This chapter introduces you to the Firewall Builder program. It walks you through using the tool, from starting it to building and installing an actual firewall configuration.
The Firewall Builder package for most Linux distributions creates a menu item that makes starting the program easy. (On Ubuntu, it's .) However, if the menu item is not there, you can always launch it from the command line by just typing fwbuilder at the shell prompt.
The program starts by opening the main window and a welcome dialog.
The "welcome" dialog is only shown once when you start the program for the very first time. It includes a summary of features of Firewall Builder and links to the "Getting Started" guide and "Release Notes" for the latest version.
Let's create our first firewall object. To do this, we'll use the object creation menu, accessed by clicking this icon above the object tree: . Choose from the menu that appears.
The first page of the New Firewall wizard appears. In this page of the wizard we can enter the name for the new firewall object (here it is "guardian"), its platform ("iptables") and its host OS ("Linux 2.4/2.6").
The program remembers your choice of firewall platform and OS and fills in these fields automatically the next time you create a firewall object. You can of course change the selection, but if you always work with the same firewall platform and OS (for example, all your machines are Linux running iptables), the program selects these settings for you, saving a few clicks.
The name of the new firewall object can be anything you want. However, if you want to use SNMP to populate the interface objects, or if you want to use DNS lookups to populate IP address objects, you must name the firewall object the same name as the actual firewall machine.
There are three ways a new firewall can be created: you can use a pre-configured template firewall object, create it from scratch, or use SNMP to create a firewall object with interfaces but an empty policy.
This guide demonstrates the first method, using a template object. (The other methods are described in Section 6.2.2.) To do this, check the Use pre-configured template firewall objects checkbox. Firewall Builder comes with a set of default template objects, and we'll be using one of those here. Alternatively, an administrator can distribute a library of predefined templates to other users in the enterprise, as described in Section 6.5.
We are going to use one of the standard templates distributed with Firewall Builder, so we'll leave the standard template library path and name in the Template file input field. Click to move on to the next page of the wizard.
Note that the template firewall object comes completely configured, including addresses and netmasks for its interfaces and some basic policy and NAT rules. This configuration is intended as a starting point only. You should reconfigure addresses of interfaces to match those used on your network. We'll see how this is done later on.
This page of the wizard shows the template objects and their configuration. The standard template objects represent firewalls with two or three interfaces, a host with one interface, a web server, or a Cisco router. We'll choose fw template 3, a firewall with three interfaces, for this example. Click to create a new firewall object using the chosen template.
Clicking "Next" brings us to the next page of the wizard, where we can change the configuration of the interfaces of the template firewall:
Here each tab represents an interface of the firewall (eth0, eth1, eth2 and lo). You can change the interface name, label and type, and edit, add or remove IP addresses. You can manage both IPv4 and IPv6 addresses on this page of the wizard.
The template object is preconfigured with generic IP addresses that most likely do not match the addressing scheme used on your network. This page of the wizard lets you change the addresses to match your setup.
You do not have to edit IP addresses at this point in the process and can postpone it until later. Each IP address appears as a separate object in the object tree, right under the object representing the interface it belongs to, and you will be able to open this address object in the editor and make the changes there. However, if you change the interface addresses while still in the wizard that creates the new firewall object, the program also adjusts the policy and NAT rules that come with the template firewall object to reflect the IP addresses used on your network. If you use a template object and plan to use at least some of the rules it comes with, we recommend you change the addresses here in the wizard so you can start with policy and NAT rules that are much closer to your network configuration. In some simple cases that are very close to our predefined template objects, the template rules may even be all you need.
After you adjust the IP addresses of all interfaces, click the Finish button to create the firewall object.
Our newly created firewall object is shown in Figure 4.6. Its name is "guardian", and it appears in the object tree on the left-hand side of the main window, in the folder "Firewalls". Double-clicking the object in the tree opens it in the editor panel at the bottom of the main window. The editor for the firewall object allows us to change its name, platform and host OS, and also provides buttons that open dialogs for "advanced" settings for the firewall platform and host OS. We will inspect these a little later in this chapter.
Now would be a good time to save the data to a disk file. To do so use main menu .
Firewall Builder uses the file extension ".fwb" for its data files. Pick a location and name for the new data file, then click Save.
Note that once the firewall data is saved to a file, the file name appears in the main window title. Here it is "test.fwb".
Let's take a little tour of the network and service objects that come standard with the program. You can use these pre-configured objects to build access Policy, NAT, and Routing rules for your firewall.
Objects in the tree are organized in libraries. You can switch between libraries using the drop-down menu above the tree. Firewall Builder comes with a collection of address, service and time interval objects in the library called "Standard". Let's take a look at them.
The folder Objects/Hosts contains a few host objects used in the standard firewall templates. The folder Objects/Network contains network objects that represent various standard address ranges and blocks, such as multicast, net 127/8, the networks defined in RFC1918 and so on.
Firewall Builder also comes with an extensive collection of service objects. The following screenshots show some of the TCP and UDP objects (not all of them fit in the screenshot).
Let's inspect some of the objects Firewall Builder created for you as part of the new firewall object. To open an object in the editor and inspect or change its properties, double-click on it in the tree.
The tree and editor panels in Firewall Builder 4.0 are detachable and can "float". You can rearrange them on the screen to keep them out of the way when you do not need them but still within reach, so you can quickly find objects and change their properties. Use the main menu "View" to open and close panels; the tree panel can also be opened and closed with the keyboard shortcut Ctrl+T.
You can also right-click on the object in the tree to open a pop-up menu. Choose to edit the object.
Every object in Firewall Builder has basic attributes such as Name and Comment. Other attributes depend on the object type.
Attributes of the firewall object include Platform (can be iptables, pf, ipfilter, etc.), Version (platform-dependent) and Host OS. Buttons and open dialogs with many additional attributes that depend on the firewall platform and host OS. More on these later.
Object dialogs in Firewall Builder 4.0 do not have an "Apply" button. When you make changes in the editor, object attributes are updated as soon as you click on another GUI element or press Tab or Enter.
Firewall Builder 4.0 has full Undo/Redo functions of unlimited depth. You can monitor the undo stack by opening it from the main menu "View / Undo stack".
The drop-down list "Platforms" switches between the supported firewall platforms "iptables", "ipfilter", "pf", "ipfw", "Cisco IOS ACL" and "Cisco ASA (PIX)". The choice of host OS depends on the chosen firewall platform. For example, for "iptables" the program offers "Linux 2.4/2.6", "OpenWRT", "Sveasoft" and "IPCOP". Host OS choices for the firewall platform "PF" are "OpenBSD" and "FreeBSD", and so on.
Objects located below the Firewall object in the tree represent interfaces of the firewall. We refer to them as "children" of the firewall object. Figure 4.18 shows properties of interface eth0. To open it in the editor, double-click it in the tree.
IP and MAC addresses of interfaces are represented by child objects in the tree located below the corresponding interface.
An interface object has several attributes that define its function, such as "Management interface", "external", and so on.
Name: The name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like "eth0", "eth1", "en0", "br0", and so on.
Label: On most OSes this field is not used and serves only as a descriptive label. The Firewall Builder GUI uses the label, if it is not blank, to show interfaces in the tree. One suggested use for this field is to mark interfaces to reflect the network topology ('outside', 'inside') or their purpose ('web front-end' or 'backup subnet'). The label is mandatory for Cisco PIX, though, where it must reflect the network topology.
Management interface: When the firewall has several network interfaces, one of them can be marked as the "management interface". The management interface is used for all communication between Firewall Builder and the firewall. For example, the Firewall Builder policy installer uses the address of the management interface to connect to the firewall via SSH when it copies the generated script or configuration file to it. (firewall object only)
External interface (insecure): Marks an interface that connects to the Internet.
Unprotected interface: Recognized by policy compilers for Cisco IOS access lists and PF. The compiler for IOS ACL just skips unprotected interfaces and does not assign an ACL to them. The compiler for PF generates a "set skip on <interface_name>" clause for unprotected interfaces.
Regular Interface: Use this option if the interface has an IP address assigned to it manually.
Address is assigned dynamically: Use this option if the interface has a dynamic address obtained via DHCP, PPP or another protocol. In this case the address is unknown when Firewall Builder generates the firewall policy. Some firewalls allow the interface name to be used in the policy instead of the IP address; the firewall engine then picks up the address either when the policy is activated or even at run time.
Unnumbered interface: Use this option if the interface can never have an IP address, such as the Ethernet interface used to run PPPoE communication on some ADSL connections, or tunnel endpoint interface (GRE, PPPoE, sometimes IPSEC). Although unnumbered interfaces do not have addresses, firewall policy rules and access lists can be associated with them.
Security level: The security level of this interface, used only with Cisco PIX (ASA).
Network zone: The network zone of this interface, used only with Cisco PIX (ASA). The Network zone drop-down list shows all network objects and groups of addresses and networks present in the tree. Choose one of them to tell the compiler which networks and blocks of addresses can be reached through this interface. The compiler uses this information to decide which interface each ACL rule should be associated with, based on the addresses used in the destination of the rule.
The screenshot below shows the IP address of interface eth0. The address and netmask are attributes of the child object of type "IPv4 address". Here the address is "192.0.2.1" and the netmask "255.255.255.0". (The netmask can also be specified in slash notation, such as 24, without the actual slash.) Button can be used to determine the IP address using DNS. The program runs a DNS query for the "A" record of the name of the parent firewall object. (This only works if the firewall object has the same name as the actual firewall machine.)
Let's inspect the properties of the firewall object. Double-click on the firewall "guardian" in the tree to open it in the editor panel, then click the button in the editor. This opens a new dialog that looks like Figure 4.21.
Click the button at the bottom of the dialog page to open help for this dialog. The online help explains all attributes and parameters located in each tab of the advanced settings dialog. Explore it, as many parameters are important and affect the generated firewall script in different ways.
The next few images show other tabs of the advanced settings dialog. You can find detailed explanations of all parameters in the online help and Firewall Builder Users Guide.
This page defines various parameters for the built-in policy installer. The installer uses an SSH client (pscp.exe and plink.exe on Windows) to transfer the generated script to the firewall machine and activate it there.
You can define shell commands that will be included in the generated script at the beginning and at the end of it. These commands can do anything you want, such as configure some subsystems, set up routing, and so on.
Parameters for logging.
The screenshot below shows more options for script generation. Notice that Firewall Builder can produce the iptables script in two formats: 1) as a shell script that calls the iptables utility to add each rule one by one, or 2) as an iptables-restore script that activates the whole policy at once. Other parameters are explained in the online help.
Starting with v3.0, Firewall Builder can generate both IPv4 and IPv6 policies. This tab controls the order in which they are added to the script if you have defined rules for both address families in the Policy objects of the firewall.
Let's take a look at the policy of the template firewall shown in Figure 4.27. These rules are intended as an example, a starting point to help you create your own policy. Most likely you will want to modify the rules to suit your requirements. The explanations of the rules given here are brief because the goal of Getting Started is only to demonstrate how to use Firewall Builder.
Rule 0: This is an anti-spoofing rule. It blocks incoming packets on the external interface whose source addresses belong to the firewall or to your internal or DMZ networks. The rule is associated with the outside interface and has Direction set to "Inbound".
Rule 1: This rule permits any packets on the loopback interface. This is necessary because many services on the firewall machine communicate back to the same machine via loopback.
Rule 2: Permit ssh access from internal network to the firewall machine. Notice service object "ssh" in the column Service. (This object can be found in the Standard objects library in the Services/TCP folder.)
Firewall Builder 4.0 allows you to compile a single policy or NAT rule and see the generated firewall configuration right in the GUI. To do this, select any object in the rule you want to process, or highlight its leftmost element where the rule number is shown, then right-click to open the context menu:
Now click "Compile rule" (keyboard shortcut "X") to see the result in the panel at the bottom of the main window. This is a great way to experiment with rules and see what is generated in response to your changes.
Access policy rules belong to the object "Policy", which is a child object of the firewall and can be found in the tree below it. As with any other object in Firewall Builder, the Policy object has some attributes that you can edit if you double-click on it in the tree.
Policy can be IPv4, IPv6, or combined IPv4 and IPv6. In the last case you can use a mix of IPv4 and IPv6 address objects in the same policy (in different rules), and Firewall Builder will automatically figure out which one is which and sort them out.
Policy can translate into only the mangle table (used for modifying packets) or a combination of the filter table (used for allowing/blocking packets) and the mangle table. In the latter case, the policy compiler decides which table to use based on the rule action and service object. Some actions, such as "Tag" (which translates into iptables target MARK), go into mangle table.
The "Top rule set" is the one the compiler will use to populate iptables built-in chains INPUT/OUTPUT/FORWARD. (If you have only one rule set, then mark it as the top rule set.) If a policy is not marked as "top rule set", generated rules will go into a user-defined chain with the same name as the policy object.
Here are the pre-configured NAT rules.
Rule 0: Tells the firewall that no address translation should be done for packets traveling from network 192.168.2.0 to 192.168.1.0 (because Translated Source, Translated Destination and Translated Service are left empty).
Rule 1: Packets coming into the firewall from internal and DMZ networks are translated so that their source address will change to that of the outside interface on the firewall.
Rule 2: Packets coming from the Internet to the interface "outside" will be translated and forwarded to the internal server on DMZ represented by the host object "server on dmz".
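To make the compiled form of these rules concrete, here is an added example (hand-written, not the script fwbuilder generates) of Policy rules 0 to 2 and NAT rules 0 to 2 in the "one iptables call per rule" script form, wrapped in the start/stop/status/reload interface the generated .fw script also offers. Interface roles and addresses are assumptions: outside = eth0 192.0.2.1/24, inside = eth1 192.168.1.0/24, dmz = eth2 192.168.2.0/24, and "server on dmz" = 192.168.2.10; only the three policy rules explained here are included, so forwarding from the inside to the Internet is still closed.

```shell
#!/bin/sh
# Added example, not fwbuilder output: the template firewall's Policy rules 0-2 and
# NAT rules 0-2 hand-written in the "one iptables call per rule" script form.
# Interface roles and addresses are ASSUMED for illustration:
#   outside = eth0 192.0.2.1/24, inside = eth1 192.168.1.0/24, dmz = eth2 192.168.2.0/24
IPT="${IPT:-iptables}"      # set IPT="echo iptables" to dry-run and inspect the commands

OUTSIDE=eth0; OUTSIDE_ADDR=192.0.2.1
INSIDE=eth1;  INSIDE_NET=192.168.1.0/24
DMZ=eth2;     DMZ_NET=192.168.2.0/24
DMZ_SERVER=192.168.2.10     # assumed address of the host object "server on dmz"

policy_rules() {
    # Rule 0: anti-spoofing, interface "outside", direction Inbound. A packet arriving
    # on eth0 can never legitimately carry a firewall, inside or DMZ source address.
    for src in "$OUTSIDE_ADDR" "$INSIDE_NET" "$DMZ_NET"; do
        $IPT -A INPUT   -i "$OUTSIDE" -s "$src" -j DROP
        $IPT -A FORWARD -i "$OUTSIDE" -s "$src" -j DROP
    done
    # Rule 1: permit everything on loopback; local services talk to themselves here.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Rule 2: ssh from the internal network to the firewall itself (service "ssh" = tcp/22).
    $IPT -A INPUT -i "$INSIDE" -s "$INSIDE_NET" -p tcp --dport 22 -j ACCEPT
}

nat_rules() {
    # NAT rule 0: empty Translated columns mean "no NAT"; ACCEPT in the nat table keeps
    # the rules below from translating traffic between the two private networks.
    $IPT -t nat -A POSTROUTING -s "$DMZ_NET" -d "$INSIDE_NET" -j ACCEPT
    # NAT rule 1: inside and DMZ sources leave with the address of the outside interface.
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE" -s "$INSIDE_NET" -j SNAT --to-source "$OUTSIDE_ADDR"
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE" -s "$DMZ_NET"    -j SNAT --to-source "$OUTSIDE_ADDR"
    # NAT rule 2: traffic from the Internet to "outside" is forwarded to the DMZ server.
    # Taken literally this catches every protocol; narrow it with -p/--dport in practice.
    $IPT -t nat -A PREROUTING -i "$OUTSIDE" -d "$OUTSIDE_ADDR" -j DNAT --to-destination "$DMZ_SERVER"
}

fw_control() {
    # Same start/stop/status/reload interface as the generated .fw script.
    case "$1" in
        start)
            $IPT -P INPUT DROP; $IPT -P FORWARD DROP
            policy_rules
            # Not one of the three template rules (assumed here): replies to allowed
            # sessions and to the NATed flows must come back, so accept known state.
            $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
            $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
            nat_rules ;;
        stop)
            $IPT -F; $IPT -t nat -F
            $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT ;;
        status) $IPT -L -n -v; $IPT -t nat -L -n -v ;;
        reload) fw_control stop; fw_control start ;;
        *) echo "usage: $0 {start|stop|status|reload}" >&2; return 2 ;;
    esac
}

case "${1:-}" in
    "") : ;;               # run without arguments: only define the functions
    *)  fw_control "$1" ;;
esac
```

Run it as root with `start` to load the rules, or with `IPT="echo iptables" sh script.sh start` to review every command before anything touches the live firewall.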
Now we compile the policy of the firewall "guardian" and generate the iptables script. To do so, use the toolbar button located right above the panel that shows the policy and NAT rules. This button compiles the rules of the firewall that is currently open. The compiler processes Policy, NAT and Routing rules even though the panel shows only one kind of rule at a time. Another button with the same icon, located in the main toolbar under the main menu bar, compiles all firewall objects defined in the object tree. Of course there is no difference if you only have one firewall object.
A new dialog appears that allows you to choose which firewalls you want to compile. The program keeps track of changes and automatically selects firewalls that need recompiling because some object they depend on has changed recently. Obviously this is only useful if you have several firewalls in the object tree. Since the checkbox next to the "guardian" firewall is already checked, click to proceed.
Firewall Builder calls the appropriate policy compiler. The dialog displays compiler progress and results.
If the compiler finds problems with the configuration and issues warning or error messages, the program highlights them in a different color (blue for warnings, red for errors). Click on a warning or error message and the GUI switches to the firewall object, opens the corresponding rule set and highlights the rule that caused the message.
The compiler generates an iptables script in a ".fw" file with the same name as the firewall object (guardian.fw). The file is placed in the same directory as the .fwb data file. The generated iptables script supports the standard startup script parameters "start", "stop", "status" and "reload", and can be used in place of the standard system firewall script in the /etc/init.d/ directory.
Firewall Builder can also transfer the generated script to the firewall and activate it there. It uses ssh to do this (putty on Windows). To use the installer, click the "Install" toolbar button located above the firewall policy panel or in the main toolbar. Firewall Builder will compile the policy (if it is not compiled already) and then open a dialog where you can configure the parameters of the installer. Here you need to enter a password to authenticate to the firewall. Chapter 11 of the Users Guide has detailed instructions for setting up and using the installer.
Firewall Builder 4.0 can cache the password you entered so you don't have to enter it again and again if you need to reinstall the firewall policy several times. The password is never stored on disk in any form; it is only cached in the memory of the running fwbuilder process and discarded when you stop the program. You will need to enter it again the next time you use the program. However, this feature really helps speed up policy updates if you need to do them several times. To activate it, turn it on in the "Installer" tab of the global preferences dialog (menu Edit / Preferences) and then turn on the checkbox "Remember passwords" in the installer dialog. Passwords are stored in a dictionary indexed by the firewall name and the user name configured in the "Installer" tab of the firewall object dialog. This means you can have different passwords for different firewall objects.
Copyright © 2000-2010 NetCitadel, LLC. All rights reserved.