nice howto from here

Configuring a firewall policy using iptables can be difficult. If you do it by hand, you need to learn a complicated command line syntax and understand packet flow inside Linux kernel very well. GUI applications such as Firestarter can help build simple configuration but quickly run out of steam when security policy becomes complex. This article introduces “Firewall Builder”, a GUI firewall configuration and management tool designed to help solve this problem.

Firewall Builder (also known as fwbuilder) is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex that is allowed by simple web based UI can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.

Firewall Builder is available from the libfwbuilder and fwbuilder packages in both Debian and Ubuntu (in Universe). Packages for the current development builds are available from the project download area on SourceForge

To start the program, find it in the “System/Administration” menu.

If it is not there, then it probably needs to be installed on your system. You need to install the fwbuilder and libfwbuilder packages.

Use apt-get or aptitude to find and install them:

    # aptitude install libfwbuilder fwbuilder<br />  </pre>   <p>    On FreeBSD and OpenBSD Firewall Builder is part of    ports, you can find it in <tt>/usr/ports/security/fwbuilder</tt>.  </p>   <p>    Packages shipping with Debian and Ubuntu are always one or two    minor revisions behind. If you want to try the latest version, you    can use pre-built binary <em>.deb</em> packages offered on the    project's web site or build from source using our    online <a href="http://www.fwbuilder.org/guides/firewall_builder_installation.html" rel="nofollow">installation instructions</a>. Pre-built binary packages and source code archives can be downloaded  from <a href="http://www.fwbuilder.org/docs/firewall_builder_packages.html" rel="nofollow">from  this page</a>.  </p>   <p> If the system menu item is not there or you have built the program from source, you can always launch it from the command line by just typing "fwbuilder" on the shell prompt: </p>   <pre>    $ fwbuilder<br />  </pre>   <p>    The program starts and opens the main window and greeting dialog. The    dialog provides links to the project web site where you can find    tutorials, FAQ, the Firewall Builder CookBoook and other    documentation, as well as bug tracking system and links to user    forums and mailing list. Clicking on the link in the dialog opens    the corresponding web page in your web browser. This works the same on    all supported OS: Linux, Windows and Mac OS X. You can always open    this dialog later using an item in the main menu "Help".  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_010.png" />   <p>    Lets create our first firewall object. To do this, we'll use    object creation menu that appears when you click on the icon in    the small toolbar right above the object tree. Choose menu item    "New Firewall" from the menu that appears.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_020.png" />   <p>    The program presents wizard-like dialog that will guide you    through the process of creation of the new firewall object.  In    the first page of the wizard you can enter the name for the new    firewall object (here it is "guardian"), its platform ("iptables")    and host OS ("Linux").  </p>   <p>    There are two ways a new firewall can be created: you can use one of    the preconfigured template firewall objects or create it from    scratch. This tutorial demonstrates the first method (using    a template object). To do this, check checkbox "Use preconfigured    template firewall objects". Template can be taken from the library    of template objects that comes with the Firewall Builder package or    from a file provided by the user. The latter is useful when    administrator wants to distribute a library of predefined    templates to other users in the enterprise. We are using one of    the standard templates in this guide and therefore leave    standard template library path and name in the "Template file:"    input field. Click "Next" to move on to the next page of the    wizard.  </p>   <p>    Note that the template firewall object comes completely configured,    including addresses and netmasks of its interfaces and some basic    policy and NAT rules. This configuration is intended as a starting    point only. You should reconfigure the addresses of interfaces to    match those used on your network and most likely will have to    adjust rules to match your security policy.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_030.png" />   <p>    This page of the wizard shows template objects and their    configuration. Standard template objects represent firewalls with    two or three interfaces, a host with one interface, web server or    Cisco router. Choose firewall with three interfaces for this    guide. Note that template comes with completely configured    firewall object, including set of interfaces and their ip    addresses and some basic firewall policy. You will see how    addresses can be changed later on in this guide. Click "Finish" to    create a new firewall object using chosen template.