Chapter 9. Configuration of interfaces

9.1. General principles

Firewall Builder 4.0 introduced support for incremental management of interface configuration. It can add and remove IP addresses, create and destroy VLAN interfaces, and add and remove bridge ports and bonding interface members. Incremental management means the generated scripts add or remove interfaces or addresses only when needed, without having to remove the whole configuration and then re-add it.

For example, in the case of interface IP addresses, the script checks whether the address configured in the Firewall Builder GUI actually exists on the interface it should belong to. If it is not there, the script adds it; if it already exists, the script does nothing. Running the script again therefore does not disturb the configuration at all: it does not remove addresses and then add them back. The same applies to VLAN interfaces, bridge ports, and bonding interfaces.


If someone reconfigures interfaces, VLANs, or IP addresses on the machine by hand, just run the Firewall Builder-generated script again and it will restore the configuration to the state defined in the GUI, without tearing everything down first and reconfiguring from scratch. The script runs only those commands that are necessary to undo the changes made by hand.
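As an added illustration of the incremental approach described above (this is an example written for this page, not a Firewall Builder-generated script), the following POSIX shell snippet manages the IPv4 addresses of one Linux interface with the iproute2 "ip" tool. The planning function is separated from command execution so it can be exercised offline against a constructed address list; it emits an ip command only for the differences between the current and the desired state.

```shell
#!/bin/sh
# Added example, not part of Firewall Builder: idempotent IPv4 address
# management for one Linux interface in the style the text describes.

# plan_addr_changes DEV CURRENT_ADDRS DESIRED_ADDRS
#   CURRENT_ADDRS: space-separated CIDR addresses already present on DEV
#   DESIRED_ADDRS: space-separated CIDR addresses that should be on DEV
# Prints one "ip addr add|del ..." command per line. Prints nothing when the
# interface already matches, so re-running the script is harmless.
plan_addr_changes() {
    dev=$1; current=$2; desired=$3
    # Addresses defined in the GUI but missing from the interface: add them.
    for a in $desired; do
        case " $current " in
            *" $a "*) ;;                       # already there: do nothing
            *) echo "ip addr add $a dev $dev" ;;
        esac
    done
    # Addresses present on the interface but not defined in the GUI: undo
    # the manual change by removing them.
    for a in $current; do
        case " $desired " in
            *" $a "*) ;;
            *) echo "ip addr del $a dev $dev" ;;
        esac
    done
}

# current_addrs DEV: read the IPv4 addresses currently on DEV from the kernel.
# Field 4 of "ip -o -4 addr show" is the address in CIDR notation.
current_addrs() {
    ip -o -4 addr show dev "$1" | awk '{print $4}' | tr '\n' ' '
}

# sync_addrs DEV DESIRED_ADDRS: run only the commands that are actually
# needed (requires root and the "ip" tool).
sync_addrs() {
    plan_addr_changes "$1" "$(current_addrs "$1")" "$2" | sh
}

# Constructed sample of what current_addrs might return for eth0, so the
# planning logic can be tried without root or the "ip" tool. Here
# 192.0.2.7/24 was added by hand and 192.0.2.2/24 is missing.
SAMPLE_CURRENT="192.0.2.1/24 192.0.2.7/24"
plan_addr_changes eth0 "$SAMPLE_CURRENT" "192.0.2.1/24 192.0.2.2/24"
```

The sample run prints only the add for 192.0.2.2/24 and the delete for 192.0.2.7/24; with matching current and desired lists it prints nothing.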

Not all of these features are available on every supported OS. Table 9.1 shows which features each platform supports:

Table 9.1.

Feature                                      | Linux   | OpenBSD, FreeBSD | Cisco IOS | Cisco ASA (PIX)
---------------------------------------------|---------|------------------|-----------|----------------
IP address management                        | yes     | yes              | yes       | yes
Incremental IP address management            | yes     | yes              | no        | no
VLAN interfaces                              | yes     | yes              | no        | no
Incremental management of VLAN interfaces    | yes     | yes              | no        | no
Bridge ports                                 | yes     | yes              | no        | no
Incremental management of bridge ports       | yes     | yes              | no        | no
Bonding interfaces                           | yes     | no               | no        | no
Incremental management of bonding interfaces | partial | no               | no        | no
MTU configuration                            | no      | yes              | no        | no
Cluster configuration (*)                    | yes     | yes              | no        | yes

(*) carp and pfsync on OpenBSD, interface configuration for failover on PIX, interface configuration for clustering protocols on Linux.

The most complete implementation is available on Linux, where the generated script can incrementally manage IP addresses, VLAN interfaces, bridge ports and, partially, bonding interfaces.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.