Firewall Builder 4.0 User's Guide

$Id: UsersGuide4.xml 490 2010-08-03 17:20:54Z mhorn $

The information in this manual is subject to change without notice and should not be construed as a commitment by NetCitadel LLC. NetCitadel LLC assumes no responsibility or liability for any errors or inaccuracies that may appear in this manual.


1. Introduction
1.1. Introducing Firewall Builder
1.2. Overview of Firewall Builder Features
2. Installing Firewall Builder
2.1. RPM-based distributions (Red Hat, Fedora, OpenSUSE and others)
2.2. Ubuntu Installation
2.3. Installing FreeBSD and OpenBSD Ports
2.4. Windows Installation
2.5. Mac OS X Installation
2.6. Compiling from Source
2.7. Rpm and deb repositories for stable and testing packages
2.7.1. Debian/Ubuntu packages repository
2.7.2. RPM packages repository
3. Definitions and Terms
4. Getting Started
5. Firewall Builder GUI
5.1. The Main Window
5.2. GUI Menu and Tool Bars
5.2.1. File menu
5.2.2. Edit menu
5.2.3. View menu
5.2.4. Object menu
5.2.5. Rules menu
5.2.6. Tools menu
5.2.7. Window menu
5.2.8. Help menu
5.2.9. Object Context menu
5.2.10. Tool Bar
5.3. Object Tree
5.3.1. Floating the Object Tree
5.3.2. Filtering the Object Tree
5.3.3. Object Attributes in the Tree
5.3.4. Creating Objects
5.4. Undo and Redo
5.4.1. Undo Stack
5.5. Preferences dialog
5.6. Working with multiple data files
6. Working With Objects
6.1. Types of objects
6.2. Addressable Objects
6.2.1. Common Properties of Addressable Objects
6.2.2. The Firewall Object
6.2.3. The Cluster Object
6.2.4. Editing Rule Set Objects
6.2.5. Interface Object
6.2.6. IPv4 Address Object
6.2.7. IPv6 Address Object
6.2.8. Physical Address Object
6.2.9. Host Object
6.2.10. IPv4 Network Object
6.2.11. IPv6 Network Object
6.2.12. Address Range Object
6.2.13. Address Tables Object
6.2.14. Special case addresses
6.2.15. DNS Name Objects
6.2.16. A Group of Addressable Objects
6.3. Service Objects
6.3.1. IP Service
6.3.2. ICMP and ICMP6 Service Objects
6.3.3. TCP Service
6.3.4. UDP Service
6.3.5. User Service
6.3.6. Custom Service
6.4. Time Interval Objects
6.5. Creating and Using a User-Defined Library of Objects
6.6. Finding and Replacing Objects
7. Network Discovery: A Quick Way to Create Objects
7.1. Reading the /etc/hosts file
7.2. Network Discovery
7.3. Using Built-in Policy Importer in Firewall Builder
7.3.1. Importing existing iptables configuration
7.3.2. Importing Cisco IOS access lists configuration
8. Firewall Policies
8.1. Policies and Rules
8.2. Firewall Access Policy Rulesets
8.2.1. Source and Destination
8.2.2. Service
8.2.3. Interface
8.2.4. Direction
8.2.5. Action
8.2.6. Time
8.2.7. Options
8.2.8. Working with multiple policy rule sets
8.3. Network Address Translation Rules
8.3.1. Basic NAT Rules
8.3.2. Source Address Translation
8.3.3. Destination Address Translation
8.4. Routing Ruleset
8.4.1. Handling of the Default Route
8.4.2. ECMP routes
8.5. Editing Firewall Rulesets
8.5.1. Adding and removing rules
8.5.2. Adding, removing and modifying objects in the policy and NAT rules
8.5.3. Changing rule action
8.5.4. Changing rule direction
8.5.5. Changing rule options and logging
8.5.6. Using Rule Groups
8.5.7. Support for Rule Elements and Features on Various Firewalls
8.6. Compiling and Installing Your Policy
8.7. Using Built-in Revision Control in Firewall Builder
9. Cluster configuration
9.1. Linux cluster configuration with Firewall Builder
9.2. OpenBSD cluster configuration with Firewall Builder
9.3. PIX cluster configuration with Firewall Builder
9.4. Handling of the cluster rule set and member firewalls rule sets
10. Configuration of interfaces
10.1. General principles
10.2. IP address management
