Bugs Tracking System

Report a bug

Ask User

Send Email

Technical support
support@fwbuilder.org

Documentation

Download Users Guide in PDF format (100 pages, 12Mb)
Firewall Builder User's Guide
PrevNext

Chapter 6. Working With Objects

Firewall Builder supports a variety of object types, both simple and complex. Simple object types include Address, Network, Host, and IP, TCP, UDP and ICMP service objects. More complex object types are Firewall, Address Table, DNS Name, and User Service.

There are the following types of objects in Firewall Builder:

  • Addressable objects: Section 6.1 describes objects that have, either directly or indirectly, an address of some kind. This category includes the physical objects (firewalls, hosts, interfaces) as well as some logical objects (networks, address ranges, individual addresses). Addressable objects can be grouped together into Object groups.

  • Service objects: Section 6.2 describes objects that represent services. They include IP, TCP, UDP, and ICMP services, as well as user services. Service objects can be grouped together into Service groups.

  • Time Interval objects: Described in Section 6.3, these represent a discreet or recurring period of time. They can be used as part of a rule in the firewall. For example, you could have a rule that matches on weekends, but not during the week.

  • Rule set objects: Described in Section 6.1.2.3.4, these represent the various rule sets in a firewall. By default, a firewall starts with one access policy, one NAT, and one routing rule set, but you can add more of each. Rule set objects only exist as child objects of a firewall.

All objects in Firewall Builder have some characteristics in common.

All objects have a Name field and a Comment field. The Name field can contain white spaces and can be arbitrarily long (though shorter names work better in the GUI). The Comment field can contain any text of any length.

6.1. Addressable Objects

In this section we examine object types that represent addresses or groups of addresses.

6.1.1. Common Properties of Addressable Objects

Objects that contain IP address fields provide validity checking for the address when the object is saved. Invalid IP addresses produce an error.

6.1.2. The Firewall Object

A firewall object represents a real firewall device in your network. This firewall object will have interface and IP address objects that mirror the real interfaces and IP addresses of the actual device. In addition, the firewall object is where you create the access policy rule sets, NAT rule sets, and routing rule sets that you assign to your firewall device.

By default, a firewall has one Policy rule set, one NAT rule set, and one routing rule set. However, you can create more than one rule set of each type for a firewall. On the other hand, you don't have to populate all the rule sets. You can, for example, create a Policy ruleset and leave the NAT and Routing rule sets empty. Section 8.1 explains more about policies and rule sets.

To speed up the creation of a firewall object, Firewall Builder has a wizard that walks you through creating the object. The wizard has three options for creating a firewall object:

  • From a template: Firewall Builder comes with several pre-defined templates. You can use these to create a firewall that is close to your configuration, then modify it to fit your needs. This method is shown in Chapter 4.

  • Manually: You can provide interface IP address, subnet mask, gateway, and other parameters manually. You can add this information when you create the firewall, or you can add it later. Section 6.1.2.1 (below) describes this process.

  • Via SNMP: Firewall builder uses SNMP queries to learn about the network. Section 6.1.2.2 describes this process.

6.1.2.1. Creating a Firewall Object Manually

To start the firewall object creation wizard, right-click the Firewalls folder in the User tree and select New Firewall.

The first page of this wizard is displayed.

Figure 6-1. First Page of the Wizard

Give the firewall object a name. Usually, this name will be the same name as the device, but it doesn't have to be if you're assigning interfaces manually. (If you will use SNMP or DNS to populate the interfaces, then the name must be the same as the device name.) Then specify the firewall software and device OS.

Leave the Use pre-configured template firewall objects checkbox unchecked.

Click Next.

Figure 6-2. Choose Configure Interfaces Manually

Select Configure interfaces manually and click Next.

Figure 6-3. Adding Interfaces to the new Firewall Object

Use this screen to add firewall interfaces. Populate the following fields for an interface, then click Add to add the interface. Then, populate the fields again for the next interface. If you make a mistake, click on the interface in the list, make your changes, then click Update.

  • Interface type: Indicate the type of interface. Section 6.1.3 explains the interface types in more detail. Briefly, though, a Regular interface has a static IP addresses, a Dynamic address interface has a dynamic address provided by something like DHCP, an Unnumbered interface never has an IP address (a PPPoE connection, for example), and a Bridge port is an interface that is bridged in the firewall.

  • Name: The name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like "eth0", "eth1", "en0", "br0", and so on.

  • Label: On most OS's this field is not used and serves the purpose of a descriptive label. The label is mandatory for Cisco PIX though, where it must reflect the network topology. Firewall Builder GUI uses the label, if it is not blank, to label interfaces in the tree. One of the suggested uses for this field is to mark interfaces to reflect the network topology ('outside', 'inside') or interface purpose ('web frontend' or 'backup subnet').

  • Address: If the interface has a static IP address, specify it here. (In Firewall Builder version 3.X, this must be an IPv4 address. If you need it to be an IPv6 address, create the interface without an IP address, then add the IPv6 address after you have created the firewall object.)

  • Netmask: Use either a traditional netmask (255.255.255.0) or slash notation (24, without the actual slash) to specify the interface netmask.

  • MAC: If you like, you can also specify the interface physical address. The MAC address is not necessary, but it can be used to combat spoofing. If the feature is turned on and available, the firewall will only accept packets from the given IP address if the MAC address also matches the one specified. Section 6.1.6.1 has more information.

Once all the interfaces are configured, click Finish to create the new firewall object.

Note: You can always add, modify and delete interfaces later using controls provided in the main window.

6.1.2.2. Creating a Firewall Object using SNMP Discovery

If your firewall runs an SNMP daemon, you can save yourself some time by using SNMP discovery to automatically create interfaces of the new firewall object.

Figure 6-4. SNMP 'read' community string

Start by checking the Use SNMP to discover interfaces of the firewall checkbox on the second page of the wizard and enter your SNMP 'read' community. Then click Discover interfaces using SNMP.

Figure 6-5. Discovering interfaces via SNMP

Firewall Builder runs a series of SNMP queries to the firewall to read the list of interfaces and their addresses. Both IPv4 and IPv6 address can be imported. For IPv6 the firewall must support IP-MIB RFC4293. Once the discovery process finishes, click Next.

Figure 6-6. Discovering interfaces via SNMP

The next page of the wizard offers an opportunity to review the discovered interfaces and make adjustments if necessary. To change something, highlight an interface, edit its parameters in the dialog, then click Update. Finally, when the process is done click Finish. The program creates the new firewall object in the tree and adds all configured interfaces and their addresses.

6.1.2.3. Editing a Firewall Object

The Firewall Object represents the firewall machine and is the most complex object in Firewall Builder. It has three sets of controls that you can modify, not including the policy rule sets. All these controls become available when you double-click the firewall object in the tree.

Figure 6-7. Firewall Controls

6.1.2.3.1. Basic Firewall Controls

These controls let you specify the basic settings of the firewall, such as the name and firewall platform.

  • Name: Specify/change the name of the firewall object.

  • Platform: Specify/change the firewall software.

  • Version: Specify/change the version number of the firewall software. In most cases, you can leave this set to any. In general, setting the version to "any" means the compiler will only support options available in all supported versions of the software. If you need a feature that is only supported by a particular version, then specify that version.

  • Host OS: Specify/change the host operating system of the firewall device.

  • Inactive firewall: Check this box to make the firewall object inactive. The firewall name will change to a regular font (instead of bold) to indicate that it is inactive, and the firewall will not be available for compiling or installation. Essentially, this is a way to "comment out" the firewall object without deleting it.

  • Host OS Settings: Opens the Advanced Settings dialog for the indicated Host OS. Click Help in the dialog for assistance with dialog options. See Section 6.1.2.3.2 for a screen shot.

  • Firewall Settings: Opens the Advanced Settings dialog for the platform/firewall software. Click Help in the dialog for assistance with dialog options. See Section 6.1.2.3.3 for a screen shot..

6.1.2.3.2. Host OS Settings Dialog

For explanations of the various controls, click the Help button in the dialog.

Figure 6-8. Firewall Host OS Settings dialog (Linux)

6.1.2.3.3. Firewall Settings dialog

For explanations of the various controls, click the Help button in the dialog.

Figure 6-9. Firewall Settings dialog (iptables)

6.1.2.3.4. Editing Rule Set Objects

Firewalls can have one or more of the of the following types of rule sets: access policy, NAT, and Routing. A firewall has, by default, one access policy rule set, one NAT rule set, and one routing rule set. However, you can add additional rule sets if you like.

