14.6.2. Creating Local Firewall Rules for a Cluster Member

In the previous recipe, we showed how to use the Firewall Builder cluster object to create a single firewall policy that gets installed on multiple servers. When we finished, the cluster was configured with three servers, as shown below.

Figure 14.191. Cluster with Three Firewalls Sharing the Same Firewall Policy with One Firewall Also Using Local Rules

In this recipe we will show how to create a set of local rules on one of the cluster members. Local rules are evaluated in addition to the rules that are configured for the cluster.

For this example we will add a local rule to the web-03 server firewall that allows SSH access to the server from a trusted external vendor, whose address range is defined by the network object "Vendor X Network".

  • Allow inbound SSH from network object "Vendor X Network"

The following steps assume that we are starting with the same configuration that the previous example finished with.

Step 1 - Create a New Policy in the web-servers Cluster

Since we only want this policy applied to one of the servers in the cluster, not all of the cluster members, we need to create a separate policy object to hold the local rules.

In this example we name the new policy object "local_rules". The policy name can be any name you choose, except the name of the policy that holds the main firewall rules for the cluster (by default 'Policy').

Figure 14.192. New Policy in Cluster Object web-servers

After you are done, you should see the new policy named local_rules under the web-servers cluster object.

Figure 14.193. Cluster Object web-servers with New Policy local_rules

Step 2 - Create a New Policy in the web-03 Firewall Object

Next we need to create a policy object on the web-03 firewall using exactly the same name as we used for the policy object on the web-servers cluster.

Figure 14.194. New Policy in Firewall Object web-03

Note

You must use the same name for the policy on both the cluster object and the firewall object.

Step 3 - Define the Local Rule in the New Policy on the web-03 Firewall

Recall that the rule we want to add only to the web-03 server is:

  • Allow inbound SSH from network object "Vendor X Network"

When creating local rules, use the interface objects of the firewall that the local rule is being configured on, not the interface objects of the cluster. For our example we use the interface object of the web-03 firewall in both the Destination and Interface fields, with the direction set to inbound. After you configure the rule in the local_rules policy on web-03, the policy should look like this:

Figure 14.195. New Rule in Policy local_rules on Firewall Object web-03

Note

Make sure to configure this rule in the local_rules policy object on the web-03 firewall object. You can see which firewall policy you are editing at the top of the Rules panel.

Step 4 - Set Up a Branching Rule in the Cluster Policy to Jump to the Local Policy

For the rules in the 'local_rules' policy to be applied, we need to set up a branching rule in the main policy, 'Policy', that jumps to local_rules. The branch rule can be placed anywhere in the policy; in this example we make it the first rule, so the custom rules defined on web-03 are evaluated first and then the rest of the cluster rules are applied. Keep in mind that this ordering lets an Accept in local_rules take effect before any Deny that follows in the cluster policy, so local rules should stay narrowly scoped to the source, destination and service they are meant for.

Figure 14.196. New Branching Rule in the Main Policy on the Cluster Object web-servers

Note

Make sure you set the branch target to be the 'local_rules' object from the cluster object and not one of the member firewalls.

After you have configured the branching rule in the main policy, your rules should look like this:

Figure 14.197. Cluster Policy with Branch Rule on Top

Note

Not all firewall platforms support branching. You can find out more about branching in Section 7.2.8.

Step 5 - Compile and Install Policy

Since changes were made to both the web-servers cluster object and the web-03 object, we need to compile and install the updated firewall rules on all cluster members.

When the rules are compiled, Firewall Builder uses the rules in a member's own local_rules policy if that policy exists and is not empty. Otherwise it uses the rules from the cluster object's local_rules policy, which in this example is empty.

To see the result, inspect the generated firewall script for the web-03 server. The excerpt below shows the chain created for the local_rules policy (local_rules, plus the per-rule action chain In_local_rules_0 that logs and then accepts the vendor SSH traffic), followed by the branch rule from 'Policy' that jumps into local_rules from the INPUT, OUTPUT and FORWARD chains. The -i eth0 and -d 192.0.2.13 matches come from the web-03 interface object used in the rule, and -s 198.51.100.0/24 is the "Vendor X Network" object.

echo "Rule local_rules 0 (eth0)"
# 
$IPTABLES -N local_rules
$IPTABLES -N In_local_rules_0
$IPTABLES -A local_rules  -i eth0  -p tcp -m tcp  -s 198.51.100.0/24  \
   -d 192.0.2.13   --dport 22  -m state --state NEW  -j In_local_rules_0
$IPTABLES -A In_local_rules_0  -j LOG  --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A In_local_rules_0  -j ACCEPT
# ================ Table 'filter', rule set Policy
# 
# Rule 0 (global)
# 
echo "Rule 0 (global)"
# 
$IPTABLES -A OUTPUT  -j local_rules
$IPTABLES -A INPUT  -j local_rules
$IPTABLES -A FORWARD  -j local_rules
    

Note

The compiler generates a warning for the web-03 firewall object because web-03 has a policy object named local_rules that shadows the cluster's policy of the same name. When the cluster object and a member object both have a policy with the same name and the member's policy is not empty, the member's policy is used in place of the cluster's policy of that name.

As a result, traffic destined to web-03 is matched against rules in the following sequence.

Figure 14.198. Firewall Rules Sequence for Traffic Destined to web-03

Note

All other members of the cluster get an empty local_rules chain. Traffic enters this empty chain first and, matching nothing, returns to the main rules defined in Policy.

To give another member its own local rules, create a policy named local_rules on that member's firewall object as well; the branch rule already in the cluster policy jumps to it.
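Before installing, it is worth checking each member's compiled script for exactly what the text above describes: that the branch into local_rules was compiled for every member, and which members actually carry rules in that chain. The script below is an added example, not code from the Firewall Builder project or from this guide. The web-03 script body is the fragment quoted earlier in this recipe; the web-01 body is constructed to mirror the empty chain the text describes for the other members, and the file names (web-03.fw, web-01.fw) are an assumption.

```shell
#!/bin/sh
# Added example, not code from the Firewall Builder project or this guide:
# after compiling, check each member's generated iptables script for the
# local_rules chain. The web-03 script body is the fragment quoted in the
# recipe; the web-01 body is constructed to mirror the empty chain the text
# describes for the other members. File names (*.fw) are an assumption.

# Print how many rules were appended to the local_rules chain (0 = empty chain).
# grep -c exits 1 on a zero count, so '|| true' keeps the count usable under set -e.
local_rules_count() {
    grep -c '^\$IPTABLES -A local_rules ' "$1" || true
}

# Succeed only if INPUT, FORWARD and OUTPUT each jump to local_rules, i.e. the
# branch rule from the cluster 'Policy' made it into this member's script.
branches_to_local_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        grep -Eq "^\\\$IPTABLES -A $chain +-j local_rules" "$1" || return 1
    done
    return 0
}

# Write the two sample scripts into directory $1.
write_samples() {
# web-03: member-level local_rules carries the vendor SSH rule (from the recipe).
cat > "$1/web-03.fw" <<'EOF'
echo "Rule local_rules 0 (eth0)"
#
$IPTABLES -N local_rules
$IPTABLES -N In_local_rules_0
$IPTABLES -A local_rules  -i eth0  -p tcp -m tcp  -s 198.51.100.0/24  \
   -d 192.0.2.13   --dport 22  -m state --state NEW  -j In_local_rules_0
$IPTABLES -A In_local_rules_0  -j LOG  --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A In_local_rules_0  -j ACCEPT
# ================ Table 'filter', rule set Policy
echo "Rule 0 (global)"
$IPTABLES -A OUTPUT  -j local_rules
$IPTABLES -A INPUT  -j local_rules
$IPTABLES -A FORWARD  -j local_rules
EOF
# web-01 (constructed): no member-level local_rules, so the chain is created empty.
cat > "$1/web-01.fw" <<'EOF'
$IPTABLES -N local_rules
# ================ Table 'filter', rule set Policy
echo "Rule 0 (global)"
$IPTABLES -A OUTPUT  -j local_rules
$IPTABLES -A INPUT  -j local_rules
$IPTABLES -A FORWARD  -j local_rules
EOF
}

# Stand-alone run: report on both members, then clean up.
tmp=$(mktemp -d)
write_samples "$tmp"
for member in web-03 web-01; do
    f="$tmp/$member.fw"
    if branches_to_local_rules "$f"; then jump=yes; else jump=no; fi
    echo "$member: local_rules chain has $(local_rules_count "$f") rule(s); built-in chains jump to it: $jump"
done
rm -rf "$tmp"
```

Run against the real generated scripts, the count tells you which members actually carry local rules (web-03 should report 1, every other member 0) and the jump check confirms that the branch rule was compiled for each of them. A member that reports rules you did not expect deserves a second look, since the branch sits at the top of 'Policy' and an Accept in local_rules wins over any Deny that follows in the cluster policy.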

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.