7.2.8. Working with Multiple Policy Rule Sets

Every firewall object created in Firewall Builder begins with a single policy rule set. For many firewalls, this is all you need. However, Firewall Builder allows you to create multiple access policy rule sets for a single firewall object and, if your platform supports it, branch between the rule sets. This can help you modularize your policy.

In the following example, the firewall object "fw" has three policy rule sets: Policy, Policy_2, and mgmt:

Figure 7.8. Firewall with Multiple Policy Rule Sets

Firewall with Multiple Policy Rule Sets

To create an additional rule set, right-click the firewall object in the tree and select Add Policy Rule Set from the context menu.

All policy rule sets have configurable parameters. To see a policy rule set's parameters, open it in the editor by double-clicking it in the tree.

Figure 7.9. Policy Rule Set Dialog (iptables)

Policy Rule Set Dialog (iptables)

This dialog has a Name, IPv4/IPv6 setting and a Top ruleset checkbox. For iptables firewalls, there is also a pair of radio buttons that indicates whether the policy should affect filter+mangle tables or just mangle table.

The IPv4/IPv6 pull-down menu lets you select whether the rule set should be compiled for IPv4 only (ignoring any IPv6-related rules), IPv6 only (ignoring any IPv4-related rules), or for both IPv4 and IPv6. If both IPv4 and IPv6 are selected, the compiler automatically places each rule into the correct part of the configuration.

When multiple rule sets have been defined, one rule set is tagged as the "top" rule set by checking the Top rule set checkbox when the rule set is added. The top rule set is the primary rule set assigned to the device. Only one rule set of each type can be marked as the top rule set. The top rule set is always used (if it has any rules). Other rule sets are only used if they are the targets of branching. Scripts are generated as follows for target platforms.

  • iptables: Rules defined in the top rule set are placed into the built-in INPUT, OUTPUT, and FORWARD chains. Rules defined in rule sets where the Top rule set checkbox is not checked are placed into a user-defined chain with the same name as the rule set.

  • PF: Rules defined in rule sets other than the top rule set are placed into an anchor with the name of the rule set.

  • Cisco IOS ACLs: If the rule set is not the top rule set, rules are placed into an access list and the rule set name is prefixed to the accless list name; this access list is not assigned to interfaces using the ip access-group command. Top rule sets generate ACLs with names consisting of a shortened interface name plus traffic direction. Only these lists are assigned to interfaces.

You fork processing between rule sets using the Branch rule action. In the example, this rule causes packets headed for the fw-mgmt host to be passed to the mgmt rule set.

Figure 7.10. Passing a Packet to the "mgmt" Rule Set

Passing a Packet to the "mgmt" Rule Set

A packet directed to the mgmt rule set leaves the main rule set and begins matching against rules in the mgmt rule set. If it matches in the mgmt rule set, then the specified action is taken. If it does not match in the mgmt rule set, processing is passed back to the calling rule set.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.