The generated script includes shell code to manage IP addresses of interfaces if the checkbox "Configure interfaces" is turned on in the "Script" tab of the firewall object "advanced" settings dialog. By default, it is turned off.
On Linux the script uses the ip tool, which must be present on the firewall; the script checks that it is available and aborts if it cannot find it. The path to this tool can be changed in the "Host OS" settings dialog of the firewall object. On BSD machines the script uses ifconfig to manage addresses.
The script then checks whether each IP address configured in the GUI exists on the firewall and adds it if necessary. If the script finds an IP address on the firewall that is not configured in the Firewall Builder GUI, it removes it.
If the checkbox "Clear ip addresses and bring down interfaces not configured in fwbuilder" is turned on in the "Script" tab of the firewall settings dialog, the script deletes all IP addresses of all interfaces that are not configured in the Firewall Builder GUI and brings down interfaces that are found on the firewall but are missing in Firewall Builder. The goal is to ensure that the firewall rules operate in an environment that matches the assumptions under which they were generated: if the program generated rules assuming some address does not belong to the firewall but in reality it does, packets may show up in the wrong chain, which leads to wrong behavior of the firewall. This feature is off by default.
The generated script recognizes the command-line parameters "start", "stop", "reload", "interfaces" and "test_interfaces". When the script runs with the parameter "interfaces", it performs only the interface configuration described above. The parameter "start" makes it do that and then load the iptables rules. The parameter "test_interfaces" makes the script perform all the checks of IP addresses and print the commands it would use to add and remove addresses, without actually executing them.
The generated script can manage both IPv4 and IPv6 addresses.
To illustrate how IP address management works, consider the example in Figure 9.1. Interface eth0 has two IPv4 and two IPv6 addresses:
Initial configuration of the addresses on the machine looks like this:
root@linux-test-1:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth1
    inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link
       valid_lft forever preferred_lft forever
The IPv4 address 10.3.14.108 and the IPv6 address fe80::20c:29ff:fe1e:dcaa/64 configured in fwbuilder are already present on the machine, but the other IPv4 and IPv6 addresses are not. First, let's see what happens when the script generated by fwbuilder runs with the command-line parameter "test_interfaces":
root@linux-test-1:~# /etc/fw/linux-test-1-s.fw test_interfaces
# Adding ip address: eth0 192.0.2.1/24
ip addr add 192.0.2.1/24 dev eth0
ifconfig eth0 up
# Adding ip address: eth0 2001:db8:1f0e:162::2/32
ip addr add 2001:db8:1f0e:162::2/32 dev eth0
ifconfig eth0 up
The script detected the existing addresses and did nothing about them, but printed the commands it would execute to add the missing addresses. We can now run the script with the parameter "interfaces" to actually reconfigure the machine, then run it again to demonstrate that, once the addresses have been added, the script does not make any unnecessary changes:
root@linux-test-1:~# /etc/fw/linux-test-1-s.fw interfaces
# Adding ip address: eth0 192.0.2.1/24
# Adding ip address: eth0 2001:db8:1f0e:162::2/32
root@linux-test-1:~#
root@linux-test-1:~# /etc/fw/linux-test-1-s.fw test_interfaces
root@linux-test-1:~#
IP address management works both ways: if the administrator deletes an address in the Firewall Builder GUI, the script will remove it on the machine. To illustrate this, I am going to remove the second IPv4 and IPv6 addresses from the same interface eth0 object and then recompile the script and run it again on the machine:
root@linux-test-1:~# /etc/fw/linux-test-1-s.fw test_interfaces
# Removing ip address: eth0 192.0.2.1/24
ip addr del 192.0.2.1/24 dev eth0
ifconfig eth0 up
# Removing ip address: eth0 2001:db8:1f0e:162::2/32
ip addr del 2001:db8:1f0e:162::2/32 dev eth0
ifconfig eth0 up
As you can see, the script would delete these addresses on the machine to bring its actual configuration in sync with the configuration defined in Firewall Builder.
The script does not delete "scope link" and "scope host" addresses from interfaces.
When you change the IP address of an interface in a Firewall Builder object and then run the generated script on the firewall, the script first adds the new address and then removes the old address from the interface.
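The add-then-remove reconciliation described above, including the "test_interfaces" style of printing commands instead of running them and the rule that "scope link" and "scope host" addresses are never removed, written out as an added POSIX sh example. This is not the fwbuilder-generated script; the function name plan_address_changes and the sample ip output are constructed for illustration.

```shell
#!/bin/sh
# Constructed, abbreviated sample of `ip -o addr show` output (one address per
# line), used in place of a live query so the example runs offline.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
2: eth0    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
2: eth0    inet 192.0.2.1/24 scope global eth0
2: eth0    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link
2: eth0    inet6 2001:db8:1f0e:162::2/32 scope global'

# plan_address_changes IFACE "WANTED ADDRS" "IP -O ADDR OUTPUT"
# Prints, test_interfaces style, the commands that would bring the addresses
# of IFACE in sync with WANTED: missing addresses are added, extra global
# addresses are removed, "scope link" / "scope host" addresses are kept.
plan_address_changes() {
    iface=$1; wanted=$2; current=$3
    # Addresses currently on IFACE as "addr/prefix scope", one per line.
    have=$(printf '%s\n' "$current" | awk -v i="$iface" \
        '$2 == i && ($3 == "inet" || $3 == "inet6") {
            s = "global"
            for (k = 5; k <= NF; k++) if ($k == "scope") s = $(k + 1)
            print $4, s
        }')
    # Add what the GUI configures but the machine lacks.
    for a in $wanted; do
        printf '%s\n' "$have" | awk -v a="$a" '$1 == a { f = 1 } END { exit !f }' \
        || {
            echo "# Adding ip address: $iface $a"
            echo "ip addr add $a dev $iface"
            echo "ifconfig $iface up"
        }
    done
    # Remove what the machine has but the GUI does not configure.
    printf '%s\n' "$have" | while read -r a scope; do
        [ -n "$a" ] || continue
        case " $wanted " in *" $a "*) continue ;; esac
        case $scope in link|host) continue ;; esac
        echo "# Removing ip address: $iface $a"
        echo "ip addr del $a dev $iface"
        echo "ifconfig $iface up"
    done
}

# Real use would pass "$(ip -o addr show)" as the third argument and, outside
# test mode, pipe the printed commands to sh instead of only printing them.
plan_address_changes eth0 "10.3.14.108/24 198.51.100.5/24 fe80::20c:29ff:fe1e:dcaa/64" "$SAMPLE_IP_OUTPUT"
```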
This flexible, incremental management of IP addresses helps simplify the basic configuration of the firewall OS. One can use the standard OS scripts and configuration files to configure the machine with just one IP address on one interface, used for management, and let the script generated by fwbuilder manage all other IP addresses of all interfaces. With this, Firewall Builder becomes a configuration GUI for the whole network setup of the firewall machine.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.