Rule sets are child objects of the a firewall object. They cannot stand alone.

As objects, rule sets have parameters. In Firewall Builder, rule sets have the following parameters:

  • Name: The name of the rule set. If you only have one of each type of rule set, you can leave this at its default.

  • Rule Set family: This pull-down menu lets you specify whether policy compiler should treat the rule set as an IPv4 rule set, an IPv6 rule set, or a combined rule set. If set to IPv4, then only IPv4 rules will be processed and IPv6 rules will be ignored. The opposite is true if you specify an IPv6 rule set. If you select This is combined IPv4 and IPv6 rule set, then the compiler will process both types of rules and place them into the appropriate places in the install script.

  • filter+mangle table or mangle table: These radio buttons let you specify whether the rules will apply to the iptables filter table and mangle table, or just the mangle table. (These radio buttons only appear for access policy rule sets, and only for iptables.) Under most circumstances, the compiler places each rule into the correct table (filter or mangle) automatically. However some combinations of service objects and actions are ambiguous and can be used in both filter and mangle tables. In cases like these, you can clarify things for the compiler by creating a separate Policy ruleset that will be translated only into the mangle table.

  • Top ruleset: One of your rule sets must be the "top" rule set. The top ruleset is the one used by the firewall. Other rule sets of that type are used only if you branch to them using branching logic in the top rule set. (If you don't use branching, then only the rule set tagged as "top" is used.)

  • Comment: A free-form comment field.

Figure 6-10. Rule set options

6.1.3. Interface Object

Figure 6-11. Interface Object

Interface objects belong to firewall or host objects. Interface objects cannot exist alone.

The dialog for the interface object that belongs to the firewall or host provides controls for the parameters described here. Controls that are only valid for the firewall, and not host objects, are marked as such.

Figure 6-12. Interface Object

  • Name: The name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like "eth0", "eth1", "en0", "br0", and so on.

  • Label: On most OS's this field is not used and serves the purpose of a descriptive label. Firewall Builder GUI uses a label, if it is not blank, to show interfaces in the tree. One of the suggested uses for this field is to mark interfaces to reflect the network topology ('outside', 'inside') or the purpose ('web frontend' or 'backup subnet'). The label is mandatory for Cisco PIX though, where it must reflect the network topology.

  • Management interface: When a firewall has several network interfaces, one of them can be marked as the "management interface". The management interface is used for all communication between Firewall Builder and the firewall. For example, the built-in policy installer uses the address of the management interface to connect to the firewall via SSH when it copies a generated script or configuration file. (firewall object only)

  • External interface (insecure): Marks an interface that connects to the Internet, or to an area that is outside the network protected by the firewall. (firewall object only)

  • Unprotected interface: Marks interface to which Firewall Builder should not assign any access lists or firewall rules. Unprotected interfaces are recognized by policy compilers for Cisco IOS access lists and PF. Compiler for IOS ACL just skips unprotected interfaces and does not assign any ACL. The compiler for PF generates a "set skip on" clause for unprotected interfaces. (firewall object only)

  • Regular Interface: Use this option if the interface has an IP address assigned to it manually (static IP address).

  • Address is assigned dynamically: Use this option if the interface has a dynamic address (obtained by means of DHCP or PPP or another protocol). In this case an address is unknown at the moment when Firewall Builder generates the Firewall policy. Some firewalls allow for using the interface name in the policy instead of its IP address; the firewall engine then picks an address either when the policy is activated or even at run-time. Some other firewalls support special syntax for rules that are supposed to match packets headed to or from the firewall machine. Examples of these two cases are OpenBSD PF and Netfilter. PF rules can be constructed using interface names; PF automatically uses the current interface address when it loads rules into the memory. Netfilter supports special "chains" called "INPUT" and "OUPUT" that are guaranteed to inspect only packets headed for the firewall machine ("INPUT") or originated on it ("OUTPUT"). Both methods allow Firewall Builder to build correct firewall policy rules that affect the interface with a dynamic IP address, however the interface must be marked as such for the policy compiler to use proper technique depending on the target firewall platform. In cases where the rule has to use actual IP address of the interface (example: anti-spoofing rules), compiler emulates this feature by adding shell script fragment to determine the address at the time when firewall script is executed and then uses the address in rules. Such emulation is only possible on platforms where firewall configuration is in the form of the shell script, most notably this is iptables script on Linux.

  • Unnumbered interface: Use this option if the interface can never have an IP address, such as the Ethernet interface used to run PPPoE communication on some ADSL connections or a tunnel endpoint interface. Although an unnumbered interface does not have an address, firewall policy rules or access lists can be associated with it.

  • Bridge port: This option is used for a port of a bridged firewall. The compilers skip bridge ports when they pick interfaces to attach policy and NAT rules to. For target firewall platforms that support bridging and require special configuration parameters to match bridged packets, compilers use this attribute to generate a proper configuration. For example, in case of iptables, the compiler uses -m physdev --physdev-in or -m physdev --physdev-out for bridge port interfaces. (firewall object only)

  • Security level: Depending on the firewall platform, the security level is either External/Internal or a numeric value between 0 and 100, with 0 being least secure and 100 being most secure. This field in the GUI dialog automatically shows controls appropriate to the current firewall. Not all firewall support the concept of a security zone. (firewall object only)

  • Network zone: Used only with Cisco PIX (ASA). The Network zone drop-down list shows all network objects and groups of addresses and networks present in the tree. Choose one of them to tell the compiler which networks and blocks of addresses can be reached through this interface. Usually the external interface (the one that connects your firewall to the Internet) has the Network Zone set to Any. It is also recommended that you create a group of objects to represent Network Zones for all other interfaces on the firewall. The compiler uses this information to decide which interface each ACL rule should be associated with based on the addresses used in the destination of the rule. (firewall object only)

6.1.3.1. More about Security Levels and Network Zones

Consider the network layout as in Figure 6-13.

Figure 6-13. Choosing Network Zones

Here the firewall has three interfaces: 'outside', 'dmz', and 'inside'. Behind the firewall there is a router which in turn is connected to three subnets: 'subnet A', 'subnet B', and 'subnet C'. Subnet A is shared between the router and the firewall (each device has an interface on this subnet). Let's suppose we have created Network objects for each subnet and called them 'subnet DMZ', 'subnet A', 'subnet B' and 'subnet C' (remember, spaces are allowed in object names). For this setup, network zones should be configured as follows:

InterfaceNetwork Zone
outsideANY
dmzsubnet DMZ
insidesubnet A, subnet B, subnet C

Since the network zone for the 'inside' interface consists of multiple objects, you must create a group so that you can use this group as a Network Zone object.

Table 6-1 explains the differences in the way firewall platforms interpret values in the Security Level and Network Zone parameters of the firewall interfaces.

Table 6-1. Platform-specific interface parameters

Firewall Platform

Security Level Values

Network Zone

iptables

two values: 'External' or 'Internal'

N/A

ipfilter

two values: 'External' or 'Internal'

N/A

pf

two values: 'External' or 'Internal'

N/A

Cisco PIX

numeric, 0 - 100

a reference to a group or network object

Note that the "external" interface option may be deprecated in the future versions of the program.

In PIX, access lists must always be attached to interfaces. The policy compiler for PIX uses information about the network zones of interfaces to decide which interface a rule should be associated with if its "Interface" column does not specify one (is left set to "All"). Instead of placing this rule in access lists attached to all interfaces, it compares addresses in the Source and Destination of the rule with network zones of interfaces and only uses interfaces that match. This helps generate a PIX configuration that is more compact.

6.1.3.2. Using Interface Object in Rules

Policy rules in Firewall Builder have a rule element called Interface. You can drag-and-drop, or copy/paste interface object into this column of a rule to make the firewall match not only the source and destination address and service, but also the interface of the firewall through which packets enter or exit. The direction of the packet is defined in column Direction. Consider the following example:

Figure 6-14. Rule using an Interface object

Rule #0 is "anti-spoofing" rule which relies on the ability to define interface and direction. It matches packets with source addresses equal to the addresses of the firewall's interfaces or internal network, but that are coming in from outside, which is determined by comparing the interface through which packets enter the firewall. Packets with "internal" addresses cannot normally come from outside, and if they do, they must be spoofed and should be dropped. This is what this rule does: it drops and logs these packets. Rule #1 permits connections originating from the internal network going out, but it makes sure these packets enter the firewall through its internal interface.

