Firestarter Manual


The Wizard

The following section will walk you through the process of configuring the firewall using the wizard interface.

The first time you start Firestarter, the Firewall Wizard will automatically start and configure your firewall. If you wish to reconfigure your firewall later for any reason, select Firewall->Run Firewall Wizard or click the Wizard icon on the toolbar (the firewall can also be configured from the Preferences).

The wizard is a series of 7 pages designed to customize the firewall to your needs. You can change most of the firewall functions from other parts of the program; for example, the Network Services Setup wizard page is overridden by the more advanced Rules view in the main interface.

Network Device Setup

This page is for configuring the external network device; that is, your Internet-connected network adapter.

The wizard attempts to discover all devices that are currently active on your machine. Generally, you should use either PPPxx or ETHxx devices unless you are an advanced user and know what you are doing. If for some reason your preferred interface is not detected, you can type it into the text box. In practice, however, this will do you no good; if the wizard can't find your interface, there is probably some problem with it that must be resolved first.

Some cable modem users might have to select ppp0 as their device, even if they only have an Ethernet card in their machine. This is because of the PPPoE protocol deployed by their ISP. If you see a ppp device in the list, and you do not have a modem, you probably must select it as your device on this page.

The following two options are available:

Internet Connection Sharing Setup

Internet Connection Sharing

Internet connection sharing allows several machines to access the Internet through a single network connection. This is done using NAT. To the outside world the cluster of machines will look like a single machine with a single IP address.

For NAT to work you need two or more network devices in your machine. If you only have one device this page will not show in the wizard. The port forwarding section in the Rules view will also be disabled.

To enable NAT, select a device from the drop-down menu of autodetected devices other than the one you chose for your external connection.

The IP range autodetection should be left on in nearly all cases. In some advanced cases of subnet dividing you can specify it manually, but normally you should not touch this option unless you are sure you need to.

For an in-depth look at Internet connection sharing, read our Guide to NAT.

Network Services Setup

If you are running server software, for example a web server or DNS services, you can specify here that the services in question are public. Public services can be accessed by everyone from the Internet. Note that you do not need to, and should not, mark services public that are only meant to be accessed from your LAN if you are using NAT.

Services are easily opened and closed using the Rules view. The settings on the Rules page take precedence over the settings on the Services Wizard page.
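
The connection sharing and public service settings described above, written out as an iptables-restore ruleset. This is an added example, not the rules Firestarter itself generates; the helper name nat_ruleset, the devices ppp0 and eth0, port 80 and the default-drop INPUT policy are assumptions.

```shell
#!/bin/sh
# Added example, not Firestarter's generated rules. nat_ruleset is a
# hypothetical helper; ppp0/eth0 and port 80 are assumed sample values.
# Usage: nat_ruleset EXT_IF INT_IF [PUBLIC_TCP_PORT...]
nat_ruleset() {
    ext=$1 int=$2
    # Only plain interface names may reach the ruleset text.
    for dev in "$ext" "$int"; do
        case $dev in ''|*[!A-Za-z0-9._-]*)
            echo "bad interface name: '$dev'" >&2; return 2 ;;
        esac
    done
    # NAT needs two different devices: one external, one facing the LAN.
    [ "$ext" != "$int" ] || { echo "devices must differ" >&2; return 1; }
    shift 2
    for port in "$@"; do
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "bad port: $port" >&2; return 1; }
    done
    # MASQUERADE rewrites LAN source addresses to the external address, so
    # the outside world sees a single machine with a single IP address.
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int -j ACCEPT
EOF
    # Public services are opened on the external device only; LAN clients
    # already reach every service through the internal-device rule above.
    for port in "$@"; do
        echo "-A INPUT -i $ext -p tcp --dport $port -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -i $int -o $ext -j ACCEPT
-A FORWARD -i $ext -o $int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

The output of nat_ruleset ppp0 eth0 80 can be checked without loading it by piping it to iptables-restore --test as root. Forwarding between the two devices also requires net.ipv4.ip_forward to be set to 1.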

Type of Service Filtering Setup

This section is intended for advanced users. ToS filtering can improve throughput or reliability of network connections. Note that ToS filtering needs to be supported by the network you are connected to, meaning that you are in practice restricted to LANs for filtering purposes. Firestarter provides several ways to optimize the connection: emphasis can be placed on client, server or remote X sessions.

ICMP Filtering Setup

This option allows you to select which ICMP options you would like to receive on the external device. By default, Firestarter allows all forms of ICMP messages through the firewall, including some uncommon or seldom used options (such as address masking).

Note that filtering out ICMP packets will render several common network utilities like ping and traceroute useless on your machine. This can in turn further affect other programs that are relying on these utilities.

If you are concerned about people performing ping scans, floods or probes on your network it is advised to at least filter some forms of ICMP communication.

Firestarter has the following ICMP filtering options available:

Timestamping is used by many @Home providers for statistics tracking

Users of the @Home Cable network should not filter timestamping requests, as these are commonly used to maintain statistics tracking and keepalives throughout the networks.

Some LAN Manager Requests require Source Quenches

Some earlier implementations of the OS/2 LAN Manager stack (Warp 3.0 and 2.1/Connect) require source quenches to be enabled - we are still unsure why this is, but OS/2->OS/2 communication will silently fail if you enable filtering of these packets.
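
Selective ICMP filtering on the external device, expressed as iptables rule lines. This is an added example, not Firestarter's own rules; the helper name icmp_filter_rules and the device ppp0 are assumptions, and the type names are the ones iptables accepts for --icmp-type.

```shell
#!/bin/sh
# Added example, not Firestarter's generated rules. icmp_filter_rules is a
# hypothetical helper that prints rule lines for the filter table.
# Usage: icmp_filter_rules EXT_IF ICMP_TYPE...
icmp_filter_rules() {
    ext=$1
    case $ext in ''|*[!A-Za-z0-9._-]*)
        echo "bad interface name: '$ext'" >&2; return 2 ;;
    esac
    shift
    for t in "$@"; do
        case $t in
            # Types that can be filtered with limited side effects. Leave
            # timestamp-request and source-quench out of the argument list
            # on networks that depend on them (see the notes above).
            echo-request|timestamp-request|timestamp-reply|\
            address-mask-request|address-mask-reply|source-quench|redirect) ;;
            # Replies and error messages that ping, traceroute and path MTU
            # discovery on this machine rely on: never dropped here.
            echo-reply|destination-unreachable|time-exceeded)
                echo "refusing to drop $t: breaks ping/traceroute" >&2
                return 1 ;;
            *)
                echo "unknown ICMP type: $t" >&2; return 1 ;;
        esac
    done
    for t in "$@"; do
        echo "-A INPUT -i $ext -p icmp --icmp-type $t -j DROP"
    done
    # Everything not listed stays allowed, matching the allow-all default.
    echo "-A INPUT -i $ext -p icmp -j ACCEPT"
}
```

The DROP lines must come before the final ACCEPT line, which is why the function prints them in that order.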

Ready to Start The Firewall

At the final page you have the option to either discard your changes or accept and save your choices.