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_040.png" />   <p>    Here is our new firewall object. Its name is "guardian", it    appears in the object tree in the left hand side of the main    window in the folder <tt>Firewalls</tt>. When an object is selected    in the tree, a brief summary of its properties appears in the    panel under the tree. Double-clicking on the object in the tree    opens it in the editor panel at the bottom of the right hand side    panel of the main window. The editor for the firewall object    allows the user to change its name, platform and host OS and also    provides buttons that open dialogs for "advanced" settings for the    firewall platform and host OS. We will inspect these little later    in this tutorial.  </p>   <p>    You can always resize the main window to make all columns of the    policy view be visible.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_050.png" />   <p>    Now would be a good time to save the data to a disk file. This is    done in a usual way using the main menu "File |Save As".  </p>    <p>    Lets take a little tour of the network and service objects that    come as standard with the program. You can use these preconfigured    objects to build policy and NAT rules for your firewall.  </p>   <p>    Objects in the tree are orginized in libraries, you can switch    between libraries usinf drop-down menu above the tree. Firewall    Builder comes with a collection of address, network, service and    time interval objects in the library called "Standard". Lets take    a look at them. Notice that the background color of the panel that    shows objects tree depends on the chosen object library. This    makes it easier to keep track of the library currently opened in    the program.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_060.png" />   <p>    The folder <tt>Objects/Hosts</tt> contains few host objects used in    standard firewall templates.  The folder <tt>Objects/Network</tt>    contains network objects that represent various standard address    ranges and blocks, such as multicast, net 127/8, networks defined    in RFC1918 and so on.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_070.png" />   <p>    Firewall Builder also comes with extensive collection of TCP, UDP    and ICMP service objects that describe commonly used    protocols. This slide shows some TCP objects (all of them do not    fit in the screenshot).  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_080.png" />   <p>    Here is an example of a simple TCP service. It defines source and    destination port ranges (in this case source port range is not    defined and there is only one destination port 80). TCP service    object can also define any combination of tcp flags the firewall    should inspect and also which ones of them should be set in order    for a packet to match this object. In the case of the service    "http" we do not need to define any flags.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_090.png" />   <p>    Now lets take a look at the objects created as part of the new    firewall object "guardian". In order to do this, switch to    the library <tt>User</tt> where this object was created. To open an    object in the editor panel to inspect or change it, double click    on it in the tree. Also, if you click on an object in the policy    rule to select it, it will automatically open in the tree on the    left.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_100.png" />   <p>    First, the firewall object itself.  </p>   <p>    Every object in fwbuilder has basic attributes such as its name    and comment. Other attributes depend on the object type.  </p>   <p>    Attributes of the firewall object include platform (which may be    iptables, pf, ipfilter, & etc.), version (platform-depended) and    host OS. The buttons "<tt>Host OS Settings</tt>" and "<tt>Firewall    Settings</tt>" open dialogs with many additional attributes that    depend on the firewall platform and host OS. More on these later.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_110.png" />   <p>    Here are the choices for the firewall platform, version (for    iptables) and host OS.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_103.png" />   <p>    Interfaces of the firewall are represented by objects located    below the Firewall object in the tree. We refer to them as    "children" of the firewall object. This slide demonstrates    properties of the interface <tt>eth0</tt>. To open it in the editor double    click on it in the tree. If editor panel is already open and shows    some object, it is sufficient to select new object in the tree to    reveal it in the editor panel (no need to double click).  </p>   <p>    The IP and MAC addresses of interfaces are represented by child    objects in the tree located below corresponding interface.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_120.png" />   <p>    The interface object has  several attributes that define its function,    such as "Management interface", "external" etc.  </p>   <p>    </p><ul><li>Name: the name of the interface object in Firewall Builder must        match exactly the name of the interface of the firewall machine it        represents. This will be something like "eth0", "eth1", "en0", "br0"        and so on.