These two rules generate the following iptables script:


# 
# Rule 0 (eth0)
# 
$IPTABLES -N In_RULE_0
$IPTABLES -A FORWARD  -i eth0  -s 192.0.2.1  -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0  -s 172.16.22.1  -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0  -s 192.168.2.1  -j In_RULE_0 
$IPTABLES -A FORWARD  -i eth0  -s 172.16.22.0/24  -j In_RULE_0 
$IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0  -j DROP 
# 
# Rule 1 (eth1)
# 
$IPTABLES -A FORWARD  -i eth1  -s 172.16.22.0/24  -m state --state NEW  -j ACCEPT

Here all iptables commands have an "-i eth0" or "-i eth1" clause, which makes iptables compare the interface and direction.

Here is what we get if we compile the same rules for PF:


# Tables: (1)
table <tbl.r9999.d> { 192.0.2.1 , 172.16.22.1 , 192.168.2.1 } 

# 
# Rule  0 (eth0)
# 
block in   log  quick on en0 inet  from <tbl.r9999.d>  to any
block in   log  quick on en0 inet  from 172.16.22.0/24  to any
# 
# Rule  1 (eth1)
# 
pass in   quick on en1 inet  from 172.16.22.0/24  to any keep state
#

For PF, the compiler generated a "block in log quick on eth0" clause to make the rule match interface and direction.

In the case of Cisco IOS access lists, defining an interface in the rule makes the compiler place code generated for this rule into the ACL attached to the given interface. The compiler for IOS ACL always generates both inbound and outbound access lists for each interface, but if the rule specifies both interface and direction ("Inbound" or "Outbound"), the generated configuration goes only into the corresponding access list. Here is the output produced for the rules shown above for Cisco IOS ACL:


ip access-list extended inside_in
! Rule  1 (eth1)
! 
  permit ip 172.16.22.0 0.0.0.255 any  
exit

ip access-list extended outside_in
! Rule  0 (eth0)
! 
  deny   ip host 192.0.2.1 any  log 
  deny   ip host 192.168.2.1 any  log 
  deny   ip 172.16.22.0 0.0.0.255 any  log 
exit

interface FastEthernet1
  ip access-group inside_in in
exit
interface FastEthernet0
  ip access-group outside_in in
exit

So far, the examples in this section have demonstrated how to use Interface objects to associate policy rules with interfaces so as to match packets crossing certain interface. An interface object can be used in the "source" and "destination" of rules just like any other addressable object. In this case, Firewall Builder replaces the interface object with the set of its addresses, picking only those addresses that match the address family (IPv4 or IPv6 or both) assigned to the rule set.

For example, we start with a firewall configuration where interface eth1 has two IP addresses, one IPv4 and another is IPv6. Note that this could be a host object as well because interfaces can belong either to a Firewall or a Host object.

Figure 6-15. Interface object with both address families

Interface eth1 has IPv4 address 172.16.22.1 and IPv6 address fe80::21d:9ff:fe8b:8e94. It is used in a simple policy rule as follows:

Figure 6-16. Interface object in a rule

This policy rule set is configured as a mixed IPv4+IPv6 rule set. For iptables, the compiler generates the following code:


# ================ IPv4
# Rule 0 (global)
# 
$IPTABLES -A INPUT -p tcp -m tcp  -d 172.16.22.1  --dport 22  -m state \
 --state NEW  -j ACCEPT 

# ================ IPv6

# Rule 1 (global)
# 
$IP6TABLES -A INPUT -p tcp -m tcp  -d fe80::21d:9ff:fe8b:8e94  --dport 22 \
 -m state --state NEW  -j ACCEPT

For PF we get the following:


# Rule  0 (global)
# 
# 
pass in   quick inet proto tcp  from any  to 172.16.22.1 port 22 keep state
pass out  quick inet proto tcp  from any  to 172.16.22.1 port 22 keep state

# Rule  0 (global)
# 
# 
pass in   quick inet6 proto tcp  from any  to fe80::21d:9ff:fe8b:8e94 port 22 \
keep state
pass out  quick inet6 proto tcp  from any  to fe80::21d:9ff:fe8b:8e94 port 22 \
keep state

Since the interface has two addresses, one IPv4 and another IPv6, the compiler generates commands in both the IPv4 and IPv6 sections of the script, but it uses only the appropriate address in each. Other than that, the interface object behaves just like a set of addresses when used in the source or destination element of a rule. It can also be used in NAT rules. Here is an example:

Figure 6-17. IPv4 Address object assigned to an interface

This generates the following code for iptables:


# Rule 0 (NAT)
# 
$IPTABLES -t nat -A POSTROUTING -o eth0  -s 172.16.22.0/24 -j SNAT \
--to-source 192.0.2.1 
# 
# Rule 1 (NAT)
# 
$IPTABLES -t nat -A PREROUTING  -p tcp -m tcp   -d 192.0.2.1 --dport 80 \
-j DNAT --to-destination 172.16.22.100

And for PF:


# Rule  0 (NAT)
# 
nat on eth0 proto {tcp udp icmp} from 172.16.22.0/24 to any -> 192.0.2.1 
# 
# Rule  1 (NAT)
# 
rdr on eth0 proto tcp from any to 192.0.2.1 port 80 -> 172.16.22.100 port 80

6.1.3.3. Using Interface Object with Dynamic Address in Rules

The examples above demonstrated what happens when an interface with one or several IP addresses is used in policy and NAT rules. Let's look at the case when an interface has an address assigned dynamically. This means the address is unknown to the Firewall Builder policy compiler when it generates the configuration script. The compiler uses features of the target firewall to work around this. Here is the configuration of the interface object eth0. The radio-button Address is assigned dynamically is selected.

Figure 6-18. Interface with dynamic address

The following policy rule uses interface eth0 in destination:

Figure 6-19. Interface with dynamic address in a rule

Here is what we get for iptables:


getaddr eth0  i_eth0
getaddr6 eth0  i_eth0_v6

# ================ IPv4

# Rule 0 (global)
# 
test -n "$i_eth0" && $IPTABLES -A INPUT -p tcp -m tcp  -d $i_eth0  --dport 22 \
  -m state --state NEW  -j ACCEPT 

# ================ IPv6

# Rule 0 (global)
# 
test -n "$i_eth0_v6" && $IP6TABLES -A INPUT -p tcp -m tcp -d $i_eth0_v6  \
 --dport 22  -m state --state NEW  -j ACCEPT

Shell functions "getaddr" and "getaddr6" are defined earlier in the script. The generated script determines IPv4 and IPv6 addresses of interface eth0 at the time of execution and then uses the values in iptables commands. If the interface does not have an address, the corresponding variable gets an empty string for its value and the iptables command using it is skipped.

PF allows for using interface name in rules and gets its current IP address automatically. Here is what is generated for PF:


# Rule  0 (global)
# 
pass in   quick inet proto tcp  from any  to (en0) port 22 keep state
pass out  quick inet proto tcp  from any  to (en0) port 22 keep state

# Rule  0 (global)
# 
pass in   quick inet6 proto tcp  from any  to (en0) port 22 keep state 
pass out  quick inet6 proto tcp  from any  to (en0) port 22 keep state

We still get two separate parts for IPv4 and IPv6 because the rule set is configured as IPv4+IPv6 mix, but in both cases compiler just used the interface name because its actual IP address is dynamic and was unknown at the time the configuration was generated.

6.1.3.4. Using Interface Object in Rules of Bridging iptables Firewall

In case of the "normal" iptables firewall, Firewall Builder adds an "-i eth0" or "-o eth0" parameter to the generated iptables command to make it match interface and direction. If radio button "Bridge port" is turned on in the interface object, the compiler uses a different option to make iptables match packets crossing bridge ports. Here is the interface "eth1" which is configured as a bridge port:

Figure 6-20. Bridge interface

Consider the following rule in the policy of the firewall this interface belongs to:

Figure 6-21. Bridge interface in rule

This rule matches interface "eth1" and generates the following iptables command:


$IPTABLES -A FORWARD  -m physdev --physdev-in eth1  -s 172.16.22.0/24 \
 -d 172.16.22.255  -m state --state NEW  -j ACCEPT

Since the interface is now a bridge port, the compiler uses "-m physdev --physdev-in eth1" to match it.

