 |
FirewallBuilder |
|
Search Users Guide
The object tree stores all objects in a predefined hierarchy:
- Types that correspond to network objects (hosts, address ranges, networks, and groups of these) are located in the Objects branch.
- Types that correspond to services are located in the Services branch.
- Time intervals are located in the Time branch.
- All firewalls are located in the Firewalls branch.
Newly created objects are automatically placed in the appropriate position in the tree. Each branch of the tree is automatically sorted by the object name.
The program has three default libraries: User, Standard, and Deleted Objects.
- The User library holds objects that you define, including objects for your firewall, hosts, and networks.
- The Standard library holds a collection of predefined standard objects that come with Firewall Builder. Note that you need not (and cannot) insert objects into the Standard tree.
- The Deleted Objects library acts like a trash can or recycle bin for user objects you delete. Note that the Deleted Objects library must be enabled using the menu option.
In addition, you can create custom libraries by selecting from the menu. You can populate the new library by copying and pasting objects other views or by creating them from scratch within the new library. Section 5.6 provides instructions for creating and distributing user-defined libraries.
Functionally, there is no difference between having an object in the Standard tree, the User tree, or a user-defined tree; it is just a convenient way to sort objects in the tree. You can think of each as a kind of the "view". The choice of tree affect only the display of the data in the GUI; objects are all equal in all other senses and you can use an object from any library in your policy.
The object that is currently selected in the tree is highlighted in color and is shown in the dialog area on the right.
Firewall Builder understands and uses the object and service types described in the table below. See Chapter 5 and Section 5.3 for more detailed information.
Table 4.8. Object Types
| Object Type | Explanation |
|---|---|
| Library | A library of objects. Firewall Builder comes with the User, Standard, and Deleted Objects libraries. In addition, you can create your own. |
| Cluster | A high-availability pair of firewall devices. The firewall objects themselves must be created as firewall objects, then added to the cluster. The cluster's platform and OS settings must match those of the component firewalls. |
| Firewall | A physical firewall device, its interfaces and addresses, and the policy rule sets associated with the device. Use Firewall Builder to model your actual device's firewall software, OS, interfaces and addresses. Then, use Firewall Builder to construct the policy rule sets to assign to the device. |
| Host | A computer on your network. Hosts can have interfaces associated with them. |
| Interface | A physical interface on a firewall or host. Interfaces can have IP and physical (MAC) addresses associated with them. An IP address can be created from the for the selected interface, but physical addresses can only be created by right-clicking on an interface object. |
| Network | An IPv4 subnet |
| Network IPv6 | An IPv6 subnet |
| Address | An IPv4 address |
| Address IPv6 | An IPv6 address |
| DNS Name | A DNS "A" or "AAAA" record. This name is resolved into an IP address at compile or run time. |
| Address Table | An IP address. Objects of this type can be configured with the name of an external file that is expected to contain a list of IP addresses. Mixing IPv4 and IPv6 addresses is supported. Addresses can be loaded during policy compile or during the execution of a generated firewall script. |
| Address Range | A range of IPv4 or IPv6 IP addresses. This range does not have to be a specific subnet, but address must be contiguous. |
| Object Group | A collection of addressable objects (objects that have or contain IP addresses) such as network, interface, and hosts objects. A group is useful for creating a less cluttered-looking firewall policy and for making sure you have the same objects in every related rule. |
| Dynamic Group | Dynamic Groups include filters based on the object type and keywords in order to build a dynamic list of objects that will be included in the group. Dynamic Groups are used in rules in the same way that standard Object Groups are. When a firewall is compiled the Dynamic Group is expanded to include all the object matching the filter rules when the compile is run. |
| Custom Service | An object that can be used to inject arbitrary code into the generated firewall script. |
| ESTABLISHED and ESTABLISHED IPv6 Services | An object matching all packets that are part of network connections established through the firewall, or connections 'related' to those established through the firewall. (The term "established" here refers to the state tracking mechanism used by iptables and other stateful firewalls; it does not imply any particular combination of packet header options.) |
| IP Service | An IP service such as GRE, ESP, or VRRP. This category is meant to include IP services that do not fall into ICMP, ICMP6, TCP, or UDP service categories. |
| ICMP Service | An ICMP service such as a ping request or reply. |
| ICMP6 Service | An ICMP6 service such as "ipv6 packet too big", "ipv6 ping request", or "ipv6 ping reply". |
| TCP Service | A TCP service such as HTTP, SMTP, or FTP. |
| UDP Service | A UDP service such as DNS or NTP. |
| TagService | A service object that lets you examine the tag in an IP header. You can then construct your rule to take appropriate action on a match. |
| User Service | A service object that matches the owner of the process on the firewall that sends the packet. This object correlates to the "owner" match in iptables and the "user" parameter for PF. |
| Service Group | A collection of services. For example, Firewall Builder comes with the Useful_ICMP service group containing the "time exceeded", "time exceeded in transit", "ping reply", and "all ICMP unreachable" ICMP services. It also comes with a "DNS" service group containing both the UDP and TCP version of DNS. Grouping services is useful for creating a less cluttered-looking firewall policy and for making sure you have the same objects in every related rule. |
| Time Interval | A time period such as "weekends" or a range of dates, or a range of times on certain days of the week. Can be used as part of rule matching in Access Policy rule sets to provide or deny access to something based on time. Note that these time intervals are relative to the time on the firewall device itself. |
Firewall Builder comes with a set of predefined system folders as shown in Figure 4.12. You can also create your own subfolders in the Object Tree to help organize your objects.
Figure 4.14 shows the object tree of a retailer with multiple stores in several cities. As you you can see the objects are not grouped together which can make it hard to quickly find the object you are looking for. Subfolders provide an easy way to organize your objects.
To add a subfolder right-click on one of the system folders, in this case we are going to start with the Firewalls folder, and select the New Subfolder menu item.
A dialog window will appear. Enter the name of your subfolder an click OK. In this case we will create a new subfolder called "Berlin" to hold all the Firewall objects located in Berlin.
To add the firewalls to the Berlin subfolder, select the firewall objects in the tree as shown in Figure 4.16, and drag-and-drop the firewalls onto the Berlin subfolder.
Figure 4.17 shows the Object Tree after folders have been created for both London and New York and the firewalls at each of these locations have been moved to the subfolder. As you can see this makes it much easier to find things quickly in your tree.
While this example showed using subfolders in the Firewalls system folder, you can create subfolders in any of the predefined system folders.
Note
To delete a subfolder simply right-click on the subfolder and select Delete. If there are objects in the subfolder Firewall Builder will pop-up a warning showing the locations where the objects that are going to be deleted are used.
If you don't want to delete the objects in the subfolder then you first need to move them to the system folder by selecting all the objects in the subfolder and dragging-and-dropping them onto the system folder that is the parent of the subfolder you want to delete.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.