What is Firewall Builder?
Firewall Builder is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco router extended access lists. Both network administrators and hobbyists managing firewalls with policies more complex than a simple web-based UI allows can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.
The latest version of Firewall Builder is 3.0. The list of features implemented in 3.0 can be found here.
Also do not miss the new slideshows demonstrating the capabilities of Firewall Builder 3.0.
Key Features
- Being truly vendor-neutral, Firewall Builder can generate a configuration file for any supported target firewall platform from the same policy created in its GUI. This provides both a consistent policy management solution for heterogeneous environments and a possible migration path.
- All configuration management operations can be performed from one central place, the Firewall Builder GUI. You can create a configuration, track its changes using the built-in revision control system and deploy it to one or several firewall machines. Yet it creates the configuration for all supported firewall platforms in their standard format, which makes it easy to integrate with existing automation scripts.
- Firewall Builder implements many best practices in firewall policy design and firewall management procedures. Here are some examples:
  - It enforces a policy structure that denies all traffic by default and only permits what is necessary.
  - The administrator can easily define the IP address of the management workstation, and Firewall Builder will automatically add a rule to ensure that ssh access from it to the firewall is always permitted. This rule is designed to ensure that the ssh session over which the installer activates the new policy does not break or hang. This helps avoid accidents where errors in the policy rules cut off remote access to the firewall in the middle of activation, making it impossible to fix the error and causing a prolonged network outage.
  - For Cisco PIX (ASA) and IOS access lists, where each access-list command is activated immediately as it is entered, Firewall Builder can optionally create a temporary access list to ensure uninterrupted ssh access from the management workstation to the firewall for the duration of the policy reload session. This method provides the best protection against outages caused by loss of contact with the firewall because of errors in the policy.
  - For iptables, Firewall Builder can generate a script that uses iptables-restore for atomic activation. If iptables-restore detects an error in the script and refuses to load the policy, the script leaves the firewall in the state it was in before. For other firewall platforms it uses appropriate activation methods to achieve the same goal.
  - The built-in policy installer supports a "test" install mode with automatic roll-back. This is another safety mechanism that helps minimize outages in case of errors in the policy. These measures are available for all supported systems, such as Linux/iptables, *BSD/pf, Cisco PIX and Cisco IOS.
- Firewall Builder runs on Linux, FreeBSD, Windows (XP and Vista) and Mac OS X. This means the administrator can use a laptop or workstation running any OS they are comfortable with to manage open source firewalls such as iptables, ipfilter, ipfw and pf, or commercial firewalls such as Cisco PIX/ASA and Cisco router access lists.
- Firewall Builder helps the administrator manage many firewalls using the same network object database. A change made to an object is immediately reflected in the policy of all firewalls using that object. The administrator only needs to recompile and install the policies on the actual firewall machines.
- The object-oriented approach simplifies policy design and management for both dedicated firewalls and on-server firewalls. This aids in the implementation of security in depth.
- The built-in interactive installer uses ssh to communicate with the firewall and can automatically copy the generated policy and activate it. The installer supports a batch mode of operation and can update the policy on multiple firewalls in one session.
- In Firewall Builder, the administrator works with an abstraction of firewall policy and NAT rules; the software effectively "hides" the specifics of the particular target firewall platform and helps the administrator focus on the implementation of the security policy. Backend software components, or policy compilers, can deduce many parameters of policy rules using information available through network and service objects and therefore generate fairly complex code for the target firewall, relieving the administrator from having to remember all its details and limitations.
- Policy compilers also run sanity checks on firewall rules and make sure typical errors are caught before the generated policy is deployed.
- The policy compiler for PIX, which has recently been released under the GPL, allows Firewall Builder to function as sophisticated policy management software for Cisco PIX firewalls, with access to all functions of PIX including the newest features added in v7.x.
- The policy compiler for Cisco IOS access lists adds support for router access lists and turns Firewall Builder into a complete solution for multi-tiered network security.
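The default-deny structure, the automatically added management-workstation ssh rule, the object-driven policy compiler and its pre-deployment sanity checks, as one added Python example (not Firewall Builder's own code; the `NetObj`/`Rule` classes, the chain deduction and the shadowed-rule check are simplified assumptions, and the addresses in the test are constructed):

```python
# Toy policy compiler in the spirit of Firewall Builder (added example, not
# fwbuilder's own code): network/service objects and abstract rules in,
# an iptables-restore script with default deny and an anti-lockout rule out.
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class NetObj:                  # host ("10.0.0.5") or network ("10.0.0.0/24")
    addr: str
    is_firewall: bool = False  # marks the firewall's own address

@dataclass(frozen=True)
class Rule:
    src: NetObj
    dst: NetObj
    port: int                  # TCP service object, reduced to its port
    action: str                # "ACCEPT" or "DROP"

def chain_for(r: Rule) -> str:
    """Deduce the chain: to the firewall itself -> INPUT, from it -> OUTPUT."""
    if r.dst.is_firewall:
        return "INPUT"
    return "OUTPUT" if r.src.is_firewall else "FORWARD"

def check_rules(rules: List[Rule]) -> None:
    """Sanity checks run before any code is generated."""
    seen = set()
    for i, r in enumerate(rules, 1):
        if r.action not in ("ACCEPT", "DROP"):
            raise ValueError(f"rule {i}: unknown action {r.action!r}")
        key = (r.src.addr, r.dst.addr, r.port)
        if key in seen:
            raise ValueError(f"rule {i}: shadowed by an earlier rule with the same match")
        seen.add(key)

def compile_iptables(rules: List[Rule], mgmt: NetObj) -> str:
    """Emit an iptables-restore ruleset: default DROP, management ssh first."""
    check_rules(rules)
    out = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]"]
    for chain in ("INPUT", "FORWARD", "OUTPUT"):  # replies to permitted flows
        out.append(f"-A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    # Anti-lockout rule: placed first so an error further down cannot cut off
    # the ssh session over which the new policy is being activated.
    out.append(f"-A INPUT -s {mgmt.addr} -p tcp --dport 22 -m state --state NEW -j ACCEPT")
    for r in rules:
        out.append(f"-A {chain_for(r)} -s {r.src.addr} -d {r.dst.addr} -p tcp "
                   f"--dport {r.port} -m state --state NEW -j {r.action}")
    out.append("COMMIT")
    return "\n".join(out) + "\n"
```

Feeding the output to `iptables-restore` loads the whole table in one step, so a syntax error anywhere rejects the script and leaves the running policy untouched, which is the atomic activation the page describes.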
Firewall Builder is distributed under a dual license model.