I finally got a little tired of Firestarter - although it did a good job most of the time, it annoyed me when I was trying to share my connection or connect to another box with a simple network.
All Firestarter really does is manage the system's ports, accepting and rejecting traffic, by writing iptables rules. That is why you can drop the GUI firewall altogether: configure iptables yourself and you have complete control, for example allowing unusual ports that a GUI firewall might simply block.
I still don't know much about iptables, with hardly any time to learn, but they can be used extensively... I got a firewall set up using the iptables file on the Debian Wiki here: https://wiki.debian.org/iptables
With just a few easy steps...
1. make a test iptables file, as root,
2. fill that with the Debian Wiki example (including a new line at end after "COMMIT") and save it
3. stop firestarter, if you have it running
4. run
5. see how it's running with
6. save the configuration to the master iptables file with
7. and to have the rules run at start-up, make a file
fill with this script
finally, make the script executable with
Allowing another linux box to share your internet connection
This is called masquerading - but I didn't need a MASQUERADE iptables rule to make it work.
add this rule to test.rules and test it out (your outgoing interface may be different)...
and enable routing
This works with NetworkManager: server side set to "Share" and client side set to "Automatic".
Since NFS (see my nfs page) lets its helper daemons pick random ports to send and receive on, that traffic can't get through the firewall at all unless those ports are pinned to static values and added to the firewall rules. Let's do that then...
There are four files to edit. Basically the port numbers have to be kept in sync between them, and you can use port numbers other than these:
RPCMOUNTDOPTS="--manage-gids --port 892"
STATDOPTS="--port 32765 --outgoing-port 32766"
options lockd nlm_udpport=32769 nlm_tcpport=32803
restart nfs
iptables rules to add (to the test.rules file):
Of course, -s 192.168.0.0/24 or -s 10.0.0.0/24 would allow a much larger range of source addresses, and omitting -s altogether allows any source at all.
then run
and when you're happy
lastly, on the client, check for exported shares from server,
and after that you should be mounting the shares OK
(just don't mount the server's home dir in the client's home dir! 8P)
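As an added example (not code from the original post), here is a small shell script that builds the NFS firewall rules for the pinned ports as iptables-restore lines for a single source subnet, so they can be reviewed before anything is loaded into the kernel. It assumes nfsd on 2049 and rpcbind on 111 (standard defaults the post does not state); the other ports are the values pinned above.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the NFS firewall rules
# for the pinned ports in iptables-restore syntax, restricted to one source
# subnet, without touching the running firewall. Paste the output into
# test.rules and review it before loading.
# Assumptions: nfsd listens on 2049 and rpcbind on 111 (standard defaults,
# not stated in the post); the other ports are the values pinned in the post.

# Port:protocol list. mountd 892, statd 32765/32766, lockd 32769 udp / 32803 tcp.
NFS_PORTS="111:tcp,udp 2049:tcp,udp 892:tcp,udp 32765:tcp,udp 32766:tcp,udp 32769:udp 32803:tcp"

# nfs_rules [SUBNET] -> one "-A INPUT ..." line per port/protocol.
# An empty SUBNET omits -s, which (as the post warns) accepts from any source.
nfs_rules() {
    subnet="$1"
    src=""
    [ -n "$subnet" ] && src="-s $subnet "
    for entry in $NFS_PORTS; do
        port=${entry%%:*}
        for proto in $(printf '%s' "${entry#*:}" | tr ',' ' '); do
            printf -- '-A INPUT %s-p %s --dport %s -j ACCEPT\n' "$src" "$proto" "$port"
        done
    done
}

# rules_file [SUBNET] -> a complete filter-table fragment for iptables-restore.
# COMMIT must be followed by a newline, which is why the post says to add one.
rules_file() {
    printf '*filter\n'
    nfs_rules "$1"
    printf 'COMMIT\n'
}

# count_rules [SUBNET] -> number of ACCEPT rules emitted (12 for the list above).
count_rules() {
    nfs_rules "$1" | grep -c 'ACCEPT'
}

# Usage: rules_file 192.168.0.0/24 > nfs.rules, then check with iptables-restore -t < nfs.rules
rules_file "${1:-192.168.0.0/24}"
```

Running it with no argument prints rules for 192.168.0.0/24; pass a different subnet as the first argument, or an empty string to see the wide-open form the caveat above describes.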