14.6. Useful Tricks

14.6.1. Using clusters to manage firewall policies on multiple servers

In this recipe we are going to cover how to use Firewall Builder clusters to manage a single firewall policy that gets deployed on multiple servers. An example of where you could use this would be managing a shared firewall policy for a collection of web servers that are all providing the same service and should have the same rules.

Normally the cluster feature is used to create high availability firewall pairs, but in this case we are going to use it creatively to create a master firewall policy that gets deployed on multiple servers.

For this recipe, we are going to use the web farm example shown below. The example starts with two servers running Linux with iptables that should have identical firewall policies. We'll cover creating the firewalls and the cluster and assigning rules to it. At the end we'll walk through adding a third server to the cluster.

Figure 14.179. Server Configuration

On these servers we want to implement the following basic firewall rules.

  • Allow the system to communicate with its own loopback interface
  • Allow inbound HTTP and HTTPS from anywhere to the server
  • Allow inbound SSH from a specific set of trusted subnets
  • Allow outbound connectivity to port 8009 (jboss) to a group of application servers

Step 1 - Create Firewall Objects for Your Servers

To create a cluster, we first need to create the firewall objects that will be members of the cluster. Each server is represented by a firewall object in Firewall Builder. Go through the New Firewall wizard and create a firewall called web-01 with two interfaces. The first interface is the Ethernet interface "eth0" that connects the server to the Internet and the second interface is the loopback interface "lo".

After you have created the firewall object, it should look like this in the object tree:

Figure 14.180. web-01 firewall object

By default, Firewall Builder sets the firewall object to route (forward) IP packets. Since this is a server firewall, we should disable IP forwarding on the host. Do this by double-clicking the firewall object and then clicking Host OS Settings in the Editor Panel at the bottom. Change the setting for IPv4 Packet Forwarding to Off.

Figure 14.181. Disable IP Forwarding

To create a second firewall object for web-02 you can use the Duplicate feature in Firewall Builder.

  • Right-click web-01 firewall and select Duplicate -> place in library User
  • Edit the name of the newly created firewall object to web-02
  • Double-click web-02's IP object under the eth0 interface and set the IP address to 192.0.2.12 / 24

Step 2 - Create a new cluster

To create a new cluster right-click the Clusters folder in the object tree and select New Cluster. This will launch the New Cluster wizard. Name the cluster (for example, web-servers), and select both web-01 and web-02 to be members of the cluster. Since we are not using failover it does not matter which firewall is set to Master.

Figure 14.182. Creating a New Cluster

Click Next >

Since both servers use eth0 as the outside interface, leave the interface mapping as is. If your servers use different interface names, for example if one server uses eth0 and the other uses eth1, you can set the mapping here.

Figure 14.183. Cluster Interface Mapping

Click Next >

To make the cluster interfaces easy to identify, update the label associated with interfaces eth0 and lo. Since we are not running our servers as a high availability cluster with failover, set the Failover protocol to None.

Figure 14.184. Set Cluster Interface Configuration

Note

Make sure to update both the eth0 and lo interfaces.

Click Next >

We want to create new rules for our cluster, so set the source of the cluster rules to be "do not use any, I will create new policy and NAT rules".

Figure 14.185. Set the Source of the Cluster Rules

Click Finish

Once you are done you should see a new cluster object in the tree that looks like this:

Figure 14.186. New Cluster Object web-servers

Step 3 - Define Cluster Policy Rules

After you create the cluster, the policy object is automatically opened in the Rules Panel. Remember we wanted both of our servers to have the following rules:

  • Allow the system to communicate with its own loopback interface
  • Allow inbound HTTP and HTTPS from anywhere to the server
  • Allow inbound SSH from a specific set of trusted subnets
  • Allow outbound connectivity to port 8009 (jboss) to a group of application servers

After you configure these rules your policy should look like this:

Figure 14.187. Set the source of the cluster rules

Note

Make sure to use the objects from the cluster when creating the rules. These objects will automatically get translated to the correct object for the individual cluster members.

Step 4 - Compile and Install Rules

The next step is to compile and install the rules on our servers. When Firewall Builder compiles the cluster, it generates a separate firewall script for each cluster member, substituting that member's own local objects for the cluster objects used in the rules.

For example, the IP address for the eth0 cluster object is automatically translated to the correct address for web-01 (192.0.2.11) and web-02 (192.0.2.12).

You can see this substitution by inspecting the generated file for web-01 after the compile is completed. Note that the destination is set to the IP address of web-01's eth0 interface.

echo "Rule 0 (eth0)"
#
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport -d 192.0.2.11  --dports 80,443  -m state --state NEW -j ACCEPT
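The following POSIX shell script is an added illustration of the substitution just described; it is not Firewall Builder's own code or generated output. One rule template covering the four rules in this recipe is rendered once per member with that member's eth0 address, so every server carries the same policy with its own IP, and one script per member is written out the way the cluster compile does. The member names and addresses are those used in this recipe; the trusted subnets, application server addresses, default-deny chain policies and the ESTABLISHED,RELATED rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Firewall Builder's code or generated output): a small
# generator that mimics the cluster-to-member substitution the recipe relies
# on. Member names/addresses come from the recipe; everything else (trusted
# subnets, application servers, default-deny policies, ESTABLISHED,RELATED
# rules) is an assumption made for this example.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed placeholders for the "Trusted Networks" and application server
# objects referenced by the recipe's rules.
TRUSTED_NETS="198.51.100.0/24 203.0.113.0/24"
APP_SERVERS="10.0.0.21 10.0.0.22"

# Cluster members as name:eth0-address (addresses from the recipe).
MEMBERS="web-01:192.0.2.11 web-02:192.0.2.12 web-03:192.0.2.23"

# gen_rules <member-eth0-address>
# Prints (does not run) the iptables commands for one member, so the result
# can be inspected like a generated .fw script before it is installed.
gen_rules() {
    addr="$1"
    # Assumed default-deny policy on a server firewall; forwarding is off
    # (Host OS Settings), so FORWARD never carries traffic anyway.
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -P OUTPUT DROP"
    echo "$IPTABLES -P FORWARD DROP"
    # Allow the system to communicate with its own loopback interface.
    echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
    echo "$IPTABLES -A OUTPUT -o lo -j ACCEPT"
    # Assumed: let replies for already accepted connections through.
    echo "$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Rule 0: inbound HTTP/HTTPS from anywhere to this member's eth0 address.
    echo "$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport -d $addr --dports 80,443 -m state --state NEW -j ACCEPT"
    # Rule 1: inbound SSH only from the trusted subnets.
    for net in $TRUSTED_NETS; do
        echo "$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -s $net -d $addr --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Rule 2: outbound AJP (8009) from this member to each application server.
    for app in $APP_SERVERS; do
        echo "$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -s $addr -d $app --dport 8009 -m state --state NEW -j ACCEPT"
    done
}

# write_member_scripts <outdir>
# Writes one script per member, as the cluster compile does, and prints the
# number of scripts written.
write_member_scripts() {
    outdir="$1"
    count=0
    mkdir -p "$outdir"
    for m in $MEMBERS; do
        name="${m%%:*}"
        addr="${m##*:}"
        {
            echo "#!/bin/sh"
            echo "# Rules for cluster member $name (eth0 $addr)"
            gen_rules "$addr"
        } > "$outdir/$name.fw"
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: sh cluster-rules.sh <outdir>   (the file name is hypothetical)
if [ $# -gt 0 ]; then
    write_member_scripts "$1"
fi
```

Diffing the three generated files shows that only the `-d`/`-s` member address differs between them, which is exactly the property the cluster gives you: one policy to review, one place to change it.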

Modifying rules

Now that you have a cluster set up to generate firewall policies for each of the server firewalls, it is easy to make changes that affect all your servers. For example, to allow ICMP from the Trusted Networks object to all members of the web-servers cluster, simply add the rule to the cluster policy, then compile and install it on the members.

Adding a New Server to the Cluster

To add a new server to the cluster, you first need to create the firewall object to represent the server. You can do this manually, or you can follow the same duplication process we used to create the web-02 firewall object.

  • Right-click web-02 firewall and select Duplicate -> place in library User
  • Edit the name of the newly created firewall object to web-03
  • Click the Host OS Settings and disable IPv4 Packet forwarding
  • Double-click web-03's IP object under the eth0 interface and set the IP address to 192.0.2.23 / 24

The next step is to add the new web-03 firewall object to the cluster.

Figure 14.188. Add the New web-03 Server to the web-servers Cluster

Repeat this process for the "lo" loopback interface. Remember the steps are:

  • Double-click the interface named web-servers:eth0:members
  • Click the Manage Members button at the bottom of the Editor Panel
  • Click to select the "lo" interface under the web-03 object
  • Click the right arrow > button to add the interface to the cluster member list
  • Click Ok

Installing the Firewall Policy on the New Server in the Cluster

To deploy the firewall policy on web-03, you need to compile and install the cluster policy. Since the cluster policy hasn't changed, we don't need to re-install it on web-01 or web-02, so we unselect them from the install list.

Figure 14.189. Compile the Cluster Policy and Install on web-03

You can add servers to and remove servers from the cluster as needed. Here's our configuration now that we have three servers in the cluster, all running the same firewall rules.

Figure 14.190. Cluster with Three Firewalls Sharing the Same Firewall Policy

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.