Firewall Builder User's Guide

The information in this manual is subject to change without notice and should not be construed as a commitment by NetCitadel LLC. NetCitadel LLC assumes no responsibility or liability for any errors or inaccuracies that may appear in this manual.


Table of Contents
1. Introduction
1.1. Introducing Firewall Builder
1.2. Overview of Firewall Builder Features
2. Installing Firewall Builder
2.1. RPM-based distributions (Red Hat, Fedora, OpenSUSE and others)
2.2. Ubuntu Installation
2.3. Installing FreeBSD and OpenBSD Ports
2.4. Windows Installation
2.5. Mac OS X Installation
2.6. Compiling from Source
3. Definitions and Terms
4. Getting Started
5. Firewall Builder GUI
5.1. The Main Window
5.2. GUI Menu and Button Bars
5.3. Display area
5.4. Object Tree
5.5. Creating Objects
5.6. Navigating The Object Tree and Editing Objects in the Object Dialog
5.7. Policy Rulesets
5.8. Working with multiple data files
6. Working With Objects
6.1. Addressable Objects
6.1.1. Common Properties of Addressable Objects
6.1.2. The Firewall Object
6.1.3. Interface Object
6.1.4. IPv4 Address Object
6.1.5. IPv6 Address Object
6.1.6. Physical Address Object
6.1.7. Host Object
6.1.8. IPv4 Network Object
6.1.9. IPv6 Network Object
6.1.10. Address Range Object
6.1.11. Address Tables Object
6.1.12. Special case addresses
6.1.13. DNS Name Objects
6.1.14. A Group of Addressable Objects
6.2. Service Objects
6.2.1. IP Service
6.2.2. Using ICMP and ICMP6 Service Objects in Firewall Builder
6.2.3. TCP Service
6.2.4. UDP Service
6.2.5. User Service
6.2.6. Custom Service
6.3. Time Interval Objects
6.4. Creating and Using a User-Defined Library of Objects
6.5. Finding and Replacing Objects
7. Network Discovery: A Quick Way to Create Objects
7.1. Reading the /etc/hosts file
7.2. Network Discovery
7.3. Policy Importer
8. Firewall Policies
8.1. Policies and Rules
8.2. Firewall Access Policy Rulesets
8.2.1. Source and Destination
8.2.2. Service
8.2.3. Interface
8.2.4. Direction
8.2.5. Action
8.2.6. Time
8.2.7. Options
8.2.8. Working with multiple policy rule sets
8.3. Network Address Translation Rules
8.3.1. Basic NAT Rules
8.3.2. Source Address Translation
8.3.3. Destination Address Translation
8.4. Routing Ruleset
8.4.1. Handling of the Default Route
8.4.2. ECMP routes
8.5. Editing Firewall Rulesets
8.5.1. Adding and removing rules
8.5.2. Adding, removing and modifying objects in the policy and NAT rules
8.5.3. Changing rule action
8.5.4. Changing rule direction
8.5.5. Changing rule options and logging
8.5.6. Using Rule Groups
8.5.7. Support for Rule Elements and Features on Various Firewalls
8.6. Using Built-in Revision Control in Firewall Builder
8.7. Compiling and Installing firewall policies
9. Installing a Policy onto a Firewall
9.1. How the installer decides which address to use to connect to the firewall
9.2. Configuring Installer on Windows
9.3. Configuring the installer to use a regular user account to manage the firewall
9.4. Configuring the installer if you use the root account to manage the firewall
9.5. Configuring installer if you regularly switch between Unix and Windows workstations using the same .fwb file and want to manage the firewall from both
9.6. Always permit SSH access from the management workstation to the firewall
9.7. Using putty sessions on Windows
9.8. How to configure the installer to use an alternate ssh port number
9.9. How to configure the installer to use ssh private keys from a special file
9.10. Troubleshooting ssh access to the firewall
9.11. Running built-in installer to copy generated firewall policy to the firewall machine and activate it there
9.12. Running built-in installer to copy generated firewall policy to Cisco router or ASA (PIX)
9.13. Batch install
9.14. How to make your firewall load your firewall policy on reboot
9.14.1. How to make the firewall load the firewall policy after reboot -- iptables
9.14.2. How to make the firewall load the firewall policy after reboot -- pf
9.14.3. How to make the firewall load the firewall policy after reboot -- ipfw
9.14.4. How to make the firewall load the firewall policy after reboot -- ipfilter
10. Manage your firewall remotely
10.1. The Firewall
10.2. Using Diskless Firewall Configuration
10.3. The Management Workstation
11. Firewall Builder Cookbook
11.1. How to change IP addresses in the firewall configuration created from a template
11.2. Examples of Access Policy Rules
11.2.1. Firewall object used in examples
11.2.2. Permit internal LAN to connect to the Internet
11.2.3. Letting certain protocols through, while blocking everything else
