Firewall Builder 5 User's Guide

The information in this manual is subject to change without notice and should not be construed as a commitment by NetCitadel LLC. NetCitadel LLC assumes no responsibility or liability for any errors or inaccuracies that may appear in this manual.


1. Introduction
1.1. Introducing Firewall Builder
1.2. Overview of Firewall Builder Features
2. Installing Firewall Builder
2.1. RPM-Based Distributions (Red Hat, Fedora, OpenSUSE, and Others)
2.2. Ubuntu Installation
2.3. Installing FreeBSD and OpenBSD Ports
2.4. Windows Installation
2.5. Mac OS X Installation
2.6. Compiling from Source
3. Definitions and Terms
4. Firewall Builder GUI
4.1. The Main Window
4.2. GUI Menu and Tool Bars
4.2.1. File Menu
4.2.2. Edit Menu
4.2.3. View Menu
4.2.4. Object Menu
4.2.5. Rules Menu
4.2.6. Tools Menu
4.2.7. Window Menu
4.2.8. Help Menu
4.2.9. Object Context Menu
4.2.10. Tool Bar
4.3. Object Tree
4.3.1. Using Subfolders to Organize Object Tree
4.3.2. Filtering the Object Tree
4.3.3. Object Attributes in the Tree
4.3.4. Creating Objects
4.4. Undo and Redo
4.4.1. Undo Stack
4.5. Preferences Dialog
4.6. Working with Multiple Data Files
5. Working with Objects
5.1. Types of Objects
5.2. Addressable Objects
5.2.1. Common Properties of Addressable Objects
5.2.2. The Firewall Object
5.2.3. The Cluster Object
5.2.4. Editing Rule Set Objects
5.2.5. Interface Object
5.2.6. IPv4 Address Object
5.2.7. IPv6 Address Object
5.2.8. Attached Network Objects
5.2.9. Physical Address Objects
5.2.10. Host Object
5.2.11. IPv4 Network Object
5.2.12. IPv6 Network Object
5.2.13. Address Range Object
5.2.14. Address Tables Object
5.2.15. Special-Case addresses
5.2.16. DNS Name Objects
5.2.17. Object Groups
5.2.18. Dynamic Object Groups
5.3. Service Objects
5.3.1. IP Service
5.3.2. ICMP and ICMP6 Service Objects
5.3.3. TCP Service
5.3.4. UDP Service
5.3.5. User Service
5.3.6. Custom Service
5.4. Time Interval Objects
5.5. Object Keywords
5.6. Creating and Using a User-Defined Library of Objects
5.7. Finding and Replacing Objects
6. Network Discovery: A Quick Way to Create Objects
6.1. Reading the /etc/hosts file
6.2. Network Discovery
6.3. Importing Existing Firewall Configurations into Firewall Builder
6.3.1. Importing Existing Firewall Configurations
6.3.2. iptables Import Example
6.3.3. Information Regarding PF Import
7. Firewall Policies
7.1. Policies and Rules
7.2. Firewall Access Policy Rule Sets
7.2.1. Source and Destination
7.2.2. Service
7.2.3. Interface
7.2.4. Direction
7.2.5. Action
7.2.6. Time
7.2.7. Options and Logging
7.2.8. Working with Multiple Policy Rule Sets
7.3. Network Address Translation Rules
7.3.1. Basic NAT Rules
7.3.2. Source Address Translation
7.3.3. Destination Address Translation
7.4. Routing Ruleset
7.4.1. Handling of the Default Route
7.4.2. ECMP routes
7.5. Editing Firewall Rule Sets
7.5.1. Adding and Removing Rules
7.5.2. Adding, Removing, and Modifying Objects in Policies and NAT Rules
7.5.3. Changing the Rule Action
7.5.4. Changing Rule Direction
7.5.5. Setting Rule Options and Logging
7.5.6. Configuring Multiple Operations per Rule
7.5.7. Using Rule Groups
7.5.8. Support for Rule Elements and Features on Various Firewalls
7.6. Compiling and Installing Your Policy
7.7. Using Built-in Revision Control in Firewall Builder
8. Cluster configuration
8.1. Linux cluster configuration with Firewall Builder
8.2. OpenBSD cluster configuration with Firewall Builder
8.3. PIX cluster configuration with Firewall Builder
8.4. Handling of the cluster rule set and member firewalls rule sets
9. Configuration of interfaces
9.1. General principles
9.2. IP Address Management
9.2.1. IP Address Management on Linux
9.2.2. IP Address Management on BSD
9.3. Interface Names
9.4. Advanced Interface Settings
9.4.1. Setting Interface MTU
