A firewall policy is a set of rules that together determine unambiguously, for every connection, whether it is allowed to pass through the firewall. The Firestarter policy is made up of two separate layers: a default policy and a user-specified policy.
Firestarter tries to provide a safe and user-friendly policy by default. While it protects both the firewall host itself and any client hosts on a local network from intrusion attempts, it does not restrict the services that the protected hosts themselves can access. The default policy provides a solid base on which you can choose to implement additional rules, specifying what constitutes both authorized and unauthorized network access.
The default Firestarter policy is as follows:
This policy allows normal Internet usage such as web browsing and e-mail on the secured hosts, but blocks any attempts to access network services from the outside and shields the local network.
While the default policy can by itself make up the entire firewall rule set, it is often desirable to add your own policies to the set. User specified rules can either relax the default policy or impose further restrictions.
User created policy in Firestarter is grouped according to the class of network traffic affected:
| Policy group | Traffic affected |
|---|---|
| Inbound | Connections originating from the Internet or the local network with the firewall host as the destination. |
| Outbound | Connections from the firewall host and the local network to the Internet. |
The reason inbound policy does not affect connections from the Internet to the local network is that such traffic is not directly possible: local network hosts are reachable from the Internet only when the firewall host acts as a middleman and forwards the traffic.
All inbound network traffic that is not in response to a connection established by a secured host is always denied. User-created inbound policy is therefore permissive by nature and consists of criteria that, when met, lift the restrictions on the creation of new incoming connections. Changes to inbound policy are made in the inbound policy section of the policy page in Firestarter.
The purpose of outbound traffic policy is to specify the types of network traffic that are allowed out from the secured network to the Internet. Firestarter has two modes of operation when it comes to implementing outbound policy: a permissive mode (the default) and a restrictive mode.
The restrictive outbound mode, on the other hand, marked "Deny outbound traffic not allowed" on the policy page, means that you explicitly specify which connections are allowed out. When this mode is enabled for the first time, some basic rules are already present in the system. These rules permit the secured hosts to access the DNS, DHCP and HTTP services, so that you do not accidentally end up in a situation where you are unable to reach the web or further assistance. Once you know for sure that you wish to enable the restrictive outbound policy, you can freely remove these rules.
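As an added example (not Firestarter's own generated script), the following shell functions build an iptables rule set that mirrors the two layers described above: the default policy that drops new inbound connections to the host and the local network, and the user outbound policy in its permissive or restrictive mode, the latter seeded with DNS, DHCP and HTTP. The interface names eth0/eth1 and the exact ports used for those seed rules are assumptions.

```shell
#!/bin/sh
# Added example, not Firestarter's generated script: an iptables rule set
# mirroring the two policy layers described above. Interface names and the
# seed ports for the restrictive mode are assumptions.
EXT_IF="${EXT_IF:-eth0}"   # assumed Internet-facing interface
INT_IF="${INT_IF:-eth1}"   # assumed local-network interface
IPT="iptables"

# Layer 1, the default policy: drop every new inbound connection to the
# firewall host (INPUT) or to the local network (FORWARD); only replies to
# connections a secured host opened are let back in. Outbound is untouched.
default_policy_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}

# Layer 2, user outbound policy. "permissive" (the default) lets the host
# and the local network reach anything; "restrictive" denies outbound
# traffic that is not explicitly allowed, seeded with DNS, DHCP and HTTP so
# the secured hosts can still resolve names, get a lease and reach the web.
outbound_rules() {
    mode="$1"
    case "$mode" in
    permissive)
        echo "$IPT -P OUTPUT ACCEPT"
        echo "$IPT -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT" ;;
    restrictive)
        echo "$IPT -P OUTPUT DROP"
        echo "$IPT -A OUTPUT -o lo -j ACCEPT"
        echo "$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # One rule per allowed service, for the host itself (OUTPUT) and for
        # the local network behind it (FORWARD). Ports are assumed values.
        for svc in "udp 53" "tcp 53" "udp 67" "tcp 80"; do
            proto="${svc%% *}"; port="${svc##* }"
            echo "$IPT -A OUTPUT -o $EXT_IF -p $proto --dport $port -j ACCEPT"
            echo "$IPT -A FORWARD -i $INT_IF -o $EXT_IF -p $proto --dport $port -j ACCEPT"
        done ;;
    *)  echo "unknown outbound mode: $mode" >&2; return 1 ;;
    esac
}

# Emit the complete rule set; pipe the output into sh as root to apply it.
build_ruleset() { default_policy_rules && outbound_rules "${1:-permissive}"; }
```

Run `build_ruleset restrictive` to review the generated rules before applying them; removing the seed rules, as the text describes, is a matter of deleting entries from the `for` list.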