The object tree stores all objects in a predefined hierarchy. Types that correspond to network objects (hosts, address ranges, networks and groups of these) are located in the Objects branch, types that correspond to services are in the Services branch, time intervals are in the Time branch, and all firewalls are in the Firewalls branch. Newly created objects are automatically placed in the appropriate position in the tree. Each branch of the tree is automatically sorted by the object name.
The program has three default libraries: User, Standard, and Deleted Objects. (Deleted Objects must be turned on in .) User holds objects that you define, including objects for your firewall, hosts, and networks. Standard holds a collection of standard objects that come with the program, and Deleted Objects acts like a trash can or recycle bin for user objects you delete. In addition, you can create tailored libraries by selecting from the menu and populating them by copy-and-pasting objects from one of the other views (or creating them there from scratch). Section 6.4 has instructions for creating and distributing user-defined libraries.
Functionally, there is no difference between having an object in the Standard tree, the User tree, or a user-defined tree; it is just a convenient way to sort objects in the tree. You can think of each as a kind of "view". It only affects the representation of the data in the GUI; objects are all equal in all other senses, and you can use an object from any library in your policy. You need not (and cannot) insert objects into the Standard tree.
The object that is currently selected in the tree is highlighted in color and is shown in the dialog area on the right.
Firewall Builder understands and uses the object and service types described in the table below. See Chapter 6 and Section 6.2 for more detailed information.
Table 5-13. Object Types
| Object Type | Explanation |
|---|---|
| Library | Firewall Builder comes with the Standard, User, and Deleted Objects libraries. In addition, you can create your own. |
| Firewall | Represents a physical firewall device, its interfaces and addresses, and the policy rulesets associated with the device. Use Firewall Builder to model your actual device's firewall software, OS, interfaces and addresses. Then, use Firewall Builder to construct the policy rulesets to assign to the device. |
| Host | A computer on your network. Hosts can have interfaces associated with them. |
| Interface | A physical interface on a firewall or host. Interfaces can have IP and physical (MAC) addresses associated with them. An IP address can be created from the for the selected interface, but physical addresses can only be created by right-clicking on an interface object. |
| Network | An IPv4 subnet |
| Network IPv6 | An IPv6 subnet |
| Address | An IPv4 address |
| Address IPv6 | An IPv6 address |
| DNS Name | A DNS Name object represents a DNS "A" or "AAAA" record and can resolve it into an IP address at compile or run time. |
| Address Table | Objects of this type can be configured with the name of an external file that is expected to contain a list of IP addresses (a mix of IPv4 and IPv6 is supported). Addresses can be loaded during policy compile or during the execution of a generated firewall script. |
| Address Range | A range of IPv4 or IPv6 IP addresses. This range does not have to be a specific subnet, but it does have to be contiguous. |
| Object Group | A collection of addressable objects (objects that have or contain IP addresses) such as network, interface, and hosts objects. Useful for creating a less cluttered-looking firewall policy and for making sure you have the same objects in every related rule. |
| Custom Service | Can be used to inject arbitrary code into the generated firewall script. |
| IP Service | An IP service such as GRE, ESP, or VRRP. IP Service objects cover IP services that are not ICMP, ICMP6, TCP, or UDP services. |
| ICMP Service | An ICMP service such as a ping request or reply |
| ICMP6 Service | An ICMP6 service such as "ipv6 packet too big", "ipv6 ping request", or "ipv6 ping reply" |
| TCP Service | TCP services such as HTTP, SMTP, or FTP |
| UDP Service | A UDP service such as DNS or NTP |
| TagService | A service object that lets you examine the tag in an IP header. You can then construct your rule to take appropriate action on a match. |
| User Service | A User Service object matches the owner of the process on the firewall that sends the packet. It translates to the "owner" match in iptables and the "user" parameter for PF. |
| Service Group | A collection of services. For example, Firewall Builder comes with the Useful_ICMP service group that contains the "time exceeded", "time exceeded in transit", "ping reply", and "all ICMP unreachable" ICMP services. It also comes with a "DNS" service group that contains both the UDP and TCP versions of DNS. Useful for creating a less cluttered-looking firewall policy and for making sure you have the same objects in every related rule. |
| Time Interval | A time period such as "weekends" or a range of dates, or a range of times on certain days of the week. Can be used as part of rule matching in Access Policy rulesets to provide or deny access to something based on time. Note that these time intervals are relative to the time on the firewall device itself. |
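As an added example (not Firewall Builder's own code), the script below sorts the entries of an external address list, of the kind an Address Table object points to, into the address object types listed in the table, and expands a contiguous Address Range into the CIDR blocks a compiler would have to emit. The one-entry-per-line, '#'-comment file format and the sample data are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of an external address list (one entry per line,
# '#' starts a comment). This format is an assumption for the example.
SAMPLE_ADDRESS_TABLE = """\
# blocklist feed (constructed sample data)
192.0.2.10
198.51.100.0/24
2001:db8::1
2001:db8:abcd::/48
203.0.113.5-203.0.113.20
not-an-address
"""


def classify_entry(entry: str) -> str:
    """Map one entry to the object type it corresponds to, or 'invalid'."""
    try:
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
            # A range must stay in one address family and be contiguous (lo <= hi).
            if lo.version != hi.version or lo > hi:
                return "invalid"
            return "Address Range"
        if "/" in entry:
            # strict=True rejects host bits set in the prefix (e.g. 10.0.0.5/24)
            # instead of silently widening the entry to the whole subnet.
            net = ipaddress.ip_network(entry, strict=True)
            return "Network" if net.version == 4 else "Network IPv6"
        addr = ipaddress.ip_address(entry)
        return "Address" if addr.version == 4 else "Address IPv6"
    except ValueError:
        return "invalid"


def range_to_cidrs(entry: str) -> List[str]:
    """Expand a contiguous 'lo-hi' range into the minimal list of CIDR blocks."""
    lo_s, hi_s = entry.split("-", 1)
    lo = ipaddress.ip_address(lo_s.strip())
    hi = ipaddress.ip_address(hi_s.strip())
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def load_address_table(text: str) -> Dict[str, List[str]]:
    """Group the file's entries by object type; 'invalid' collects rejects."""
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            result.setdefault(classify_entry(line), []).append(line)
    return result
```

Anything landing under "invalid" is worth reviewing before the file is loaded at compile time or by the generated script, since a malformed line in such a feed otherwise goes unnoticed.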
Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.