9.5. VLAN Interfaces
9.5.1. VLAN Interface Management on Linux
9.5.2. VLAN Interface Management on BSD
9.6. Bridge ports
9.6.1. Enabling Bridge Interface Management
9.6.2. Bridge Interface Management on Linux
9.6.3. Bridge Interface Management on BSD
9.7. Bonding Interfaces
10. Compiling and Installing a Policy
10.1. Different ways to compile
10.2. Compiling single rule in the GUI
10.3. Compiling firewall policies
10.4. Compiling cluster configuration with Firewall Builder
10.4.1. Compile a Cluster, Install a Firewall
10.4.2. Mixed Object Files
10.4.3. Compile a single firewall within a cluster
10.5. Installing a Policy onto a Firewall
10.5.1. Installation Overview
10.5.2. How does installer decide what address to use to connect to the firewall
10.5.3. Configuring Installer on Windows
10.5.4. Using putty sessions on Windows
10.5.5. Configuring installer to use regular user account to manage the firewall
10.5.6. Configuring installer if you use root account to manage the firewall
10.5.7. Configuring installer if you regularly switch between Unix and Windows workstations using the same .fwb file and want to manage the firewall from both
10.5.8. Always permit SSH access from the management workstation to the firewall
10.5.9. How to configure the installer to use an alternate ssh port number
10.5.10. How to configure the installer to use ssh private keys from a special file
10.5.11. Troubleshooting ssh access to the firewall
10.5.12. Running built-in installer to copy generated firewall policy to the firewall machine and activate it there
10.5.13. Running built-in installer to copy generated firewall policy to Cisco router or ASA (PIX)
10.5.14. Batch install
10.6. Installing generated configuration onto Cisco routers
10.6.1. Installing configuration with scp
10.7. Installing generated configuration onto Cisco ASA (PIX) firewalls
11. Manage your firewall remotely
11.1. Dedicated Firewall machine
11.2. Using Diskless Firewall Configuration
11.3. The Management Workstation
12. Integration with OS Running on the Firewall Machine
12.1. Generic Linux OS
12.2. OpenWRT
12.3. DD-WRT
12.3.1. DD-WRT (nvram)
12.3.2. DD-WRT (jffs)
12.4. Sveasoft
12.5. IPCOP
12.6. OpenBSD and FreeBSD
12.6.1. PF
12.6.2. ipfilter
12.6.3. ipfw
12.7. How to make your firewall load your firewall policy on reboot
12.7.1. Making the Firewall Load the Firewall Policy After Reboot: iptables
12.7.2. Making the Firewall Load the Firewall Policy After Reboot: pf
12.7.3. Making the Firewall Load the Firewall Policy After Reboot: ipfw
12.7.4. Making the Firewall Load the Firewall Policy After Reboot: ipfilter
13. Configlets
13.1. Configlet Example
14. Firewall Builder Cookbook
14.1. Changing IP addresses in Firewall Configuration Created from a Template
14.2. Examples of Access Policy Rules
14.2.1. Firewall Object used in Examples
14.2.2. Permit Internal LAN to Connect to the Internet
14.2.3. Allowing Specific Protocols Through, while Blocking Everything Else
14.2.4. Letting Certain Protocols through from a Specific Source
14.2.5. Interchangeable and non-interchangeable objects
14.2.6. Anti-spoofing rules
14.2.7. Anti-Spoofing Rules for a Firewall with a Dynamic Address
14.2.8. Using Groups
14.2.9. Using an Address Range Instead of a Group
14.2.10. Controlling Access to the Firewall
14.2.11. Controlling access to different ports on the server
14.2.12. Firewall talking to itself
14.2.13. Blocking unwanted types of packets
14.2.14. Using Action 'Reject': blocking Ident protocol
14.2.15. Using Negation in Policy Rules
14.2.16. Tagging Packets
14.2.17. Adding IPv6 Rules to a Policy
14.2.18. Using Mixed IPv4+IPv6 Rule Sets to Simplify Adoption of IPv6
14.2.19. Running Multiple Services on the Same Machine on Different Virtual Addresses and Different Ports
