The procedure for ensuring that the firewall loads the policy after reboot depends on what Linux distribution your firewall is based on. Firewall Builder generates the policy in a form of a shell script for the firewall based on Linux and iptables. To activate the policy at boot time, you must execute this script at boot time one way or another.
The standard method is to locate the generated script in the /etc or /etc/firewall directory and add a line at the bottom of the /etc/rc.d/rc.local script (for Mandrake and RedHat systems), the /etc/rc.local script (for Debian, Ubuntu, and derivative systems) or the /etc/init.d/boot.local script (for SuSE systems) as shown below:
When this is done, the firewall script runs when machine executes boot-time scripts. The name of the file is the same as the name of the firewall object in Firewall Builder GUI, with extension ".fw". So, if firewall object name is guardian, then fwbuilder puts generated policy in the file guardian.fw.
Since the firewall policy generated by Firewall Builder is installed by running this script at a boot time, any other firewall startup script that might be supplied by the vendor of your Linux distribution should be disabled. On Mandrake and RedHat systems, this can be done using the following command:
chkconfig --level 2345 iptables off
On SuSE use command
and change state of services as follows:
SuSEfirewall2_final off SuSEfirewall2_init off SuSEfirewall2_setup off
(There must be better way to turn firewall off on SuSE, but we do not know it.)
Another method to get firewall policy automatically installed at boot time uses scripts supplied by Mandrake or RedHat. You still need to copy the generated script to the firewall machine and execute it there. (This can be done using installer scripts fwb_install or fwbinstaller.) Once the policy has been tested and works as expected, you just execute service iptables save to save the policy. Now the policy will be activated at a boot time if the iptables service is active. You can make it active on Mandrake and RedHat using the following command:
chkconfig --level 2345 iptables on
The script generated by Firewall Builder does more than just set iptables rules; it also adds virtual IP addresses to the interfaces of the firewall and configures kernel parameters. It can get real IP addresses of interfaces with dynamic addresses and checks if interfaces are present and "up" at the time when firewall policy is applied. The standard scripts iptables-save and iptables-restore only manage iptables rules; other tasks performed by the script generated by Firewall Builder will not be done upon reboot if you use this method.
The Firewall policy script generated by Firewall Builder for iptables firewalls needs to be restarted every time the IP address of a dynamic interface changes. This section explains why is it so and how this can be done.
The iptables firewall policy script generated by Firewall Builder determines the IP addresses of all dynamic interfaces and assigns them to variables, which it then uses in the policy rules. This helps to build rules that require knowing the address of the interface correctly, such as anti-spoofing rules. On the other hand, if interface's address changes after the policy has been loaded and activated, the firewall script needs to be restarted.
The firewall can be restarted from one of the
scripts that get called by PPP or DHCP daemons
whenever the connection is established or a new address
lease is obtained. For example, the DHCP daemon
distributed with all major Linux distributions calls
a script named
when a new DHCP lease is obtained. To restart the
Firewall Builder-generated firewall script after a
new DHCP lease is obtained, add the following lines to
The location of the
can vary, but it is usually found in either
/etc/dhcp3, depending on your system. You
may have to create the file if it does not exist already. Check
for the proper file location by running the man
See man page dhclient-script(8) for a detailed explanation.
On SUSE systems, you should use YAST to configure this. Start the YAST control center, go to "System", then "Editor for /etc/sysconfig files" in the right panel, and when the editor appears, choose "Network/DHCP/DHCP client" in the tree and edit "DHCLIENT_SCRIPT_EXE".
The PPP daemon calls the
/etc/ppp/ip-up script when
the connection is established and the IP address
obtained. This script can be used to restart the
firewall as well. Just as
dhclient-exit-hooks, just add a
call to the
/etc/firewall/firewall.fw script at the
bottom of the
"/etc/firewall/firewall.fw" file should be
replaced everywhere with the real name of the firewall
script. Firewall Builder stores firewall commands in
the file with the name the same as the name of the
firewall object, with an extension ".fw".
Currently, Firewall Builder requires restart of the firewall script only on iptables firewalls. Firewalls based on OpenBSD pf do not require a restart, because pf can dynamically load IP address of the interface when it changes. Currently, on ipfilter and ipfw firewalls address of the dynamic interface has to be entered in the GUI, or it cannot be used in the rule. This limitation will be removed in the future versions of the product.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.