</li><li>Label: On most OS this is not used and serves the purpose of        a descriptive label. Firewall Builder GUI uses a label, if it is not        blank, to show interfaces in the tree. One of the suggested uses for        this is to mark interfaces to reflect the network topology        or the purpose. The label is mandatory for Cisco PIX though, where it must        reflect the network topology.</li><li>"Management interface": Sometimes the host has several network        interfaces in which case one of them can be marked as the <i>management interface</i>. The management interface is used for all communication between Firewall Builder and the host.</li><li>"External interface (insecure)": marks an interface that connects        to the Internet.</li><li>"Unprotected interface": marks interface to which fwbuilder should        not assign any access lists (used only with Cisco IOS platform)</li><li>"Regular Interface": Use this option if the interface has an IP        address assigned to it manually.</li><li>"Address is assigned dynamically": Use this option if the        interface has a dynamic address (obtained by means of DHCP or PPP or        another protocol); in this case an address is unknown at the moment        when Firewall Builder generates the firewall policy. </li><li>"Unnumbered interface": Use this option if the interface can never        have an IP address, such as the ethernet interface used to run PPPoE        communication on some ADSL connections, tunnel endpoint interface, or        an interface on a bridging firewall. See below Section 5.3.1 for more        detailed discussion of these different types of interfaces. </li><li>"Bridge port": this option is used for port of bridged firewall.</li><li>"Security level": security level of this interface, used only with        Cisco PIX (ASA)</li><li>"Network zone": network zone of this interface, used only with        Cisco PIX (ASA). Network zone drop-down list shows all network obejcts        and groups of addresses and networks present in the tree. Choose one        of them to tell the compiler which networks and blocks of addresses        can be reached through this interface. Compiler uses this information        to decide which interface each ACL rule should be associated with        based on the addresses used in the destination of the rule.</li></ul>     <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_130.png" />   <p>    Here is IP address of interface eth0, external interface of the    firewall. The address and netmask are attributes of the child    object of the type "IPv4 address". Here the address is "192.0.2.1"    and netmask "255.255.255.0". Button "DNS Lookup" can be used to    determine ip address using DNS. The program runs DNS query for the    "A" record for the name of the parent firewall object.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_140.png" />     <p>    Lets look at the IP address of the internal interface of the    firewall. The address used in the template is "192.168.1.1" with    netmask "255.255.255.0". This is rather typical address used for    small and home networks. Some commercial firewall appliances come    preconfigured with this address.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_150.png" />   <p>    If address <b>192.168.1.0/24</b> matches address of your local    network, you can skip this part of the guide and move to the page    4. Otherwise, you need to reconfigure the address of the internal    interface of the firewall object that you just created in    fwbuilder and also change address object used in the policy    rules. Start with changing address attribute (and possibly    netmask, if necessary) of the object <b>guardian:eth1:ip</b> as    shown in the screenshot:  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_160.png" />   <p>    Now we need to change IP address used in the rules. To do this, we    create new Network object with correct address and replace object    <tt>net-192.168.1.0</tt> in all rules with this new network object.  </p>   <p>    Use new object menu to create Network object.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_170.png" />   <p>    New Network object is created with the default name "New Network" and the IP address 0.0.0.0.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_180.png" />   <p>    Edit the object name and address, then hit "Apply".  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_190.png" />   <p>    Use the menu "Object | Find" to activate the search and replace dialog. The    Find and Replace dialog opens at the bottom of the right hand side    panel in the main window, below the policy rules view.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_200.png" />   <p>    Locate object object <tt>net-192.168.1.0</tt> in any policy rule    where it is used or in its location in the tree in    library <tt>Standard</tt> and drag and drop it to the left object    well in the search and replace dialog as shown on the screenshot:  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_210.png" />   <p>    Change the scope setting to "Policy of all firewalls". If you have    many firewalls in the tree, use scope "policy of the opened    firewall" instead.  