After firewall configuration has been generated by one of the policy compilers and saved in a file on disk in the format required by the target firewall, it needs to be transferred to the firewall machine and activated. This function is performed by the component we call "Policy Installer", which is part of the Firewall Builder GUI.
The installer needs to be able to copy the generated firewall script to the firewall and then run it there. To do so, it uses secure shell. The program does not include ssh code of its own; it uses an external ssh client. On Linux, BSD and Mac OS X it uses the standard ssh client (ssh) and the secure copy program (scp) that come with the system; on Windows it uses plink.exe and pscp.exe. The full directory path to the ssh client program can be configured in the Preferences dialog (accessible via the Edit/Preferences menu). However, if you are on Linux, *BSD or Mac and use the standard ssh client available via your PATH environment variable, you do not need to change the default value there.
The installer works differently depending on the target platform. In the case of Linux and BSD-based firewalls, it uses scp to copy the generated configuration files to the firewall machine and then uses ssh to log in and run the script. In the case of Cisco routers or ASA (PIX) appliances, it logs in, switches to enable mode and then configuration mode, and executes configuration commands one by one in a manner similar to expect scripts. It inspects the router's replies looking for errors and stops if it detects one. At the end, it issues the command write mem to save the new configuration to non-volatile memory, then logs out.
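The copy-then-activate sequence for Linux and BSD firewalls, as an added illustration that is not Firewall Builder's own installer code. It assumes a hypothetical SshClients record standing in for the ssh/scp paths from the Preferences dialog, a remote directory of /etc, and a pluggable runner so the same logic can be exercised without a real firewall. The point a practitioner should take from it is the ordering: the script is only executed after the copy step reports success, so a transfer failure never leaves the firewall running a partial script.

```python
import os
import posixpath
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SshClients:
    """Hypothetical stand-in for the ssh client paths set in Preferences."""
    ssh: str = "ssh"   # Linux/BSD/Mac OS X: standard clients found via PATH
    scp: str = "scp"


# On Windows the page says the installer uses PuTTY's plink/pscp instead.
WINDOWS_CLIENTS = SshClients(ssh="plink.exe", scp="pscp.exe")


@dataclass
class InstallResult:
    ok: bool
    issued: List[List[str]] = field(default_factory=list)  # argv of each command run
    failed_step: Optional[str] = None                      # "copy" or "activate"


def transfer_command(clients: SshClients, user: str, address: str,
                     local_script: str, remote_dir: str) -> List[str]:
    """argv that copies the generated script onto the firewall (scp step)."""
    return [clients.scp, local_script, f"{user}@{address}:{remote_dir}/"]


def activate_command(clients: SshClients, user: str, address: str,
                     remote_script: str) -> List[str]:
    """argv that logs in and runs the script (ssh step).

    The remote path is quoted for the remote shell so an unusual file name
    cannot be misparsed into extra commands on the firewall.
    """
    return [clients.ssh, f"{user}@{address}", f"sh {shlex.quote(remote_script)}"]


def _default_runner(argv: List[str]) -> int:
    # Real execution path: argv is passed as a list, so no local shell parsing.
    return subprocess.run(argv, check=False).returncode


def install_policy(clients: SshClients, user: str, address: str,
                   local_script: str, remote_dir: str = "/etc",
                   runner: Callable[[List[str]], int] = _default_runner) -> InstallResult:
    """Copy the script, then run it. Stops after a failed copy so that an
    incompletely transferred script is never activated."""
    result = InstallResult(ok=False)

    copy = transfer_command(clients, user, address, local_script, remote_dir)
    result.issued.append(copy)
    if runner(copy) != 0:
        result.failed_step = "copy"
        return result

    remote_script = posixpath.join(remote_dir, os.path.basename(local_script))
    run = activate_command(clients, user, address, remote_script)
    result.issued.append(run)
    if runner(run) != 0:
        result.failed_step = "activate"
        return result

    result.ok = True
    return result


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    r = install_policy(SshClients(), "root", "192.0.2.1", "out/fw.fw",
                       runner=lambda argv: (print(" ".join(argv)), 0)[1])
    print("ok" if r.ok else f"failed at {r.failed_step}")
```

The `runner` parameter is what makes the sequence testable: inject a callable that returns a non-zero exit status for the copy step and confirm that no ssh command is issued afterwards.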
The built-in policy installer has been designed to work with a dedicated firewall machine, in other words, when the computer where you run Firewall Builder and the actual firewall are different machines. Nevertheless, it can be used when they are the same machine as well. The only difference is that in all commands below you would use the name or address of the machine where you run Firewall Builder instead of the name or address of the dedicated firewall. The SSH client will then connect back to the same machine where it runs, and everything will work exactly the same as if it were a different computer.
The installer does not use the name of the firewall when it connects; it always uses the firewall's IP address. The installer starts by scanning the interfaces of the firewall object, looking for one that is marked as "Management interface" in the interface object dialog. The installer uses the address of this interface to connect. The Management interface checkbox looks like this:
If your firewall has multiple addresses and you want to use one that is not assigned to its interface in the fwbuilder object, you can override the address using the entry field in the "Installer" tab of the "Advanced" firewall object settings dialog, like this:
More about other input fields in this dialog below.
Finally, you can override the address on a one-time basis, just for a particular install session, using the entry field in the installer options dialog. This is the same dialog where you enter your password:
Note: This works for all supported firewall platforms, i.e. iptables on Linux, pf on OpenBSD and FreeBSD, ipfw on FreeBSD and Mac OS X, ipfilter on FreeBSD, Cisco IOS access lists and Cisco ASA (PIX). Regardless of the platform, the installer follows the rules described here to determine what address it should use to connect to the firewall.
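The address-selection rules described above, written out as an added example rather than Firewall Builder's own code. The Interface and Firewall classes are hypothetical stand-ins for the fwbuilder objects: the `management` flag plays the role of the "Management interface" checkbox and `installer_address` the role of the entry field in the "Installer" tab of the Advanced settings; the `session_address` argument is the one-time value from the installer options dialog. Precedence follows the page (session override, then object override, then the management interface). Because the page states that the installer always connects to an IP address, the example validates the chosen value with the ipaddress module and rejects hostnames; how strictly the real installer enforces this is an assumption here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Interface:
    """Hypothetical stand-in for an fwbuilder interface object."""
    name: str
    addresses: List[str] = field(default_factory=list)
    management: bool = False   # the "Management interface" checkbox


@dataclass
class Firewall:
    """Hypothetical stand-in for an fwbuilder firewall object."""
    name: str
    interfaces: List[Interface] = field(default_factory=list)
    installer_address: str = ""   # "Installer" tab of the Advanced settings dialog


def _as_ip(value: str, origin: str) -> str:
    """The installer connects by IP address, never by name (assumption:
    enforced here by rejecting anything that does not parse as an address)."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"{origin}: {value!r} is not an IP address") from None


def resolve_install_address(fw: Firewall, session_address: str = "") -> str:
    """Pick the address the installer connects to, in the page's order of precedence."""
    # 1. One-time override typed into the installer options dialog.
    if session_address.strip():
        return _as_ip(session_address, "installer options dialog")

    # 2. Per-object override from the Advanced / Installer tab.
    if fw.installer_address.strip():
        return _as_ip(fw.installer_address, f"{fw.name}: Installer tab")

    # 3. Address of the interface marked as the management interface.
    #    The example assumes a single marked interface and uses its first address.
    for iface in fw.interfaces:
        if iface.management:
            if not iface.addresses:
                raise ValueError(f"{fw.name}: management interface {iface.name} has no address")
            return _as_ip(iface.addresses[0], f"{fw.name}: interface {iface.name}")

    raise ValueError(f"{fw.name}: no interface is marked as management interface "
                     "and no address override is set")


if __name__ == "__main__":
    # Constructed sample object: eth0 is the external side, eth1 is management.
    fw = Firewall("edge-fw", [
        Interface("eth0", ["203.0.113.1"]),
        Interface("eth1", ["192.0.2.1"], management=True),
    ])
    print(resolve_install_address(fw))                      # 192.0.2.1
    fw.installer_address = "198.51.100.7"
    print(resolve_install_address(fw))                      # 198.51.100.7
    print(resolve_install_address(fw, "2001:db8::1"))       # 2001:db8::1
```

The failure branches matter as much as the happy path: a firewall object with no management interface and no override cannot be installed to at all, and the error should say so rather than silently falling back to some other interface.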
Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.