Tuesday, February 28, 2006

Walls ablaze part 2

OK, earlier I set up Firestarter as my firewall GUI tool. Now I would like to make it work just the way I like it.

In the preferences ("Edit -> Preferences") the first thing I ensure is that "Enable tray icon" and "Minimize to tray on window close" are enabled. Another thing to change would be "Apply policy changes immediately" in the "Policy" section. For the more paranoid cases, enabling "ICMP Filtering" would be the way to go, but be careful what you enable, as some network tools might not work as expected if you do enable it (ping, traceroute and path MTU discovery all depend on ICMP getting through).

"ToS Filtering" would require an entire posting of its own, but for a quick run through, I enabled ToS filtering, chose "Workstation" and optimized the traffic for "Throughput".

Finally, in the "Advanced Options", keeping "Preferred packet rejection method" at "Drop silently" is good: the packet is discarded without any reply, instead of sending back a rejection that confirms a host is there. I personally prefer this option because sometimes it's harder for another person to tell whether there is even a machine there if they scan you. Not that they can't find out, it just makes it slightly harder. Anything that gives you even the slightest edge helps, right ;). Blocking broadcast traffic is a good idea to prevent you from getting DoS-ed. It also helps reduce excessive traffic and prevents degradation of network performance.

As a final note, I also enable "Block traffic from reserved addresses on public interfaces". If you're connected directly to the internet using a public IP, it would be ridiculous to get a connection from a LAN IP, right? You obviously don't want these spoofed addresses eating up your bandwidth. However, this is not just restricted to a LAN IP connecting to a public IP; it also covers multicast traffic or any range which is deemed restricted. Save your preferences and you're back to where you started earlier.

Now that you have a pretty safe machine, you will want to allow certain connections to come INTO your system, such as SSH, Torrent or NetBIOS. Click the "Policy" tab and, in the "Inbound traffic policy", add any ports and/or IPs that may connect to you in the "Allow service" section. Once you've added it, the rule will immediately become active and you can connect to the service. For a workstation this will be more than sufficient. For controlling outbound traffic, change "Inbound traffic policy" to "Outbound traffic policy" and you will see the choice between allowing all traffic by default ("Permissive") or blocking it by default ("Restrictive"). For those who intend to run it as a server or are just plain paranoid, change the default "Permissive" to "Restrictive" and restrict what kind of connections you wish to allow from your system. But do be careful with this, as you may deny connections from other system apps that need to connect out.
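To show what the preferences and policy settings above amount to underneath the GUI, here is an added example (not Firestarter's own generated script) that expresses the same policy as plain iptables commands: a silent DROP default, reserved source addresses dropped on the public interface, broadcasts dropped, one inbound "Allow service" entry per port, and a permissive outbound default. The interface name, the allowed port list and the exact reserved ranges are assumptions; by default the script only prints the rules, and runs them only when APPLY=1.

```shell
#!/bin/sh
# Constructed example: Firestarter-style policy as iptables rules.
# PUBLIC_IF, ALLOWED_TCP and the reserved ranges below are assumptions.
PUBLIC_IF="${PUBLIC_IF:-eth0}"
ALLOWED_TCP="${ALLOWED_TCP:-22}"   # "Allow service" entries, e.g. SSH
APPLY="${APPLY:-0}"                # 0 = print rules only, 1 = execute them

# Emit one rule: always printed, executed only when APPLY=1.
rule() {
    echo "iptables $*"
    [ "$APPLY" = "1" ] && iptables "$@"
    return 0
}

firewall_rules() {
    # "Drop silently": a DROP policy instead of REJECT, so an unsolicited
    # probe gets no RST or ICMP unreachable back.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT            # "Permissive" outbound default
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # "Block traffic from reserved addresses on public interfaces":
    # private (RFC 1918), loopback and multicast sources arriving on the
    # public interface are treated as spoofed and dropped.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/4; do
        rule -A INPUT -i "$PUBLIC_IF" -s "$net" -j DROP
    done

    # "Block broadcasts": discard packets sent to a broadcast address.
    rule -A INPUT -m pkttype --pkt-type broadcast -j DROP

    # Inbound "Allow service" entries: one ACCEPT per listed TCP port.
    for port in $ALLOWED_TCP; do
        rule -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Whatever remains falls through to the DROP policy; log it first so
    # it shows up the way blocked connections do in the "Events" tab.
    rule -A INPUT -j LOG --log-prefix "Inbound DROP: " --log-level 4
}
```

Run as `ALLOWED_TCP="22 6881" sh firewall.sh` to review the rules, and with `APPLY=1` as root to load them.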

You can monitor all blocked connections in the "Events" tab. This is a good place to check in case you set your rules too strict or just want to know what kind of traffic you are being hit with.

Well I finally have my first tutorial on something up. Hope to put something else up soon;)