Locate the new Network object you have just created in    the tree and drag and drop it to the right object well in the    search and replace dialog as shown on the screenshot:  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_220.png" />   <p>    Now hit "Replace all" button.  A pop-up dialog should appear and    report how many replacemens the program had to make in all rules    of the firewall. Note that the replacement is done not only in the    policy rules, but in NAT rules as well.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_230.png" />   <p>    Now that you have created a new object and replaced old network    object with new one in all rules, do not forget to save data to a    file using menu "File | Save".  </p>     <p>  </p>   <p>    Lets inspect the properties of the firewall object. Double click on    the firewall "guardian" in the tree to open it in the editor    panel, then click "Firewall Settings" button in the editor. This    opens new dialog that looks like this. Notice the "Help" button in    this dialog, clicking this button opens help as shown on the next    slide.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_240.png" />   <p>    The online help explains all attributes and paramaters located in each    tab of the firewall settings dialog. I encourage you to explore it    as many parameters are important and affect the generated iptables    script in different ways.  </p>   <p>    The next few screenshots show other tabs of the firewall settings    dialog. You can find detailed explanations of all parameters in    the online help.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_250.png" />   <p>    This page defines various parameters for the built-in policy    installer. Installer uses ssh client (pscp.exe and plink.exe on    Windows) to transfer the generated script to the firewall machine and    activate it there.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_260.png" />   <p>    User can define shell commands that will be included in the    generated script at the beginning and in the end of it. These    commands can do anything you want, such as configure some    subsystems, set up routing etc.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_270.png" />    <p>    Parameters for logging.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_280.png" />     <p>    More options for the script generation. Notice that fwbuilder can    produce iptables script in two formats: 1) as a shell script that    calls iptables utility to add each rule one by one, or 2) it can    use iptables-restore script to activate the whole policy at    once. Other parameters are explained in the online help.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_290.png" />     <p>    Starting with v3.0 Firewall Builder can generate both IPv4 and    IPv6 policy. This tab controls the order in which they are added    to the script if user defined rules for both address families in    the Policy objects of the firewall.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_300.png" />     <p>    Lets take a look at the policy of the template firewall. These    rules are intended to be an example, a starting point to help you    create your own policy quicker. Most likely you will want to    modify them to suit your requirements. Explanation of the rules    given here is rather brief because the goal of this guide was only    to demonstrate how to use the Firewall Builder.  </p>   <p>    </p><ul><li>Rule 0: this is an anti-spoofing rule. It block incoming        packets with source address that matches addresses of the        firewall or internal or DMZ networks. The rule is associated        with outside interface and has direction set to        "Inbound".</li><li>Rule 1: this rule permits any packets on loopback        interface. This is necessary because many services on the        firewall machine communicate back to the same machine via        loopback.</li><li>Rule 2: permit ssh access from internal network to the        firewall machine. Notice service object "ssh" in the column        "Service". This object can be found in the Standard objects        library, folder Services/TCP.</li></ul>     <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_310.png" />    <p>    Policy rules belong to the object "Policy", which is a child    object of the firewall and can be found in the tree right below    it. As any other object in Firewall Builder, Policy object has    some attributes that you can edit if you double click on it in the    tree.  </p>   <p>    </p><ul><li>        Policy can be either IPv4, or IPv4 or combined IPv4 and        IPv6. In the latter case you can use a mix of IPv4 and IPv6        addess objects in the same policy (in different rules) and        Firewall Builder will automatically figure out which one is        which and will sort them out.      </li><li>        Policy can translate to only mangle table, or a combination of        filter and mangle tables. Again, in the latter case policy        compiler decides which table to use based on the rule action        and service object. Some actions, such as "Tag" (translates        into iptables target MARK) go into mangle table.      </li><li>        "Top ruleset" means that compiler will place generated        iptables rules into built-in chains INPUT/OUTPUT/FORWARD. If        policy is not marked as "top ruleset", generated rules will go        into user-defined chain with the name the same as the name of        the policy object.      </li></ul>      <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_320.png" />   <p>    Here are preconfigured NAT rules.  </p>   <p>    </p><ul><li>Rule 0: tells the firewall that no address translation      should be done for packets coming from network 192.168.2.0 going      to 192.168.1.0 (because Translated Source, Translated      Destination and Translated Service are left empty)      </li><li>Rule 1: packets coming to the firewall from internal and DMZ      networks should be translated so that source address will change      and become that of the outside interface of the firewall.      </li><li>Rule 2: packets coming from the Internet to the interface      "outside" will be translated and forwarded to the internal      server on DMZ represented by the host object "server on dmz".      </li></ul>      <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_330.png" />     <p>    Now we should be ready to compile the policy of the    firewall "guardian" and generate an iptables script. To do this,    select firewall in the tree and click right mouse button. Choose     "Compile" in the pop-up menu. The dialog that appears lists    all firewall objects defined in the objects tree and lets you    select which ones should be compiled. The firewall "guardian"    has just been created and has never been compiled and dialog shows    that. Make sure checkbox next to the firewall    object "guardian" is checked and click the Next button.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_340.png" />   <p>    Firewall Builder calls policy compiler (which is an    external program which can be used on the command line). The next    page of the dialog shows compiler progress and result.  </p>   <img src="http://www.debian-administration.org/articles/632/debadm_gsfwb_350.png" />   <p>    The compiler generates an iptables script in the file with the name the    same as the name of the firewall object, with extension "<tt>.fw</tt>". The    file is placed in the same directory where the data file <tt>.fwb</tt> is    located.  </p>   <pre> $ ls -la test2.fwb guardian.fw<br />-rwxr-xr-x 1 vadim vadim 11253 2009-02-16 16:41 guardian.fw<br />-rw-r--r-- 1 vadim vadim 24696 2009-02-16 16:41 test2.fwb<br />  </pre>   <p>    Here is how generated script looks liie. This is just a fragment    from the middle to show some generated iptables commands.  </p>   <pre># ================ IPv4<br /><br /><br /># ================ Table 'filter', automatic rules<br />$IPTABLES -P OUTPUT  DROP<br />$IPTABLES -P INPUT   DROP<br />$IPTABLES -P FORWARD DROP<br /><br />cat /proc/net/ip_tables_names | while read table; do<br />  $IPTABLES -t $table -L -n | while read c chain rest; do<br />      if test "X$c" = "XChain" ; then<br />        $IPTABLES -t $table -F $chain<br />      fi<br />  done<br />  $IPTABLES -t $table -X<br />done<br /><br /><br />$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT<br />$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT<br />$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT<br /><br /># ================ Table 'nat',  rule set NAT<br /># NAT compiler errors and warnings:<br />#<br />#<br /># Rule 0 (NAT)<br />#<br />echo "Rule 0 (NAT)"<br />#<br /># no need to translate<br /># between DMZ and<br /># internal net<br />$IPTABLES -t nat -A POSTROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT<br />$IPTABLES -t nat -A PREROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT<br />#<br />  

Now you can transfer it to the firewall and execute it there to install the iptables rules. However it is much more convenient to use the built-in policy installer to do this. To use installer, click right mouse button on the firewall object in the tree and use menu item “Install”. Firewall Builder will compile the policy if necessary and then open a dialog where you can configure parameters of the installer. Here you need to enter the password to authenticate to the firewall. Once you click OK, the installer will connect to the firewall using ssh client. First, it will copy generated script to the directory /etc on the firewall (or different one, if configured in the Installer tab of firewall settings dialog), then it will run this script and check for errors. Its progress will be visible in the panel of the installer wizard, just like the progress of policy compiler.

This guide walked you step by step through the process of creating of a firewall object, making some minor changes in its parameters and policy rules, compiling the policy and activating it on the firewall machine. This guide did not touch advanced topics such as built-in revision control system, working with multiple data files, working with multiple firewall objects, IPv6. You can find documentation and guides on these topics and more on our project web site at http://www.fwbuilder.org.

Advertisements