11.2.4. Letting certain protocols through from a specific source
11.2.5. Interchangeable and non-interchangeable objects
11.2.6. Anti-spoofing rules
11.2.7. Anti-spoofing rules for the firewall with dynamic address
11.2.8. Using groups
11.2.9. Using Address Range instead of a group
11.2.10. Controlling access to the firewall
11.2.11. Controlling access to different ports on the server
11.2.12. Firewall talking to itself
11.2.13. Blocking unwanted types of packets
11.2.14. Using Action 'Reject': blocking Ident protocol
11.2.15. Using negation in policy rules
11.2.16. Tagging packets
11.2.17. Adding IPv6 Rules to a Policy
11.2.18. Using mixed IPv4+IPv6 rule set to simplify adoption of IPv6
11.2.19. Running multiple services on the same machine on different virtual addresses and different ports
11.2.20. Using firewall as DHCP and DNS server for the local net
11.2.21. Controlling outgoing connections from the firewall
11.2.22. Branching rules
11.2.23. Using branch rule set with external script that adds rules "on the fly"
11.3. Examples of NAT Rules
11.3.1. "1-1" NAT
11.3.2. Using Address of "wrong" Interface for Source Address Translation
11.3.3. "No NAT" rules
11.3.4. Redirection rules
11.3.5. Destination NAT Onto the Same Network
11.4. Useful Tricks
11.4.1. How to generate firewall policy for many hosts
11.4.2. Using Empty Groups
11.4.3. How to use Firewall Builder to configure the firewall using PPPoE
12. Troubleshooting
12.1. Build Issues
12.1.1. autogen.sh complains "libfwbuilder not installed"
12.1.2. "Failed dependencies: ..." when installing RPM
12.2. Program Startup Issues
12.2.1. "fwbuilder: cannot connect to X server localhost:0.0"
12.2.2. "fwbuilder: error while loading shared libraries: libfwbuilder.so.0: cannot load shared object file: no such file or directory."
12.2.3. "fwbuilder: error while loading shared libraries: /usr/local/lib/libfwbuilder.so.8: cannot restore segment prot after reloc: Permission denied"
12.3. Firewall Compiler and Other Runtime Issues
12.3.1. Firewall Builder crashes
12.3.2. Older data file cannot be loaded in Firewall Builder
12.3.3. "I/O Error" while compiling policy. No other error.
12.3.4. ios_base::failbit set on Windows
12.3.5. "Cannot create virtual address NN.NN.NN.NN"
12.4. Running the Firewall Script
12.4.1. Determining which rule caused an error
12.4.2. "ip: command not found"
12.4.3. I get the following error when I run generated script for iptables firewall: "iptables v1.2.8: can't initialize iptables table 'drop': Table does not exits (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded."
12.4.4. "Interface eth0 does not exist"
12.4.5. "Interface eth0:1 does not exist"
12.4.6. Script fails to load module nf_conntrack
12.5. Using Built-in Policy Importer in Firewall Builder
12.5.1. Importing existing iptables configuration
12.5.2. Importing Cisco IOS access lists configuration
12.6. RCS Troubleshooting
12.6.1. Error adding file to RCS
12.6.2. "Error checking file out: co: RCS file c:/fwbuilder/RCS/file.fwb is in use"
12.6.3. "Error checking file out:"
12.7. Issues after new policy activation
12.7.1. Cannot access only some web sites
12.7.2. Firewall becomes very slow with new policy
12.7.3. X won't start on a server protected by the firewall
12.7.4. Cannot access Internet from behind firewall
12.8. Routing Rules Issues
12.8.1. Compile fails with dynamic or point-to-point interfaces
List of Figures
1-1. Sample firewall policy
4-1. Starting Firewall Builder
4-2. Select New Firewall
4-3. Define firewall platform
4-4. Pick a template
4-5. New Firewall
4-6. Save firewall
4-7. Specify filename
4-8. Filename displayed
4-9. Objects tree
4-10. Host and Network objects
4-11. TCP objects
4-12. ICMP objects
4-13. UDP objects
4-14. Firewall object
4-15. Edit an object
4-16. Firewall attributes
4-17. iptables attributes
4-18. Firewall interface objects
4-19. Interface object attributes
4-20. Interface IP address
4-21. Firewall internal interface
4-22. Firewall DMZ interface
4-23. Firewall Compiler properties
4-24. Compiler properties online help
4-25. Installer properties
4-26. Script Prolog/Epilog properties
4-27. Logging properties
4-28. Script properties
4-29. IPv4, IPv6 generation order
4-30. Template rulesets
4-31. Policy ruleset
4-32. NAT ruleset
4-33. Compile the firewall rulesets
4-34. Compile firewall dialog
4-35. Compile status dialog
4-36. Generated file
4-37. Generated script
4-38. Policy installer
5-1. The main window
5-2. Menu and Button Bars
5-3. The GUI Preferences Dialog
5-4. Buttons
5-5. The main window
5-6. Object Tree Structure
5-7. Standard Objects
5-8. Creating Objects Using The Object Menu