6.1.4. IPv4 Address Object

The regular address object describes single a IPv4 address. It can be a child of an interface object, in which case it represents an IP address and netmask of the interface, or it can be used as a standalone object. In the latter case it does not have a netmask and is located in the Objects/Addresses branch of the objects tree.

6.1.4.1. IPv4 Address Object When Used as an Address of an Interface

In this case the object is a "child" or "leaf" under the an interface object, either on a Host or a Firewall object. To create this kind of an Address, right-click on the interface object to bring up the context menu.

Figure 6-22. IPv4 Address object assigned to an interface

Its dialog provides the following entry fields:

  • Name

    This is the name of the object. Use a descriptive name because when the address object is used in the firewall policy, it is labeled with this name. It may be hard to tell one address from another if their names are similar.

  • Address

    This is an IP address. The GUI widget provides syntax control for the values entered in the field. (This syntax control activates when you save the object.)

    Note: A typical error is to interpret this object as an address of the subnet to which the interface of the host or firewall belongs. This object represents an address of the interface, not a network address. (So, 192.168.1.1, not 192.168.1.0)

  • Netmask

    This is a netmask assigned to the interface. You can enter the netmask using the traditional method (255.255.255.0) or using network bit length notation ("24"). Bit length notation is converted to a traditional netmask by Firewall Builder.

  • DNS Lookup

    If the host object has the same name as the actual machine, then clicking this button generates a DNS query that populates the interface IP address and subnet. Only the parent host or firewall object's name is used for the DNS query; the name of the interface is ignored and can be anything.

  • Comment

    This is free-form text field for a comment.

Here we use our IPv4 address in a rule (remember, it belongs to the interface):

Figure 6-23. IPv4 Address object assigned to an interface and used in a rule

Firewall Builder's iptables compiler, for example, generates the following command from this rule:

$IPTABLES -A INPUT -p tcp -m tcp  -d 172.16.22.1  --dport 22  -m state \
	--state NEW  -j ACCEPT

Note how even though the Address object has a netmask, the generated command matches the address as a host address, not as a subnet. This is because the netmask is used only to describe the subnet for the interface, not to describe the subnet. When this address object is used in a rule, it is understood that the intention is to match the address of the interface it belongs to rather than any address on the subnet. Use the Network object if you need to match a whole subnet.

This iptables rule was placed in the INPUT chain because the object in the "Destination" was an address of an interface of the firewall. While processing the policy for the iptables target firewall platform, Firewall Builder compares addresses in the source and destination of a rule to the addresses of all interfaces of the firewall to find rules that control access to and from the firewall. Firewall Builder places these rules into INPUT or OUTPUT chains. This is only necessary for iptables.

6.1.4.2. IPv4 Address Object When Used as a Stand-alone Object

In this case the object is located in the Objects / Addresses part of the objects tree and does not have a netmask entry field. To create this kind of an Address, use the New Object menu to select New Address or use the right-click menu associated with the Addresses folder in the tree.

Figure 6-24. Stand-alone IPv4 Address object

Dialog fields Name, Address and Comment have the same purpose and properties as an Address object assigned to an Interface object.

The DNS Lookup button can be used to automatically populate the address field using a DNS query. The program runs DNS query for the "A" record with the name of the Address object. The object name does not have to match any DNS record if you never plan to use this feature. DNS query function is just a convenience, but to use it, the name of the object must match a DNS record.

6.1.5. IPv6 Address Object

The IPv6 address object is similar to the IPv4 address object. Like IPv4 address objects, it can be used both as a child of an interface object or as a stand-alone object.

6.1.5.1. IPv6 Address Object When Used as an Address of an Interface

Figure 6-25. IPv6 Address Object assigned to an Interface object

If it is used to describe an IPv6 address of an interface, it has a netmask represented as bit length. Unlike with IPv4 address object, an IPv6 netmask is never represented as a colon-separated string of octets.

6.1.5.2. IPv6 Address Object When Used as Stand-alone Object

Figure 6-26. Stand-alone IPv6 Address Object

In this case this object is located in the Objects / Addresses part of the objects tree (the same place where stand-alone IPv4 addresses are located) and does not have a netmask entry field. To create this kind of an Address, use the New Object menu item New Address IPv6 or the right-click menu associated with the Addresses folder in the tree.

Policy compilers treat IPv6 addresses in policy rules according to the same algorithms as those for IPv4 rules. For example, just like with IPv4, the compiler for iptables checks if an address matches an address of any interface of the firewall to determine if the rule should be placed in the INPUT or OUTPUT chain.

Consider the rule shown in the screenshot below where we use two IPv6 address objects. One object belongs to the interface inside of the firewall while another is the IPv6 address of the project's web site.

Figure 6-27. IPv6 Address objects in a rule

For iptables, Firewall Builder generates the following commands from this rule:


$IP6TABLES -A INPUT -p tcp -m tcp  -d fe80::21d:9ff:fe8b:8e94  --dport 80  \
-m state --state NEW  -j ACCEPT 
$IP6TABLES -A FORWARD -p tcp -m tcp  -d 2001:470:1f0e:162::2  --dport 80  \
-m state --state NEW  -j ACCEPT

The rule that matches the address described by object guardian-2:eth1:ipv6 went to the INPUT chain because compiler detected that this rule matches packets that are headed for the firewall itself, which iptables inspects in the INPUT chain. The rule that matches the address described by the object ipv6.fwbuilder.org went to the FORWARD chain because these packets go through the firewall.

6.1.6. Physical Address Object

Figure 6-28. The Physical Address Object

The Physical Address object describes the hardware, or media, address of an interface. Currently only Ethernet MAC addresses are supported, but support for other kinds of physical addresses may be added in the future.

The Physical Address object can only be a child of an interface; it cannot exist as a stand-alone object. To create this kind of address object, right-click on an Interface object in the tree, then select Add MAC Address. Only one Physical Address object is allowed per interface; the program enforces this restriction. If you create a Firewall or Host object using SNMP discovery, all interfaces will be automatically populated with their MAC addresses.

  • Name

    This is the name of the object. The field is populated automatically with a host:interface:addressType descriptive name when the object is created, but you can change it immediately or later. If you change the name, use something descriptive because when the address object is used in the firewall policy, it is labeled with this name. It may be hard to tell one address from another if their names are similar.

  • Address

    This is a string representation of the physical or media address. For many types of media, this will be in a binary representation. For example, an Ethernet address would be represented as a string of 6 octets.

  • Comment

    This is free-form text field for a comment.

6.1.6.1. Using The Physical Address Object in Policy Rules

Only a few firewall platforms really support physical address filtering. Currently, Netfilter/iptables is the only firewall platform supported by Firewall Builder that can do physical address filtering.

As described in Section 6.1.7.4, if an Interface object that has multiple child address objects is used in a rule element (either Source or Destination), then the policy compiler tries to generate a rule using all of them. Section 6.1.7.4 explains that the compiler actually does this by generating multiple rules using each address in turn. This roughly corresponds to using the logical operation "OR" on the IP addresses: if our interface has two addresses, Address1 and Address2, then the generated rule would match if the address in the packet is either Address1 OR Address2. The case of a Physical Address is different though. If the Interface has a physical address, then the compiler builds a rule that has to match an IP address and the MAC address. The reason is to combat IP spoofing.

Suppose we have a very important host on the network. We create a Host object, then add an interface to it. The interface should have both Address and Physical Address objects as shown in Figure 6-29. The two child objects are visible in the tree under the Interface "eth0".

Figure 6-29. The Host object with Address and Physical Address

Note: Note how MAC matching is checked in the Host object dialog. This makes the compiler use the MAC addresses of the interfaces of this host.

Because this is a very important host, we would like to be sure that packets whose source IP is that of this host are really coming from it and are not spoofed. The best way to achieve this goal is to use strong authentication, for example with IPSEC protocol. Using IPSEC is outside the scope of this document though; our goal right now is to show that inspecting the MAC address of the packet can improve security.

Both a real packet originated from this host and a spoofed packet have a source IP address of the interface of this host, but the source MAC address is going to be different if spoofing is going on. We can use this to catch and drop spoofed packets. Here are three possible ways to build security policy in this situation:

  • Using only Address object in the rule element. This means the firewall inspects only IP address and ignores the MAC address of the packets.

