I want to show you how this is done in two different ways: Using a typical firewall GUI and the ufw command line. For the GUI I am going to illustrate this with GUFW (GNOME frontend for UFW). Naturally, each GUI firewall tool will deal with this process differently, but understanding the fundamentals of what you’re looking for should give you enough information about how exactly to manage the task with the firewall tool you use.

ufw

Figure 1

Let’s start with the more challenging task first. I will assume you know some of the basics. What we will be doing is allowing the necessary Samba ports through with the help of the UFW command line. Let’s first check to make sure your firewall is enabled. To do this issue the command:

sudo iptables -L

When you issue the above command you should see output similar to what you see in Figure 1. If you see nothing, that means your firewall isn’t enabled.

Now, let’s add the rules to allow Samba to pass through your firewall. I am going to illustrate this using the 192.168.1.0 IP address scheme. You can adjust this to fit your needs. The commands you need to run, to open up the necessary ports are:

sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

You will issue the above commands one at a time.

GUFW

Figure 2

Now let’s take a look at allowing Samba through your firewall using the UFW front-end, GUFW.  You can start the GUFW tool by clicking System > Administration > Firewall Configuration. When the GUFW window opens (see Figure 2). If the firewall is not enabled, check the Enabled check box to start it up. Once it is started up you can then add rules to the configuration.

Figure 3

When you click the Add button a new window will appear (see Figure 3). From this window select the Preconfigured tab. In this window select the following:

• Allow
• In
• Service
• Samba

When you have the above selected, click Add. Now go back and add another rule to use the same configuration as above with the exception of selecting Out instead of In. Once you have done that, close the Add Rule window and then quit the GUFW window. Your firewall should now allow Samba through.

Now with the Linux operating system you have a lot of choices for protection. But one of the easiest to use is Firestarter. Firestarter is one of the easiest-to-use firewalls I have used. And with this simplicity does not come a sacrifice to security. Just because it’s easy does not mean it lacks protection. Firestarter is powerful and has a ton of features. In this article you will learn how to install Firestarter and set up a basic desktop firewall.

Feature highlights

Firestarter includes such features as:

• Setup wizard.
• Real time event viewer.
• Easy port forwarding.
• ICMP parameter tuning.
• Advanced kernel tuning.
• Suitable for desktops, servers, and gateways.

and much, much more.

Installation

The installation of Firestarter is simple. Because it will most likely be found in your distributions’ repositories you will only need to follow these steps for installation:

1. Open up your Add/Remove Software tool.
2. Search for “firestarter” (no quotes).
3. Select Firestarter for installation.
4. Click Apply.
5. Enter your user password.
6. Wait for the installation to complete.
7. Close your Add/Remove Software utility.

Running Firestarter

Figure 1

You will find the Firestarter executable located in the Administration sub-menu of the System menu (in GNOME). When you first run Firestarter the wizard will open up. The first screen is the usual Welcome screen so you can just click the Forward button. The first screen you will have to do any configuration with is the Network Device Setup (see Figure 1). In this screen you need to set which interface Firestarter is to listen to. I am using a laptop so I will select my wireless device.

Figure 2

The next screen (see Figure 2) asks if you need to use internet connection sharing to set your machine up as a gateway. If you do you will need to first click the check box to enable it and then select an interface for the other machines to connect to. If you need to use your machine as a DHCP server you will have to have that installed outside of Firestarter.

Once you have taken care of connection sharing (if it is needed) click the Forward button and you’re done. The last screen wants to know if you want to start the firewall immediately and has you save your configuration.

Figure 3

While Firestarter is running you will see a small icon in your notification area that looks like a blue circle with a right-pointing triangle. If you click on that it will open up the Firestarter main window (see Figure 3). From this window you can Stop the firewall, lock the firewall, view the events log, edit both your inbound and outbound policies, and monitor active connections.

In order to monitor active connections expand the Active Connections listing which will list every connection made to and from your machine. In both the Active connections section and the Events tab you can right click an entry and take action. For instance, in the Active Connections section you can right click an entry and look up the hostname of that entry. In the Events tab you can do more. If you right click an entry in the Events tab you can do the following:

• Allow connections from source.
• Allow inbound service for everyone.
• Allow inbound service for source.
• Disable events from source.
• Disable events on port.
• Lookup hostnames.

Finally, in the Policy tab, you can right click any blank area and add a rule that will apply to a connection from a host or to a port/service. When you go to add a rule you will only need enter the IP address (or domain) and then add a comment.

Final thoughts

Firestarter makes the often daunting task of creating a firewall for a Linux machine simple. If you have ever dealt with iptables you will understand when I say this is a huge relief for desktop users who do not want to take the time to learn to use the underlying technology.