actual firewall. Firestarter is just a nice GUI which enables you to add rules to the firewall, which is based on iptables. For example, I needed to add a rule to allow my wife to access a SAMBA share on my PC.

I don't think that seeing the firestarter process running tells you much other than that the GUI is running. If you have enabled the firewall in VASM then doing an lsmod | less will show several modules loaded such as ip_tables and ipt_MASQUERADE, which I presume are the actual firewall.

If you are on a network you can test whether the firewall is doing anything. First ping your PC from another one. Then start Firestarter from a terminal (or from the System menu) and go to Preferences > Firewall > ICMP filtering. Tick the Enable ICMP filtering check box but don't tick any of the packet types. Restart the firewall, close the Firestarter GUI and then ping again. You should find it to be blocked this time around, showing that the firewall is working.

As for other firewalls, I used Guarddog for a while, but it was a lot more complicated to set up (though it did give very fine control) and it, too, was just a front end for iptables. My guess (hope!) is that Firestarter does the job sufficiently well in the same way as Windows' built-in firewall.

Hope the above makes sense.
Title: Re: starting firestarter
Post by: retired1af on May 31, 2010, 06:30:21 am
I'm not sure if Firestarter is a gui front end to iptables or not. I didn't dig into it that much other than to see if it installed properly and took a quick look at the interface. It does install itself as a service, which leads me to believe it's handling the security, rather than iptables. I'd have to play with it longer to see.

I prefer a much more robust solution (such as Guarddog).
Title: Re: starting firestarter
Post by: bigpaws on May 31, 2010, 07:09:08 am
According to what I found it is a front end to iptables.

If you want to see if there are any rules for iptables set
then use this command

iptables -L

That will give a list of any rules that are invoked.

Guarddog is also a front end to iptables.

Bigpaws
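
Added example (not part of any post in this thread): a running Firestarter GUI process does not show whether iptables rules are loaded, so this sketch classifies the output of `iptables -L -n` instead. The function names `classify_ruleset` and `check_live` and the two embedded listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge the firewall by its loaded rules, not by the GUI process.
# classify_ruleset reads plain `iptables -L -n` text (no -v) on stdin and prints
# "loaded" if a built-in chain policy is not ACCEPT or any chain holds a rule,
# otherwise "empty". Function names here are hypothetical.
classify_ruleset() {
    awk '
        /^Chain / {
            # Built-in chains read "(policy X)"; user chains "(N references)".
            if ($3 == "(policy" && $4 != "ACCEPT)") restrictive = 1
            next
        }
        /^target[ \t]/ || /^[ \t]*$/ { next }  # column header or blank line
        { rules++ }                            # every other line is a rule row
        END { if (restrictive || rules > 0) print "loaded"; else print "empty" }
    '
}

# check_live runs the command from the thread (as root) and classifies it.
# A failed iptables call is reported as "unknown" rather than as "empty".
check_live() {
    out=$(iptables -L -n 2>/dev/null) || { echo "unknown"; return 1; }
    printf '%s\n' "$out" | classify_ruleset
}

# Constructed sample: nothing loaded (all policies ACCEPT, no rules).
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: restrictive policies and one rule.
SAMPLE_LOADED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

printf '%s\n' "$SAMPLE_EMPTY"  | classify_ruleset   # empty
printf '%s\n' "$SAMPLE_LOADED" | classify_ruleset   # loaded
```

On a live system, run `check_live` as root after a reboot with the GUI closed; "loaded" there means the rules came up from the boot service rather than from the GUI session.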
Title: Re: starting firestarter
Post by: retired1af on May 31, 2010, 07:31:01 am
Yeah, I knew Guarddog was. Used it extensively with SOHO 5.x. I thought Guarddog was more robust and allowed you to easily fine tune iptables. I didn't get that impression with Firestarter. Then again, I loved TPF (Tiny Personal Firewall) when it was available for Windows. For a little program, it was a giant when it came to the control you could exercise over your connection (both inbound and outbound).
Title: Re: starting firestarter
Post by: Andy Price on May 31, 2010, 08:39:33 am
Bigpaws, I tried the iptables -L command. I could just see where my SAMBA rule comes in but wouldn't have a hope in hell of writing it. GUI front-ends are so useful sometimes!
Andy
Title: Re: starting firestarter
Post by: sledgehammer on May 31, 2010, 09:07:42 am
This thread has been very educational, but I can see that I need to learn more, a lot more, about this firewall business.  I hope to do so over the next few weeks or months. It's more complicated than I thought.  Perhaps if and when I come to understand the concepts involved, I can figure out how to autostart a reasonably reliable and automatically (mostly) configured firewall on reboot.

thanks.
Title: Re: starting firestarter
Post by: retired1af on May 31, 2010, 09:40:12 am
If one really wants to get technical about it, iptables is also a front end for netfilter, which does the actual "work" on the system.

This is a fairly extensive tutorial on how IP filtering works. http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html  Grab a bottle of aspirin and sit down for a very technical read. However, once you grasp the concepts, you'll find that you'll pretty much be able to lock down your system so tightly, a mouse fart can't get through. ;D
Title: Re: starting firestarter
Post by: sledgehammer on May 31, 2010, 02:07:34 pm
Thanks retired1af.

Think I'll sit down with a bottle of Jack Daniels instead.

Title: Re: starting firestarter
Post by: Andy Price on May 31, 2010, 05:27:03 pm
Perhaps if and when I come to understand the concepts involved, I can figure out how to autostart a reasonably reliable and automatically (mostly) configured firewall on reboot.

It seems (it is!) a complicated topic, but setting up is really just a case of installing Firestarter and setting the firewall to run in VASM. The hard part is convincing yourself that it's working - it was for me. But for basic firewall security I think that's all you need to do. Let us know if you discover more during your reading.
Andy
Title: Re: starting firestarter
Post by: never_stop_learning on May 31, 2010, 05:32:35 pm
Thanks retired1af.

Think I'll sit down with a bottle of Jack Daniels instead.

John - Use Firestarter one time to set your iptables parameters. Then go into vasm -> service -> srvset -> 4 Graphical User Interface Desktop. Enable 'firewall' and click 'OK'. Your firewall will be running in the background every time you boot or reboot. You can verify it at anytime by opening a root terminal and typing iptables -L.....

You can buy me a Jameson tomorrow night at our Cigar Lions meeting.....  ;)
Title: Re: starting firestarter
Post by: rbistolfi on May 31, 2010, 08:06:09 pm
We should all go to one of those meetings once :)
Title: Re: starting firestarter
Post by: sledgehammer on May 31, 2010, 08:13:48 pm
Thanks Andy Price,

That is precisely what I am doing. 

Rodrigo, I think we should have our annual cigar lions convention in Argentina.  If I can talk never_stop_learning into it, that is.  I hear the women there are superb. Perhaps all 20 of us might just show up at your door someday. 

Title: Re: starting firestarter
Post by: Penguinista on May 21, 2011, 10:29:52 am
I've got the Firestarter GUI running on my VL 6.0. It seems to work great but the GUI shuts down at random and I don't know why. Is there a way to prevent this?
Title: Re: starting firestarter
Post by: Andy Price on May 22, 2011, 03:49:25 am
Do you mean that you need the GUI to run all the time for some reason? It isn't necessary to have the GUI running for the firewall to be working. Normally you would just open the GUI to make a change to the settings and then close it again.
Andy
Title: Re: starting firestarter
Post by: Penguinista on May 25, 2011, 03:57:46 am
I like to keep the gui running so I can monitor active connections and events. I tried to verify if the firewall is running at the command line but it didn't work. At least if the gui is up I know it's working.