9.2.2. IP Address Management on BSD

Firewall Builder usually generates a firewall script file to configure system parameters such as network interfaces, IP addresses, and static routes. Starting with Firewall Builder V4.2, FreeBSD firewalls can be configured to generate system settings in rc.conf format. Section 12.6.1.1 explains how to configure Firewall Builder for FreeBSD firewalls using rc.conf format.

All configuration information shown below assumes the standard behavior where Firewall Builder generates a firewall script to manage system settings.

The generated script includes shell code to manage IP addresses if the "Configure interfaces" checkbox is turned on in the "Script" tab of the firewall object "advanced" settings dialog. By default, it is turned off.

The script uses the ifconfig utility to add and remove IP addresses. The path to ifconfig can be changed in the "Host OS" settings dialog of the firewall object. The script checks whether the IP address of each interface configured in the GUI exists on the firewall and adds it if necessary. If the script finds an IP address on the firewall that is not configured in the Firewall Builder GUI, it removes it. The goal is to ensure that the firewall rules operate in an environment that matches the assumptions under which they were generated.

The generated script can manage both IPv4 and IPv6 addresses.

To illustrate how IP address management works, consider the example in Figure 9.3. All interfaces have both IPv4 and IPv6 addresses:

Figure 9.3. Example Configuration with Several IPv4 and IPv6 Addresses


Initial configuration of the addresses on the machine looks like this:

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pcn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:25
        groups: egress
        media: Ethernet autoselect (autoselect)
        inet 10.3.14.50 netmask 0xffffff00 broadcast 10.3.14.255
        inet6 fe80::20c:29ff:fe83:4d25%pcn0 prefixlen 64 scopeid 0x1
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
    

Interface pcn0 already has IPv4 and IPv6 addresses that match those configured in Firewall Builder, but interface em0 has only one IPv4 address and a link-local IPv6 address; it does not have the other addresses configured in Firewall Builder. Let's see what happens when the script generated by Firewall Builder runs on the machine:

# /etc/fw/openbsd-test-1-s.fw                                                                                                              
Activating firewall script generated Tue Feb 23 16:39:30 2010 by vadim
net.inet.ip.forwarding: 0 -> 1
# Adding ip address: em0 192.0.2.12 netmask 0xffffff00
# Adding ip address: em0 2001:db8:1f0e:162::20 prefixlen 32
#
    

The script detected existing addresses and did nothing about them. It also added missing addresses. Here is what we get:

# ifconfig -A                  
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pcn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:25
        groups: egress
        media: Ethernet autoselect (autoselect)
        inet 10.3.14.50 netmask 0xffffff00 broadcast 10.3.14.255
        inet6 fe80::20c:29ff:fe83:4d25%pcn0 prefixlen 64 scopeid 0x1
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
        inet 192.0.2.12 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 2001:db8:1f0e:162::20 prefixlen 32
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
    

I am going to run the script again to demonstrate that after addresses were added, it is not going to make any unnecessary changes:

# /etc/fw/openbsd-test-1-s.fw  
Activating firewall script generated Tue Feb 23 16:39:30 2010 by vadim
net.inet.ip.forwarding: 1 -> 1
# 
    

IP address management works both ways: if the administrator deletes an address in the Firewall Builder GUI, the script will remove it on the machine. To illustrate this, I am going to remove the second IPv4 and IPv6 addresses from the same interface em0 object and then recompile the script and run it again on the machine:

Figure 9.4. Configuration After Additional IPv4 and IPv6 Addresses Have Been Removed


# /etc/fw/openbsd-test-1-s.fw  
Activating firewall script generated Tue Feb 23 16:46:26 2010 by vadim
net.inet.ip.forwarding: 1 -> 1
# Removing ip address: em0 192.0.2.12 netmask 0xffffff00
# Removing ip address: em0 2001:db8:1f0e:162::20 prefixlen 32
#
    

As you can see, the script deleted these addresses on the machine to bring its actual configuration in sync with the configuration defined in Firewall Builder.

Note

The script does not delete "scope link" and "scope host" addresses from interfaces.

When you change the IP address of an interface in the Firewall Builder object and then run the generated script on the firewall, the script first adds the new address and then removes the old address from the interface.
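The reconciliation described in this section, as an added dry-run sketch (not the script Firewall Builder generates): it parses ifconfig output for one interface, compares it with a desired address list, and prints the ifconfig commands it would run, additions before removals. The function names, the sample input (constructed from the em0 listing above), and the treatment of fe80::/10 and loopback addresses as the ones never deleted are assumptions of this example.

```shell
#!/bin/sh
# Dry-run sketch of per-interface address reconciliation (added example,
# not Firewall Builder's generated code). Prints commands, changes nothing.

# Constructed sample: the em0 stanza after the extra addresses were added.
SAMPLE_EM0='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
        inet 192.0.2.12 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 2001:db8:1f0e:162::20 prefixlen 32'

# current_addrs: ifconfig output on stdin -> "family address" lines.
# Assumption: link-local (fe80::/10) and loopback addresses are the ones
# that are never managed, so they are dropped here and can never be removed.
current_addrs() {
    awk '$1 == "inet" || $1 == "inet6" {
        if ($2 ~ /^fe[89ab][0-9a-f]:/ || $2 ~ /^127\./ || $2 == "::1") next
        sub(/%.*/, "", $2)            # strip a %scope suffix if present
        print $1, $2
    }'
}

# has_addr LIST FAMILY ADDRESS: true if LIST has a line starting with that pair.
has_addr() {
    printf '%s\n' "$1" |
        awk -v f="$2" -v a="$3" '$1 == f && $2 == a { ok = 1 } END { exit !ok }'
}

# plan_changes IFACE IFCONFIG_OUTPUT DESIRED
# DESIRED holds lines like "inet ADDR netmask MASK" / "inet6 ADDR prefixlen LEN".
# Additions are printed before removals, the order the text above describes
# for a changed address.
plan_changes() {
    pc_if=$1
    pc_have=$(printf '%s\n' "$2" | current_addrs)
    pc_want=$3
    printf '%s\n' "$pc_want" | while read -r fam addr rest; do
        [ -n "$fam" ] || continue
        has_addr "$pc_have" "$fam" "$addr" ||
            echo "ifconfig $pc_if $fam $addr $rest alias"
    done
    printf '%s\n' "$pc_have" | while read -r fam addr; do
        [ -n "$fam" ] || continue
        has_addr "$pc_want" "$fam" "$addr" ||
            echo "ifconfig $pc_if $fam $addr -alias"
    done
}

# Desired state keeps only the management address: the two extras are removed.
plan_changes em0 "$SAMPLE_EM0" 'inet 10.1.1.50 netmask 0xffffff00'
```

Reviewing the printed plan before a generated script runs is a quick way to confirm that the management address appears in the desired list and will not be removed.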

This flexible incremental management of IP addresses helps simplify basic configuration of the firewall OS. One can use standard OS scripts and configuration files to configure the machine with just one IP address on one interface, used for management, and let the script generated by Firewall Builder manage all other IP addresses on all interfaces. With this, Firewall Builder becomes a configuration GUI for the whole network setup of the firewall machine.

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.