55 Comments
- samanathon, on 09/27/2008, -2/+35: Firestarter is not a firewall. It's just a graphical tool used for configuring the _already installed_ firewall (iptables).
- tnoy, on 09/27/2008, -5/+26: You must be a blast at parties.
- inactive, on 09/27/2008, -1/+17: It's not just for Ubuntu. If you're new to Linux, do yourself a favor and read about netfilter and iptables. Firestarter is just a front end for iptables and netfilter. One of the great things about Linux is the extensive knowledge you can gain by exploring the operating system and learning to do things without a GUI. “Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.” My problem is not with Ubuntu as a Linux distro. It's the generalization that Ubuntu=Linux/Linux=Ubuntu.
- bruenig, on 09/27/2008, -0/+16: iptables is installed by default
- wontstoptalking, on 09/27/2008, -7/+21: I hear Ubuntu is a boring game anyway.
- inactive, on 09/27/2008, -4/+15: Come on kids, seriously, if you are behind a Linksys, Netgear or D-Link type router then all is well. The router will not allow inbound traffic unless you open up the ports directed to a specific IP. If a port is open, like 21 for ftp or 5900-5800 and 5800-5801 for vnc, without the password they can't do anything. If port 80 is open for a web server then Apache2 is really solid.
- andrewbash, on 06/11/2009, -0/+7: Also, many distros come with all ports closed by default anyway.
- matx, on 09/28/2008, -0/+6: fail2ban is recommended to install if you have ssh open to the world. It will ban people after so many failed logins. It would take a while to crack a password if they are getting their IPs banned.
- HonoredMule, on 09/28/2008, -0/+5: Oh he's a real fire starter.
- takatoo, on 09/27/2008, -1/+6: [root@toor pron]# service iptables start
- craftyguy, on 09/27/2008, -0/+5: Amen.
- derkles, on 09/27/2008, -2/+6: Might I suggest firehol? It has no GUI, it serves as a firewall builder for iptables, and is damn powerful but easy to learn.
http://firehol.sourceforge.net
- angryfirelord, on 09/28/2008, -0/+4: It's easy: sudo ufw enable
Gufw will be included in the next Ubuntu release.
- SF007, on 09/28/2008, -0/+4: GUI for Uncomplicated firewall seems to be better, Firestarter is very old now... (latest version is from 2005!)
Gufw: http://gufw.tuxfamily.org/
- Vadi0, on 09/27/2008, -1/+5: Try Gufw (http://gufw.tuxfamily.org/index.html). GUI for humans ;)
- ThsGuyRightHere, on 09/27/2008, -0/+3: Not a bad GUI. I personally prefer more granular control but that's just me.
- griffeycom, on 09/28/2008, -2/+5: The name Firestarter makes it sound like it would do the opposite of a Firewall!
- CCmachined, on 09/28/2008, -0/+3: DO NOT USE FIRESTARTER.
I used it on Ubuntu 7.10 and I had to reconfigure the firewall to switch between wifi and wired networking. In the official Ubuntu repos! I'm not touching that crap again.
- deadowl, on 09/28/2008, -0/+3: iptables has a much steeper learning curve than firestarter. If you're looking to become a sysadmin or a security expert you should learn how to use iptables/netfilter. If you need a solution and you don't have time to learn about iptables/netfilter, don't bother. Firestarter exists.
Firestarter, while being quite usable, still has a lot of room to improve.
What I'd like to see in Firestarter:
Ability to whitelist/blacklist from a list of active connections.
----For example, It's insanely difficult to whitelist Yahoo Mail.
Drop active connections when a policy is applied.
Directions on where to find public whitelists or blacklists
Of course, I was using Firestarter with cron (allow for free time that was never used because he never woke up for 7-9AM) to set up a filtering system for a homeless kid's parent that said he was going to use the internet to look for jobs, but spent all his time on myspace and youtube.
It's difficult to use publicly available whitelists/blacklists with it because the firestarter blacklist is comma-delimited and a lot of blacklists/whitelists are new-line-delimited. Of course, yea, you can write a script to do that in less than a minute. You shouldn't have to, though.
- voyvf, on 09/28/2008, -0/+2: Yes, because neither Linksys, nor Netgear, nor any of the other home/office hardware companies have ever had security flaws in their products. Never mind all the threads on Bugtraq that state otherwise, because your vendor would never lie to you.
If you want to keep drinking that Kool-aid, fine, but anyone with a clue will tell you that having a firewall on your server is just common sense - even if you already have a hardware firewall. Making it easy to configure and administrate is even better.
Props to the firestarter devs for recognizing the former, and making the latter possible.
- kajoob, on 09/29/2008, -0/+2: Or just run Smoothwall..
http://www.smoothwall.org/
- LingNoi, on 09/29/2008, -0/+2: This is dumb because it makes it sound like Ubuntu doesn't have a firewall. Ubuntu does have a firewall by default called iptables and firestarter isn't a firewall. It's just a GUI for iptables (which you already have).
Very misleading.
- wigren, on 09/29/2008, -0/+2: -F, --flush [chain]
Flush the selected chain (all the chains in the table if none is
given). This is equivalent to deleting all the rules one by
one.
- n8dude, on 09/28/2008, -0/+2: If your wireless isn't working, I would suggest giving the tool "auto-ndiswrapper" a try. https://launchpad.net/auto-ndiswrapper
- martyFREEDOM, on 09/28/2008, -1/+3: Make sure you are safe, run iptables -F
- GTPilot, on 09/28/2008, -1/+3: linuxdad, why so demeaning? An article about security software is great, and not everyone is behind their home firewall all the time. If someone isn't an expert, then this looks like a great way to understand firewalls.
- corelist, on 09/28/2008, -0/+2: Do you know when was the last time Firestarter updated? Unfortunately there is no active development beyond it.
- slugicide, on 09/28/2008, -0/+2: Can't you just open up the terminal and type "ufw enable" to turn the Ubuntu Firewall on, or "ufw disable" to turn it off. Now that I think about it--why isn't there a gui for it?
- gdonald, on 09/28/2008, -0/+2: apt-get install arno-iptables-firewall
Been using it for ages, works great.
- kalagmail, on 09/28/2008, -0/+1: Wow!! It's a field day for Linux in Digg. Mac has been ignored for a while.
- fireburner23, on 09/28/2008, -0/+1: Meh...I like GuardDog better.
- chivesandbonbon, on 09/28/2008, -0/+1: Disable root logon, disable password logons, enable authentication by certificate only... and set up ssh to only allow access via valid certificates. That will make ssh a more difficult cookie to crack.
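
Added example, not part of the thread: one way to check that an sshd_config really enforces the three settings chivesandbonbon lists (no root login, no password logins, public-key authentication on). The function name `audit`, the sample config and the assumed defaults are constructed for illustration.

```python
# Added example: audit sshd_config text for the settings named in the comment above.
WANTED = {"permitrootlogin": "no",
          "passwordauthentication": "no",
          "pubkeyauthentication": "yes"}
# Assumption: compiled-in defaults of current OpenSSH; older releases differ.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

def audit(text):
    """Return findings; an empty list means all three settings hold."""
    seen, findings, match = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            match = line                            # later lines apply conditionally
        elif key in WANTED and match is not None:
            if value != WANTED[key]:                # a Match block weakens the setting
                findings.append(f"line {lineno}: {key} {value} inside '{match}'")
        elif key in WANTED and key not in seen:
            seen[key] = (value, lineno)             # sshd keeps the first value it reads
    for key, want in WANTED.items():
        value, lineno = seen.get(key, (DEFAULTS[key], None))
        if value != want:
            where = f"line {lineno}" if lineno else "default"
            findings.append(f"{where}: {key} is {value}, want {want}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration after includes and defaults are resolved, which is the authoritative view to compare against.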
- kajoob, on 09/29/2008, -0/+1: Yeah since it's a year old it sucks. *scratches head*
UNIX was developed in 1969.
The first true 32-bit version of Windows came out in 1993.
Which would you rather run?
- jvincent08, on 09/28/2008, -0/+1: Uh.. can't you do that with openSSH anyway? I swear there was an option for it in sshd_config.
- cdg52, on 09/27/2008, -2/+3: Sure for a normal user you are probably fine, but my friend thought the same thing. If you have anything exposed it's a bad call without a firewall. My friend figured he was fine at his house he had ssh set up to his Linux box and he ran VNC on his personal Windows computer which was not forwarded to the world only local network... little did he know that someone had cracked his ssh and port forwarded to his windows box as simple as "ssh user@IP-address -L 5907/WindowsVncIP/5900" now all they did was connect to localhost:5907 and they had access to his vnc box which they set up a password interceptor on his Linux box. Basically game over, but if you want to go protected with simply a router fine with me :-)
- wesw02, on 09/28/2008, -0/+1: If your friend was sharing his SSH port to the web and someone cracked it, I fail to see how putting a firewall up would have made any difference. Chances are your friend should have done a little more research about hardening ssh. As matx said, fail2ban is an excellent tool. In addition, unless he/she has a specific reason to do so, they should not be sharing ssh to the outside world on port 22, that's just like hanging up a sign. His/Her router should have been configured to port forward internal port 22 to a higher external port.
- javaroast, on 09/28/2008, -0/+1: Default deny. Open ports only to the IPs that need access and deny everything else.
- inactive, on 09/28/2008, -0/+1: There is one called gufw, really original name no? ; ) You can find it at http://gufw.tuxfamily.org/index.html
- MattBD, on 09/29/2008, -0/+1: uFW is great - what else do you need for a firewall, just on/off.
- wesw02, on 09/28/2008, -0/+1: For what it's worth, I agree with you.
- dharmeshtailor, on 09/28/2008, -0/+1: You're the firestarter, twisted firestarter.
I'm a firestarter, twisted firestarter.
- steviesteveo, on 09/28/2008, -0/+1: I agree with that, I feel pretty safe behind my NAT router when I'm at home but as soon as I go out and use public Wi-Fi networks it's really nice to be sitting behind closed ports.
It's much simpler to have been hard sold a combined Internet Security Suite and installation package when you bought your new computer but nevertheless, I thought the majority of distributions included a firewall on default install - something like iptables etc?
- insllvn, on 09/29/2008, -0/+1: I am sure Gizmodo will be back on the front page fellating the iPhone (which sprang fully formed from the mind of Jobs, his name be praised) soon enough. Why not just run along to the Apple website and look at all the pretty pictures until then?
- antdude, on 09/28/2008, -0/+1: Guarddog
- insanebrain, on 09/28/2008, -4/+5: You heard wrong.
- mahadiga, on 09/29/2008, -0/+1: # ufw enable
- Vaelkar, on 09/28/2008, -0/+1:
1. Get an old computer without a hard drive.
2. Get two ethernet cards.
3. Put Devil-Linux on it.
Easy DHCP/DNS server with Firewall capabilities!
- insanebrain, on 09/28/2008, -2/+2: Manage your router, UPNP on Ubuntu will do the rest. I once installed Firestarter. 5 minutes later I screamingly uninstalled it.
- steviesteveo, on 09/28/2008, -1/+1: "I never got into Pokemon anyway."
An XKCD putdown
- comandrei, on 09/29/2008, -0/+0: Shorewall is the way. Firestarter is for kiddies