5-9. Creating Objects by Right-Clicking
5-10. Interface Dialog
5-11. Policy Rule set
5-12. Data file
5-13. Data file
5-14. 1.fwb
5-15. Window menu
5-16. Dragging between windows
5-17. Second window now has the object
5-18. local ipv6 net
6-1. First Page of the Wizard
6-2. Choose Configure Interfaces Manually
6-3. Adding Interfaces to the new Firewall Object
6-4. SNMP 'read' community string
6-5. Discovering interfaces via SNMP
6-6. Discovering interfaces via SNMP
6-7. Firewall Controls
6-8. Firewall Host OS Settings dialog (Linux)
6-9. Firewall Settings dialog (iptables)
6-10. Rule set options
6-11. Interface Object
6-12. Interface Object
6-13. Choosing Network Zones
6-14. Rule using an Interface object
6-15. Interface object with both address families
6-16. Interface object in a rule
6-17. IPv4 Address object assigned to an interface
6-18. Interface with dynamic address
6-19. Interface with dynamic address in a rule
6-20. Bridge interface
6-21. Bridge interface in rule
6-22. IPv4 Address object assigned to an interface
6-23. IPv4 Address object assigned to an interface and used in a rule
6-24. Stand-alone IPv4 Address object
6-25. IPv6 Address Object assigned to an Interface object
6-26. Stand-alone IPv6 Address Object
6-27. IPv6 Address objects in a rule
6-28. The Physical Address Object
6-29. The Host object with Address and Physical Address
6-30. Policy rule using only Address object
6-31. Policy rule using only Physical Address object
6-32. Policy rule using Host object
6-33. Policy rule using Interface object
6-34. Policy rule using Address and Physical Address objects
6-35. A Host Object With One Interface And Multiple Virtual Addresses
6-36. Editing The Host Object
6-37. Host with multiple interfaces, some with multiple addresses
6-38. Host in a rule
6-39. Host in a rule with both IPv4 and IPv6
6-40. Host object with an interface that has multiple addresses
6-41. Using objects with multiple addresses in policy rules
6-42. Equivalent rules
6-43. The Network Object
6-44. IPv4 Network object used in a rule
6-45. IPv6 Network Object
6-46. IPv6 Network object used in a rule
6-47. The Address Range Object
6-48. The Address Table Object
6-49. Address Table text file
6-50. Rule using an Address Object
6-51. Compile Time, iptables compile output
6-52. Compile Time, PF compile output
6-53. Run Time, iptables compile output
6-54. Run Time, iptables compile output, assume firewall is part of "any"
6-55. Run Time, PF compile output
6-56. Address Table Object bad_hosts
6-57. Address Table Object bad_hosts Rules
6-58. Multicast object
6-59. Multicast rule
6-60. Broadcast rules
6-61. Broadcast and Multicast address in a bridging firewall
6-62. Broadcast and Multicast address in a rule
6-63. DNS Name Object
6-64. Rule using DNS Name object
6-65. DNS Name Compile Time, iptables compile output
6-66. DNS Name Compile Time, PF compile output
6-67. DNS Name Run Time, iptables compile output
6-68. DNS Name Run Time, PF compile output
6-69. Group of Objects
6-71. Creating/Editing an IP Service Object
6-94. User Service Dialog
6-95. User Service Rule Example
6-96. User Service, iptables compile output
6-97. User Service, PF compile output
6-103. Time Interval dialog
6-104. Time Interval rule example
6-105. A new, empty user-defined library
6-106. Library dialog
6-107. ACME library with blue background
6-108. Library with user-created objects
6-109. Export your library
6-110. Save dialog box
6-111. Policy before the Find/Replace
6-112. Find/Replace dialog
6-113. Objects to find and replace
6-114. Policy with objects replaced
7-1. Calling The Object Discovery Druid
7-2. Creating networks using gathered information
7-3. Creating networks using gathered information (more)
7-4. Creating Hosts using gathered information
7-5. Creating Hosts using gathered information (more)
7-6. List of Objects
7-7. Specify type of object
7-8. Target Library
7-9. Target Library
7-10. Initial Parameters for the Network Discovery program
7-11. Parameters for Network Discovery: Page 1
7-12. Parameters for Network Discovery: Page 2
7-13. The SNMP crawler status
7-14. The SNMP crawler status (more)
8-1. The sequence in which NAT and Policy rules are applied to the packet in Firewall Builder
8-2. Access Policy
8-3. Destination matches any IP that is not an RFC 1918 address
8-4. Directions
8-5. Parameter options for the Reject action
8-6. Rule Actions
8-7. Firewall with more than one Policy rule set
8-8. Policy Rule Set Dialog (iptables)
8-9. Passing a packet to the "mgmt" rule set
8-10. NAT rule set
8-11. Network Address Translation Rules