    Figure 6-30. Policy rule using only Address object

    Firewall Builder generates the following simple iptables command for this rule:

    
$IPTABLES -A FORWARD  -s 10.3.14.44  -m state --state NEW  -j ACCEPT

  • Using only Physical Address object. A rule built this way permits all kinds of traffic coming from the trusted host even if its IP address changes.

    Figure 6-31. Policy rule using only Physical Address object

    For this rule, the following iptables command is generated:

    
$IPTABLES -A FORWARD  -m mac --mac-source 00:1D:09:8B:8E:94 -m state --state NEW \
-j ACCEPT

  • Using Host or Interface object. This way we end up with a rule that matches on a combination of the IP address and MAC address. This may be used as a sophisticated anti-spoofing rule.

    Figure 6-32. Policy rule using Host object

    Figure 6-33. Policy rule using Interface object

    For this rule, the following iptables command is generated:

    
$IPTABLES -A FORWARD  -m mac --mac-source 00:1D:09:8B:8E:94 -s 10.3.14.44  -m state \
--state NEW  -j ACCEPT

Using Address and Physical Address objects in a rule is not the same as using the Host or Interface object to which these Address and Physical Address belong. Here is what happens if we put objects representing IP address and MAC address in the rule:

Figure 6-34. Policy rule using Address and Physical Address objects

For this rule, the following iptables commands are generated:


$IPTABLES -A FORWARD  -s 10.3.14.44  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -m mac --mac-source 00:1D:09:8B:8E:94 -m state --state NEW \
-j ACCEPT

As described in Section 6.1.7.4, using an multiple objects in the rule element is like bundling them together using logical operation OR. If we were to put Address and Physical Address in the rule like in Figure 6-34, we would end up with a policy matching packets that have the source address 10.3.14.44 or MAC address 00:1D:09:8B:8E:94, but not necessarily both at the same time. Any host that manages to pretend to have the IP address 10.3.14.44 would be able to send packets through our firewall even if its MAC address is different. To achieve our goal and make sure packets with the source 10.3.14.44 really belong to our important host, we should be checking its IP address and MAC address at the same time and let a packet through only if its IP address AND MAC address are what we expect them to be. That is why Firewall Builder treats physical addresses differently and generates firewall code that inspects both IP address and physical address.

Firewall Builder generates firewall code to inspect MAC address only for Host objects with the option MAC address filtering turned on. If this option is off, the Physical Address object will be ignored even if it is present in the Host object's Interface. This is because Host objects created using the Network Discovery Druid ( Chapter 7 ) are often populated with both IP address and MAC address information (available through SNMP query), but inspection of MAC addresses is rarely needed. Use the MAC address filtering option in the Host object to specify that you want the MAC address to be verified for the host.

Note: The target firewall imposes certain restrictions on rules matching the MAC address. For example, only source MAC addresses can be matched. Firewall Builder is aware of these restrictions, and the policy compiler will issue an error if a Physical Address object is used in a rule that would lead to an impossible iptables command.

6.1.7. Host Object

The Host object in Firewall Builder is designed to represent real hosts in the network: workstations, servers, and any other network node with an address. Just like real hosts, Host objects have interfaces that represent different physical connections to the network.

Most hosts have just a single (visible) interface with a single IP address. In that case the actual interface and its name do not matter. For most foreign hosts, Firewall Builder assigns an arbitrary name, like "interface1", to the host's interface. However, by using the tree-like hierarchy of hosts -> interfaces -> addresses, it is possible to specify the exact address and/or interface of a host in cases where it does matter.

As in the Firewall object, interfaces and addresses are represented by objects that are organized in a tree. An interface can have multiple addresses. An example of a host with one interface and multiple addresses is shown in Figure 6-35. Host "test server" is located on the LAN and has three virtual IP addresses that all belong to the same interface, "eth0".

Note that in Firewall Builder, the host object is an abstraction. It does not have to conform to an individual host. This host object may in fact represent a web farm that accepts connections on three IP addresses, each on a different computer.

Figure 6-35. A Host Object With One Interface And Multiple Virtual Addresses

Note: The host object cannot have any access, NAT or routing policy associated with it; only firewall objects can have policies.

6.1.7.1. Creating a Host Object

To speed up the process and make it simpler, creating a new host object is aided by a wizard that is similar to the one for creating a new Firewall Objects.

To launch the wizard, select New Host from the New Object menu or right-click on Hosts and select it from there.

Section 6.1.2 shows how to use the Firewall object wizard. The Host object wizard is the same, with the following exceptions:

  • All methods

    You do not specify the operating system or platform for host objects.

  • From template

    The Host object templates are different than those for Firewall objects. Browse through the list in Firewall Builder to see what's available.

  • Manually

    This method works the same as for the Firewall object, though the Add Interfaces page is slightly different. You cannot tag an interface as a "bridge port" interface. You can, however, indicate it is unnumbered or dynamic by selecting the appropriate checkbox. If neither checkbox is selected, then the interface is assumed to have a static IP address. As with the Firewall object wizard, you can only add IPv4 addresses in this way. If you need to use IPv6 addresses, create the host object without IP addresses and add them later.

  • Via SNMP

    This method works the same as for a Firewall object. The Host object must have the same name as the actual device and the host must respond to SNMP.

Note: You can always add, modify and remove interfaces of the new host object later using controls provided in the main window and object tree view.

6.1.7.2. Editing a Host Object

Figure 6-36. Editing The Host Object

The Host object dialog allows you to edit the following parameters:

  • Name:

    The Host object name.

  • MAC matching:

    If this option is activated, the policy compiler uses the MAC addresses of all interfaces of this host in the firewall rules. Not all firewall platforms support MAC address filtering, so this option may have no effect on the generated firewall script. This is treated as a non-critical situation, and the policy compiler will only generate a warning while processing a firewall policy where such a host is used. You cannot enter the physical (MAC) address in this dialog, however. See Section 6.1.6.1.

  • Comment:

    This is a free-form text field which can be used to add comments.

6.1.7.3. Using a Host Object in Rules

When a Host object is used in a rule, it acts as a group of all of the addresses that belong to all of its interfaces. The only exception is the loopback interface; the compiler skips that address when replacing the Host object with its addresses.

Consider the following Host object. It has interface eth0 with two IP addresses and a MAC address, interface he-ipv6 with an IPv6 address and a MAC address, interface lo (loopback) with its own IP address and interface sit0 (tunnel) with no address.

Figure 6-37. Host with multiple interfaces, some with multiple addresses

Let's put this host object in a rule as follows:

Figure 6-38. Host in a rule

The rule set is configured as "IPv4 only", so even though interface he-ipv6 has IPv6 address, Firewall Builder will ignore it while generating iptables commands for this rule. Interface eth0 has two IPv4 addresses and both will be used. Here are iptables commands generated for this rule:


$IPTABLES -A FORWARD -p tcp -m tcp  --dport 22  -m state --state NEW \
-j Cid6066X5981.1 
$IPTABLES -A Cid6066X5981.1  -d 10.3.14.44  -j ACCEPT 
$IPTABLES -A Cid6066X5981.1  -d 10.3.14.55  -j ACCEPT 
$IPTABLES -A Cid6066X5981.1  -d  -j ACCEPT

Let's see what we get for the same rule if we configure rule set object as "IPv4+IPv6":

Figure 6-39. Host in a rule with both IPv4 and IPv6

Since the rule is now configured to compile for both address families, Firewall Builder processes it twice, once for each address family. Here is what we get (these are relevant fragments of the generated script):


# ================ IPv4

$IPTABLES -A FORWARD -p tcp -m tcp  --dport 22  -m state --state NEW  \
-j Cid6066X5981.1 
$IPTABLES -A Cid6066X5981.1  -d 10.3.14.44  -j ACCEPT 
$IPTABLES -A Cid6066X5981.1  -d 10.3.14.55  -j ACCEPT 
$IPTABLES -A Cid6066X5981.1  -d  -j ACCEPT 

# ================ IPv6

$IP6TABLES -A FORWARD -p tcp -m tcp  --dport 22  -m state --state NEW  \
-j Cid6066X5981.1 
$IP6TABLES -A Cid6066X5981.1  -d fe80::a3:e2c  -j ACCEPT

6.1.7.4. Using Objects With Multiple Addresses in the Policy and NAT rules

Host and Firewall objects have child Interface objects, which in turn have child Address and Physical Address objects. In fact, an interface object can have more than one associated address object. Let's see how this works:

Figure 6-40. Host object with an interface that has multiple addresses

Figure 6-41. Using objects with multiple addresses in policy rules

Consider example Figure 6-40, Figure 6-41. Here interface eth0 of "test server" has three IP addresses (named "test server:eth0:0" through "test server:eth0:2") and interface eth0 of "dmz host" has only one IP address: "dmz host:eth0". Policy rule #9 says that "dmz host" can talk to "test server" using any protocol. Since "test server" has three different addresses, we need to generate policy a rule that will match any of them. (Obviously we cannot match all three at once, so the compiler uses a logical "OR", not a logical "AND" here.) Basically, rule #9 is equivalent to three separate rules, each of them using one address of "test server" in turn. These three rules are represented in Figure 6-42 (original rule #9 also shown there, but it is disabled.)

