15.7.5. Installing updated firewall policy seems to make no difference

I compiled and activated firewall policy, but my tests seem to show no difference. If I add a rule to block some protocol, it remains permitted for some reason.

Here are few troubleshooting steps:

First of all, make sure you compile the right firewall object and install on the right firewall machine, the same one you use for testing. It is all too easy to mix them up if you have several firewalls. Another case when this happens often is when you work on the firewall replacement and have both old and new firewall machines running simultaneously. You may be pushing updated policy to the new machine, while traffic is still routed through the old one.

If you test by adding a rule to deny some protocol and then trying to connect with this protocol, but it remains permitted, check that you do not have any rules that permit it above the one you've added for testing. You can use "Find" function (Section 5.7) in Firewall Builder GUI to find all uses of any service object. Keep in mind that there could be two objects with different names but the same port and protocol configuration. You can search for objects by their name, tcp/udp port number, ip address etc.

If you use ssh access to test rules by adding a rule that denies ssh access to the firewall, keep in mind that automatic rule may override it. The automatic rule is added using checkbox "Always permit ssh access from the management workstation" in the firewall settings dialog. See Section 10.5.8.

Pay attention to the output that appears in the progress window of the policy installer when you install and activate updated policy. Iptables script generated by fwbuilder always prints the following information when it is activated (here is an example):

Activating firewall script generated Mon Aug 09 17:22:11 2010 by vadim
Running prolog script
Verifying interfaces: eth0 eth1 lo
Rule 0 (NAT)
Rule 0 (eth0)
Rule 1 (lo)
Rule 2 (global)
Rule 3 (global)
Rule 4 (global)
Rule 5 (global)
Rule 6 (global)
Rule 7 (global)
Rule 8 (global)
Rule 9 (global)
Running epilog script

Do you see the "Activating firewall script ... " line in the progress output of the installer? If not, you might be running different script on the firewall. Compare the date and time reported by the script, could it be too old ?


Output shown above appears in the progress output of the installer when you run it with both "Quiet" and "Verbose" options turned off. Running it with "quiet" turned on suppresses these lines and running it in verbose mode produces a lot more output.

Another reason updated policy may not be activated is if you tried an external activation script previously but perhaps forgot about it. In this case the installer will be running this script instead of newly generated firewall script. You can configure alternative command that installer should execute on the firewall in the "Installer" tab of the firewall settings dialog. If this option is set to some script on the firewall machine and this script does not in turn call script generated by fwbuilder, you might be reloading the same firewall policy every time you install. This is just another thing to check.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.