8-12. Translations done to packets going in different directions: (A) when firewall object is used in TSrc in the NAT rule; (B) when interface eth1 is used in TSrc in the NAT rule; (C) when host object with address 192.0.2.50 is used in TSrc in the NAT rule
8-23. Translation limited to packets of HTTP protocol
8-24. Destination Address Translation Rule Using Interface of the Firewall
8-25. Translations done to packets going in different directions: (A) when firewall object is used in ODst in the NAT rule and (B) when interface eth1 is used in ODst in the NAT rule
8-34. A Routing Rule
8-35. ECMP Routing Rule
8-36. Modifying Policy rules
8-37. Modifying Object in the Policy Rule
8-38. Modifying the Action of the Policy Rule
8-39. Modifying the Direction of the Policy Rule
8-40. Logging and Options in a Policy Rule
8-41. iptables Options dialog
8-42. Rules without grouping
8-43. Create the group
8-44. Name the group
8-45. Group with one entry
8-46. Add a rule to the group
8-47. A group of rules
8-48. Collapsed group
8-60. A policy to compile and install
8-61. Select Rules/Compile
8-62. Select your firewall
8-63. Compile status messages
8-64. Select Rules/Install
8-65. Select Install
8-66. Firewall SSH and install parameters
8-67. Installation status
11-1. New firewall
11-2. Edit the network address
11-3. Create new network object
11-4. New object
11-5. Edit name and address
11-6. Activate Find dialog
11-7. Drag original object to the Find field
11-8. Drag new object to the Replace field
11-9. Drag new object to the Replace field
11-10. New object used in all rule sets
11-11. Firewall and its interfaces used in the examples in this chapter.
11-12. Permit internal network to connect to Internet
11-13. Example of a rule permitting only certain protocols to the server and blocking everything else.
11-14. Example of a rule permitting only certain protocols from limited set of sources to the server.
11-15. Basic anti-spoofing rule
11-16. Basic anti-spoofing rule
11-17. Object group that consists of three host objects.
11-18. Example of a rule using object group.
11-19. Policy for server
11-20. Policy for server
11-21. SSH from anywhere
11-22. SSH from LAN
11-23. LAN to anywhere
11-24. Negating the firewall as a destination from the LAN
11-25. Firewall access from only one machine
11-26. Firewall access from only one machine; all other access to the firewall explicitly denied
11-27. Option that enables the automatic rule permitting ssh access from the management workstation
11-28. Policy for server
11-29. Policy for server
11-30. Policy for server
11-31. Rule permitting everything on the loopback interface
11-32. IP Service object which represents fragmented packets.
11-33. Rule options dialog for iptables firewall
11-34. Rule blocking short fragmented packets and TCP "Christmas scan" packets
11-35. Using action "Reject" with rule option
11-36. Adding a rule option to send a TCP RST packet
11-37. Using two rules to block access from DMZ to internal net and permit access to the Internet
11-38. Using rule with negation to block access from DMZ to internal net and permit access to the Internet
11-39. Using rule with negation to block access from DMZ to internal net and permit access to the Internet
11-40. Simple tag service
11-41. TCP service to match source port 80
11-42. Rule matching Tag Service
11-43. Configuring Tag action
11-44. Configuring rule options to make the rule stateless
11-45. Add IPv6 addresses to an interface
11-46. Enter address and netmask
11-47. Internal Interface
11-48. Create IPv6 network object
11-49. IPv6 network object name and address
11-50. Policy parameters
11-51. IPv4/IPv6 rule set configuration
11-52. Add policy rule set
11-53. Set rule set parameters
11-54. Add policy rules
11-55. Mixed IPv4/IPv6 rule set parameters
11-56. IPv4 only rule set
11-57. Mixed IPv4/IPv6 rule set
11-58. Firewall object with multiple services
11-59. Policy rules
11-60. webmin object
11-61. Rules with DHCP
11-62. Rules with DHCP using Firewall interface
11-63. Rules with DNS
11-64. HTTP only
11-65. HTTP and DNS
11-66. HTTP, DNS and ping
11-67. Firewall object with two policy rule sets
11-68. Rule with action "Chain"
11-69. Rate limiting rule
11-70. Several rules branching to the same rule set "rate_limit"
11-71. Rate limiting rule for PF
11-72. Create "block_ssh" rule set
11-73. Set the "chain" action
11-81. DNAT back to the same LAN
11-82. Using dual translation only for connections coming from internal network
12-18. DNS on loopback
12-19. DNS on to name servers
12-20. Any to any on firewall
12-21. Any to any on firewall
 

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.