Previous Virtual Private Networking Index Developing Firestarter Next

Frequently asked questions

This chapter contains answers to commonly asked questions, as well as various tips and tricks for Firestarter.


Is your question not answered here? Contact us!

Q: How can I get Firestarter to load automatically when I log in as a regular user?

Firestarter running in the system tray

Normally when you start Firestarter by clicking an icon or manually from a terminal, the system will prompt you for your root user's password. However, this is a bit of a hassle, especially if you want to run Firestarter all the time when logged in. In that case Firestarter can be loaded in the background when you log in with your regular user, without asking a password and minimized to the system tray (pictured right).

Giving the user permission to launch Firestarter without the root password

In order for a regular user to be able to launch Firestarter, the user must be given additional privileges. Edit your /etc/sudoers file in your favorite text editor and add the following line at the end:

username ALL= NOPASSWD: /usr/bin/firestarter

Note: Debian users should replace /usr/bin/firestarter with /usr/sbin/firestarter in the above line.

Simply replace username with whatever your login is. The specified user is now able to launch Firestarter without being prompted for a password using the command sudo firestarter.

A note on the security aspects: This method makes a trade off in local security for convenience. If your user account becomes compromised the attacker will be able to control the firewall. However this method is preferable to having a shared root user password in a multiuser setting. It is also preferable if the alternative is not to run Firestarter at all.

Launching Firestarter minimized to the tray on login

Having performed the above configuration of permissions, the system can further be set up to load Firestarter when you log in with your regular user account. Firestarter will in that case load directly into the system tray without user intervention, after which the main interface can be accessed by clicking the tray icon.

Using GNOME:

The GNOME sessions manager

Open up your GNOME menu, select Preferences followed by Sessions. Switch to the Startup programs tab, pictured right.

Click Add and enter
sudo firestarter --start-hidden
as the startup command. Click OK and you're done.

To stop Firestarter from loading on login, simply remove its entry from the startup programs listing.

Using KDE:

Open a terminal and execute the following two commands:

echo -e '#'\!'/bin/sh\nsudo firestarter --start-hidden' > ~/.kde/Autostart/firestarter
chmod a+x ~/.kde/Autostart/firestarter

Firstarter will now load automatically when KDE starts. To stop Firestarter from loading when you log in, remove the ~/.kde/Autostart/firestarter file.

Q: How do you specify a range of IPs or use wildcards in the rules?

Wherever in Firestarter a single numerical IP address can be inputted as part of a policy rule, a human readable hostname or a network identifier can also be used. This last form allows you to apply rules to a range of IP addresses.

A range is entered as either address/netmask, for example, or more commonly in CIDR format as

The CIDR address consists of a standard dotted format 32-bit IP address and a postfix of the number of network identifying bits. This might sound confusing, and it is, but it is the only valid way to group IP addresses on the Internet.

Luckily you don't have to break out your pocket calculator to work out an IP range, as there exists many IP calculators online.

CIDR range notation examples
CIDR formatFirst hostLast hostNumber of hosts

Q: Do I have to start Firestarter after I have rebooted?

Usually, no. When Firestarter is installed from a package, the firewall is running as a service. You can query the status of the service by executing /etc/init.d/firestarter status. The excemption to this is Gentoo users, dial-up users in some cases and persons who have installed from source and not registered the Firestarter sytem service.

For an in-depth answer, see the section on persistence of the firewall.

Q: How can I test if the firewall is working for sure?

The only way to know for sure if your firewall coverage is complete is for an outside party to test it. You can not run nmap or some other network tool to test the firewall from the firewall host itself.

There are many free sites on the Internet that will provide a remote scan of your system. Here are a few that we have found useful, as well as the expected result with the Firestarter default policy loaded:

Why you might not be getting the results you expect

If some specific port is reported as Closed instead of Stealthed by Shields Up, your Internet service provider is probably blocking the port before the scanner even connects to your machine. This is typical for ports such as 25 (SMTP) and 80 (HTTP) that your ISP prohibits you from running services on.

If you have a DSL or cable modem box that provides Network Address Translation services, it is possible that the scan does not reflect the status of Firestarter but that of the box.

Previous Virtual Private Networking Index Developing Firestarter Next