Figure 6-42. Equivalent rules

Firewall Builder takes care of this situation automatically and generates the firewall policy described in Figure 6-41 as if a user had built a policy in the GUI using the three rules as shown in Figure 6-42.

In fact, the algorithm used is even more general. In the example Figure 6-41, host "test server" has a single interface with multiple addresses that the compiler used to generate the target firewall code. The policy compiler works in a similar way even if the host or firewall object used in the rule has multiple interfaces and each interface, in turn, has multiple addresses. If a host (or firewall) object is used in the rule, then the compiler scans all its interfaces, finds all corresponding addresses, and uses them to generate the firewall configuration. If an interface object is used in the rule, then the compiler uses all its addresses. And finally, if an Address or Physical Address object is used in the rule, then the compiler uses only this parameter to generate the firewall configuration. In other words, the compiler always traverses the tree, starting from the object found in the policy rule, and uses the parameters of all Address and Physical Address objects it finds. Since Address and Physical Address objects are the leaf nodes in the tree and have no other objects beneath them, the compiler uses the parameters of these objects to generate the target code.

Note: There is an exception to this algorithm, see Section 6.1.6.1

6.1.8. IPv4 Network Object

Figure 6-43. The Network Object

The network object describes an IP network or subnet. Use main menu Net Object / New Network item to create objects of this type. The dialog of the Network object provides the following entry fields:

  • Name:

    Network object name

  • Address:

    The IPv4 address of the network.

  • Netmask:

    The Netmask, in combination with an Address, defines the subnet. You can enter either string octet representation of the mask or its bit length here, however the program always converts it to the octet representation. Netmask in the network object is always entered in the "natural" way, such as "255.255.255.0", even if the object is going to be used to build Cisco IOS access lists which require reversed "bit mask" presentation instead (e.g "0.0.0.255" for the netmask above). Firewall Builder policy compiler takes care of the conversion automatically.

  • Comment:

    This is a free-form text field used for comments

Let's use the Network object shown above in a policy rule compiled for different target platforms.

Figure 6-44. IPv4 Network object used in a rule

Here is what we get for iptables:


$IPTABLES -A FORWARD -p tcp -m tcp  -s 172.16.22.0/24  --dport 80  -m state \
--state NEW  -j ACCEPT

Here is the output produced for PF:


pass in   quick inet proto tcp  from 172.16.22.0/24  to any port 80 keep state
pass out  quick inet proto tcp  from 172.16.22.0/24  to any port 80 keep state

Here is how the output looks like when the rule is compiled into Cisco IOS access-lists (this is one of the generated access lists):


ip access-list extended outside_out
  permit tcp 172.16.22.0 0.0.0.255 any  eq 80 
exit

Here is what we get when the rule is compiled into Cisco ASA (PIX) configuration. Note how the compiler uses netmask 255.255.255.0 for PIX, while for IOS it was converted to 0.0.0.255. Also, interface "inside" was configured with network zone 172.16.0.0/12, which matched network object used in the source element of the rule. Because of that, the compiler put the rule only into the access list attached to interface "inside".


access-list inside_acl_in permit tcp 172.16.22.0 255.255.255.0 any eq 80 
access-group inside_acl_in in interface inside

6.1.9. IPv6 Network Object

Figure 6-45. IPv6 Network Object

The network object describes an IPv6 network or subnet. This object is very similar to the IPv4 Network object, except you can only enter netmask as a bit length. Use main menu "Net Object / New Network IPv6" item to create objects of this type.

Let's see what we get if we use an IPv6 Network object in a policy rule as shown:

Figure 6-46. IPv6 Network object used in a rule

Here is the command generated for iptables:


$IP6TABLES -A FORWARD -p tcp -m tcp  -s 2001:470:1f0e:162::/64  --dport 80  \
-m state --state NEW  -j ACCEPT

Here is what we get for PF:


pass in   quick inet6 proto tcp  from 2001:470:1f0e:162::/64  to any port 80 keep state
pass out  quick inet6 proto tcp  from 2001:470:1f0e:162::/64  to any port 80 keep state

Here is the output for Cisco IOS access lists (only one ACL is shown):


ipv6 access-list ipv6_outside_out
  permit tcp 2001:470:1f0e:162::/64 any  eq 80 
exit

interface eth0
  ipv6 traffic-filter ipv6_outside_out out
exit

There is no IPv6 support for Cisco ASA (PIX) in Firewall Builder at this time.

6.1.10. Address Range Object

Figure 6-47. The Address Range Object

The Address Range object describes a continuous range of IPv4 addresses. (Arbitrary address ranges are unsupported for IPv6.) To create new Address Range object, use main menu New Object / New Address Range. Its dialog provides the following entry fields:

  • Name:

    The name of the Address Range object

  • Range start:

    The address of the start of the range

  • Range end:

    The address of the end of the range

  • Comment:

    A free-form text field used for comments

The Address range is inclusive, that is, both the start and the end addresses are included in the range.

When Address Range object is used in a rule, Firewall Builder replaces it with a list of addresses equivalent to the specified range. The program tries to generate the most economical representation of the range using a combination of subnets of different lengths. Consider the Address Range object shown above. This Address Range object represents IP addresses between 192.168.1.100 and 192.168.1.160 (inclusively). It would be wasteful to generate 61 iptables commands to represent this range. Instead, the compiler uses a combination of several subnets of different lengths and ends up with the following:


$IPTABLES -A FORWARD  -s 192.168.1.100/30  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.104/29  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.112/28  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.128/27  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.160  -m state --state NEW  -j ACCEPT

Here is how the generated configuration looks for PF (this is essentially the same, except it uses tables for brevity):


table <tbl.r0.s> { 192.168.1.100/30 , 192.168.1.104/29 , 192.168.1.112/28 , \
192.168.1.128/27 , 192.168.1.160 } 

pass in   quick inet  from <tbl.r0.s>  to any keep state

Just for completeness, let's look at the configuration generated for the same rule for Cisco IOS access lists. This is really just a fragment of the generate router access list configuration because generated ACLs are attached to interfaces and, since the rule in the example was not associated with any interfaces, it got attached to all of them. Here we show only one generated ACL:


ip access-list extended inside_in
! 
! Rule  0 (global)
! 
! 
  permit ip 192.168.1.100 0.0.0.3 any  
  permit ip 192.168.1.104 0.0.0.7 any  
  permit ip 192.168.1.112 0.0.0.15 any  
  permit ip 192.168.1.128 0.0.0.31 any  
  permit ip host 192.168.1.160 any  
exit

6.1.11. Address Tables Object

Sometimes you need to apply a rule to a set of addresses, but you don't know what those addresses will be when you're writing the policy. The Address Table object can help.

Figure 6-48. The Address Table Object

The Address Table object has the following fields:

  • Name:

    The name of the Address Table object

  • Compile Time / Run Time:

    Indicate whether you want the file to be loaded with the firewall compiler runs (Compile Time) or when the firewall runs the firewall script (Run Time).

  • File name:

    The name of the text file you want to load. (The file contains IP addresses or IP address ranges.) The filename can have any extension. If you want the file to load at run time, you must specify the path and name where the file will be on the firewall machine, not the client machine.

  • Browse button:

    Used to populate the file name and path if the file is on the local machine.

  • Preview button:

    Once the File name field is populated, use this button to view the file.

