Firestarter

Firestarter Manual

[Back to Index]
The Rules View

The rules view is the traffic control center of the firewall. Here you specify what traffic may pass through the firewall. You can control public service access at a high level, or grant and revoke privileges for individual hosts or groups of hosts. If you are using NAT, you can also forward incoming traffic to another machine behind the firewall.

The Rules View Interface

The rules are divided into 6 groups. When a group has one or more rules, pressing the arrow next to the group header will either expand or contract the view of the group in question.

Double-clicking on a group header will bring up the new rule creation dialog. The information required for the rule varies depending on the rule type. See the detailed rule descriptions below for more information.

Double-clicking an existing rule lets you edit it. To remove a rule, select it, right-click on it and choose "Remove rule" from the context menu.

All changes made on the rules page take effect immediately.

Did you know:

Any input dialog in Firestarter that accepts a single IP address will also accept a hostname or an IP range, written either in network/netmask form or in CIDR notation.

The Rules, in Detail

Firestarter enforces a precedence order for all rules. Precedence determines which rule takes effect when two rules conflict. For example, what happens when the same host is listed both as a trusted host and as a blocked host? The internal precedence is the same as the visual order in the Firestarter client: the group at the top of the rule list has the highest precedence, and the first group whose rule matches decides. In the example above the host is trusted, because trusted hosts take precedence over blocked hosts.

Trusted hosts

Hosts on this list are considered "friendly". A trusted host has full access to all the services on the firewall machine and, in some cases, even to the machines behind the firewall. Because trust has the highest precedence, a trusted host bypasses every other rule; grant trusted status sparingly and only to hosts you control.

Blocked hosts

The blocked hosts list is where the evil and the annoying end up. Any traffic from a blocked host will be dropped right away. As long as the firewall is running the blocked host will get no reaction out of the firewall machine. From their point of view your network just disappeared off the net. Connection attempts from blocked hosts do not show up on the Hits view.

Forwarded ports

This rule group will not show up if you only have a single network device in your machine.

A forwarding rule takes packets arriving on a port of the firewall and redirects them to a port on another machine, usually one on your LAN. A typical scenario: the firewall machine is the Internet gateway and a number of computers sit behind it using NAT. One of the NAT'd machines runs a web server on port 8080 (or 80), but because of the NAT setup it is not reachable from the Internet. A forwarding rule takes the packets arriving on the standard www port of the firewall (80) and forwards them to the internal machine's port 8080.


Open ports

Open ports are ports that are freely accessible to everyone (except blocked hosts). For example, an open port rule with a value of 80 allows anyone to reach a web server running on the firewall machine itself.

The services you configure in the wizard do not show up here, but they are in fact open port rules. Listing a port here that you already listed in the wizard services configuration is not recommended, but relatively harmless.

Stealthed ports

Stealthed ports, as the name implies, are about hiding services. A stealthed port appears blocked to everyone except the host that has been given explicit access in the stealth rule. In some ways a stealth rule is a narrow trusted host rule: instead of trusting a host with everything, you are saying "I trust you to use this service, and only this service".

A typical example of a commonly stealthed service is ident. You don't want everyone to be able to query your ident service, since that would be a security risk. Instead you allow select hosts access to it, such as your ISP's mail server or an IRC network host that requires identification. Another use is stealthing SSH for a single machine, say your workstation at work. To everyone else the port looks like any other blocked port, so nobody who is not connecting from that workstation can even tell that an SSH server is running.

Blocked ports

All ports not explicitly opened are blocked. This group exists only to stop connection attempts to a port explicitly and without logging them. Because of the group's low precedence and the fact that hits against these rules are not logged, it is ideally suited as a hit limiter and filtering tool. For example, on a busy network with many Windows workstations you will be hit on ports 137 and 138 (the NetBIOS ports) constantly. Explicitly blocking these ports is a good idea: it lets you see the important hits while filtering out the mass of harmless hits these two ports generate.

Another option is to enable the "Hits not meant for me" filter in the preferences. The filter only keeps the hits out of the Hits view; they are still written to the log on disk. Explicitly blocking the ports is usually the better option.
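The following script is an added example and not Firestarter's own code or the rules it generates: it prints illustrative iptables commands for one rule from each of the six groups above, ordered so that first-match evaluation in iptables reproduces the precedence described under "The Rules, in Detail", and it covers the forwarding, stealth and blocked-port scenarios from those sections. The interface names, addresses and ports are assumed placeholders, and the conntrack match is assumed to be available.

```shell
#!/bin/sh
# Added example, not Firestarter's generated ruleset. Prints iptables
# commands for one rule per Firestarter group, in precedence order.
# All interfaces, addresses and ports are assumed placeholders.
# Review the output, then apply as root with:  sh this.sh | sh
EXT_IF=eth0                   # assumed: interface facing the Internet
LAN_NET=192.168.1.0/24        # assumed: NAT'd LAN behind the firewall
TRUSTED_HOSTS="203.0.113.10"
BLOCKED_HOSTS="198.51.100.77"
FWD_EXT_PORT=80; FWD_TO=192.168.1.10; FWD_TO_PORT=8080
OPEN_PORTS="22 80"
STEALTH_PORT=113; STEALTH_SRC=203.0.113.25   # ident, for one mail host only
NOLOG_PORTS="137 138"                        # NetBIOS noise, dropped unlogged

rules() {
    # Default policy drops; the LOG rule at the end records what reaches it.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE"

    # 1. Trusted hosts: full access to the firewall and through it.
    for h in $TRUSTED_HOSTS; do
        echo "iptables -A INPUT -s $h -j ACCEPT"
        echo "iptables -A FORWARD -s $h -j ACCEPT"
    done
    # 2. Blocked hosts: DROP with no LOG rule in front, so nothing answers
    #    and nothing is logged (hence nothing in the Hits view).
    for h in $BLOCKED_HOSTS; do
        echo "iptables -A INPUT -s $h -j DROP"
        echo "iptables -A FORWARD -s $h -j DROP"
    done
    # 3. Forwarded port: rewrite the destination in nat/PREROUTING, then
    #    let the rewritten packet through the FORWARD chain.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $FWD_EXT_PORT -j DNAT --to-destination $FWD_TO:$FWD_TO_PORT"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $FWD_TO --dport $FWD_TO_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # 4. Open ports: anyone not already dropped above may connect.
    for p in $OPEN_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 5. Stealthed port: one source is accepted; everyone else falls through
    #    to the log-and-drop tail, so the port looks like any other blocked port.
    echo "iptables -A INPUT -p tcp -s $STEALTH_SRC --dport $STEALTH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # 6. Blocked ports: drop before the LOG rule so the noise is never logged.
    for p in $NOLOG_PORTS; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $p -j DROP"
        done
    done
    # Everything else: log once, then the DROP policy applies.
    echo "iptables -A INPUT -i $EXT_IF -j LOG --log-prefix 'Inbound '"
}

# Line number of the first generated command matching a pattern; used to
# confirm that the output preserves the precedence order.
rule_index() {
    rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

rules
```

The order of the printed commands is the whole point: iptables stops at the first matching rule, so a trusted-host ACCEPT placed before a blocked-host DROP is what makes "trusted beats blocked" true, and a blocked-port DROP placed before the trailing LOG rule is what keeps NetBIOS noise out of the log.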

[Back to Index]