14.2.20. Using a Firewall as the DHCP and DNS Server for the Local Net
14.2.21. Controlling Outgoing Connections from the Firewall
14.2.22. Branching rules
14.2.23. Using branch rule set with external script that adds rules "on the fly" to prevent ssh scanning attacks
14.2.24. A Different Method for Preventing SSH Scanning Attacks: Using a Custom Service Object with the iptables Module "recent"
14.2.25. Using an Address Table Object to Block Access from Large Lists of IP Addresses
14.3. Examples of NAT Rules
14.3.1. "1-1" NAT
14.3.2. "No NAT" Rules
14.3.3. Redirection rules
14.3.4. Destination NAT Onto the Same Network
14.3.5. "Double" NAT (Source and Destination Translation)
14.4. Examples of cluster configurations
14.4.1. Web server cluster running Linux or OpenBSD
14.4.2. Linux Cluster Using VRRPd
14.4.3. Linux Cluster Using a Heartbeat
14.4.4. Linux cluster with OpenVPN tunnel interfaces
14.4.5. Linux Cluster Using Heartbeat and VLAN Interfaces
14.4.6. Linux cluster using heartbeat running over dedicated interface
14.4.7. State synchronization with conntrackd in Linux cluster
14.4.8. OpenBSD cluster
14.4.9. PIX cluster
14.5. Examples of Traffic Shaping
14.5.1. Basic Rate Limiting
14.6. Useful Tricks
14.6.1. Using clusters to manage firewall policies on multiple servers
14.6.2. Creating Local Firewall Rules for a Cluster Member
14.6.3. Another Way to Generate a Firewall Policy for Many Hosts
14.6.4. Using Empty Groups
14.6.5. How to use Firewall Builder to configure the firewall using PPPoE
15. Troubleshooting
15.1. Build Issues
15.1.1. autogen.sh Complains "libfwbuilder not installed"
15.1.2. "Failed dependencies: ..." when installing RPM
15.2. Program Startup Issues
15.2.1. "fwbuilder: cannot connect to X server localhost:0.0"
15.2.2. "fwbuilder: error while loading shared libraries: libfwbuilder.so.0: cannot load shared object file: no such file or directory."
15.2.3. "fwbuilder: error while loading shared libraries: /usr/local/lib/libfwbuilder.so.8: cannot restore segment prot after reloc: Permission denied"
15.3. Firewall Compiler and Other Runtime Issues
15.3.1. Firewall Builder Crashes
15.3.2. Older Data File Cannot Be Loaded in Firewall Builder
15.3.3. "I/O Error" While Compiling policy. No Other Error.
15.3.4. ios_base::failbit set on Windows
15.3.5. "Cannot create virtual address NN.NN.NN.NN"
15.4. Troubleshooting installing policy on the firewall
15.4.1. Plink.exe fails while trying to activate the firewall policy with an error 'Looking up host "" Connecting to 0.0.0.0 port 22'
15.5. Running the Firewall Script
15.5.1. Determining which rule caused an error
15.5.2. "ip: command not found"
15.5.3. I get the following error when I run generated script for iptables firewall: "iptables v1.2.8: can't initialize iptables table 'drop': Table does not exits (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded."
15.5.4. "Interface eth0 does not exist"
15.5.5. "Interface eth0:1 does not exist"
15.5.6. Script fails to load module nf_conntrack
15.6. RCS Troubleshooting
15.6.1. Error adding file to RCS
15.6.2. "Error checking file out: co: RCS file c:/fwbuilder/RCS/file.fwb is in use"
15.6.3. "Error checking file out:"
15.7. Issues after new policy activation
15.7.1. Cannot access only some web sites
15.7.2. Firewall becomes very slow with new policy
15.7.3. X won't start on a server protected by the firewall
15.7.4. Cannot access Internet from behind firewall
15.7.5. Installing updated firewall policy seems to make no difference
15.8. Routing Rules Issues
15.8.1. Compile fails with dynamic or point-to-point interfaces
16. Appendix
16.1. iptables modules
16.1.1. Installing the iptables ipset Module Using xtables-addons
16.1.2. Installing the iptables ipset module

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.