Wednesday, December 29, 2010

Merging libfwbuilder and fwbuilder

Hello all,

we plan to merge the libfwbuilder and fwbuilder packages into one "fwbuilder" package to simplify package management and make installation easier for the users. Libfwbuilder will become a directory inside the fwbuilder code tree and all executables will link with it statically. This reduces the number of files we install in different parts of the file system and makes it easier for the users both to build from source and to install binary packages. The change is planned to go live in the next release of fwbuilder, tentatively numbered "4.2", some time in the next month or two.

The change only affects our Linux and FreeBSD/OpenBSD packages.

The side effect of this change is that we won't install header files and dynamic libraries and won't make the libfwbuilder-devel package anymore.

Please let me know asap if you have any code that depends on these files or know of a project that does.


Tuesday, December 21, 2010

Happy Holidays and Year in Review

As we head into the holiday season Vadim and I wanted to wish everyone in the Firewall Builder community Happy Holidays! The end of the year also provides a good opportunity to pause and reflect, so we thought we would share some of our thoughts about 2010.

It has been a very exciting year for both NetCitadel and the Firewall Builder project. The fireworks started in May when Firewall Builder version 4.0 was released. This was a major release that brought critical new features such as support for high availability cluster configurations as well as continuing to improve the stability and usability of Firewall Builder.

That was followed in August with V4.1 which included features like support for iptables ipset and integrated SSH/SCP clients for Windows packages. Since then we have released a few patch releases and have been working on adding new features to Firewall Builder.

While a large percentage of the community has already upgraded to V4.x, to our surprise we still run into users that are running versions as old as Firewall Builder V2.0! If you are running a version below V4.0 we hope that you upgrade in 2011!

In the fall we announced the availability of support contracts for open source users. This was part of our push to expand the products and services NetCitadel provides around the Firewall Builder project. We plan to offer more products and services in 2011, stay tuned for more information soon.

In addition to the product enhancements we have continued to work to improve in other areas as well. We have been adding more documentation and have updated our website to make it easier to find the information you are looking for and for new users to figure out what we do. We expect to do much more of that in the coming year.

Finally, we wanted to say thank you to our customers who have supported us this year by purchasing a commercial Firewall Builder license or open source support contract. Our goal is to provide the best firewall management solution available and we are confident you will see lots of exciting progress in 2011!

Mike & Vadim

Wednesday, December 15, 2010

Fun with NAT

The inspiration for our latest cookbook recipe, "Double" NAT (Source and Destination Translation), came from a user support request. Due to some complicating factors in the user's network they needed to NAT inbound Windows Remote Desktop connections with both a source and destination NAT.

You can read the cookbook recipe of how to configure "double" NAT here:

Double NAT Cookbook Recipe

Btw, the user was in Australia and was a joy to work with. If you are out there and reading this, you know who you are...

Monday, December 6, 2010

Firewall Builder V4.1.3 Released

We are happy to announce that Firewall Builder V4.1.3 is now available! This release includes a number of usability improvements and bug fixes.

In our ongoing efforts to make Firewall Builder easier to use for both new users and power users this release includes the following usability improvements:
  • an Advanced User mode which reduces the number of tooltips for power users

  • a new policy rule checkbox to define whether new rules have logging enabled or disabled by default

In addition to these enhancements there are also a number of bug fixes in this release including:
  • better support for Windows systems that use Putty sessions

  • fixed generated IP broadcast addresses for interfaces

  • branch rules in a member firewall are now properly imported when a cluster is created

  • cluster NAT rules on Linux cluster members now properly generate rules with iptables REDIRECT target

A complete listing of enhancements and bug fixes can be found in the V4.1.3 release notes on the Firewall Builder website.