10.2.1. IP address management on Linux
10.2.2. IP address management on BSD
10.3. VLAN interfaces
10.3.1. VLAN interface management on Linux
10.3.2. VLAN interface management on BSD
10.4. Bridge ports
10.4.1. Bridge interface management on Linux
10.4.2. Bridge with VLAN interfaces as bridge ports
10.5. Bonding interfaces
11. Compiling and Installing a Policy
11.1. Different ways to compile
11.2. Compiling single rule in the GUI
11.3. Compiling firewall policies
11.4. Compiling cluster configuration with Firewall Builder
11.4.1. Compile a Cluster, Install a Firewall
11.4.2. Mixed Object Files
11.4.3. Compile a single firewall within a cluster
11.5. Installing a Policy onto a Firewall
11.5.1. Installation Overview
11.5.2. How the installer decides which address to use to connect to the firewall
11.5.3. Configuring Installer on Windows
11.5.4. Using putty sessions on Windows
11.5.5. Configuring installer to use regular user account to manage the firewall
11.5.6. Configuring installer if you use root account to manage the firewall
11.5.7. Configuring installer if you regularly switch between Unix and Windows workstations using the same .fwb file and want to manage the firewall from both
11.5.8. Always permit SSH access from the management workstation to the firewall
11.5.9. How to configure the installer to use an alternate ssh port number
11.5.10. How to configure the installer to use ssh private keys from a special file
11.5.11. Troubleshooting ssh access to the firewall
11.5.12. Running built-in installer to copy generated firewall policy to the firewall machine and activate it there
11.5.13. Running built-in installer to copy generated firewall policy to Cisco router or ASA (PIX)
11.5.14. Batch install
11.6. Installing generated configuration onto Cisco routers
11.6.1. Installing configuration with scp
11.6.2. Rollback using EEM
11.7. Installing generated configuration onto Cisco ASA (PIX) firewalls
12. Manage your firewall remotely
12.1. Dedicated Firewall machine
12.2. Using Diskless Firewall Configuration
12.3. The Management Workstation
13. Integration with OS running on the firewall machine
13.1. Generic Linux OS
13.2. OpenWRT
13.3. DD-WRT
13.3.1. DD-WRT (nvram)
13.3.2. DD-WRT (jffs)
13.4. Sveasoft
13.5. IPCOP
13.6. OpenBSD and FreeBSD
13.7. How to make your firewall load your firewall policy on reboot
13.7.1. How to make firewall load firewall policy after reboot -- iptables
13.7.2. How to make firewall load firewall policy after reboot -- pf
13.7.3. How to make firewall load firewall policy after reboot -- ipfw
13.7.4. How to make firewall load firewall policy after reboot -- ipfilter
14. Configlets
14.1. Configlet Example
15. Firewall Builder Cookbook
15.1. How to change IP addresses in the firewall configuration created from a template
15.2. Examples of Access Policy Rules
15.2.1. Firewall object used in examples
15.2.2. Permit internal LAN to connect to the Internet
15.2.3. Letting certain protocols through, while blocking everything else
15.2.4. Letting certain protocols through from specific source
15.2.5. Interchangeable and non-interchangeable objects
15.2.6. Anti-spoofing rules
15.2.7. Anti-spoofing rules for the firewall with dynamic address
15.2.8. Using groups
15.2.9. Using Address Range instead of a group
15.2.10. Controlling access to the firewall
15.2.11. Controlling access to different ports on the server
15.2.12. Firewall talking to itself
15.2.13. Blocking unwanted types of packets
15.2.14. Using Action 'Reject': blocking Ident protocol
15.2.15. Using negation in policy rules
15.2.16. Tagging packets
15.2.17. Adding IPv6 Rules to a Policy
