Firewall Builder 3.0

Summary

Firewall Builder 3.0 introduces support for IPv6 for iptables and PF firewalls and Cisco IOS extended access lists. You can now generate both IPv4 and IPv6 policies for firewalls and access lists for routers using the same GUI and the same database of objects that represent network addresses and services. In this version a firewall object can have any number of policy and NAT rule sets, which can be used for branching rules or to generate user-defined chains (iptables) or anchors (pf) for use by external scripts. In addition, the GUI has been improved with the ability to group rules in policies and to control the size of icons and fonts.

This site can also be accessed over IPv6 as http://ipv6.fwbuilder.org

Versioning

The new release has version 3.0.0. The next bug fix release will have number 3.0.1, and so on.

Download

Source code tar.gz archives and pre-built Linux packages can be found on SourceForge under the package "fwbuilder-3.0". Here is a direct link.

Binary packages for Windows and Mac OS X can be found on this page. Packages for Windows are built on Vista but should install and work on Windows XP as well. Mac OS X packages are built on Intel-based Mac running Leopard. I am having difficulties building universal packages with QT so these may not work on PPC Macs.

Bugs and Feature Requests

Bugs and feature requests for the v3.0 are tracked in the "Bugs and Feature Requests v3" category on Source Forge. Please file bug reports there.

Building from source

Dependencies:

  • Fwbuilder 3 needs QT4.

    Minimal version the code will compile with is 4.3. I regularly build with QT 4.4 as well. The code will not compile with QT 4.2.

    On Fedora C8 I am using qt4-4.3.2 RPMs, Fedora C9 comes with qt-4.3.4 RPMs. You'll need both qt4 and qt4-devel and their dependencies.

    On Ubuntu 7.10 (Gutsy) I am using the same version 4.3.2 of qt4 which you can install using aptitude, you'll need qt4 and qt4-dev-tools and dependencies. Hardy comes with QT 4.3.4.

  • Other dependencies are the same as for fwbuilder 2.1, that is libxml2, libxslt, netsnmp.

Compiling from source, as well as the binary RPMs I provide for download, does not allow simultaneous installation of fwbuilder 2.1 and fwbuilder 3 on the same machine under the same prefix. You should be able to install v3 alongside v2.1 if you use a different prefix, such as "/usr/local" or "/opt/local". In this case make sure both the PATH and LD_LIBRARY_PATH environment variables are set up correctly.

Note:

You may need to install the packages elfutils-libelf and elfutils-libelf-devel (libelf on SuSE); otherwise libfwbuilder won't pick up the net-snmp library even if it is installed.

If you get errors that refer to missing autoconf macros while running autogen.sh for fwbuilder, check if your system has the gettext-devel RPM.

To compile from source, download source archives libfwbuilder-3.0.0.tar.gz and fwbuilder-3.0.0.tar.gz and unpack them somewhere. Then build as follows:

cd libfwbuilder-3.0.0
./autogen.sh
make
make install

cd ../fwbuilder-3.0.0
./autogen.sh
make
make install

By default API libraries are installed in /usr/local/lib and binaries in /usr/local/bin. Make sure /usr/local/lib is added to your LD_LIBRARY_PATH environment variable or to the /etc/ld.so.conf configuration file, otherwise the program won't find dynamic libraries. Likewise, /usr/local/bin needs to be in your PATH.

You can install libraries and binaries in a different place by specifying a prefix as follows:

./autogen.sh --prefix="/opt"

This will install libraries in /opt/lib and the program in /opt/bin.

UI changes:

  • UI is built with QT4. Built and tested with 4.3 and 4.4
  • UI is now an MDI: you can open several data files in the GUI and copy/paste or drag and drop objects from one data file to another. Complex objects with dependencies, such as an entire firewall with all its policies and rules, copy all their dependencies automatically. You can open the same file multiple times and copy objects between libraries as well.
  • UI lets you choose the font and font size for the object tree and for the rules.
  • UI lets you switch between 25x25 and 16x16 icons for the rules. This, combined with the ability to choose the font size, makes it much more friendly for laptops and small screens.
  • Rule grouping: you can combine rules into any number of groups, group can have a title and color. You can collapse groups in the policy so that only group title is visible.
  • Action parameters for rules with action "Chain" or "Anchor" (this is the same action, just different names for iptables and pf) can be opened in the object editor. To associate such a rule with a branch rule set, just drag the rule set object into the drop area in the editor.
  • The same rule set can be used in multiple rules with action "Chain" or "Anchor". This even works if the rule set belongs to a different firewall object. You can create firewall object with a "base" set of rules and then refer to it from policies of many other firewall objects, which "inherit" its policy this way.
  • Action parameters of the rule with action "Mark" or "Tag" can be opened in the editor panel. Instead of typing mark/tag code manually, drag and drop TagService object into the drop area in the dialog.
  • Netmasks can be entered as bit length everywhere, that is, instead of 255.255.240.0 you can type "20". Bit length is the only supported method of entering ipv6 netmasks.
  • Support for add-on libraries in the GUI has been deprecated. Users can now open their working file and an external library file simultaneously and copy objects from one to the other. This removes the need for the cumbersome add-on libraries feature.
  • Implemented printing of the firewall object contents from CLI per bug #1996739: "Feature: CLI printing or policy export"
  • Implemented sorting by name and parameter in group dialogs per bug #646804: "No sort in Group".
  • The GUI sends a query to the web site when the user launches the program to check if a new version is available. Only the following information is transmitted in the query: current version and build number of the program, the OS it runs on, the locale name and a flag that indicates whether the copy is registered. In response, the web site tells the GUI whether a newer version is available; if so, the GUI shows a dialog to inform the user. This check can be disabled in the global Preferences dialog (main menu Edit/Preferences on Linux and Windows, or menu fwbuilder/Preferences on Mac OS X). If automated checking is disabled, the user can still initiate the check manually using a button in the same Preferences dialog.

Multiple rule sets

  • A firewall can have any number of policy and nat rule sets. These rule sets are shown as objects in the tree rather than using tabs (this is how fwbuilder v1.0 worked, if anyone remembers). Rule sets can be copied and pasted and can be dragged into branched rules.
  • Each policy and nat rule set object can have unique name. These names are used by the compilers for the names of user-defined chains, anchors or access lists (depending on the platform).
  • One policy and nat rule set should be marked as "top" rule set using checkbox in the rule set object editor. Compilers treat "top" rule set differently, depending on the firewall platform:
    • iptables: rules defined in such rule set will go into built-in chains INPUT,OUTPUT,FORWARD etc. Rules defined in rule sets where this checkbox is not checked go into user-defined chain with the name the same as the name of the rule set.
    • PF: rules defined in the rule set with "top rule set" checkbox turned off go into an anchor with the name of the rule set.
    • Cisco IOS access lists: if "top rule set" checkbox is turned off, the rules go into access list with the name prefixed with the name of the rule set; this access list will not be assigned to interfaces via "ip access-group" command. Rulesets with checkbox "top rule set" checked generate acls with names consisting of the shortened name of interface and direction abbreviation ("in" or "out"). Only these lists are assigned to interfaces.

Support for IPv6

  • Object types AddressIPv6, NetworkIPv6 and ICMP6Service have been added.
  • Compilers for iptables and pf can generate ipv6 output.
  • Each policy and nat rule set must have its address family declared as an attribute of the corresponding rule set object. User can do this by double clicking on the Policy or NAT object, which opens it in the object editor panel (like any other object). There are two radio buttons in the editor that let the user choose between ipv4 and ipv6 for the given rule set.
  • Compilers allow for mixing ipv4 and ipv6 objects in the same rule set. When objects representing both address families are used in the rule, compiler picks ones that match address family declared for the rule set.

Support for user id matching:

  • A new object type User Service has been added
  • Compilers for iptables and pf can generate rules that match on user id. Note that the semantics differ slightly between iptables and pf: for example, iptables can only match user id for outbound packets created by the firewall itself, while pf can do it for inbound packets as well, and the operation is also defined for forwarded packets. Compilers are aware of these differences.

XML data format and API

  • The Firewall Builder 3.0 API library libfwbuilder tracks the version of the data file format separately from the package version. This means that most of the time there will be no need to upgrade the data file when the package is upgraded from one minor version to another, such as from 3.0.0 to 3.0.1. It also means we will maintain backwards compatibility of the data format between minor program versions, so the user can roll back to the previous version if needed. This was not possible with v2.1, where each package upgrade required an upgrade of the data file as well, making it incompatible with the older version.

    However, sometimes we need to make changes in the XML DTD which requires upgrade of the data file. We do not expect this to happen often and every such occasion will be documented in the Release Notes. If data file upgrade is necessary, the program will do it automatically just like it did it in v2.1. The difference is that this should be required rarely.

New in all compilers:

  • Approximately 2x speed up in shadowing detection and compile. In fact, I do not have a machine with both old and new fwbuilder to run the test and compare this accurately. I would appreciate a feedback from users as to how much faster they see the new compiler process their long rule sets.
  • Compilers include warning and error messages that were generated during rule processing in the generated script in addition to printing on standard error.

New in compiler for iptables:

  • Support for ipv6 (using ip6tables)
  • Support for user matching by module "owner"
  • Support for new format in module "time" in iptables 1.3.8 and later
  • Support for multiple rule sets. Rule sets with names other than "Policy" will be compiled as user-defined chains. If there is a rule in any rule set that passes control to such chain, it will be compiled too. Otherwise the chain will be left "orphaned" which can still be useful if a rule that jumps to it is added manually to epilog section of the script.
  • Added support for TOS and DSCP matching
  • Support for combinations of srcip, dstip, srcport, dstport options of the hashlimit module has been implemented in the compiler for iptables per bug #1812388: "add srcip,dstip to choices for hashlimit mode"
  • The iptables rule with target TCPMSS generated for the option "Clamp MSS to MTU" is valid only in the mangle table in iptables 1.3.x and later. For earlier versions of iptables the compiler still generates this command in the filter table.
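The "top" versus branch rule set behaviour described under "Multiple rule sets" and the orphaned-chain note above both come down to one question once the generated script is loaded: does any rule jump to the user-defined chain? The following POSIX shell function is an added example, not Firewall Builder code; it reads an iptables-save style dump on stdin (the sample dump is constructed) and lists the user-defined chains nothing passes control to, which is how a branch chain looks when the jump to it was never added.

```shell
#!/bin/sh
# Added example, not Firewall Builder code: find user-defined chains that no
# rule in an iptables-save dump jumps to. A chain compiled from a branch rule
# set that nothing references ends up exactly like this, so the check tells you
# whether a jump added by hand in the epilog actually reached the chain.

# Reads iptables-save output on stdin and prints orphaned chain names, one per line.
find_orphan_chains() {
    awk '
        # ":name policy [packets:bytes]" declares a chain in the current table
        /^:/ { declared[substr($1, 2)] = 1; next }
        # "-A chain ... -j target" or "-g target" references the target chain
        /^-A / {
            for (i = 1; i < NF; i++)
                if ($i == "-j" || $i == "-g") referenced[$(i + 1)] = 1
        }
        END {
            # built-in chains are declared too but are entered by the kernel,
            # never by a jump, so they are not orphans
            for (c in declared)
                if (!(c in referenced) &&
                    c !~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/)
                    print c
        }' | sort
}

# Constructed sample dump: "dmz_branch" is reached from FORWARD,
# "unused_branch" is declared but nothing jumps to it.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:dmz_branch - [0:0]
:unused_branch - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -d 192.0.2.0/24 -j dmz_branch
-A dmz_branch -p tcp -m tcp --dport 80 -j ACCEPT
-A dmz_branch -j RETURN
COMMIT
EOF
}

sample_dump | find_orphan_chains   # prints: unused_branch
```

On a live system the same function can be fed with `iptables-save | find_orphan_chains` to audit the loaded ruleset rather than the sample.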

New in compiler for PF:

  • Support for ipv6
  • Support for user matching
  • Support for multiple rule sets. Rule sets with names other than "Policy" will be compiled as named anchors. Just like with iptables, if there is a rule in any rule set that passes control to this anchor, it will be compiled too. Otherwise user can add such rule manually to prolog or epilog section of the script.
  • Added support for TOS and DSCP matching

New in compiler for Cisco IOS Access lists:

  • Support for ipv6
  • Added support for TOS and DSCP matching

New in command line tool fwbedit:

Fwbedit has been completely redesigned to make it more flexible and more suitable for serious scripting. The set of the command line parameters has been expanded and redesigned to support object tree browsing, object addition and editing.

Fwbedit can perform the following operations on the objects and the tree: create new object, delete existing object, modify attributes of an object, add a reference to the given object to a group, remove reference to an object from a group, upgrade data file and check object tree in the file and repair it if necessary. Both object and a group can be defined by their ID or by their name and a full path in the tree.

Since fwbedit now supports tree browsing, the separate command line tool fwblookup has been deprecated and is not part of the fwbuilder 3.0 package.

Commands and options:

  • fwbedit new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]

    Creates new object.

    -f file.fwb: data file

    -t objtype: create new object of this type

    -p parent: create the new object as a child of this object. This parameter is mandatory. If you are adding an address to an interface, the corresponding interface object must be specified as the parent. Similarly, if you need to add an interface to a host or a firewall, the corresponding host or firewall object is the parent. If you are adding an object to one of the standard folders, the parent is the library you want to add the object to, or the correct full path to the folder in the tree.

    -n name: the name of the new object

    -c txt: specify comment for the new object

    -a attribute1[,attribute2...] : specify attributes that define parameters of the new object (see below)

  • fwbedit delete -f file.fwb -o object

    Deletes object specified by its full path in the tree or object ID.

    -f file.fwb: data file

    -o object: object to be deleted, full path or ID

  • fwbedit modify -f file.fwb -o object -c comment [-a attrs]

    Modifies the object specified by its full path in the tree or object ID. The object cannot be renamed using this operation.

    -f file.fwb: data file

    -o object: object to be modified, full path or ID

    -c txt: specify comment for the object

    -a attribute1[,attribute2...] : specify attributes that define parameters of the object (see below)

  • fwbedit list -f file.fwb -o object [-r|-c] [-d|-Fformat]

    Prints name and ID of an object.

    -f file.fwb: data file

    -o object: object to print, full path or ID

    -r print specified object and all objects under it in the tree

    -c print only the child objects of the given object, but not the object itself.

    -d print full dump of all object's attributes including internal debugging information if available, this can be very verbose.

    -Fformat_string Program recognizes macros in the format string and replaces them with values of corresponding object's attributes. Macro is the name of the attribute surrounded with '%', such as '%name%' or '%address%'. Here is the list of some attribute names: "id", "name", "path", "comment", "type", "address", "netmask", "dnsname". TCP and UDP service objects provide attributes "src_range_start", "src_range_end", "dst_range_start", "dst_range_end" for the source and destination port ranges. ICMP and ICMP6 service objects have attributes "icmp_type" and "icmp_code".

  • fwbedit add -f file.fwb -p group -o object

    Adds the object specified by path or ID to a group, also specified by its path or ID.

    -f file.fwb: data file

    -p group: group the object should be added to, full path or ID

    -o object: object to be added, full path or ID

  • fwbedit remove -f file.fwb -p group -o object

    Removes an object from a group.

    -f file.fwb: data file

    -p group: group the object should be removed from, full path or ID

    -o object: object to be removed, full path or ID

  • fwbedit upgrade -f file.fwb

    Upgrades the data file to the latest data format version.

    -f file.fwb: data file

  • fwbedit checktree -f file.fwb

    Checks the consistency and correctness of the object tree in the given data file and repairs it if necessary.

    -f file.fwb: data file

Attributes for the new objects, by type

-t Firewall -a platform, host OS

-t IPv4 -a IP address [,netmask]

-t IPv6 -a IPv6 address [,masklen]

-t DNSName -a DNS record,run time

-t AddressRange -a start address, end address

-t ObjectGroup

-t Network -a address,netmask

-t NetworkIPv6 -a ipv6_address,netmask_length

-t Interval -a start time,start date,start day,end time, end date, end day

-t Interface -a security level,address type (dynamic or unnumbered),management

-t Host

-t TCPService -a source port range start,end,destination port range start,end,UAPRSF,UAPRSF

-t UDPService -a source port range start,end,Destination port range start,end

-t ICMPService -a ICMP type,ICMP code

-t IPService -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm

Examples

Print the contents of the object /User/Firewalls/firewall/eth0 according to the provided format. Note that an object of type "Interface" does not have an attribute that defines its address; the IP address is defined by its child object of type IPv4 or IPv6.

fwbedit list -f x.fwb  -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment%"

Print the contents of the object /User/Firewalls/firewall/eth0 and all its child objects. This is the way to see addresses and netmasks. The Interface object does not have the attribute "address", so the program ignores the macro "%address%" when it prints the interface.

fwbedit list -f x.fwb  -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment% %address%" -r

Print group object /User/Objects/Addresses

fwbedit list -f x.fwb  -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%"

Print group object /User/Objects/Addresses and all address objects inside of it:

fwbedit list -f x.fwb  -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -r

Print address objects inside group /User/Objects/Addresses but do not print the group object itself:

fwbedit list -f x.fwb  -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -c

Print addresses and netmasks of all interfaces of all firewalls in the form of their full object tree path, followed by the type, id, address and netmask:

fwbedit list -f x.fwb  -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r | grep IP

Print names, platform and version information for all firewall objects defined in the data file:

fwbedit list -f x.fwb  -o /User/Firewalls -F "%name% platform: %platform% version:  %version%" -c

Print name, source and destination port ranges for all TCP services in the folder TCP of the user-defined group User:

fwbedit list -f x.fwb  -o /User/Services/TCP -c -F "name='%name%' est=%established% \t %src_range_start%-%src_range_end% : %dst_range_start%-%dst_range_end%"

Print icmp type and code for all ICMP services in the folder ICMP of the user-defined group User:

fwbedit list -f x.fwb  -o /User/Services/ICMP -c -F "name='%name%' icmp_type=%icmp_type% icmp_code=%icmp_code%"

Add IPv6 address to one of the interfaces of firewall object "firewall":

fwbedit new  -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n eth3-v6-addr -a 2001:470:1f05:590::2,64

Add reference to the Host object 'A' to the group 'B':

fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A

Add a reference to the object with ID id3D71A1BA to the group with ID id3D151943. If objects with the given IDs do not exist, fwbedit prints an error message and does not make any changes in the data file.

fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943

Add reference to the object with ID id3D71A1BA to the group 'testgroup':

fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup

The following script uses the fwbedit "list" command to print the IDs of all Address objects in the folder /User/Objects/Addresses, then cycles through the obtained list and uses fwbedit to add them to the group "group1".

  fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c | \
    while read id; do \
      fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o "$id"; \
    done

Here is a slightly more complex example. The following script uses the fwbedit "list" command to print the types and IDs of all Address objects in the folder /User/Objects/Addresses, then filters them using grep to get only IPv6 objects and finally cycles through the obtained list and uses fwbedit to add them to the group "group1".

  fwbedit list -f x.fwb  -o /User/Objects/Addresses -F "%type% %id%" -c | \
    grep IPv6 | \
    while read type id; do \
      fwbedit add -f x.fwb  -g /User/Objects/Groups/group1 -o "$id"; \
    done
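The same pipeline style works for auditing rather than editing. As an added example that is not Firewall Builder code, the POSIX shell function below consumes lines in the shape produced by `fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r` (the listing here is constructed, not real fwbedit output, and assumes the firewall name is the third path component under /User/Firewalls) and reports every address/netmask assigned to more than one firewall.

```shell
#!/bin/sh
# Added example, not Firewall Builder code. Input: one object per line in the
# form  %path% %type% %id% %address% %netmask%  as printed by fwbedit list -r.
# Output: every address/netmask that appears under more than one firewall,
# followed by the firewall names, so duplicated interface addresses stand out.
find_duplicate_addresses() {
    awk '
        # Only address objects carry %address% and %netmask%; Firewall and
        # Interface lines are skipped by type, so it does not matter how
        # fwbedit renders the macros it ignores for them.
        $2 == "IPv4" || $2 == "IPv6" {
            # assumed path layout: /User/Firewalls/<firewall>/<iface>/<object>
            split($1, p, "/")
            fw = p[4]
            key = $4 "/" $5
            if (!((key, fw) in owners)) {      # count each firewall once per address
                owners[key, fw] = 1
                fws[key] = (fws[key] == "" ? fw : fws[key] " " fw)
                count[key]++
            }
        }
        END {
            for (k in count)
                if (count[k] > 1) print k ": " fws[k]
        }' | sort
}

# Constructed sample listing: fw1, fw2 and fw3 share one IPv4 address,
# fw1 and fw2 share one IPv6 address, 10.0.0.1 is unique.
sample_listing() {
    cat <<'EOF'
/User/Firewalls/fw1 Firewall id1
/User/Firewalls/fw1/eth0 Interface id2
/User/Firewalls/fw1/eth0/eth0-ip IPv4 id3 192.0.2.1 255.255.255.0
/User/Firewalls/fw1/eth1/eth1-ip IPv4 id4 10.0.0.1 255.255.255.0
/User/Firewalls/fw1/eth1/eth1-v6 IPv6 id5 2001:db8:1::1 64
/User/Firewalls/fw2/eth0/eth0-ip IPv4 id6 192.0.2.1 255.255.255.0
/User/Firewalls/fw2/eth0/eth0-v6 IPv6 id7 2001:db8:1::1 64
/User/Firewalls/fw3/eth0/eth0-ip IPv4 id8 192.0.2.1 255.255.255.0
EOF
}

sample_listing | find_duplicate_addresses
# prints:
# 192.0.2.1/255.255.255.0: fw1 fw2 fw3
# 2001:db8:1::1/64: fw1 fw2
```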

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.