In the previous recipe, we showed how to use the Firewall Builder cluster object to create a single firewall policy that gets installed on multiple servers. When we finished, the cluster was configured with three servers as shown below.
Figure 14.191. Cluster with Three Firewalls Sharing the Same Firewall Policy with One Firewall Also Using Local Rules
In this recipe we will show how to create a set of local rules on one of the cluster members. Local rules are evaluated in addition to the rules that are configured for the cluster.
For this example we will add a local rule to the web-03 server firewall allowing remote access to the server via SSH from a trusted external vendor coming from a network defined as "Vendor X Network".
The following steps assume that we are starting with the same configuration that the previous example finished with.
Since we only want this policy applied to one of the servers in the cluster, not all of the cluster members, we need to create a separate policy object to hold the local rules.
In this example we name the new policy object "local_rules". The policy name can be any name you choose except that it cannot be the same name as the policy that contains the main firewall rules for the cluster which, by default, is 'Policy'.
After you are done, you should see the new policy named local_rules under the web-servers cluster object.
Next we need to create a policy object on the web-03 firewall using exactly the same name as we used for the policy object on the web-servers cluster.
You must use the same name for the policy on both the cluster object and the firewall object.
Remember, the rule we want to add only to the web-03 server is:
When creating local rules use the interface objects of the firewall that the local rule is being configured on. For our example we use the interface object of the web-03 firewall for the destination and interface fields. After you configure the rule in the local_rules policy on web-03 the policy should look like this:
Make sure to configure this rule in the local_rules policy object on the web-03 firewall object. You can see which firewall policy you are editing at the top of the Rules panel.
For the rules in the policy 'local_rules' to be applied, we need to set up a branching rule in the main policy called 'Policy' that jumps to the local_rules policy. You can define the branch rule anywhere in the policy; in this example we make the branch the first rule of the policy. This ensures that the custom rules defined on web-03 are evaluated first, and then the rest of the rules for the cluster are applied.
Make sure you set the branch target to be the 'local_rules' object from the cluster object and not one of the member firewalls.
After you have configured the branching rule in the main policy your rules should look like this.
Not all firewall platforms support branching. You can find out more about branching in Section 7.2.8.
Since changes were made to the web-servers cluster and web-03 objects we need to compile and install the updated firewall rules to all cluster members.
When the rules are compiled, Firewall Builder includes the rules defined in the local_rules policy object on the cluster member if that policy exists and contains rules. If no rules are found in the member's local_rules, Firewall Builder includes the rules from the cluster object's local_rules instead.
To see an example of this you can inspect the generated firewall script for the web-03 server. The lines below show the new iptables chains created for the local_rules policy, followed by the branch from rule 0 of Policy into them.
#
# Rule local_rules 0 (eth0)
#
echo "Rule local_rules 0 (eth0)"
#
$IPTABLES -N local_rules
$IPTABLES -N In_local_rules_0
$IPTABLES -A local_rules -i eth0 -p tcp -m tcp -s 198.51.100.0/24 \
    -d 192.0.2.13 --dport 22 -m state --state NEW -j In_local_rules_0
$IPTABLES -A In_local_rules_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A In_local_rules_0 -j ACCEPT
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
$IPTABLES -A OUTPUT -j local_rules
$IPTABLES -A INPUT -j local_rules
$IPTABLES -A FORWARD -j local_rules
The compiler will generate a warning for the web-03 firewall object because a policy object named local_rules exists on web-03 as well as on the cluster. When both the cluster object and a member object have a policy with the same name, and the member object's policy is not empty, the member's policy is used in place of the cluster's policy of that name.
This results in the firewall web-03 having the following rules applied.
All the other members of the cluster will have an empty rule chain created for local_rules. This means incoming traffic will go through this empty chain first before being passed back to the main rules defined in Policy.
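The following Python model is an added example, not Firewall Builder's own code. It encodes the two behaviours described above: a member policy with the same name as a cluster policy replaces it only when it is non-empty (which is also what the compiler warns about), and the generated script gives every member a local_rules chain that the built-in chains jump to first, so members without local rules get an empty chain. The Rule, Firewall and Cluster classes and the member names web-01 and web-02 are assumptions of this model; the addresses, interface and port come from the generated script shown above.

```python
# Added example (not Firewall Builder's own code): a small model of how the
# compiler resolves a policy that exists on both the cluster and a member,
# and of the iptables chain layout that results. Member names other than
# web-03, and the Rule/Firewall/Cluster classes, are assumptions of this model.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One accept rule: match on interface, source, destination and TCP port."""
    iface: str
    src: str
    dst: str
    dport: int
    action: str = "ACCEPT"


@dataclass
class Firewall:
    name: str
    policies: dict[str, list[Rule]] = field(default_factory=dict)


@dataclass
class Cluster:
    name: str
    members: list[Firewall]
    policies: dict[str, list[Rule]]
    branch_policy: str  # policy that rule 0 of 'Policy' branches to


def effective_policy(cluster: Cluster, member: Firewall, name: str):
    """A member policy with the same name replaces the cluster's copy only
    when it is non-empty; otherwise the cluster's copy is used."""
    local = member.policies.get(name, [])
    if local:
        return local, "member"
    return cluster.policies.get(name, []), "cluster"


def shadowed_policies(cluster: Cluster) -> list[tuple[str, str]]:
    """Pairs (member, policy) where a non-empty member policy shadows the
    cluster policy of the same name; this is the case the compiler warns about."""
    found = []
    for m in cluster.members:
        for name, rules in m.policies.items():
            if name in cluster.policies and rules:
                found.append((m.name, name))
    return found


def compile_member(cluster: Cluster, member: Firewall) -> list[str]:
    """Emit iptables lines for one member in the shape of the generated script:
    the branch chain, one sub-chain per rule, then the jump from each built-in chain."""
    name = cluster.branch_policy
    rules, _ = effective_policy(cluster, member, name)
    lines = [f"$IPTABLES -N {name}"]
    for i, r in enumerate(rules):
        sub = f"In_{name}_{i}"
        lines.append(f"$IPTABLES -N {sub}")
        lines.append(
            f"$IPTABLES -A {name} -i {r.iface} -p tcp -m tcp -s {r.src} "
            f"-d {r.dst} --dport {r.dport} -m state --state NEW -j {sub}"
        )
        lines.append(f'$IPTABLES -A {sub} -j LOG --log-level info --log-prefix "RULE {i} -- {r.action} "')
        lines.append(f"$IPTABLES -A {sub} -j {r.action}")
    # Rule 0 of 'Policy' is the branch, so every built-in chain jumps to it first.
    for chain in ("OUTPUT", "INPUT", "FORWARD"):
        lines.append(f"$IPTABLES -A {chain} -j {name}")
    return lines


# Constructed configuration mirroring the recipe: three members, an empty
# local_rules on the cluster, and only web-03 carrying the vendor SSH rule.
VENDOR_SSH = Rule(iface="eth0", src="198.51.100.0/24", dst="192.0.2.13", dport=22)
WEB_SERVERS = Cluster(
    name="web-servers",
    members=[
        Firewall("web-01"),  # assumed member name
        Firewall("web-02"),  # assumed member name
        Firewall("web-03", {"local_rules": [VENDOR_SSH]}),
    ],
    policies={"local_rules": []},
    branch_policy="local_rules",
)


def compile_cluster(cluster: Cluster = WEB_SERVERS) -> dict[str, list[str]]:
    """Script lines per member; members without local rules get an empty chain."""
    return {m.name: compile_member(cluster, m) for m in cluster.members}


if __name__ == "__main__":
    for member_name, policy in shadowed_policies(WEB_SERVERS):
        print(f"warning: {member_name}: policy '{policy}' shadows the cluster policy")
    for member_name, lines in compile_cluster().items():
        print(f"--- {member_name} ---")
        print("\n".join(lines))
```

Running the block prints the shadowing warning for web-03 and then the per-member script lines: web-03 gets the populated chain and its In_local_rules_0 sub-chain, while web-01 and web-02 get only the empty local_rules chain plus the three jumps from OUTPUT, INPUT and FORWARD.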
You can also create custom rules on other members of the cluster using the same local_rules policy name.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.