Firewall Builder v5 Beta

Firewall Builder v5 is now available for beta testing. In addition to bug fixes and minor enhancements, v5 includes the following new features:

  • User defined system folders
  • Keywords for tagging objects
  • Dynamic Group Objects with Smart Filters
  • Multiple operations per filter Rule
  • New Attached Networks Object
  • Improved GUI layout and behavior
  • Import of PF configurations

Firewall Builder v5 is still being actively developed so please check to make sure you are running the latest build before reporting any issues. The latest build can always be found in the nightly builds directory.

http://www.fwbuilder.org/nightly_builds/fwbuilder-5.0/current_build/

If you do find an issue, and you are running the latest build, please report the issue on SourceForge Tickets.

The following provides a brief overview of the new features as well as links to preliminary documentation where available.


User Defined System Folders

Users can now create their own subfolders in the object tree. To add a subfolder right-click on a system folder, for example Firewalls, and select "New Subfolder". You can move objects into the subfolder by dragging-and-dropping them from the parent folder in the object tree to the subfolder. You can only delete empty subfolders, so if you want to delete a subfolder first move all the objects in that subfolder to the parent folder and then you can delete the subfolder.

Preliminary documentation for this feature can be found here.


Keywords for Tagging Objects

This feature gives users the ability to apply keywords to objects and then use the filter box to search for objects that match a keyword.

Preliminary documentation for this feature can be found here.


Dynamic Groups with Smart Filters

A new type of group, called a Dynamic Group, has been added to the Group object in the object tree. Right-click the Group object and select "New Dynamic Group" to create a new group. You can use both Keywords and Object Type to create filters of objects that should be included in the Dynamic Group. There is a preview window that displays all the objects that match the filter.

You can use Dynamic groups in rules just like you would use a regular Group object. When Firewall Builder compiles a rule that includes a Dynamic Group it will expand the group into all its member objects.

Preliminary documentation for Dynamic Groups can be found here.


Multiple Operations per Filter Rule

The actions for Tag, Classify and Route have been moved to the rule Options. This allows a user to define a primary action, like Accept, and then define additional actions that should be taken on traffic that matches the rule.

This is only supported for iptables and PF platforms. For PF setting multiple actions will result in a single rule with multiple actions defined. For iptables this will result in multiple rules ordered so that all actions are performed correctly.

Preliminary documentation for this feature can be found here.


New Attached Networks Object

There is a new child object for interfaces that represents all the networks that are "attached" to the interface. This means that for each IP address that is configured on an interface the associated network for that IP address will be included in the Attached Networks object.

Preliminary documentation for this feature can be found here.


Improved GUI layout and behavior

A number of changes have been made to make mouse click behavior more consistent, and the layout of the GUI has been updated to make things simpler.


Import of PF configurations

Firewall Builder can now import PF configurations in pf.conf format. To import a pf.conf configuration go to File -> Import Firewall and follow the prompts.

Important Note About PF Import

Most firewall platforms, like iptables, Cisco ASA, etc., are designed around a first-match-and-exit paradigm. This means that as soon as a packet matches a rule, the action of the matching rule is applied and no further rules are checked against that packet. Firewall Builder is designed around this approach and generates configurations based on this assumption.

PF is unusual in that it does not require first-match-and-exit behavior. You can force match-and-exit behavior by using the "quick" keyword, but by default traffic in a PF firewall will traverse all rules regardless of whether the packet has already matched one or more rules. In this case, once the entire rule set has been evaluated, the action of the last rule that the packet matched is applied.

When Firewall Builder generates a PF policy, we always use the "quick" keyword. This makes PF behave the same way as the other firewalls we configure, which helps to maintain consistency across platforms. The problem arises when a user tries to import a pf.conf configuration that does not make use of the "quick" keyword. Since we don't generate rules this way, we have no way to import configurations that use this form, because the last-match semantics they rely on cannot be represented in the Firewall Builder rule model.

Example of configuration structure that we DO NOT support

block in log
pass out keep state
pass in on fwe0 proto udp from any to (fwe0) port 137 keep state
pass in on fwe0 proto udp from any to (fwe0) port 138 keep state

Example of configuration structure that we DO support

pass out keep state
pass in quick on fwe0 proto udp from any to (fwe0) port 137 keep state
pass in quick on fwe0 proto udp from any to (fwe0) port 138 keep state
block in log
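To make the difference concrete, the following is an added example (not Firewall Builder code) that evaluates the two fragments above under both PF's default last-match semantics with "quick" short-circuiting and the first-match-and-exit model Firewall Builder assumes. Interface matching ("on fwe0") and state are ignored, and the parser only handles the constructs that appear in those fragments.

```python
# Added example, not part of Firewall Builder: a minimal evaluator for the two
# pf.conf fragments above. It shows that the "quick" ruleset gives the same
# answer under both semantics, while the non-"quick" one does not.
import re

# Constructed rulesets copied from the two fragments above.
UNSUPPORTED = [
    "block in log",
    "pass out keep state",
    "pass in on fwe0 proto udp from any to (fwe0) port 137 keep state",
    "pass in on fwe0 proto udp from any to (fwe0) port 138 keep state",
]
SUPPORTED = [
    "pass out keep state",
    "pass in quick on fwe0 proto udp from any to (fwe0) port 137 keep state",
    "pass in quick on fwe0 proto udp from any to (fwe0) port 138 keep state",
    "block in log",
]

def parse(rule):
    """Extract action, direction, the 'quick' flag, and optional proto/port."""
    words = rule.split()
    r = {"action": words[0], "dir": words[1], "quick": "quick" in words}
    proto = re.search(r"proto (\w+)", rule)
    port = re.search(r"port (\d+)", rule)
    r["proto"] = proto.group(1) if proto else None   # None means "any"
    r["port"] = int(port.group(1)) if port else None  # None means "any"
    return r

def matches(r, pkt):
    """pkt is a dict with 'dir', 'proto' and 'port' (constructed input)."""
    return (r["dir"] == pkt["dir"]
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["port"] is None or r["port"] == pkt["port"]))

def pf_decide(ruleset, pkt):
    """PF semantics: the last matching rule wins unless a match is 'quick'."""
    result = None  # None: no rule matched at all
    for r in map(parse, ruleset):
        if matches(r, pkt):
            result = r["action"]
            if r["quick"]:
                break
    return result

def first_match_decide(ruleset, pkt):
    """First-match-and-exit, the model Firewall Builder generates rules for."""
    for r in map(parse, ruleset):
        if matches(r, pkt):
            return r["action"]
    return None
```

For an inbound UDP/137 packet, `pf_decide(UNSUPPORTED, ...)` returns "pass" while `first_match_decide(UNSUPPORTED, ...)` returns "block", which is exactly the disagreement that makes such files unimportable; on SUPPORTED both functions agree.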


Firewall Builder v5 Technical Notes


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.