Before fwbuilder v3.0.4, the built-in installer could only use a regular account to activate a policy if this account was configured on the firewall to use sudo without a password. Starting with v3.0.4, this is not necessary anymore because the installer can recognize sudo password prompts and enter the password when needed.
Create an account on the firewall (say, "fwadmin"), create a group "fwadmin" and make this user a member of this group. Most modern Linux systems automatically create a group with the same name as the user account.
Create directory /etc/fw/ on the firewall, make it belong to group fwadmin, and make it group writable:
mkdir /etc/fw
chgrp fwadmin /etc/fw
chmod g+w /etc/fw
Configure sudo to permit user fwadmin to execute the firewall script and a couple of other commands used by the fwbuilder policy installer. Run visudo on the firewall to edit file /etc/sudoers as follows:
Defaults:%fwadmin !lecture, passwd_timeout=1, timestamp_timeout=1
# User alias specification
%fwadmin ALL = PASSWD: /etc/fw/<FWNAME>.fw, /usr/bin/pkill, /sbin/shutdown
Here <FWNAME> is the name of the firewall. The installer will log in to the firewall as user fwadmin, copy the firewall script to file /etc/fw/<FWNAME>.fw and then use the following command to execute it:
ssh fwadmin@firewall sudo -S /etc/fw/<FWNAME>.fw
Set up ssh access to the firewall. Make sure you can log in as user fwadmin using ssh from your management workstation:
$ ssh -l fwadmin <FWNAME>
You may use either password or public key authentication; the installer will work either way. Use putty.exe or plink.exe to test ssh access if you are on Windows (see above for an explanation of how to do this).
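The firewall-side setup above (sudoers entry plus a group-writable /etc/fw) is easy to get subtly wrong, so here is an added example, not part of the fwbuilder documentation, of two POSIX sh helpers: one prints the sudoers fragment for a given firewall name and group, the other verifies that the install directory has the group ownership and group-write bit the installer needs. The firewall name "edge-fw", the /etc/sudoers.d drop-in location in the usage comment, and the function names are assumptions; the guide itself edits /etc/sudoers directly with visudo.

```shell
#!/bin/sh
# Added example (not from the fwbuilder documentation): helpers that produce the
# sudoers fragment described above for a given firewall name and that verify the
# /etc/fw install directory has the ownership and mode the installer needs.
# Assumptions: POSIX sh with ls, awk and cut available; group defaults to "fwadmin".

# Print the two sudoers lines for firewall $1 and group $2 (default: fwadmin).
# The Defaults line suppresses the lecture and keeps the password prompt short-lived;
# the second line lists exactly the commands the policy installer runs through sudo.
gen_sudoers_fragment() {
    fwname="$1"
    group="${2:-fwadmin}"
    printf 'Defaults:%%%s !lecture, passwd_timeout=1, timestamp_timeout=1\n' "$group"
    printf '%%%s ALL = PASSWD: /etc/fw/%s.fw, /usr/bin/pkill, /sbin/shutdown\n' \
        "$group" "$fwname"
}

# Verify that directory $1 exists, is owned by group $2 and is group-writable.
# Returns 0 when every check passes, 1 (with a diagnostic on stdout) otherwise.
check_install_dir() {
    dir="$1"
    group="$2"
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    listing=$(ls -ld "$dir")
    # 4th column of "ls -ld" is the group name; 6th character of the mode string
    # is the group write bit (e.g. "drwxrwxr-x").
    actual_group=$(printf '%s\n' "$listing" | awk '{print $4}')
    group_write=$(printf '%s\n' "$listing" | cut -c6)
    if [ "$actual_group" != "$group" ]; then
        echo "wrong group on $dir: $actual_group (expected $group)"
        return 1
    fi
    if [ "$group_write" != "w" ]; then
        echo "$dir is not group-writable (run: chmod g+w $dir)"
        return 1
    fi
    return 0
}

# Usage on the firewall, as root (the /etc/sudoers.d drop-in path is an assumption;
# the guide edits /etc/sudoers with visudo instead):
#   gen_sudoers_fragment edge-fw > /tmp/fwadmin.sudoers
#   visudo -c -f /tmp/fwadmin.sudoers \
#       && install -m 0440 /tmp/fwadmin.sudoers /etc/sudoers.d/fwadmin
#   check_install_dir /etc/fw fwadmin
```

Always run the fragment through visudo -c before installing it: a syntax error in sudoers locks every sudo user out, including the account you would use to fix it. The check function is deliberately strict about the group name, because a directory that is group-writable by the wrong group lets members of that group replace the firewall script that sudo will later run as root.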
In the installer tab of the firewall settings dialog of the firewall object, put in your user name (here it is "fwadmin"):
If you need to use an alternative name or IP address to communicate with the firewall, put it in the corresponding field in the same dialog page.
Make sure the entry field for the directory on the firewall where the script should be installed is set to /etc/fw. Firewall Builder is not going to create this directory, so you need to create it manually before you install the firewall policy (see above).
Leave "Policy install script" and "Command line options" fields blank.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.