  • Comment:

    A free-form text field used for comments

The Compile Time and Run Time radio buttons define when the addresses will be read from the file: when the firewall script is generated by Firewall Builder or when the firewall runs the script. If object is configured as Compile Time, the Firewall Builder policy compiler opens the file during compilation and replaces the Address Table object in policy rules with the set of addresses from the file. This means the file with addresses must be accessible on the machine where the Firewall Builder GUI and policy compilers run. If the object is configured as Run Time, policy compiler does not try to find and open the file but instead generates a firewall script that will do this when it is activated. This means the file with addresses must be located where it is accessible by the firewall, and the object must be configured with the full path to it on the firewall.

Here is an example of the file contents (this is what you see if you click "Preview" button in the object dialog):

Figure 6-49. Address Table text file

Note that comments in the file can start with '#' or ';', that a comment can follow an address on the same line or take the whole line and that lines can start with white space for formatting. This example file contains both IPv4 and IPv6 addresses for illustration purposes.

Compile-time Address Table objects are supported on all target firewall platforms because addresses are read by the compiler. The compiler then generates normal configuration lines or script commands. Run time Address Table objects require special support from the target firewall and therefore supported only on some of them. Currently Run Time Address Table objects can be used in rules for iptables and PF firewalls.

Let's look at the firewall script generated by Firewall Builder for the iptables and PF when the Address Table object used in the policy rule is configured first as "Compile Time" and then as "Run Time". The rule is very simple and looks like (Figure 6-50):

Figure 6-50. Rule using an Address Object

This rule, with the object set to Compile Time, generates the following output:

Figure 6-51. Compile Time, iptables compile output


# Rule 0 (global)
# 
$IPTABLES -A INPUT  -d 192.168.1.1  -j DROP 
$IPTABLES -A FORWARD  -d 192.168.1.2  -j DROP 
$IPTABLES -A FORWARD  -d 192.168.1.3/30  -j DROP 
$IPTABLES -A FORWARD  -d 192.168.2.128/25  -j DROP 
$IPTABLES -A FORWARD  -d 192.168.1.200  -j DROP 
$IPTABLES -A FORWARD  -d 192.168.1.201  -j DROP

The compiler replaced object address_table_1 in the Destination with addresses it took from the file. Option assume firewall is part of any was turned off in the firewall object settings, which is why compiler did not generate rules in the OUTPUT chain. However one of the addresses in the file matched the address of one of the interfaces of the firewall (192.168.1.1) and the corresponding rule went into the INPUT chain. Other addresses were copied from the file verbatim, including netmask specifications. The Policy object of this firewall was configured as "IPv4 rule set", because of this the compiler dropped the IPv6 addresses it found in the file. If the rule set was configured as a mix of IPv4 and IPv6, compiler would use IPv4 addresses in IPv4 rules and IPv6 addresses in IPv6 rules.

Figure 6-52. Compile Time, PF compile output


# Tables: (1)
table  { 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.2.128/25 , \
192.168.1.200 , 192.168.1.201 }

# Rule  0 (global)
# 
block in   quick inet  from any  to <tbl.r0.d>
block out  quick inet  from any  to <tbl.r0.d>

The output for PF is simple because Firewall Builder can use the built-in table facility. All addresses are copied from the file verbatim into the table tbl.r0.d.

Figure 6-53. Run Time, iptables compile output


# Using 1 address table files
check_file "address_table_1" "/home/vadim/addr-table-1.tbl"

# Rule 0 (global)
# 
grep -Ev '^#|^;|^\s*$' /home/vadim/addr-table-1.tbl | while read L ; do
  set $L; at_address_table_1=$1; $IPTABLES -A FORWARD  -d $at_address_table_1  -j DROP 
done

First, the generated script checks if the file specified in the Address Table object exists on the firewall machine. If the file is not found, the script aborts execution to avoid loading incomplete iptables rules. However, the script cannot verify that the file is the one you intended it to be, it just assumes that if the file with this name exists it is the right one and tries to interpret it as a list of IP addresses, with one address per line. Then the script reads the file line by line, skipping comments, and assigns IP addresses to the shell variable at_address_table_1, which it then uses in the iptables command.

Since the compiler did not see the addresses from the file, it could not detect that one of them matched an address of the firewall and all iptables commands went to the FORWARD chain. The file /home/vadim/addr-table-1.tbl should be located on the firewall where the generated iptables script will be executed so the script can find it.

Here is what you get if the option "Assume firewall is part of any" is turned on in the firewall object settings:

Figure 6-54. Run Time, iptables compile output, assume firewall is part of "any"


# Rule 0 (global)
# 
grep -Ev '^#|^;|^\s*$' /home/vadim/addr-table-1.tbl | while read L ; do
  set $L; at_address_table_1=$1; $IPTABLES -A OUTPUT  -d $at_address_table_1  -j DROP 
done
grep -Ev '^#|^;|^\s*$' /home/vadim/addr-table-1.tbl | while read L ; do
  set $L; at_address_table_1=$1; $IPTABLES -A FORWARD  -d $at_address_table_1  -j DROP 
done

The difference is that compiler generated two sets of commands, one in chain OUTPUT and another in chain FORWARD. The original rule has "any" in source, and if option Assume firewall is part of any is turned on, the compiler assumes the source of the rule can have either an unknown address or the firewall. The former makes it generate iptables command in the FORWARD chain and the latter makes it generate iptables command in the OUTPUT chain. This logic is not specific to the Address Table object type; the compiler does this regardless of the type of the object used in destination if source is "any" and option Assume firewall is part of any is turned on.

Figure 6-55. Run Time, PF compile output


# Tables: (1)
table  persist file "/home/vadim/addr-table-1.tbl"
# Rule  0 (global)
# 
# 
block in   quick inet  from any  to <address_table_1>
block out  quick inet  from any  to <address_table_1>

PF is even easier in the case of run time address tables. Compiler just uses table facility with persist and file options to direct pfctl to open the file and read its contents. In this case the file should follow formatting requirements of PF.

Policy compiler for PF treats Address Table objects with empty file name specially. It just generates the line "table <table_name>" at the beginning of the .conf file with no file specification. This table will not be populated when .conf file is loaded and therefore will remain empty, but it can be used in the rules.

Addresses can be added to the table later using external scripts that call pfctl like this:


pfctl -t bad_hosts -T add 192.0.2.1

Another interesting possibility is to automatically populate the table if option "overload" is used in combination with other rate limiting options on a rule. Taking an example from the man page for pf.conf, here is how it looks:


block quick from <bad_hosts>
pass in on $ext_if proto tcp to $webserver port www keep state \
                   (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

The idea behind these rules is that if some host tries to connect to the web server too often—more often than is allowed by max-src-conn-rate 100/10—its address will be added to the table <bad_hosts> by PF. The next time this host tries to connect, the packet coming from it will be denied by the blocking rule right away.

To implement these rules in Firewall Builder, you would create an Address Table object with name "bad_hosts" but a blank file name, configured to resolve at run time:

Figure 6-56. Address Table Object bad_hosts

Then, use this Address Table object in the source field of a policy rule with action "Deny". This is rule #0 in the screenshot below. Another rule, rule #1 in the screenshot, has action "Accept" and matches destination against address of the web server, protocol http, and has limiting options set up to restrict the number of connections and to turn overload table on, with the name of the overload table "bad_hosts" that matches the name of the Address Table object.

Figure 6-57. Address Table Object bad_hosts Rules

These two rules, as shown on the screen shots, yield the following PF configuration that matches the one given in the man page:


# Tables: (1)
table <bad_hosts> persist

# Rule  0 (global)
# 
block in   log  quick inet  from <bad_hosts>  to any 
# 
# Rule  1 (global)
# 
pass in   quick inet proto tcp  from any  to 192.168.1.1 port 80 \
   keep state  (  max-src-conn-rate 100/10, overload <bad_hosts< flush global )

6.1.12. Special case addresses

Policy compilers treat some addresses in policy rules in special ways, depending on the requirements of the target firewall platform. For example, the compiler for iptables checks if the address found in "Destination" or "Source" of a rule matches the address of any interface of the firewall to determine if the rule should be placed in INPUT or OUTPUT chain. The compiler for PIX uses the command ssh <address> <netmask>> inside when it detects such an address in the destination of a rule where the service is TCP Service object "SSH". There are other special cases as well.

6.1.12.1. Broadcast and Multicast Addresses, iptables Firewall

One important special case is broadcast and multicast addresses. It is important to place rules in the correct chain in generated iptables script because even though these addresses are not equal to those of the firewall's interfaces, iptables processes packets with broadcast or multicast destination in the INPUT chain. Firewall Builder is aware of this and generates the correct iptables commands.

