Tuesday, December 30, 2008

Packages for Ubuntu Hardy i386

I installed a virtual machine with Ubuntu Hardy i386 and will build .deb packages for this architecture from now on (again). Packages for the latest development build, v3.0.4 build 724, are now available for download from the nightly builds site at

The current set of OSes and architectures I build binary packages for is as follows:

Ubuntu Hardy i386
Ubuntu Hardy amd64
Ubuntu Intrepid amd64
Fedora Core 9 i386
CentOS 5.2 i386

I think I can add a couple more virtual machines on this server; contact me with requests.

Monday, December 8, 2008

Firewall Builder v3.0.3 released

This is a bug-fix release. Problems with storing IPv6 addresses on FreeBSD have been fixed. GUI stability when copying multiple objects between different data files has been improved. The parser for Cisco IOS configurations can now import configurations with a wider range of constructs. Support for non-ASCII characters in RCS commit comments has been implemented.

One of the most important changes in this release is also one of the smallest and was the simplest to fix: the firewall script produced by the policy compiler for iptables used to have the "executable" bit set in its permissions in versions prior to 3.0.2. However, this was broken in 3.0.2 and is now fixed again.

See full Release Notes here

Thursday, November 27, 2008

Packages for Ubuntu 8.10 (Intrepid)

Packages for 64-bit Ubuntu Intrepid have been uploaded to SourceForge. The virtual machine on which I build them will be included in the nightly builds pool.

Wednesday, November 26, 2008

How to make the built-in installer work with firewalls that do not support SFTP

The built-in installer in v3.0.2 uses scp to copy the generated firewall script to the firewall. On Windows I recommend PuTTY as the ssh client; it includes the utility pscp.exe, which is their equivalent of scp. I am told the ssh server in some embedded firewalls may not work with pscp.exe right away. One example is DD-WRT; the error you get looks like this:

sh: /usr/libexec/sftp-server: not found
unable to initialise SFTP: could not connect
SSH session terminated, exit status: 1

To get around this, enter the command line option "-scp" in the "Additional command line parameters for scp" input field in the "Installer" tab of the firewall object dialog, visible at the bottom of the screenshot here.

Firewall Builder 3.0.2 build 672

A last-minute bug was discovered in the iptables policy importer that caused a GUI crash. The bug is fixed in version 3.0.2 build 672. All packages on SourceForge and our web site have been replaced with new ones.

Monday, November 24, 2008

Firewall Builder 3.0.2 released

Notable new features in this release:
  • Built-in installer uses scp (pscp.exe on Windows) to copy files to the firewall, which makes it work much faster.
  • Data file compression (optional)
  • Support for pure mangle table rule sets for iptables
  • Significant improvement in the speed of the shadowing detection for all compilers (up to 5 times on large linear policies)
  • Numerous improvements in the built-in policy importer for iptables (but no support for IPv6 yet)
  • Russian and Japanese translations
See Release Notes for the full list of changes and bug fixes in this release.

Download packages here

Saturday, November 22, 2008

Using tables with PF rules

New additions to the Firewall Builder Cookbook reproduce rules found in the excellent book "The Book of PF" (http://nostarch.com/pf.htm). I chose rules from Chapter 6, "Turning the Tables for Proactive Defense", because they illustrate the usage of dynamic tables, a very powerful mechanism that allows one to build a firewall policy that matches large numbers of IP addresses which may change all the time, without reloading the firewall policy. This is very easy to do in Firewall Builder with run-time Address Table objects.

New chapters in the Firewall Builder Cookbook:

Rules for PF and spamd

Rules to block brute force attacks with PF

Saturday, November 1, 2008

New project: reproducing rules from iptables and pf examples and tutorials with fwbuilder

I started a little project in which I take iptables or pf tutorials and examples and try to reproduce the rules found in them with fwbuilder. I put them in separate Firewall Builder Cook Book chapters. Right now I have a few chapters about different ways to configure the firewall for a transparent proxy, as well as some other things. It isn't much, but I intend to keep adding more examples as I find them.

I try to follow the same format in these chapters, where I provide a link to the original document, then add screenshots to demonstrate how this can be done in fwbuilder and then provide snapshots of generated rules as well as a copy of the rules from the original document for comparison.

Some examples are rather trivial, while others are not. See the chapter about the iptables setup for the IPP2P module. Regardless of whether you need to do anything with P2P traffic and therefore need the module or not, this chapter demonstrates interesting mangle rules and how they can be done in fwbuilder. This can be useful in other situations, not only for the IPP2P module.

Please send pointers to the examples you'd like me to add to the Cook Book. Anything goes, but rules in your examples should be relatively complex and not covered by existing chapters. If you have some interesting example of your own, not found in some tutorial on the web, please send those as well.

Firewall Builder CookBook can be found here

Thank you!

Transparent proxy rules for PF

Another Firewall Builder CookBook chapter tries to reproduce rules for transparent proxy with PF found in the document OpenBSD Packet Filter (pf)
The same rules can also be found in many other places on the web, for example here: http://schools.coe.ru.ac.za/wiki/Configuring_transparent_proxy

These rules can be reproduced exactly for the most part, except for the inbound interface matching in the redirecting NAT rule. The Firewall Builder rule model for NAT rules does not provide a place for the interface, so this cannot be done exactly as the original requires. However, the rules I propose match the source address of the packets to achieve the same goal.

See new Firewall Builder Cook Book chapter here

More examples for transparent proxy configuration

One of the users asked on the mailing list how he can build a firewall configuration with fwbuilder for a transparent proxy in such a way that one machine on the LAN is exempted from it. I've added a chapter to the Firewall Builder CookBook with this example, see it here: More examples of rules for transparent proxy

I would like to add more examples to this chapter. Please send me email or post to the mailing list if you have good ones.

Tuesday, October 21, 2008

Major improvement in the speed of shadowing detection in v3.0.2

While debugging a problem for one of the users, I started looking into ways to improve the speed of shadowing detection, which was always very slow. The policy of this particular user's firewall object has about 100 rules, but each rule uses a large group of addresses and a large number of services, which leads to a huge number of possible combinations the compiler needs to check in order to find out whether rules shadow each other. On my machine this file compiled in 17 minutes, which was too long. The code that does shadowing detection is old, was written mostly to get the algorithm right and was never optimized. Fortunately, it turns out there was great potential for optimization.
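To illustrate why address and service groups blow up the work, here is an added example (not fwbuilder's own code) that checks whether a later rule is fully covered by an earlier one in two ways: by expanding every source x destination x service combination, and by comparing each column for containment, which gives the same answer with far fewer checks. The rule model (three lists per rule, containment via CIDR, services as plain strings) and the sample policy are constructed for this example and are a simplification of what a real compiler tracks.

```python
from ipaddress import ip_network
from itertools import product

def make_rule(srcs, dsts, svcs):
    """Rule = (source nets, destination nets, services), each a list (constructed model)."""
    return ([ip_network(s) for s in srcs], [ip_network(d) for d in dsts], list(svcs))

def net_covered(net, nets):
    """True if `net` lies inside at least one network of the same IP version in `nets`."""
    return any(n.version == net.version and net.subnet_of(n) for n in nets)

def elem_covered(item, column):
    # networks are compared by containment, services (plain strings) by equality
    return net_covered(item, column) if hasattr(item, "subnet_of") else item in column

def shadowed_naive(earlier, later):
    """Expand every (src, dst, svc) triple of `later`; returns (shadowed?, checks done)."""
    work = 0
    for triple in product(*later):           # |src| * |dst| * |svc| triples
        work += 1
        if not all(elem_covered(x, col) for x, col in zip(triple, earlier)):
            return False, work
    return True, work

def shadowed_fast(earlier, later):
    """Same answer by per-column containment: at most |src| + |dst| + |svc| checks."""
    work = 0
    for later_col, earlier_col in zip(later, earlier):
        for item in later_col:
            work += 1
            if not elem_covered(item, earlier_col):
                return False, work
    return True, work

def find_shadowed(rules, check=shadowed_fast):
    """Indices of rules fully covered by some single earlier rule (simplified model)."""
    hits = []
    for j, later in enumerate(rules):
        if any(check(rules[i], later)[0] for i in range(j)):
            hits.append(j)
    return hits

# constructed sample policy: rule 1 is shadowed by rule 0, rule 2 is not
RULES = [
    make_rule(["10.0.0.0/8", "192.168.0.0/16"], ["0.0.0.0/0"], ["tcp/22", "tcp/80", "tcp/443"]),
    make_rule(["10.1.0.0/16", "10.2.0.0/16", "192.168.5.0/24"], ["172.16.0.0/12", "10.0.0.0/8"], ["tcp/22", "tcp/443"]),
    make_rule(["172.16.0.0/12"], ["0.0.0.0/0"], ["tcp/22"]),
]

if __name__ == "__main__":
    print(find_shadowed(RULES), shadowed_naive(RULES[0], RULES[1]), shadowed_fast(RULES[0], RULES[1]))
```

With groups of hundreds of addresses and dozens of services per rule, the product in the naive check grows into the millions of triples per rule pair, which is the kind of blow-up the paragraph above describes.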

The new build of v3.0.2 (build 628) includes an optimized version that works about 5 times faster! Please give it a try and let me know how it works for you.

I would also appreciate it if you could post your statistics here in the comments or to the mailing list fwbuilder-discussion, such as the total number of rules and compile times before and after the change.

Sunday, October 19, 2008

Reproducing iptables rules for IPP2P module found in the module documentation

In this new Firewall Builder Cookbook chapter I am using examples from the IPP2P documentation (http://www.ipp2p.org/docu_en.html) to demonstrate how Firewall Builder can be used to generate relatively complex iptables rules for the mangle table. These rules match packets using Custom Service objects, mark them using Tag Service objects and perform various actions based on the marks.

Rules found in the documentation for the IPP2P module can be reproduced in Firewall Builder with little effort.

See CookBook recipe here

Saturday, October 18, 2008

Reproducing iptables rules found in Transparent Proxy with Linux and squid mini-HOWTO

The new Firewall Builder CookBook chapter tries to reproduce the iptables rules given in the "Transparent Proxy with Linux and squid mini-HOWTO" as closely as possible to illustrate how this can be done in fwbuilder. The HOWTO provides two methods to redirect traffic to a standalone squid box: one uses NAT and the other a combination of marking rules and policy routing. Both methods can be implemented in fwbuilder very closely. See the Cookbook recipe here.

Sunday, October 12, 2008

What is new in Firewall Builder v3.0.2?

I started working on 3.0.2 even before I released 3.0.1. I had a few bugs / feature requests that were too big to squeeze into 3.0.1, which was almost ready for release, so I put them off for 3.0.2. Now the most important ones are done; here is the list:

  • The most noticeable of all is the major rewrite of the built-in policy installer. It looks the same UI-wise, but internally it is now quite different. Most importantly, it uses scp to copy the generated policy script to the firewall, which makes it work much, much faster. I have no estimates of the speed-up, but we are talking 10x at least on large scripts. This also helps a lot if you store a copy of the .fwb data file on the firewall, because .fwb files tend to be quite big and it took forever to copy them line by line as the old installer did. On Windows the installer uses pscp.exe; you'll need to install it separately and configure the path to it in the SSH tab of the Preferences dialog.
  • An option to compress the .fwb data file on disk. This option is controlled by a checkbox in the "Data file" tab of the Preferences dialog and it is off by default. It looks like compressed .fwb files are at least 10 times smaller. This may not matter as far as disk space on the management workstation is concerned, but if you save a copy of the .fwb file on the firewall it matters when the firewall is an embedded device with a tiny filesystem.
  • Improvements in the internationalization support. One of the long-standing problems was the program's inability to properly handle firewall names with non-ASCII characters. The firewall object name is used for the name of the generated configuration file/script, and these non-ASCII characters caused problems: a file with this name was saved on disk, but the installer could not find it. Now this works in all components. I am still testing the new code; in particular I need to test it with PuTTY sessions on Windows. However, I wanted to offer this new version for beta testing as soon as possible because of the huge benefits it brings. Please test and let me know what you find.
Support for international characters in the firewall object name comes with some caveats:

  • I had to link the compilers with QT in order to implement this. Until now, policy compilers did not use QT libraries and did not depend on them.
  • The dependency on QT libraries means the compilers cannot be deployed on a firewall or a machine without X11 and QT, separately from the GUI.
  • pscp.exe on Windows does not seem to be able to pick up a file with non-ASCII characters in its name when the program runs on Windows with the standard English locale. I could not test on Windows running with a national locale. As a workaround, the user can specify an alternative name for the generated script in the firewall settings dialog (tab "Compiler").
  • Support for non-ASCII firewall object and generated script names is currently only available in the compiler for iptables.
  • The installer cannot take advantage of scp to copy the generated configuration to PIX and Cisco routers because of the way these platforms are configured.
As usual, 3.0.2 packages are posted to the nightly builds site at http://www.fwbuilder.org/nightly_builds/fwbuilder-3.0/ when they become available.


New Firewall Builder blog

I used to have a blog site for the Firewall Builder project, which was both good and bad. It is convenient to be able to easily post on the project progress and add random news items once in a while, all without having to edit a bunch of HTML manually. On the other hand, a blog is not the best format for the project web site and its limitations were clearly visible. Now that I have a proper project web site, I feel I need to add a blog to it too. So here it is.

I'll be posting here on the project progress, news, ideas and everything else that does not need to take space on the project web pages. Please subscribe and send feedback.