Tuesday, October 21, 2008

Major improvement in the speed of shadowing detection in v3.0.2

While debugging a problem for one of the users, I started looking into ways to improve the speed of shadowing detection, which was always very slow. The policy of this particular user's firewall object has about 100 rules, but each rule uses a large group of addresses and a large number of services, which leads to a huge number of possible combinations the compiler needs to check in order to find out whether rules shadow each other. On my machine this file compiled in 17 minutes, which was too long. The code that does shadowing detection is old; it was written mostly to get the algorithm right and was never optimized. Fortunately, it turns out there was great potential for optimization.
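To make the combinatorial cost concrete, here is a small added example of first-match rule-shadowing detection; it is illustration code written for this post, not Firewall Builder's own compiler code, and the rules, group members and service names in it are constructed. A reference detector expands every rule into its (source, destination, service) cross product and checks whether earlier rules already cover all of it; an optimized detector reaches the same verdicts by first testing per-dimension containment against single earlier rules, discarding earlier rules that overlap in no dimension, and expanding only the intersections that remain. The optimization is therefore the kind of shortcut the text alludes to, but the specific steps are the example's own, not a description of what fwbuilder does.

```python
"""Rule-shadowing detection over expanded address/service combinations.

Added example, not Firewall Builder's own code. Under first-match
semantics a rule is shadowed when every (src, dst, service) combination it
could match is already matched by an earlier rule, so it can never fire;
a compiler reports this regardless of the actions involved.
The ruleset below is constructed sample data.
"""
from itertools import product
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

Combo = Tuple[str, str, str]


class Rule(NamedTuple):
    name: str
    src: FrozenSet[str]  # address group, already resolved to its members
    dst: FrozenSet[str]
    svc: FrozenSet[str]  # service group
    action: str


def expand(src, dst, svc) -> FrozenSet[Combo]:
    """All (src, dst, svc) combinations: the cross product whose size is
    |src| * |dst| * |svc| and explodes when the groups are large."""
    return frozenset(product(src, dst, svc))


def shadowed_naive(rules: List[Rule]) -> Dict[str, bool]:
    """Reference: expand every rule fully, test coverage by all earlier ones."""
    covered: set = set()
    result: Dict[str, bool] = {}
    for r in rules:
        combos = expand(r.src, r.dst, r.svc)
        result[r.name] = combos <= covered
        covered |= combos
    return result


def shadowed_fast(rules: List[Rule]) -> Dict[str, bool]:
    """Same verdicts with far less expansion.

    1. If one earlier rule contains this rule in every dimension, the rule
       is shadowed: a triple drawn from subsets of A, B, C lies in A x B x C.
       No expansion needed.
    2. Earlier rules that share no member in some dimension cannot cover any
       combination and are dropped.
    3. Only the remaining rules are expanded, and only their intersection
       with this rule's groups, which is all that can lie inside it.
    """
    result: Dict[str, bool] = {}
    for j, r in enumerate(rules):
        earlier = rules[:j]
        if any(r.src <= e.src and r.dst <= e.dst and r.svc <= e.svc
               for e in earlier):
            result[r.name] = True
            continue
        overlapping = [e for e in earlier
                       if r.src & e.src and r.dst & e.dst and r.svc & e.svc]
        if not overlapping:
            result[r.name] = False
            continue
        covered: set = set()
        for e in overlapping:
            covered |= expand(r.src & e.src, r.dst & e.dst, r.svc & e.svc)
        result[r.name] = expand(r.src, r.dst, r.svc) <= covered
    return result


def rule(name, src, dst, svc, action) -> Rule:
    return Rule(name, frozenset(src), frozenset(dst), frozenset(svc), action)


# Constructed sample policy (names are made up, not from any real firewall).
SAMPLE_RULES: List[Rule] = [
    rule("R1", ["lan"], ["web1", "web2"], ["http", "https"], "Accept"),
    rule("R2", ["lan"], ["web1"], ["http"], "Deny"),            # inside R1
    rule("R3", ["lan", "dmz"], ["web1"], ["http"], "Accept"),   # dmz not yet covered
    rule("R4", ["dmz"], ["web1", "web2"], ["http", "https"], "Accept"),
    rule("R5", ["lan", "dmz"], ["web1", "web2"], ["http", "https"], "Deny"),  # R1 + R4 together
    rule("R6", ["wan"], ["web1"], ["ssh"], "Deny"),             # overlaps nothing
]


def shadowed_names(rules: List[Rule]) -> List[str]:
    """Names of shadowed rules; both detectors must agree."""
    naive, fast = shadowed_naive(rules), shadowed_fast(rules)
    assert naive == fast, "optimized detector diverged from the reference"
    return [r.name for r in rules if fast[r.name]]


if __name__ == "__main__":
    for name in shadowed_names(SAMPLE_RULES):
        print(f"{name} is shadowed by earlier rules")
```

R2 is caught by the cheap containment test alone, while R5 is only shadowed by the union of R1 and R4 and needs the (reduced) expansion; R6 is dismissed without expanding anything because no earlier rule overlaps it in every dimension.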

The new build of v3.0.2 (build 628) includes the optimized version, which works about 5 times faster! Please give it a try and let me know how it works for you.

I would also appreciate it if you could post your statistics here in the comments or on the fwbuilder-discussion mailing list, such as the total number of rules and the compile times before and after the change.

Sunday, October 19, 2008

Reproducing iptables rules for IPP2P module found in the module documentation

In this new Firewall Builder Cookbook chapter I use examples from the IPP2P documentation (http://www.ipp2p.org/docu_en.html) to demonstrate how Firewall Builder can be used to generate relatively complex iptables rules for the mangle table. These rules match packets using Custom Service objects, mark them using Tag Service objects and perform various actions based on the marks.

Rules found in the documentation for the IPP2P module can be reproduced in Firewall Builder with little effort.

See the CookBook recipe here.

Saturday, October 18, 2008

Reproducing iptables rules found in Transparent Proxy with Linux and squid mini-HOWTO

The new Firewall Builder CookBook chapter tries to reproduce the iptables rules given in the "Transparent Proxy with Linux and squid mini-HOWTO" as closely as possible, to illustrate how this can be done in fwbuilder. The HOWTO provides two methods to redirect traffic to a standalone squid box: one uses NAT, the other a combination of marking rules and policy routing. Both methods can be implemented in fwbuilder very closely. See the Cookbook recipe here.

Sunday, October 12, 2008

What is new in Firewall Builder v3.0.2?

I started working on 3.0.2 even before I released 3.0.1. I had a few bugs / feature requests that were too big to squeeze into 3.0.1, which was almost ready for release, so I put them off for 3.0.2. Now the most important ones are done; here is the list:

  • The most noticeable of all is a major rewrite of the built-in policy installer. It looks the same UI-wise, but internally it is now quite different. Most importantly, it uses scp to copy the generated policy script to the firewall, which makes it work much faster. I have no estimates of the speed-up, but we are talking 10x at least on large scripts. This also helps a lot if you store a copy of the .fwb data file on the firewall, because .fwb files tend to be quite big and it took forever to copy them line by line as the old installer did. On Windows the installer uses pscp.exe; you'll need to install it separately and configure the path to it in the SSH tab of the Preferences dialog.
  • An option to compress the .fwb data file on disk. This option is controlled by a checkbox in the "Data file" tab of the Preferences dialog and is off by default. It looks like compressed .fwb files are at least 10 times smaller. This may not matter as far as disk space on the management workstation is concerned, but if you save a copy of the .fwb file on the firewall it matters when the firewall is an embedded device with a tiny filesystem.
  • Improvements in the internationalization support. One of the long-standing problems was the program's inability to properly handle a firewall name with non-ASCII characters. The firewall object name is used as the name of the generated configuration file/script, and these non-ASCII characters caused problems: the file was saved on disk under this name, but the installer could not find it. Now this works in all components. I am still testing the new code; in particular I need to test it with putty sessions on Windows. However, I wanted to offer this new version for beta testing as soon as possible because of the huge benefits it brings. Please test and let me know what you find.
Support for international characters in the firewall object name comes with some caveats:

  • I had to link the compilers with QT in order to implement this. Until now, the policy compilers did not use QT libraries and did not depend on them.
  • The dependency on QT libraries means the compilers cannot be deployed on the firewall or on a machine without X11 and QT separately from the GUI.
  • pscp.exe on Windows does not seem to be able to pick up a file with non-ASCII characters in its name when the program runs on Windows with the standard English locale. I could not test on Windows running with a national locale. As a workaround, the user can specify an alternative name for the generated script in the firewall settings dialog (tab "Compiler").
  • Support for non-ASCII firewall object and generated script names is currently only available in the compiler for iptables.
  • The installer cannot take advantage of scp to copy the generated configuration to PIX and Cisco routers because of the way these platforms are configured.
As usual, 3.0.2 packages are posted to the nightly builds site at http://www.fwbuilder.org/nightly_builds/fwbuilder-3.0/ when they become available.

--vk

New Firewall Builder blog

I used to have a blog site for the Firewall Builder project, which was both good and bad. It is convenient to be able to easily post on the project's progress and add random news items once in a while, all without having to edit a bunch of HTML manually. On the other hand, a blog is not the best format for a project web site, and its limitations were clearly visible. Now that I have a proper project web site, I feel I need to add a blog to it too. So here it is.

I'll be posting here on the project's progress, news, ideas and everything else that does not need to take space on the project web pages. Please subscribe and send feedback.

Vadim