Firestarter Notes

Charles Curley charlescurley at charlescurley.com
Sat Jan 1 21:38:45 UTC 2005


These are some notes that may help folks using firestarter
(http://www.fs-security.com) on Fedora Core 3.

The FC3 installation is an upgrade from FC2, with all updates to FC3
since applied. firestarter is firestarter-1.0.1-1, installed from the
RPM on the firestarter web site.

Setup: I have a firewall which I usually run decapitated. It is, of
course, dual homed (i.e. two NICs). Eth0 is the external interface,
eth1 the internal. Both have their IP addresses assigned by DHCP, so
firestarter runs when an IP address is assigned. Because I run it
decapitated, I must be able to use SSH to log in.

Problem 1: Boot sequencing. I had problems booting in that even with
the firewall set up correctly, I had no NATting. Conjecture: The first
IF is initialized, including DHCP. This includes the firewall
script. However, since eth1 is not yet initialized, the firewall is
broken. Result: no NATting. Then eth1 is initialized.

Apparently, DHCP does not run for eth1, or at least the file
/etc/dhclient-exit-hooks is not used.

If I manually run /etc/firestarter/firestarter.sh, everything works
correctly.

Workaround one: rejigger PCI cards, and their attendant boot
configuration files in /etc/sysconfig, so that eth1 is the external
interface. I have not tried this. I'm lazy.

Workaround two: add a line, "/etc/firestarter/firestarter.sh start",
to /etc/rc.d/rc.local. That's easy, and it works for all cases.

Problem 2: Out of the box, the firewall did not allow me to SSH into
the firewall machine. I had to shut the firewall off at the
(temporary) console, log in over SSH, and restart the firewall. Not an
acceptable solution.

Solution: add a policy to allow connections from the appropriate
internal host(s). That works. This is a change from previous behavior,
and as far as I can tell is not documented!

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
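The rc.local workaround from the post, as an added example that is not code from the post or from the firestarter project: a small guard script that starts the firewall only once both NICs hold an IPv4 address, so the NAT rules are generated with eth1 already configured, and logs whether the wait succeeded. The interface names, the script path, the guard's file name, the one-minute timeout and the use of ifconfig (the FC3-era tool) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of Charles Curley's post or of firestarter.
# Install as /usr/local/sbin/firestarter-guard.sh (assumed name) and put
#   /usr/local/sbin/firestarter-guard.sh start
# in /etc/rc.d/rc.local instead of calling firestarter.sh directly.
EXT_IF="${EXT_IF:-eth0}"                                  # external NIC (assumed)
INT_IF="${INT_IF:-eth1}"                                  # internal NIC (assumed)
FW_SCRIPT="${FW_SCRIPT:-/etc/firestarter/firestarter.sh}" # from the post
MAX_WAIT="${MAX_WAIT:-60}"                                # seconds to wait for DHCP on both NICs (assumed)

# parse_ifconfig_ipv4: read `ifconfig IFACE` output on stdin and print the
# IPv4 address (empty when the interface has none). Pure text parsing, so it
# can be exercised on captured output without a live NIC.
parse_ifconfig_ipv4() {
    awk '/inet addr:/ { sub("addr:", "", $2); print $2; exit }'
}

# iface_ipv4 IFACE: current IPv4 address of IFACE, or empty if it has none
# (or if ifconfig is not available on this host).
iface_ipv4() {
    command -v ifconfig >/dev/null 2>&1 || return 0
    ifconfig "$1" 2>/dev/null | parse_ifconfig_ipv4
}

# wait_for_ifaces: poll once a second until both NICs hold an address or
# MAX_WAIT seconds elapse. Returns 0 when both are up, 1 on timeout.
wait_for_ifaces() {
    waited=0
    while [ "$waited" -lt "$MAX_WAIT" ]; do
        if [ -n "$(iface_ipv4 "$EXT_IF")" ] && [ -n "$(iface_ipv4 "$INT_IF")" ]; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# start_firewall: the rc.local entry point. On timeout the script is still
# run, matching the post's unconditional start, so the host is filtered on
# whatever interfaces exist; the log line makes the ordering problem visible.
start_firewall() {
    if wait_for_ifaces; then
        logger -t firestarter-guard "$EXT_IF and $INT_IF both up; starting firewall"
    else
        logger -t firestarter-guard "timeout waiting for $EXT_IF/$INT_IF; starting firewall anyway"
    fi
    "$FW_SCRIPT" start
}

# Run only when invoked with "start" (as from rc.local); sourcing the file
# just defines the functions.
case "${1:-}" in
    start) start_firewall ;;
esac
```

Check the result after a reboot with `grep firestarter-guard /var/log/messages`: a "timeout" line means eth1 is still coming up after rc.local, and the one-minute budget (MAX_WAIT) should be raised.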