10.5.5. Configuring installer to use regular user account to manage the firewall:

Before fwbuilder v3.0.4, the built-in installer could only use a regular account to activate a policy if this account was configured on the firewall to use sudo without a password. Starting with v3.0.4, this is not necessary anymore because the installer can recognize sudo password prompts and enter the password when needed.

  • Create an account on the firewall (say, "fwadmin"), create a group "fwadmin" and make this user a member of this group. Most modern Linux systems automatically create group with the name the same as the user account.

    adduser fwadmin
                

  • Create directory /etc/fw/ on the firewall, make it belong to group fwadmin, make it group writable.

    mkdir /etc/fw
    chgrp fwadmin /etc/fw
    chmod g+w /etc/fw
                

  • Configure sudo to permit user fwadmin to execute the firewall script and a couple of other commands used by the fwbuilder policy installer. Run visudo on the firewall to edit file /etc/sudoers as follows:

    Defaults:%fwadmin   !lecture , passwd_timeout=1 , timestamp_timeout=1
    # User alias specification
    %fwadmin  ALL = PASSWD: /etc/fw/<FWNAME>.fw , /usr/bin/pkill , /sbin/shutdown
              

    Here <FWNAME> is the name of the firewall. Installer will log in to the firewall as user fwadmin, copy the firewall script to file /etc/fw/<FWNAME>.fw and then use the following command to execute it:

    ssh fwadmin@firewall sudo -S /etc/fw/<FWNAME>.fw
              
  • Set up ssh access to the firewall. Make sure you can log in as user fwadmin using ssh from your management workstation:

    $ ssh -l fwadmin <FWNAME>
                

    You may use either password or public key authentication; the installer will work either way. Use putty.exe or plink.exe to test ssh access if you are on Windows (see above for the explanation how to do this).

  • In the installer tab of the firewall settings dialog of the firewall object, put in your user name (here it is "fwadmin"):

    Figure 10.24. 


  • If you need to use an alternative name or IP address to communicate with the firewall, put it in the corresponding field in the same dialog page.

  • Make sure the entry field directory on the firewall where script should be installed is set to /etc/fw. Firewall Builder is not going to create this directory, so you need to create it manually before you install the firewall policy (see above).

  • Leave "Policy install script" and "Command line options" fields blank.

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.