In order to match broadcast or multicast addresses in the rules, we need to create objects to describe them. The choice of object type to describe broadcast or multicast address depends on whether this is just a single address, a range or a block. An Address object is good for defining a single address, Address Range is good for sets of consecutive addresses and Network object is good for describing a block. For example, you can use an Address object with address "255.255.255.255" to describe a broadcast. Address Range with addresses "224.0.0.5 - 224.0.0.6" would work well to describe two multicast groups used by OSPF. A Network object with address "224.0.0.0" and netmask "240.0.0.0" can be used to describe a whole multicast address block.

Here are few examples:

Figure 6-58. Multicast object

Object "all multicasts" is part of the Standard Objects library that comes with the program. It describes an entire address block allocated for multicasts. Consider a simple policy rule that permits all multicasts:

Figure 6-59. Multicast rule

For iptables, this rule translates into the following script:


$IPTABLES -A INPUT  -d 224.0.0.0/4  -m state --state NEW  -j ACCEPT

The rule went into the INPUT chain because iptables processes multicast there.

Here is another example, this time it involves broadcast addresses. Interface "inside" of the test firewall has address 172.16.22.1 with netmask 255.255.255.0. This defines subnet 172.16.22.0/255.255.255.0 with broadcast address 172.16.22.255. We create an Address object with the name "net-172.16.22 broadcast" and address "172.16.22.255" and use it in the destination field of a policy rule. Another rule in the same example will match broadcast address "255.255.255.255"; an Address Range Object that defines this address is present in the Standard Objects library under the name "broadcast". Here are the rules:

Figure 6-60. Broadcast rules

these two rules translate into the following script for iptables:


# Rule 0 (global)
# 
$IPTABLES -A INPUT  -d 255.255.255.255  -m state --state NEW  -j ACCEPT 
# 
# Rule 1 (global)
# 
$IPTABLES -A INPUT  -d 172.16.22.255  -m state --state NEW  -j ACCEPT

Both rules went into INPUT chain as expected.

6.1.12.2. Broadcast and Multicast Addresses and Bridging iptables Firewall

Compilers treat broadcast and multicast addresses differently if the firewall object is set to be a bridging firewall. In this case the checkbox "Bridging firewall" should be turned on in the firewall settings dialog and one or more interface objects should be marked as "Bridge port":

Figure 6-61. Broadcast and Multicast address in a bridging firewall

Now the rule that matches the broadcast destination address will be treated differently:

Figure 6-62. Broadcast and Multicast address in a rule

This produces the following iptables commands:


$IPTABLES -A FORWARD  -d 172.16.22.255  -m state --state NEW  -j ACCEPT 
$IPTABLES -A INPUT  -d 172.16.22.255  -m state --state NEW  -j ACCEPT

Rules went into both INPUT and FORWARD chains because the bridging firewall passes broadcasts through, but at the same time accepts them as packets headed for itself. Since the rule did not specify which interface it should look at, Firewall Builder assumed that the generated rule should inspect packets crossing all interfaces, both bridge ports and "normal" ones, and therefore placed the rule in both INPUT and FORWARD chains.

6.1.13. DNS Name Objects

A DNS Name object represents a DNS "A" or "AAAA" record. The object resolves into IP address at compile or run time. The address (IPv4 or IPv6) the object resolves to depends the address family or families of the ruleset it is used in. That is, if the object is used in a rule that is part of IPv4 rule set, the compiler will try to resolve the object using DNS query for the "A" record, but if the object is used in a rule that is part of an IPv6 rule set, the compiler will run a "AAAA" query. If the rule set where the object is used is a mixed type (IPv4+IPv6), the compiler will resolve the same object twice using different queries.

The DNS Name object dialog looks like this:

Figure 6-63. DNS Name Object

  • Name:

    The name of the DNS Name object

  • DNS Record:

    The DNS record you want to resolve.

  • Compile Time / Run Time:

    Indicate whether you want to resolve the IP address when you create the firewall script (compile time) or when you run the script on the firewall (run time).

  • Comment:

    A free-form text field used for comments

The DNS Record parameter is the name of the A or AAAA record we want to resolve. In this example it is the host name of the Firewall Builder project web site "www.fwbuilder.org". Note that IPv6 web server for the project is accessible as "ipv6.fwbuilder.org" so we are going to need second DNS Name object for IPv6 examples. Compile Time and Run Time options have the same meaning as those in the Address Table object, that is, compile time DNS Name object is converted to the IP address by the policy compiler, while run time DNS Name object is not. In the latter case, the compiler puts DNS record name into the generated script or configuration file and leaves it up to the firewall to resolve it when the script is activated.

Both compile time and run DNS Name objects are supported on all target firewall platforms.

Let's look at how the simple rule shown in Figure 6-69 compiles for iptables and PF, both for compile time and run time DNS Name object.

Figure 6-64. Rule using DNS Name object

Figure 6-65. DNS Name Compile Time, iptables compile output


# Rule 0 (global)
# 
$IPTABLES -A FORWARD  -d 70.85.175.170  -m state --state NEW  -j ACCEPT

In this trivial case, the compiler simply resolved "www.fwbuilder.org" to an IP address and used it in the iptables command. However, if the policy rule was in a ruleset configured as an IPv6-only rule set, the rule would not produce any iptables command at all because there is no AAAA DNS record with name "www.fwbuilder.org". If the rule set was both IPv4+IPv6, then the rule would generate iptables command only in the IPv4 part. The opposite is also true, the DNS Name object with record "ipv6.fwbuilder.org" will only produce iptables commands when used in IPv6 rule set because there is only AAAA record with this name.

Figure 6-66. DNS Name Compile Time, PF compile output


# Rule  0 (global)
# 
pass in   quick inet  from any  to 70.85.175.170 keep state

The same is true in the case of PF: the compiler simply resolved the name "www.fwbuilder.org" and put the address in the generated pf.conf file. Since this name does not resolve into any IPv6 address, IPv6 PF policy would not have any line for this rule. DNS record "ipv6.fwbuilder.org" resolves only into an IPv6 address, and therefore DNS Name object with this record would only produce pf.conf configuration for IPv6 and not for IPv4.

Figure 6-67. DNS Name Run Time, iptables compile output


# Rule 0 (global)
# 
$IPTABLES -A FORWARD  -d www.fwbuilder.org -m state --state NEW  -j ACCEPT

Here the compiler used the line entered in the DNS record parameter literally, leaving it up to iptables on the firewall machine to resolve this name into an IP address. Using a run time DNS Name object in IPv6 policy generates the following iptables command:


# Rule 0 (global)
# 
$IP6TABLES -A FORWARD  -d ipv6.fwbuilder.org -m state --state NEW  -j ACCEPT

$IP6TABLES is the shell variable defined at the beginning of the generated script, the value of this variable is the full path to the ip6tables command line utility. ip6tables will try to resolve given name to an IPv6 address since it processes IPv6 iptables policy.

Figure 6-68. DNS Name Run Time, PF compile output


# Rule  0 (global)
#
pass in   quick inet  from any  to www.fwbuilder.org keep state
pass out  quick inet  from any  to www.fwbuilder.org keep state

Run time DNS Name object translates into PF configuration lines that also use the name of the DNS record and leave it up to PF to actually resolve it to an IP address when the configuration is loaded.

6.1.14. A Group of Addressable Objects

Figure 6-69. Group of Objects

The group of objects holds references to Hosts, Networks, Address Ranges, Firewalls and other groups of addressable objects (Figure 6-69). Use New Object / New Object Group to create a new group. Objects can be added to the group using the following methods:

  • Using drag and drop:

    Objects can be dragged from the tree into the group dialog. Click, hold down the mouse button, and drag the object to add it to the group.

  • Using the popup menu:

    You can use the Copy/Paste operations between the tree and group dialog. Right-clicking on the object in the tree brings a pop-up menu. Choose Copy in this menu, then move the mouse to the group dialog and right-click in the icon field. This also brings up a pop-up menu, where you choose Paste. This inserts a reference to the object in the group.

  • Using the Edit main menu:

    Select the object in the tree, select Edit/Copy Object from the menu bar, then click on the group dialog, and then select Edit/Paste Object from the menu bar.

PrevHomeNext
Working with multiple data files Service Objects
 

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.
 Using free CSS Templates.