Firestarter = Firewall for FoxyRoxy


Post by jbv » Wed Sep 12, 2012 4:42 am

06-FoxyFirestarter is our official and totally unsupported Firewall.

After playing with it a bit, I've discovered that it does have some issues/problems but they are probably more about the install/setup than anything else. Provided they are known, I think we should be okay to move forward with this and see if the issues/problems get sorted by someone else - chances are they won't, in which case they won't get fixed.

Please let me make it quite clear - we are not supporting this package or any package and upon finding an issue, you are expected to either make it work on your own or not use the program/package. If you do manage to sort out something, then as a gesture, it would be really nice if you reported back here. That is the beginning and end of the support you can expect and will get from me.

Now, the known issues.

1) Edit: (fixed) Firestarter knocks out miniDLNA at startup, even if you do have port 8200 open.
The fix probably lies in getting the system services starting properly as part of our dynamic service start cleanup. This issue may or may not go away then (probably will, but I'm not promising anything). The short term fix is to open a console window (or Alt-F2) before login. Type: runminidlna restart

2) Edit: (fixed) Even with the Samba ports open, you can't "browse" the "Debian" machine from a Windows machine using Windows-Explorer while doing a [Tools] --> [Map Network Drive] and then clicking [Browse]. The machine will appear in the Workgroup list, but if you try to expand to see the resources, you will be met with an ugly silence and a long pause. You can manually connect from the Windows command-line, for example: net use z: \\192.168.0.91\Public will map the drive for you and you then have full r/w access as normal. Not sure what this one is. I played with it for a while and did get it to work once, but it was one of those scenarios whereby when you undo what you just did and try to do it again to confirm, it didn't work. At this point, I put it into the "someone else can sort it out" basket.

3) In "policy" I have unlocked all access from my internal network, which is basically 192.168.0.x. If you have a different internal IP, then you will need to season to taste.

Surprisingly even with miniDLNA and Firestarter running, after bootup to our desktop CPUinfo shows me that our memory usage is now a whopping 78Mb used, 64Mb active :shock:

Obviously your mileage may vary.

I've created this sqf to show you how to do it. It usually involves quite a few reboots and lots of testing, but with just a little work, it isn't that hard.

Part of the reason for putting it in was as a precursor to adding Wireless support, but let me make it quite clear right here and now, the first person who asks me about Wireless support will get an instant IP Ban, and I will track them down.

Oh, I have also tested this with LMS. I did a clean install of LMS to see how the scripts would work. It all ran okay. There was something silly where it may not have auto-started after the first install, but doing a 95-create and reboot fixed everything. Not sure what it was or if I have described it properly. No matter what it was, the Build-LMS script held up and I'm sure that our resident LMS expert will sort it in no-time.

The 7.5Mb file can be downloaded by <clicking this link>

You will need to rename the extension and remove .noload before restarting for the Firewall to run.

The configuration/admin/status/info applet can be found in the [TaskBar Menu] --> [Administration]
jbv
 
Posts: 600
Joined: Sat Jul 14, 2012 2:02 am
Location: Sydney, Australia

FoxyRoxy Firewall - Updated

Post by jbv » Sat Sep 15, 2012 5:20 am

Update: 15 September 2012 The download file has been updated.

Not being happy with the few quirks that seemed to be in Firestarter, I decided to have a closer look.

Known Issue 1 - Firestarter knocks out miniDLNA at startup, has been resolved
The problem was in the startup sequence. Starting miniDLNA last fixes this, so it has been done.

Known Issue 2 - Not able to browse SMB shares from Windows using Explorer, has been resolved
This was related to "broadcast traffic" from the Windows machine, being blocked due to the preference setting in the [Firewall] --> [Advanced Options] being set. By turning "off" the option to "Block broadcasts from internal network", Windows Explorer can now "Browse" your network shares on the FoxyRoxy machine.

If loaded, the sqf now starts the firewall by default.
The firewall is active even if you do not login to the machine.
All services work, regardless of whether you log in or not.
After login, the Firewall status applet is auto-magically started in "hidden" mode so that the icon appears in the FoxyRoxy notification area. It is the blue "start" icon to the left of the quick-console button. Click the icon to bring up the application and click it again to minimize it. If the firewall is disabled, the icon will appear as red "stop".

Some general notes:

The updating of this .sqf in no way implies that this is a supported package.
It is NOT a supported package and it NEVER will be.

Firestarter has not had any active development work done on it in more than a few years. This has given many people the impression that it has been abandoned by its author. It may very well have been. I have no way of knowing and make no claim either way with regard to this. What I can advise you of is that it works and it appears to work quite well.

Now for the real meat. Firestarter is in fact a very nice and fancy tool that manipulates the configuration files for IP Chains which is effectively the standard Linux kernel firewall that was already built into FoxyRoxy. This is why the addition of this package does not consume any memory or have any resource overhead. The small increase in memory you will see from loading this sqf is in fact the miniDLNA service which is started by this sqf.

If you want to stop miniDLNA from loading, perform the following steps.

1) 06-load - will load 06-FoxyFirestarter.squashfs into /tmp/sqf-firewall

2a) edit /tmp/sqf-firewall/etc/init.d/.depend.start
2b) remove/delete all occurrences of minidlna from lines 1, 26, and 17
2c) delete line 14 minidlna: rsyslog - note: do not leave a blank line
2d) save the file

3a) edit /tmp/sqf-firewall/etc/init.d/.depend.stop
3b) remove/delete all occurrences of minidlna from lines 1, 26, and 17
3c) save the file

4) 06-save

miniDLNA will no longer be started automatically when the machine is turned on.

If you do not want the status icon to be automatically started in hidden mode,
delete the directory /tmp/sqf-firewall/etc/xdg and all of its contents before saving the sqf.

The reason that miniDLNA would not start with the previous sqf was most likely due to miniDLNA not being happy about the changes being made to IP Tables after it had started.

General Comment:

Some people may be concerned about providing a package that may have been abandoned (if it has been, which once again I have no knowledge of). If it has been, some people may feel that relying upon it to provide a crucial service is highly irresponsible and being very cavalier about system security and integrity. Those same people are actually quite ignorant about what Firestarter does. Once again, let me remind you that the actual firewall services are being provided by IP Tables which is a core part of the Linux Kernel we are using. All Firestarter is doing is putting a very nice, fancy, and incredibly easy to use GUI front end on what is otherwise a very ugly, messy thing to set up and configure. Firestarter is not providing any firewall services or capabilities.

In this regard, it is a work of art and even if it has not been updated for a few years, there is no reason to think that you can not or should not use it. There may be one very simple reason it has not been updated for a while. Perhaps it does not require an update. I understand that software that actually works is a radical concept for some, but occasionally it does happen and it may very well be that for the Author of Firestarter, it does all that it needs to do. From what I have seen, it does this very well.

Oh, in case you haven't understood all that has been said,
Please let me make this very clear.

We can not, and will not support Firestarter (or any firewall)
in any way, shape or form - "Caveat Emptor"
jbv
 
Posts: 600
Joined: Sat Jul 14, 2012 2:02 am
Location: Sydney, Australia
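
The manual edit of .depend.start and .depend.stop described in the post above, done by service name rather than by line number, as an added example that is not part of the original post or the sqf. The sample file contents are constructed, and the "TARGETS =" / "name: deps" layout is assumed from the "minidlna: rsyslog" line quoted in the steps.

```shell
#!/bin/sh
# Added example, not part of the FoxyFirestarter sqf. File contents in
# demo() are constructed to mimic an insserv-style .depend file.

# Print file $2 with service $1 removed: the service's own rule line
# ("minidlna: rsyslog") is dropped whole, leaving no blank line, and the
# name is removed as a whole word from every other line.
strip_service() {
    awk -v svc="$1" '
        $1 == (svc ":") { next }
        {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != svc) out = (out == "" ? $i : out " " $i)
            print out
        }' "$2"
}

# Edit one file in place, keeping FILE.bak; succeeds only if a second
# pass would change nothing, i.e. no reference to the service is left.
remove_from_depend() {
    dep_svc=$1; dep_file=$2
    cp -p "$dep_file" "$dep_file.bak" &&
    strip_service "$dep_svc" "$dep_file.bak" > "$dep_file" &&
    strip_service "$dep_svc" "$dep_file" | cmp -s - "$dep_file"
}

# Apply to both files under an unpacked sqf root (first argument).
disable_autostart() {
    for f in "$1/etc/init.d/.depend.start" "$1/etc/init.d/.depend.stop"; do
        remove_from_depend "$2" "$f" || return 1
    done
}

demo() {
    root=$(mktemp -d) && mkdir -p "$root/etc/init.d" || return 1
    printf '%s\n' 'TARGETS = rsyslog minidlna samba' 'INTERACTIVE =' \
        'minidlna: rsyslog' 'samba: rsyslog minidlna' \
        > "$root/etc/init.d/.depend.start"
    printf '%s\n' 'TARGETS = minidlna samba rsyslog' 'rsyslog: minidlna samba' \
        > "$root/etc/init.d/.depend.stop"
    disable_autostart "$root" minidlna && cat "$root/etc/init.d/.depend.start"
    rm -rf "$root"
}
demo
```

Between 06-load and 06-save the root would be /tmp/sqf-firewall; the .bak copies allow a revert and can be deleted before saving.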

Re: Firestarter = Firewall for FoxyRoxy

Post by jbv » Sat Oct 06, 2012 8:03 am

Update: 6th October 2012

FoxyFirestarter has been updated.
The download link has not changed: <clicking this link> will start the 6.9Mb download

The changes made to FoxyFirestarter were as follows:

1) 06-FoxyFirestarter now complies with our planned standards for AddOns

2) Firewall configuration changes are now saved with the included 99-snap-extension

The Firestarter application, and all other packages inside the FoxyFirestarter AddOn will now be orphans until they are injected into FoxyRoxy. This means they will be fully functional, although they will not show up in the dpkg database. After being injected into FoxyRoxyLinux, the dpkg database will be updated, and the installed packages that make up FoxyFirestarter will then be "known" to dpkg, apt-get, and all related programs.

To save configuration changes, you should have already installed the self-extending-99-snap script.
If you have not yet done this, you can find it and the documentation <here>
[Main Download Area] --> [FoxyRoxyLinux - Scripts] --> [99-snap, Now smarter than a Fox]

The 99-snap-extension is "on" by default.
It also works out if the Firewall package has been injected into FoxyRoxyLinux or is an AddOn.
If the Firewall has been injected, any configuration changes are saved into 05-FoxyConfig.
If the Firewall is being used as an AddOn, configuration changes are saved into 06-FoxyFirewall.

3) 06-inject script has been added.
This script injects FoxyFirestarter into your 02-FoxyDesktop file, and updates the dpkg database. It renames the FoxyFirestarter sqf so that it does not load, as it is no longer required, and can be removed from your bootable disk media.

Configuration changes saved while being used as an AddOn are also injected if you inject FoxyFirewall into FoxyRoxy at a later date.

If you have already injected the previous FoxyFirestarter AddOn and only require the 99-snap-extension, download the attachment below and unpack it into /scripts/99-include

While FoxyFirestarter has been updated, this does not change our policy regarding this package.

We can not, and will not support Firestarter (or any firewall)
in any way, shape or form - "Caveat Emptor"
Attachments
99-snap-FoxyFirestarter.tar.gz
99-snap-FoxyFireStarter extension script
(1.33 KiB) Downloaded 459 times
jbv
 
Posts: 600
Joined: Sat Jul 14, 2012 2:02 am
Location: Sydney, Australia

