FirewallBuilder

Once you have a policy created, you need to compile it into a script that can run on your target device. You then need to install it on that device.

Let's walk through compiling a iptables firewall. Below is the access policy of the firewall.

Figure 10.6. A policy to compile

To compile it use main menu item Rules > Compile.

Alternatively, open the Policy, NAT or routing rules of the firewall you want to compile by double-clicking in the tree, then click the "Compile" icon (the hammer) in the policy window.

To compile several firewalls, use Shift-left click or Ctrl-left click to select more than one firewall. Then, right-click on one of them to bring up the context menu and select Compile.

Different ways to compile one or several firewall objects were described earlier in Section 10.1.

Figure 10.7. Select your firewall

Check the Compile checkbox next to the firewall you want to compile, and uncheck all the others.

Firewall Builder keeps track of the last time the firewall was compiled and also keeps track of any changes since then. If the firewall has not changed since the last compile, that firewall is unchecked by default because no compile is needed. Any direct change done to the rules of the firewall, or a change to any object used in rules, triggers the recompile. You can always force compile by checking the Compile next to the object in the list or skip it by unchecking it.

In addition, you can see which firewalls and clusters have been modified since their last compile by looking at the object tree. If a firewall has been compiled since it was last modified, it appears in normal font. If it has not been compiled since its last modification, it appears in bold.

As you can see in this image, firewalls that need compilation are in bold and are checked by default in the Compile dialog. F irewalls that have been compiled since their last change are in regular font and are unchecked by default.

Figure 10.8. Uncompiled firewalls are in bold

To see the last time a firewall or cluster was compiled, double-click it to bring up its object editor.

Figure 10.9. Object Editor Dialog with last modify and compile times

Returning to Figure 10.7. Since we are just doing a compile, the only checkbox is the Compile checkbox. If we were doing a compile and install in the same run, you would also see an Install checkbox.

Click Next.

A dialog appears that tracks the status of the compile. In this case, we have an error:

Figure 10.10. Compile status messages

Errors appear in red, and warnings appear in blue. In this case, it turns out that one of our rules shadows one of our other rules. For other types of problems, see Section 15.3.

Errors and warnings are clickable. Clicking an error takes you to the portion of the policy where the error occurs.

We fix the problem, then compile again.

Figure 10.11. Successful compile

To see the created script, look in the same directory as your .fwb file. The file will be called <firewallName>.fw. (If you changed your default directory in the Preferences, then the generated script will be there instead.)