Thursday, November 27, 2008

Packages for Ubuntu 8.10 (Intrepid)

Packages for 64bit Ubuntu Intrepid have been uploaded to SourceForge. The virtual machine on which I build them will be included in the nightly builds pool.

Wednesday, November 26, 2008

How to make the built-in installer work with firewalls that do not support SFTP

The built-in installer in v3.0.2 uses scp to copy the generated firewall script to the firewall. On Windows I recommend PuTTY as the ssh client; it includes the utility pscp.exe, which is their equivalent of scp. I am told the ssh server in some embedded firewalls may not work with pscp.exe right away. One example is DD-WRT; the error you get looks like this:

sh: /usr/libexec/sftp-server: not found
unable to initialise SFTP: could not connect
SSH session terminated, exit status: 1

To get around this, enter the command line option "-scp" in the "Additional command line parameters for scp" input field in the "Installer" tab of the firewall object dialog (visible at the bottom of the screenshot here). This option makes pscp.exe use the SCP protocol instead of trying SFTP first, which is what fails on a firewall without an sftp-server.

Firewall Builder 3.0.2 build 672

A last-minute bug was discovered in the iptables policy importer that caused a GUI crash. The bug is fixed in version 3.0.2 build 672. All packages on SourceForge and our web site have been replaced with new ones.

Monday, November 24, 2008

Firewall Builder 3.0.2 released

Notable new features in this release:
  • The built-in installer uses scp (pscp.exe on Windows) to copy files to the firewall, which makes it work much faster.
  • Data file compression (optional)
  • Support for pure mangle table rule sets for iptables
  • Significant improvement in the speed of shadowing detection for all compilers (up to 5 times faster on large linear policies)
  • Numerous improvements in the built-in policy importer for iptables (but no support for IPv6 yet)
  • Russian and Japanese translations
See Release Notes for the full list of changes and bug fixes in this release.

Download packages here

Saturday, November 22, 2008

Using tables with PF rules

New additions to the Firewall Builder Cookbook reproduce rules found in the excellent book "The Book of PF". I chose rules from chapter 6, "Turning the Tables for Proactive Defense", because they illustrate the use of dynamic tables, a very powerful mechanism that allows one to build a firewall policy that matches large numbers of IP addresses which may change all the time, without reloading the firewall policy. This is very easy to do in Firewall Builder with run-time Address Table objects.

New chapters in the Firewall Builder Cookbook:

Rules for PF and spamd

Rules to block brute force attacks with PF
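As an added illustration of the mechanism described above (constructed for this post, not taken from the Cookbook or from The Book of PF), here is a pf.conf fragment in the pre-OpenBSD 4.7 syntax with persistent tables whose contents change at run time; the interface name, table names, file path and rate limits are made-up values:

```pf
# Constructed pf.conf fragment, pre-OpenBSD 4.7 syntax. Names are hypothetical.
ext_if = "em0"

# A persistent table survives ruleset reloads and can be edited at run time
# with pfctl -t <name> -T add/delete. The second form is the shape a run-time
# Address Table object compiles to: the table is declared in the ruleset, the
# addresses live in a file on the firewall and are read when the rules load.
table <bruteforce> persist
table <blocked_hosts> persist file "/etc/fw/blocked_hosts.txt"   # hypothetical path

# Anything already in either table is dropped before any stateful rule is reached.
block in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <blocked_hosts>

# Allow ssh, but add the source to <bruteforce> once it holds more than 15
# simultaneous connections or opens more than 5 new ones in 3 seconds.
# "flush global" also kills the offender's existing states from every rule.
# The limits are illustrative; tune them to the real traffic.
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
```

Entries are added, listed and aged out without touching the ruleset: `pfctl -t bruteforce -T add 192.0.2.10`, `pfctl -t bruteforce -T show`, and a periodic `pfctl -t bruteforce -T expire 86400` drops entries older than a day so a table of dynamic addresses does not grow forever.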

Saturday, November 1, 2008

New project: reproducing rules from iptables and pf examples and tutorials with fwbuilder

I started a little project in which I take iptables or pf tutorials and examples and try to reproduce the rules found in them with fwbuilder. I put them in separate Firewall Builder Cookbook chapters. Right now I have a few chapters about different ways to configure the firewall for a transparent proxy, as well as some other things. It isn't much, but I intend to keep adding more examples as I find them.

I try to follow the same format in these chapters: I provide a link to the original document, then add screenshots to demonstrate how this can be done in fwbuilder, and then provide snapshots of the generated rules as well as a copy of the rules from the original document for comparison.

Some examples are rather trivial, while others are not. See the chapter about the iptables setup for the IPP2P module. Regardless of whether you need to do anything with P2P traffic and therefore need the module or not, this chapter demonstrates interesting mangle rules and how they can be done in fwbuilder. This can be useful in other situations, not only for the IPP2P module.

Please send pointers to the examples you'd like me to add to the Cookbook. Anything goes, but the rules in your examples should be relatively complex and not covered by existing chapters. If you have an interesting example of your own, not found in some tutorial on the web, please send it as well.

Firewall Builder CookBook can be found here

Thank you!

Transparent proxy rules for PF

Another Firewall Builder Cookbook chapter tries to reproduce the rules for a transparent proxy with PF found in the document OpenBSD Packet Filter (pf). The same rules can also be found in many other places on the web, for example here.

These rules can be reproduced exactly for the most part, except for the inbound interface matching in the redirecting NAT rule. The Firewall Builder rule model for NAT rules does not provide a place for an interface, so this cannot be done exactly as the original requires. However, the rules I propose match the source address of the packets to achieve the same goal.

See new Firewall Builder Cook Book chapter here

More examples for transparent proxy configuration

One of the users asked on the mailing list how he can build a firewall configuration with fwbuilder for a transparent proxy in such a way that one machine on the LAN is excepted from it. I've added a chapter to the Firewall Builder Cookbook with this example, see it here: More examples of rules for transparent proxy

I would like to add more examples to this chapter. Please send me an email or post to the mailing list if you have good ones.
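As an added example (constructed here, not the Cookbook's generated output), the interface-matching redirect from the earlier "Transparent proxy rules for PF" post is shown beside the source-address form that post describes, together with the exemption of one LAN host asked about in this post, in the pre-OpenBSD 4.7 rdr syntax; interface names, addresses and the proxy port are assumptions:

```pf
# Constructed pf.conf fragment, pre-OpenBSD 4.7 syntax. Names and addresses are made up.
int_if   = "fxp0"
int_net  = "192.168.1.0/24"
no_proxy = "192.168.1.50"     # the one LAN machine that must bypass the proxy

# Original form: match the inbound interface and redirect web traffic to a local proxy.
# rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# The Firewall Builder NAT rule model has no interface field, so the rule is
# written to match the source network instead. For hosts on the LAN the effect
# is the same, with one caveat: the interface form only catches packets that
# really arrive on $int_if, whereas this form matches any packet claiming a
# $int_net source, so it relies on anti-spoofing on the other interfaces.
# Translation rules use first-match, so the exemption must come first.
no rdr inet proto tcp from $no_proxy to any port www
rdr inet proto tcp from $int_net to any port www -> 127.0.0.1 port 3128

# Drop packets with a $int_net source that arrive on any interface other than $int_if.
antispoof quick for $int_if inet

# Filter rules see the translated destination, so the pass rule is for the proxy port.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port 3128 keep state
```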