
Re: Firestarter not starting



On Mon, May 22, 2006 at 09:50:01PM +0100, John Talbut wrote:
> Thanks for the further ideas, Ken.
> 
> Firestarter certainly does not seem to be starting on bootup.  Using ps 
> as root gives no entries for Firestarter after booting, whereas it does 
> once I get Firestarter to start.
> 

That doesn't mean that the firewall isn't running. Firestarter is just a
front-end for iptables as you probably already know. "Firestarter" will
only show up in ps output if the firestarter gui is running. To see if
it has configured iptables for you use iptables -L to list all the
current chains.

Maybe an example will help.. I have two user accounts on my machine -
one for myself and one for my wife. Only for my own account do I have
firestarter the gui set to start on login and only when I am logged in
does firestarter show up in ps output. The firewall (iptables) is
continuing to run when I log out though and this can be confirmed by
logging in with my wife's account and running "iptables -L" in an xterm
as root. It shows all the chains that firestarter configured iptables to
run. If my dhcp lease expires and dhclient obtains a new IP from my
cable provider then the exit hook runs "sh /etc/init.d/firestarter
start" which reconfigures iptables to my new IP address. This is
transparent though.

Running "/etc/init.d/firestarter status" will also tell you if firestarter
the firewall (firestarter service) is running.

Put another way...
/etc/init.d/firestarter runs the firewall
/usr/sbin/firestarter runs the firestarter gui

> The boot script  /etc/init.d/firestarter is:
> 
<snipped>

What I was interested in was the script that you said existed in
/etc/ppp/ip-up.d

You should get a failure notice at bootup since your ppp link is not up.
I believe it can be safely ignored.

What you need is a script in /etc/ppp/ip-up.d 
which reruns /etc/init.d/firestarter when you bring up your ppp link.
This however will not get you the gui portion of firestarter or make
firestarter show up in ps output but it does start the firewall itself.
To get the gui firestarter program to come up /usr/sbin/firestarter has
to be run with root privileges. When you type this in manually in a
console you get the firestarter gui program to come up as it should. To
avoid having to do that each time configure sudo and your gnome session
manager according to the directions listed at

http://www.fs-security.com/docs/faq.php#trayicon

> Running /usr/sbin/firestarter as root does start Firestarter.

As it should. Run it and make sure it is configured to "start/restart
firewall on dialout". This is under Preferences>Firewall in the gui
program. 

> starting at  /etc/firestarter/firestarter.sh do not.

No it won't if ppp0 isn't up yet. That's why the little script in
/etc/ppp/ip-up.d is necessary.

To test the whole thing out:

1) Bring up ppp0 using whatever dialer program you use in Gnome
2) In a terminal as root run "/etc/init.d/firestarter status" to see if
the firewall service is running. You may need to wait a few seconds
after your ppp link is established before you do this. If it is running
you will get "Firestarter is running..." as your output. You will NOT
see firestarter in ps output though at this point and will not have the
firestarter gui either. If you get a message other than "Firestarter is
running..." then the script in /etc/ppp/ip-up.d is not working or not
installed yet.
3) In a terminal as root run "/usr/sbin/firestarter" to bring up the
firestarter gui. Once the firestarter gui is running then firestarter
will appear in ps output. Use the firestarter gui to configure
firestarter to restart on dial-out but not to restart on program (gui)
startup. These options can be found by clicking on the Preferences
button, choosing "firewall" on the list on the left pane and ticking the
appropriate boxes. If these options are not set correctly then
Firestarter the firewall will not restart each time you dial-out.

If all that works then all you need to do is configure sudo and the
gnome session manager like I described above. That will automate you
having the firestarter gui started on login minimized to the system
tray.

Again, I hope I'm not telling you things you already know/tried.
The important point to take away is that Firestarter the gui program and
the firestarter (iptables) firewall are two separate entities. Only the
gui shows up in ps output as firestarter. The gui is just a
configuration and monitoring tool for the firestarter firewall (service)
itself.
-- 
Ken Wahl

Attachment: signature.asc
Description: Digital signature
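
The distinction the message draws between the GUI process and the loaded iptables rules can be checked mechanically. The following is an added example, not part of the original message and not Firestarter's own code; the function names are hypothetical, and the listings (including the chain name INBOUND) are constructed sample input.

```shell
#!/bin/sh
# Added example. Sample listings below are constructed, not captured output.

# stdin: `iptables -L -n` text. Succeeds if any built-in chain policy is not
# ACCEPT, any user-defined chain exists, or any rule line is present.
firewall_loaded() {
    awk '
        /^Chain / {
            p = $4; sub(/\)$/, "", p)
            # "(N references)" marks a user-defined chain
            if ($3 != "(policy" || p != "ACCEPT") hit = 1
            next
        }
        /^target[ \t]/ || /^[ \t]*$/ { next } # column header or blank line
        { hit = 1 }                           # anything else is a rule
        END { exit (hit ? 0 : 1) }'
}

# stdin: `ps -eo args` text. Succeeds only if the program itself is
# firestarter, so "sh /etc/init.d/firestarter start" does not count as the GUI.
gui_running() {
    awk '{ n = split($1, part, "/"); if (part[n] == "firestarter") found = 1 }
         END { exit (found ? 0 : 1) }'
}

# $1 = ps listing, $2 = iptables listing; prints the two answers separately.
firewall_state() {
    gui=no; fw=no
    if printf '%s\n' "$1" | gui_running; then gui=yes; fi
    if printf '%s\n' "$2" | firewall_loaded; then fw=yes; fi
    echo "gui=$gui firewall=$fw"
}

SAMPLE_PS='/sbin/init
/usr/sbin/pppd call provider
sh /etc/init.d/firestarter start'

SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0

Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22'

SAMPLE_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# GUI not running, rules still loaded
firewall_state "$SAMPLE_PS" "$SAMPLE_RULES"
```

On a live system, pass it the output of `ps -eo args` and of `iptables -L -n` run as root in place of the sample variables.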

