Firewalls are usually packet filters, which analyze IP packets on their way from network A to network B. The packets are passed (forwarded) or rejected based on the firewall's policy. Usually the goal is unidirectional communication, i.e. users from the Intranet can browse the Internet, but attackers from the Internet cannot initiate communication with Intranet resources.
Firewall Builder is a GUI front-end to create scripts for various firewalls. In order to do this, you first create an inventory of your network resources. Then you create a policy with the help of a "Druid", drag&drop and other kinds of GUI WIMPS (Windows, Icons, Menus, Pop-ups and Scrollbars). At this stage you can save your configuration to an XML file for later reuse. Finally you choose the appropriate compiler to create a script for your target system.
The inventory phase can be automated by SNMP. The upload to the target system will be possible in the future via a special daemon, which authenticates via certificates. Currently the daemon is still in Beta. This however goes beyond this start-up tutorial. For more information cf. Firewall Builder Architecture Overview (PDF).
You need several packages installed on your system before you can install fwbuilder, cf. Firewall Builder: Requirements. They can be installed as usual with rpm --install package.rpm or with --update if an older version is already installed. Then you install the API: libfwbuilder, the GUI: fwbuilder and the policy compiler for your target, e.g. fwb-iptables for iptables (cf. FAQ 1.5). Now try to start "fwbuilder &". If it does not work, read FAQ 2. Another debugging aid is the contributed script check_libs.sh.
In case you run RedHat 7.2 with Kernel 2.4, be aware that the preferred method for Kernel 2.4 is iptables, whereas RH 7.2 comes preconfigured with ipchains. Simply deactivate ipchains and activate iptables by clicking the appropriate checkbox in the service configuration GUI. iptables version 1.2.3 has a bug which makes it complain about the log level. fwbuilder provides a workaround ("Use numeric log levels"), but you should consider updating to the latest version (currently 1.2.6a), which you can get from netfilter. For RH 7.1 there is a contribution firewall-initscript.tar.gz.
Let's start with a simple but typical example: Your SOHO (Small Office Home Office) network has RFC 1918 addresses, e.g. 192.168.1.X, and consists of several PCs which want to access the Internet via a gateway called gw. This gateway is a Linux combo server, which runs several services for the Intranet, the firewall software and fwbuilder. It is connected to the Internet via a dialup connection (interface ppp0) with a dynamically assigned IP address. The intranet reaches this machine via Ethernet (interface eth0). This is the scenario of the official tutorial chapter
1. Create home directory for all configurations.
2. Start Firewall Builder.
3. Set path to home directory.
4. Save all subsequent changes in
5. Discover all hosts of your network. This may be useful for the Advanced configuration, but it's not necessary for this first example.
6. Insert your Intranet (you do not need to insert your Loopback network).
7. Most important step: Create the firewall and specify its interfaces. This is explained in more detail in the following sub-steps.
   - Tab General: Enter the host name, e.g. "
   - Tab Interfaces: Add 3 interfaces:
     You may specify the MAC address of eth0, but it's not used in this scenario.
   - Tab Compile / Install: Enter the name of the compiler, e.g.
     Optionally choose "Install Script" and specify one of the install scripts mentioned below.
   - Tab Network: Select Packet forwarding and Allow dynamic addresses "On". This will set
8. This runs the "Druid".
9. In the Tree on the left side navigate to "Policy". Drag&Drop the Firewall to the 'masquerading' rule's source. The Druid created some rules for you, but you have to enhance them.
10. Save the work from above.
In order to compile the script, select your firewall on the left side and choose Rules | compile -> gw.fw from the menu bar. A pop-up window should confirm success. Rules | Install will invoke the installation script which you specified in the "Compile / Install" tab of the firewall dialog. For the moment use my dummy script installfw.sh, which will do nothing but some checking and then print that you have to manually copy the generated file to /etc/rc.firewall. Make sure that this script is actually executed, e.g. by inserting a call in /etc/rc.d/rc.local. You can take this script as a starting point for your own experiments. Other scripts which should be applicable to this sample scenario are fwb_iptables_wrapper and transfer.
Until this point everything you did was meant to deny inbound traffic (from the Internet to the Intranet) and allow outbound traffic (cf. 3.1. Providing Internet connection for workstations behind the firewall). That's what a firewall is meant for. But if you run some public services on the firewall machine, e.g. a Web and an FTP server, you have to pierce holes into the firewall that allow inbound traffic to nothing but these services. This could become a security issue, and therefore it is recommended to run public services on a third network called "DMZ" (demilitarized zone). However, in this SOHO example you have nothing but your "all in one" combo machine.
Add a rule to the global "Policy" section: "Rules | Add Rule after current". Drag&Drop the firewall into the Destination field and change the Action from "Deny" to "Accept". Switch from the "User" to the "Standard" tab. Expand the tree to "Services | TCP". Drag&Drop the appropriate services, e.g. http, https and ftp, to the Service field of the rule you just created. You don't need ftp_data. Save and recompile everything.
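As an added example (hand-written here, not the script fwbuilder generates), this is what the SOHO policy built above amounts to in iptables terms: deny by default, masquerade the Intranet out through ppp0, and open nothing from the Internet except the three services on the firewall itself. It assumes eth0 faces 192.168.1.0/24 and ppp0 is the dialup link; set IPT=echo (or run it with the argument preview) to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not output of fwbuilder: the iptables rule set the SOHO
# policy above amounts to, written by hand. Assumptions: eth0 faces the
# Intranet 192.168.1.0/24, ppp0 is the dialup link, and the firewall box
# itself runs the public HTTP, HTTPS and FTP servers.
INT_IF=eth0
EXT_IF=ppp0
LAN=192.168.1.0/24
IPT="${IPT:-iptables}"   # set IPT=echo to preview the rules without root

apply_policy() {
    # Deny by default; the firewall's own outbound traffic is allowed.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the firewall or the LAN opened.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound only: the Druid's masquerading rule, LAN addresses rewritten
    # to the firewall's ppp0 address on the way out.
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    # The Intranet may reach the firewall machine itself (all services).
    "$IPT" -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    # The holes: only these TCP ports are reachable from the Internet.
    # ftp_data (port 20) is not listed because the ftp conntrack helper
    # marks the data connection RELATED, so the state rule above admits it.
    for port in 80 443 21; do
        "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Everything else arriving on ppp0 is logged and then hits the DROP policy.
    "$IPT" -A INPUT -i "$EXT_IF" -j LOG --log-prefix "fw-drop: "
}

# Review helper: how many ports does the policy open towards the Internet?
count_external_holes() {
    ( IPT=echo; apply_policy ) | grep -c -- "-i $EXT_IF -p tcp --dport"
}

case "${1:-}" in
    apply)   apply_policy ;;
    preview) ( IPT=echo; apply_policy ) ;;
esac
```

Compare the preview output with the gw.fw that fwbuilder compiled for you; the hole count is the number to watch whenever the policy is changed later.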
If everything went OK up to here, you might still be in trouble after the next reboot of your client if it gets its IP address from a DHCP server on the firewall. You specified that the whole Intranet may access your firewall machine, but at that moment your client does not yet have an address, and in particular no address inside the Intranet, so that rule does not cover its DHCP request. The contributed document Firewall as a DHCP Server tells you how to handle this.
This paragraph is intended for the configuration of applications like MS NetMeeting, but it is yet incomplete: You probably have to create a group which includes the TCP services 389 (ldap and old ILS), 522 (User Location Service), 1002 (new ILS), 1503 (T.120), 1720 (H323hostcall) and 1731/tcp (Audio call control) and allow them to be routed between the Internet and your client machine. The basics are described in 3.2. Server behind the firewall using address of the firewall for access.
For interfaces with dynamically assigned address you usually have to use "any", i.e. 0.0.0.0, as source or destination. If you prefer to use the actual address you have to proceed as proposed by one of the fwbuilder users: Select a fake IP address for the interface. Patch the generated script by inserting a line like EXTIP=`/sbin/ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d \ -f 1` and replace the fake address by $EXTIP. Warning: Something like EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | ...`" may fail on localized Linux versions (e.g. the German version reads 'inet Adresse'). Reinvoke the firewall script every time the address changes. You may insert a call into /etc/ppp/ip-up.local.
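The localization trap above is worth seeing side by side. The following added example (mine, not from the tutorial or a fwbuilder user) puts the tutorial's label-based pipeline next to a variant that does not depend on the label text at all, and runs both over constructed English and German ifconfig output; get_extip, SAMPLE_EN and SAMPLE_DE are names I introduce here.

```shell
#!/bin/sh
# Added example, not from the tutorial: read the dynamic ppp0 address from
# net-tools ifconfig output without depending on the localized label.
# Assumptions: ifconfig output in the old "inet addr:" or "inet Adresse:"
# form, or the newer "inet A.B.C.D" form; the interface name is passed in.

# The tutorial's pipeline: works only when the label reads 'inet addr'.
extip_by_label() {
    grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1
}

# Locale-independent: first IPv4 dotted quad on the first 'inet' line
# (the \{1,\} space keeps 'inet6' lines out), any label word tolerated.
extip_from_ifconfig() {
    sed -n 's/^[[:space:]]*inet[[:space:]]\{1,\}[A-Za-z]*:\{0,1\}\([0-9][0-9.]*\).*/\1/p' |
        head -n 1
}

# For real use: force the C locale (then even the label pipeline works)
# and fail loudly so a firewall script never runs with an empty EXTIP.
get_extip() {
    ip=$(LC_ALL=C /sbin/ifconfig "$1" 2>/dev/null | extip_from_ifconfig)
    [ -n "$ip" ] || { echo "no IPv4 address on $1" >&2; return 1; }
    echo "$ip"
}

# Constructed samples (not captured from a real system) for both locales.
SAMPLE_EN='ppp0      Link encap:Point-to-Point Protocol
          inet addr:212.1.2.3  P-t-P:212.1.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
SAMPLE_DE='ppp0      Protokoll:Punkt-zu-Punkt-Verbindung
          inet Adresse:212.1.2.3  P-z-P:212.1.2.1  Maske:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

parse_sample()          { printf '%s\n' "$1" | extip_from_ifconfig; }
parse_sample_by_label() { printf '%s\n' "$1" | extip_by_label; }

# In /etc/ppp/ip-up.local you would then re-run the firewall script as
#   EXTIP=$(get_extip ppp0) && EXTIP="$EXTIP" /etc/rc.firewall
```

On the German sample the label pipeline yields an empty EXTIP, which is the case the warning above is about; the sed variant returns 212.1.2.3 for both.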
First test if everything that should work actually works. Access the Internet from both the firewall machine and some Intranet clients, let the Intranet clients access the firewall machine and vice versa. If you use a dynamic DNS service, test if their client works as expected and if you can reach your own machine via the dynamic name.
Test if everything that should be blocked is actually blocked. Several companies who sell Firewalls offer web based tests of your system.
Since fwbuilder uses XML to store its configuration, you can easily transform it into HTML using an XSL stylesheet. Use File | Print, check File as destination and use gw.htm as filename. You can display the file $HOME/fwbuilder/gw.htm with your browser. Some browsers, e.g. Microsoft Internet Explorer Version 5 and higher, can do the transformation themselves. Copy /etc/fw1.xml, /usr/share/libfwbuilder/fwbuilder.dtd and /usr/share/fwbuilder/filters/policy-html.xsl to a directory where you can edit them and access them with your browser. You may have to convert them with unix2dos into DOS format. Insert <?xml-stylesheet type="text/xsl" href="policy-html.xsl"?> right below <?xml version="1.0"?>. Edit policy-html.xsl and delete mode="fw" from <xsl:for-each select="fwbuilder:Interface" mode="fw"> and <xsl:call-template name="Interface" mode="fw"/>. Then simply display fw1.xml with your browser.
If you still have questions, the best place to ask is the Open Forum. Everyone can read this forum, but in order to post questions or replies, you have to register at SourceForge.
May 11 2002, Christian Barmala. Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.