For a general explanation of the policy system, see working with policy. This section covers how to use the policy page of the Firestarter interface in practice.
The policy page is divided into two parts, the inbound traffic policy and the outbound traffic policy. To switch from one view to the other, use the drop down list at the top of the page.
Each view consists of three lists, called rule groups. A policy rule is simply an entry in one of the lists. To add a new rule, first select the group you want to add it to by clicking the corresponding list, then either click the Add Rule button on the toolbar or right-click the list and use the context menu. To remove a rule, click it to select it, then choose Remove Rule from the toolbar or the context menu. To edit an existing rule, double-click it, or select Edit Rule from the toolbar or the context menu.
All changes you make on the policy page require confirmation before they take effect. This ensures that a half-finished set of rules is never applied, which matters when you are making several policy decisions at once that depend on each other: applied one at a time, they could temporarily grant more access than you intend. To apply the changes, press the Apply Policy button on the toolbar. Through the preferences it is also possible to enable an option that makes every change take effect immediately.
Inbound policy controls incoming traffic from the Internet and the local network to the firewall. The default inbound policy is deny-all: nothing is let in unless explicitly allowed. The rules you add to the inbound policy groups therefore create exceptions to this policy, that is, holes in the firewall through which legitimate traffic may pass.
The three inbound policy groups are, from top to bottom, Allow connections from host, Allow service and Forward service.
When creating a new rule in the Allow connections from host group, the only parameter you can specify is the IP address or hostname of the source host. As the name says, adding a host to this group marks it as a trusted source: all future traffic from that machine, whatever port or protocol it uses, will be allowed through the firewall. Because the host is identified by its source address alone, reserve this group for machines on networks whose addressing you control, and prefer the narrower Allow service rules for everything else.
The Allow service group allows for much finer grained control of access. Rules in this group take two parameters, the service and the target. The service can be chosen in two ways, either through the drop down list of predetermined services or by explicitly entering the network port number the service uses. In the latter case, Firestarter will try to determine the service name itself, but you are also free to enter the name manually.
The target can be one of three choices: Anyone, LAN clients, or a user specified IP, host or network. Anyone means exactly that, anyone and everyone will be able to access the service in question. LAN clients means that only the clients connected to your internal network are allowed to use the service. The user specified target can be an IP address in dotted decimal format, a valid human readable hostname, or a whole network. A network is specified either as network/netmask in dotted decimal format (for example 192.168.1.0/255.255.255.0) or in CIDR notation (192.168.1.0/24). When a single IP is specified, the service is effectively stealthed: only the target host can see the service, every other source is dropped as before.
The last inbound policy group is Forward service. This group is only active if you have enabled Internet connection sharing. When sharing is enabled, a group of computers is seen as a single entity from the outside network's point of view. As the computers all share a single public IP address, in order to provide public services on the LAN machines the firewall has to act as a forwarding relay between the public and private networks.
Like the previous policy group, the rules consist of two parts, the service and the target. The service can be chosen in two ways, either by using the drop down list of predetermined services or by directly entering the network port number. This number is the port the firewall listens on; when a request arrives on that port it is forwarded to the target. The target is specified as an IP address on the internal network. This is the machine that provides the actual service. It is possible to specify a different port on this machine than the one used by the firewall, although in most cases they will be the same. One use for separate ports on the firewall and the server is that the mapping does not have to be one-to-one: the firewall can listen on a whole range of ports and forward all of it to one single port on the server.
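To make the three inbound groups concrete, here is an added example that translates them into iptables commands. It is not Firestarter's own rule generator (this page does not show the rules Firestarter writes); it assumes eth0 faces the Internet, eth1 faces the LAN, and 192.168.1.0/24 is the LAN range, and the functions print the commands rather than running them so the result can be reviewed before it is fed to sh as root. The sample policy at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Firestarter's own rule generator): an illustrative
# translation of the inbound policy groups into iptables commands.
# Assumed: eth0 faces the Internet, eth1 faces the LAN, LAN is 192.168.1.0/24.
# Every function prints the commands instead of running them, so the result
# can be reviewed first and piped to sh as root only once it looks right.

EXT_IF="eth0"              # assumed Internet-facing interface
INT_IF="eth1"              # assumed LAN interface
LAN_NET="192.168.1.0/24"   # assumed LAN address range

# Default inbound policy: deny everything not explicitly allowed, keeping
# loopback and replies to connections the firewall itself opened.
inbound_default() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Internet connection sharing: LAN traffic leaving on the external interface
# is masqueraded behind the firewall's public address. FORWARD is default-deny
# so that only explicit forward rules let traffic through to the LAN.
sharing_default() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE"
}

# "Allow connections from host": every packet from the source is accepted,
# whatever port or protocol it uses. iptables -s takes an IP, a hostname,
# network/netmask or CIDR, the same forms the GUI accepts.
allow_from_host() {
    echo "iptables -A INPUT -s $1 -j ACCEPT"
}

# "Allow service": <port> <tcp|udp> <anyone|lan|IP/host/network>
allow_service() {
    port=$1; proto=$2; target=$3
    case "$target" in
        anyone) echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT" ;;
        lan)    echo "iptables -A INPUT -i $INT_IF -s $LAN_NET -p $proto --dport $port -j ACCEPT" ;;
        *)      echo "iptables -A INPUT -s $target -p $proto --dport $port -j ACCEPT" ;;
    esac
}

# "Forward service": <ext_port|ext_from:ext_to> <tcp|udp> <LAN host> [int_port]
# A DNAT in the nat table rewrites the destination, and a FORWARD exception
# lets the rewritten packet reach the LAN host. Without int_port the port
# numbers are preserved (so a range stays a range); with int_port a whole
# range of public ports collapses onto that single port on the server.
forward_service() {
    ext_port=$1; proto=$2; host=$3; int_port=$4
    if [ -n "$int_port" ]; then
        dest="$host:$int_port"; fwd_port=$int_port
    else
        dest="$host"; fwd_port=$ext_port
    fi
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $ext_port -j DNAT --to-destination $dest"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $host -p $proto --dport $fwd_port -j ACCEPT"
}

# Constructed sample policy: trust one admin workstation, open SSH to the LAN
# and HTTP to everyone, forward public port 8080 to port 80 on a LAN web
# server, and forward a block of UDP ports unchanged to another LAN host.
inbound_default
sharing_default
allow_from_host 192.168.1.2
allow_service 22 tcp lan
allow_service 80 tcp anyone
forward_service 8080 tcp 192.168.1.10 80
forward_service 6000:6010 udp 192.168.1.11
```

Rule order matters: the ESTABLISHED,RELATED accept and the per-group exceptions sit above a DROP policy, so a forward rule needs both the nat-table DNAT and the FORWARD exception, and a range forwarded to a single internal port must use the explicit int_port form.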
Outbound policy controls outgoing traffic to the Internet from the firewall and any LAN clients. The default outbound policy is permissive. This means you and any clients connected to the local network are able to browse the net, read email, etc. unrestricted. It is also possible to change the policy to a restrictive mode matching that of the default inbound policy. You can toggle between the two modes using the buttons at the top of the outbound policy view.
The mode marked "Permissive by default, blacklist traffic" is how Firestarter starts out. As explained above, outgoing traffic is not restricted in this mode and your network applications will work as normal. The policy groups on the outbound policy view serve to blacklist traffic in this mode, meaning they impose additional restrictions on the otherwise lenient policy.
The first policy group, Deny connections to host, is effectively a blacklist. Rules in this group take a single parameter consisting of an IP address or a valid hostname. The hosts listed in this group are marked as off limits. One possible use of this policy group is to maintain a list of banned web sites: no one on the local network or using the firewall as a desktop will be able to browse the listed sites. Keep in mind that a hostname is resolved to its address when the policy is applied, not for each connection, so a site whose address changes or that shares an address with other sites is not blocked cleanly by name.
The Deny connections from LAN host group works as a black list for local network clients. Any host listed here will not be able to reach the Internet. This can for example be useful if you want to lock out an internally accessed server but still do not want to impose a restrictive policy for any other clients.
Finally, the Deny service group allows the most fine grained control of outbound access. Rules in this group consist of the service and a target. The service is selected as before; the target can be one of four choices: Anyone, Firewall host, LAN clients, or a user entered IP, host or network. Adding rules to this group blocks the target from accessing the service in question. The target is selected in the same way as in the Allow service group of the inbound policy, with Firewall host as the extra choice for traffic originating on the firewall machine itself.
The second outbound policy mode, marked "Restrictive by default, whitelist traffic", is equivalent to the default inbound policy. Nothing is allowed out unless you explicitly create a rule for it in one of the groups. This mode offers maximum protection, but it is also very intrusive: none of your network applications will work unless you create rules for them.
When you first switch Firestarter to this mode you will see that some rules are already present in the Allow service group. These rules allow basic name resolution on the Internet and web browsing. The rules are included so that you do not accidentally create a situation where you are unable to reach help online. Once you are sure you want to use the restrictive mode you can remove them.
Allow connections to host is a whitelist of destinations that anyone should be able to reach. Using this group it is for example possible to lock down the machine so that it is only ever able to reach a single web site, something that is desirable when the machine is acting as a kiosk or in other dedicated roles.
Allow connections from LAN host gives one single machine on your local network unrestricted access to the Internet.
The Allow service group provides fine grained control over outbound access. It is the logical opposite of the Deny service group in permissive mode, and the parameters are the same. Creating rules in this group allows you for example to exempt a single machine so that it may use a service that is otherwise forbidden.
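The two outbound modes and their six groups map onto the same handful of iptables rules with the action flipped. The following added example (my own illustration, not Firestarter's rule generator, whose output this page does not show) assumes eth0 faces the Internet, eth1 faces the LAN, and 192.168.1.0/24 is the LAN range. Traffic from the firewall machine itself traverses the OUTPUT chain, traffic from shared LAN clients traverses FORWARD, and the sample rule sets at the bottom are constructed; the DNS and web rules stand in for the starter rules the restrictive mode preloads, whose exact ports are assumed here.

```shell
#!/bin/sh
# Added example (not Firestarter's own rule generator): illustrative iptables
# equivalents for the outbound policy groups in both modes. Assumed: eth0
# faces the Internet, eth1 the LAN, LAN is 192.168.1.0/24. Commands are
# printed, not executed. Traffic from the firewall itself traverses the OUTPUT
# chain; traffic from LAN clients being shared out traverses FORWARD.

EXT_IF="eth0"              # assumed Internet-facing interface
INT_IF="eth1"              # assumed LAN interface
LAN_NET="192.168.1.0/24"   # assumed LAN address range

# Base policy for the chosen mode.
outbound_mode() {
    case "$1" in
        permissive)   # everything out unless a Deny rule matches first
            echo "iptables -P OUTPUT ACCEPT"
            echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT" ;;
        restrictive)  # nothing out unless an Allow rule matches
            echo "iptables -P OUTPUT DROP"
            echo "iptables -P FORWARD DROP"
            echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Deny rules are inserted at the head of the chain (-I) so they beat the
# permissive catch-all accept; Allow rules are appended (-A) under a DROP policy.
chain_flag() {
    if [ "$1" = DROP ]; then printf '%s\n' "-I"; else printf '%s\n' "-A"; fi
}

# Deny/Allow connections to host: <DROP|ACCEPT> <destination IP or hostname>
# A hostname is resolved when the rule is loaded, not per packet.
host_rule() {
    action=$1; dest=$2; f=$(chain_flag "$action")
    echo "iptables $f OUTPUT -d $dest -j $action"
    echo "iptables $f FORWARD -i $INT_IF -d $dest -j $action"
}

# Deny/Allow connections from LAN host: <DROP|ACCEPT> <LAN client address>
lan_host_rule() {
    action=$1; src=$2; f=$(chain_flag "$action")
    echo "iptables $f FORWARD -i $INT_IF -s $src -j $action"
}

# Deny/Allow service: <DROP|ACCEPT> <port> <tcp|udp> <anyone|firewall|lan|IP/host/network>
# The target is the client whose access to the service is blocked or granted.
service_rule() {
    action=$1; port=$2; proto=$3; target=$4; f=$(chain_flag "$action")
    case "$target" in
        anyone)
            echo "iptables $f OUTPUT -p $proto --dport $port -j $action"
            echo "iptables $f FORWARD -i $INT_IF -p $proto --dport $port -j $action" ;;
        firewall)
            echo "iptables $f OUTPUT -p $proto --dport $port -j $action" ;;
        lan)
            echo "iptables $f FORWARD -i $INT_IF -s $LAN_NET -p $proto --dport $port -j $action" ;;
        *)
            echo "iptables $f FORWARD -i $INT_IF -s $target -p $proto --dport $port -j $action" ;;
    esac
}

# Constructed sample, permissive mode: ban one site, cut one LAN host off,
# and stop every client from sending mail directly on port 25.
outbound_mode permissive
host_rule DROP banned.example
lan_host_rule DROP 192.168.1.50
service_rule DROP 25 tcp anyone

# Constructed sample, restrictive mode: DNS and web for everyone (standing in
# for the preloaded starter rules, ports assumed), one kiosk-style destination
# and one LAN host with unrestricted access.
outbound_mode restrictive
service_rule ACCEPT 53 udp anyone
service_rule ACCEPT 80 tcp anyone
host_rule ACCEPT intranet.example
lan_host_rule ACCEPT 192.168.1.20
```

The one design point worth noticing is the insert-versus-append choice: in permissive mode the catch-all accept is already in the FORWARD chain, so a Deny rule appended after it would never match, which is why the example inserts denies at the head and appends allows under a DROP policy.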