15.2.18. Using mixed IPv4+IPv6 rule set to simplify adoption of IPv6
15.2.19. Running multiple services on the same machine on different virtual addresses and different ports
15.2.20. Using firewall as DHCP and DNS server for the local net
15.2.21. Controlling outgoing connections from the firewall
15.2.22. Branching rules
15.2.23. Using branch rule set with external script that adds rules "on the fly" to prevent ssh scanning attacks
15.2.24. Different method of preventing ssh scanning attacks: using Custom Service object with iptables module "recent"
15.2.25. Using Address Table object to block access from large lists of IP addresses
15.3. Examples of NAT Rules
15.3.1. "1-1" NAT
15.3.2. Using Address of "wrong" Interface for Source Address Translation
15.3.3. "No NAT" rules
15.3.4. Redirection rules
15.3.5. Destination NAT Onto the Same Network
15.4. Examples of cluster configurations
15.4.1. Web server cluster running Linux or OpenBSD
15.4.2. Linux cluster using VRRPd
15.4.3. Linux cluster using heartbeat
15.4.4. Linux cluster using heartbeat and VLAN interfaces
15.4.5. Linux cluster using heartbeat running over dedicated interface
15.4.6. State synchronization with conntrackd in Linux cluster
15.4.7. OpenBSD cluster
15.4.8. PIX cluster
15.5. Useful Tricks
15.5.1. How to generate firewall policy for many hosts
15.5.2. Using Empty Groups
15.5.3. How to use Firewall Builder to configure the firewall using PPPoE
16. Troubleshooting
16.1. Build Issues
16.1.1. autogen.sh complains "libfwbuilder not installed"
16.1.2. "Failed dependencies: ..." when installing RPM
16.2. Program Startup Issues
16.2.1. "fwbuilder: cannot connect to X server localhost:0.0"
16.2.2. "fwbuilder: error while loading shared libraries: libfwbuilder.so.0: cannot load shared object file: no such file or directory."
16.2.3. "fwbuilder: error while loading shared libraries: /usr/local/lib/libfwbuilder.so.8: cannot restore segment prot after reloc: Permission denied"
16.3. Firewall Compiler and Other Runtime Issues
16.3.1. Firewall Builder crashes
16.3.2. Older data file cannot be loaded in Firewall Builder
16.3.3. "I/O Error" while compiling policy. No other error.
16.3.4. ios_base::failbit set on Windows
16.3.5. "Cannot create virtual address NN.NN.NN.NN"
16.4. Troubleshooting installing policy on the firewall
16.4.1. Plink.exe fails while trying to activate the firewall policy with an error 'Looking up host "" Connecting to 0.0.0.0 port 22'
16.5. Running the Firewall Script
16.5.1. Determining which rule caused an error
16.5.2. "ip: command not found"
16.5.3. I get the following error when I run generated script for iptables firewall: "iptables v1.2.8: can't initialize iptables table 'drop': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded."
16.5.4. "Interface eth0 does not exist"
16.5.5. "Interface eth0:1 does not exist"
16.5.6. Script fails to load module nf_conntrack
16.6. RCS Troubleshooting
16.6.1. Error adding file to RCS
16.6.2. "Error checking file out: co: RCS file c:/fwbuilder/RCS/file.fwb is in use"
16.6.3. "Error checking file out:"
16.7. Issues after new policy activation
16.7.1. Cannot access only some web sites
16.7.2. Firewall becomes very slow with new policy
16.7.3. X won't start on a server protected by the firewall
16.7.4. Cannot access Internet from behind firewall
16.7.5. Installing updated firewall policy seems to make no difference
16.8. Routing Rules Issues
16.8.1. Compile fails with dynamic or point-to-point interfaces
17. Appendix
17.1. iptables modules
17.1.1. Installing the iptables ipset module using xtables-addons
17.1.2. Installing the iptables ipset module

Copyright © 2000-2010 NetCitadel, LLC. All rights reserved.