
The preferences

The network preferences

The Firestarter preferences dialog holds many options that control the behavior of the graphical interface and the firewall. To access the preferences, either click the button on the toolbar of the status page or use the Edit->Preferences menu entry.

The preferences are divided into two categories: options that change the interface and options that affect the firewall.

Interface options

The interface options are further divided into three sections: general interface options, and options for the events and policy pages.

General interface options

Enable tray icon. When this option is enabled, Firestarter will display a notification icon in the system tray. The icon shows the same state information as on the status page. It will also flash when a new event occurs. Clicking the icon causes the Firestarter main window to hide or reveal itself.

Minimize to tray on window close. This option is meant to be used together with the tray icon option. When enabled, closing the window does not exit the application; it is hidden from view and continues to run in the background. This is similar to how many instant messengers work. The idea is that you do not want the Firestarter window on your desktop all the time, but you still want to get alerts when something happens.

Events page options

These options control aspects of the events page.

Skip redundant entries. With this option enabled, the list of blocked connections on the events page will filter out identical consecutive events.

Skip entries where the destination is not the firewall. When enabled, this option causes the program to perform a comparison between the firewall's IP and the destination of the blocked connection. If the two do not match, the entry is not shown in the list. This is useful in a few situations, such as when you have disabled the filtering of broadcast events, but still do not want to see them reported.

This page also contains two lists of hosts and ports that are filtered out from the blocked connections list. When you right-click on an entry on the events page and choose Disable Event, the port or source of the entry is added here. Ports and hosts listed here are kept out of the actual firewall event log files, unlike the two previous options which merely hide some of them from view.
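The difference between the two view options and the Disable Event lists, as an added example that is not Firestarter's own code. The `Event` record, the function names and the sample addresses are constructed for illustration, and comparing each entry against the previously displayed one is an assumption about how "consecutive" is applied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    port: int
    proto: str

def log_filter(events, disabled_hosts=(), disabled_ports=()):
    """Disable Event lists: matching entries never reach the event log."""
    return [e for e in events
            if e.src not in disabled_hosts and e.port not in disabled_ports]

def view_filter(events, firewall_ip, skip_redundant=True,
                skip_not_for_firewall=True):
    """The two view options: entries stay in the log, only the list changes."""
    shown, prev = [], None
    for e in events:
        if skip_not_for_firewall and e.dst != firewall_ip:
            continue              # e.g. broadcasts addressed to the subnet
        if skip_redundant and e == prev:
            continue              # identical to the entry displayed just before
        shown.append(e)
        prev = e
    return shown

# Constructed sample data (documentation address ranges).
FIREWALL_IP = "192.0.2.10"
LOG = [
    Event("198.51.100.7", "192.0.2.10", 22, "TCP"),
    Event("198.51.100.7", "192.0.2.10", 22, "TCP"),    # identical, consecutive
    Event("192.0.2.44", "192.0.2.255", 137, "UDP"),    # broadcast destination
    Event("203.0.113.5", "192.0.2.10", 445, "TCP"),
    Event("198.51.100.7", "192.0.2.10", 22, "TCP"),    # repeat, not consecutive
    Event("203.0.113.5", "192.0.2.10", 23, "TCP"),
]

if __name__ == "__main__":
    for e in view_filter(LOG, FIREWALL_IP):
        print(e)
    print(len(log_filter(LOG, disabled_ports={445})), "entries would be logged")
```

Disabling port 445 removes that entry from the log itself, which also makes the two port 22 entries around it consecutive in the displayed list.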

Firewall options

The firewall options control some of the more advanced firewalling functions, as well as the choices you made in the initial wizard.

General firewall options

Start/restart firewall on program startup. With this option checked, Firestarter forces a reload of the firewall when you start the graphical interface.

Start/restart firewall on dial-out. This option adds the firewall service to the list of programs to run when a dial-up connection is established. It ensures the firewall is properly restarted when you are assigned a new IP address.

Start/restart firewall on DHCP lease renewal. This option causes the firewall to be restarted when your service provider issues you a new IP address.

Network settings

The options related to the network settings allow you to choose the network devices associated with your Internet connection and internal network, if you have one. All network devices in the computer are automatically detected; you only have to choose one from the drop-down list of available choices.

Enable Internet connection sharing. This option allows you to share the firewall's Internet connection with the other machines on the local network. For more information, please see the chapter on Internet connection sharing.

Enable DHCP for the local network. DHCP is a network service that allows for automatic distribution of the network settings to computers on your local network. For detailed information about configuring the DHCP service, see configuring the DHCP server.

ICMP filtering options

ICMP packets make up a special class of traffic used by many common network utilities, for example ping and traceroute.

By default Firestarter allows ICMP traffic, although it throttles it somewhat to prevent excessive flooding or Denial of Service attacks. By enabling ICMP filtering you can block these services altogether. Note that blocking a certain ICMP type also prevents you from using it yourself.

Firestarter allows control of the following ICMP types:

ToS filtering options

Type of Service filtering allows the firewall in some cases to increase the throughput or reliability for certain applications. It does this by re-prioritizing the traffic. Type of Service prioritization needs to be supported by the network you connect to; in practice this limits the area of effect to local networks.

Firestarter can prioritize the traffic for typical workstation and server tasks. Additionally, applications running remotely over the X Window system can also be prioritized. Either the total throughput, connection reliability or the application interactivity can be maximized for the selected work tasks.

Advanced options

The advanced options are mainly for the experienced user.

Preferred packet rejection method. Firestarter can either reject or drop connections that are not allowed by the security policy. When the firewall rejects a connection, it sends an error packet to the source telling it the connection was denied. Dropping a connection, on the other hand, does nothing. In this case the source of the denied connection is none the wiser; in some cases it is even impossible to tell whether there is a machine at the firewall's IP at all. Since rejecting connections allows the remote party to map the network services as well as waste your bandwidth, we recommend you keep the default behavior of dropping connections silently.
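What the sender observes in each case, as an added loopback simulation that is not part of Firestarter and needs no firewall. It assumes stand-ins for both behaviors: the kernel's ICMP port-unreachable reply for a UDP port with no listener plays the error packet of a reject, and a bound socket that never answers plays the drop. The function names are hypothetical.

```python
import socket

def probe_udp(port, timeout=0.5):
    """Send one datagram to 127.0.0.1:port and report what the sender learns."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(("127.0.0.1", port))   # connected socket: ICMP errors surface
        try:
            s.send(b"probe")
            s.recv(1024)
            return "answered"
        except ConnectionRefusedError:
            return "error packet received"   # sender is told it was denied
        except socket.timeout:
            return "silence"                 # sender cannot tell what happened

def demo():
    # Drop stand-in (assumption): a bound socket that never reads or replies.
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    # Reject stand-in (assumption): a port with no listener, so the kernel
    # itself answers with an ICMP port-unreachable error.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "reject": probe_udp(closed_port),
            "drop": probe_udp(silent.getsockname()[1]),
        }
    finally:
        silent.close()

if __name__ == "__main__":
    for method, seen in demo().items():
        print(f"{method}: sender sees {seen}")
```

The reject case returns immediately with a definite answer, while the drop case costs the sender the full timeout and yields nothing, which is the behavior the recommended default relies on.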

Block broadcast traffic. This option blocks all network traffic with a destination or source address that marks it as either a global or local broadcast.
