firestarter start failure?

Paul Johnson pauljohn32 at gmail.com
Mon Jun 23 19:06:44 UTC 2008


On Sun, Jun 22, 2008 at 12:49 PM, NoOp <glgxg at sbcglobal.net> wrote:
> On 06/21/2008 09:57 PM, Paul Johnson wrote:
>
>> Firestarter is not a daemon, it should not show in ps output unless
>> gui is open.  It writes to iptables firewall rules, and then is done,
>> unless gui is open.
>
> Hmmm....
> http://www.fs-security.com/docs/persistence.php
>
> /etc/init.d/firestarter status
>
> should give the status. See: http://www.fs-security.com/docs/faq.php
>
> <quote>
> Q: Do I have to start Firestarter after I have rebooted?
>
> Usually, no. When Firestarter is installed from a package, the firewall
> is running as a service. You can query the status of the service by
> executing /etc/init.d/firestarter status. The exemption to this is
> Gentoo users, dial-up users in some cases and persons who have installed
> from source and not registered the Firestarter system service.
> </quote>
>
> Documentation is here:
> http://www.fs-security.com/docs.php
>

This is where the confusion enters, I was asking about it here last
week.  I think there is confusion because the term "firewall is on" is
a bit ambiguous.

I agree the firestarter documentation you refer to calls it a system
service, but it is not a system service in the same sense as "anacron"
or "ntp" or most of the others.  If you read /etc/init.d/firestarter,
you see that when you say "start" it just runs
/etc/firestarter/firestarter.sh, and that calls
/etc/firestarter/firewall. All that does is slide in the
firestarter-created iptables rules into the iptables firewall that the
kernel is running.  There is no "firestarter" program running after
that. It is just iptables reading the rules from firestarter.

As a convenience to users, they have scripted it so that it acts like
a service, but it is not a daemon.

The firewall is "running" in the sense that the kernel uses iptables
to decide if things should be allowed in.  When you "start"
firestarter, it simply means that the set of iptables rules that were
created by firestarter are put into the iptables framework.

Go read the file /etc/firestarter/firewall, which is actually doing
the work. It is a bunch of ipchains commands. firestarter itself is
not a daemon, it is not "running in the background."  That is why it
does not show up when people use "ps aux" to look to see if it is
running.  I wish the firestarter documentation did not claim it is a
service, otherwise we would not have confused people asking "is my
firewall running?" Observe:

$ sudo /etc/init.d/firestarter status
 * Firestarter is running...
pauljohn at pols123:/etc/init.d$ ps aux | grep fire
pauljohn 10529  7.0 14.2 264956 147012 ?       Sl   13:44   0:43 /usr/lib/firefox-3.0/firefox
pauljohn 11115  0.0  0.0   3008   772 pts/1    S+   13:54   0:00 grep fire

Nevertheless, I do have firewall rules from firestarter, even though
there is no "firestarter process" running:

$ sudo /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.1          anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  192.168.0.1          anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            limit: avg 10/sec burst 5
DROP       all  --  anywhere             255.255.255.255
[snip]

In Fedora, they even go so far as to put "iptables" into the service
framework, and it can be turned on and off through the same service
scripts.  Ubuntu doesn't do that.  If you look at the output from
/sbin/lsmod, you see the iptables framework is running as a kernel
module, and you can stop it with the old /sbin/rmmod.


-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas

More information about the ubuntu-users mailing list
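The point of the message above is that the state of a firestarter-managed firewall lives in the kernel's iptables rule set, not in a process, so a status check should inspect the rules rather than grep `ps`. The script below is an added example, not code from the post or from the Firestarter project: it parses listings in the shape of `iptables -L -n` (the column layout shown in the post, with numeric addresses) and reports whether the INPUT chain has a DROP default policy with rules loaded. The two listings are constructed samples; on a live host you would feed it `iptables -L -n` (which needs root) instead.

```shell
#!/bin/sh
# Added example: judge firewall state from the kernel's iptables rules,
# not from whether a "firestarter" process shows up in ps.

# Constructed sample of `iptables -L -n` on a host with a firestarter-style
# rule set loaded (modelled on the post's listing, addresses numeric).
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.1          0.0.0.0/0            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  192.168.0.1          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            255.255.255.255

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# Constructed sample of a host with no rule set loaded: empty chains, everything accepted.
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# chain_policy LISTING CHAIN -> prints the default policy of CHAIN (e.g. DROP)
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\))$/\1/p"
}

# rule_count LISTING CHAIN -> number of rules in CHAIN
# (lines between the chain header and the blank line that ends the chain)
rule_count() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { in_chain = ($2 == chain); next }   # enter/leave the wanted chain
        in_chain && /^target/ { next }                 # skip the column header
        in_chain && NF == 0 { in_chain = 0; next }     # blank line ends the chain
        in_chain { n++ }
        END { print n + 0 }'
}

# firewall_state LISTING -> "filtering" when INPUT defaults to DROP and has
# at least one rule, otherwise "open" (default-accept with nothing loaded)
firewall_state() {
    policy=$(chain_policy "$1" INPUT)
    rules=$(rule_count "$1" INPUT)
    if [ "$policy" = "DROP" ] && [ "$rules" -gt 0 ]; then
        echo filtering
    else
        echo open
    fi
}

# On a live host (as root): firewall_state "$(iptables -L -n)"
firewall_state "$SAMPLE_RULES"
firewall_state "$SAMPLE_EMPTY"
```

Checking the INPUT policy and rule count gives a meaningful answer in exactly the situation the post describes: `/etc/init.d/firestarter status` says "running" and `ps` shows nothing, yet the rules are in place. A host where the check reports "open" has no filtering regardless of what any init script claims.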