V4.1.3 Release Notes

Friday, December 3, 2010

Quick Tip: Color coding rules

One thing that always amazes me when users send us data files is how they use color coding to identify different rule types. Sometimes it's easy to see what their color coding methodology is, other times it just looks like a big rainbow to me :-)

If you aren't already using color coding you can learn about it in this Quick Tip:

Quick Tip: Color Code Rules

Tuesday, November 30, 2010

Creating local rules for cluster members

In our last post we talked about how to use the Firewall Builder cluster feature to create a single firewall ruleset that gets installed on multiple servers. This is great if all your servers should be running exactly the same firewall rules, but what if some of the servers also need to have their own unique rules?

Firewall Builder lets you define multiple firewall policies, so you can have a server running a policy configured as part of the cluster and then the same server can also run its own local firewall policies. What you end up with is a cascading chain of firewalls similar to the diagram below.

You can control the order that the firewall policies are evaluated and you can name them to match their function. You can find the complete configuration details in our latest cookbook article:

Cookbook: Creating Local Firewall Rules for a Cluster Member

Wednesday, November 24, 2010

Managing a single firewall policy for multiple servers

We are always looking for creative ways to use Firewall Builder's technology to simplify firewall management. One challenge we hear from users quite often is how to efficiently manage firewall rules for a large number of servers performing the same function. For example, you might have a group of servers acting as web front ends and each of these servers needs to have the exact same policy as all the other web front end servers.

While you could create each server in Firewall Builder and copy-and-paste rules between the servers this is time consuming and it is easy to make a mistake. We have come up with a solution for this problem using Firewall Builder's cluster feature that allows you to define a master firewall policy and apply it to all the members of the cluster. This means that when you need to update a rule that affects multiple servers you only need to make the change in a single firewall policy and then compile and install it on all the cluster members.

During the compile process Firewall Builder "localizes" the master rule for each server the policy is being installed on, so things like interface IP addresses are automatically updated to match each individual server the firewall rules will be deployed on. Check out the complete instructions in our latest Cookbook recipe in the Users Guide:

Using clusters to manage firewall policies on multiple servers

Tuesday, November 16, 2010

Quick Tip: Using Groups to Tame Access List Rules

Firewall Builder has a convenient feature called rule groups that helps make managing access list rules easier. Just create a rule group for each interface and direction combination on the router and organize your rules in these groups. You can find detailed instructions for setting up rule groups for managing router access lists on our website here:

Quick Tip: Using Groups to Manage Router ACLs

Wednesday, November 10, 2010

Router ACL Management Simplified

If you are responsible for managing Cisco router access lists then you know that they can be a pain to manage. Check out the latest Getting Started Guide that explains how to use Firewall Builder to simplify router ACL management.

Getting Started: Configuring Cisco Router ACL

We are collecting ideas for how-to guides and tips & tricks articles, so if there is a topic you would like to see covered please leave us a comment.

Thursday, October 28, 2010

Support Contracts for Linux & BSD Users

Today we announced the availability of support contracts for our Linux and BSD users! This is a great step forward for us as we continue to expand not just the features and functionality of the Firewall Builder application, but also expand the services provided by NetCitadel LLC which is the company that supports and develops Firewall Builder.

The new support services are offered as packages ranging from "Small Business" to "Ultimate". Each package includes a fixed number of support cases that can be opened during the 1 year support period. Our goal is to make sure there are solutions to fit a range of budgets and needs.

As part of this new support offer we are also offering support contract renewals for Windows and Mac users whose existing support contracts have expired. You can see the complete details about our support packages, along with a link to our online store for purchasing on our website:

We plan to continue adding to the list of services provided by NetCitadel based on user feedback and demand. Stay tuned for more information!

Friday, October 8, 2010

Firewall Builder V4.1.2 Released!

We are happy to announce that we released Firewall Builder V4.1.2 this morning. This release includes a few bug fixes and many usability enhancements.

After conducting several usability tests with new users we realized that some concepts and areas of the application can be challenging for new users who are trying to get started. To help these new users we have added more visual cues and navigation aids in the GUI. We also simplified the entry fields in several wizards to make it easier to create certain types of new objects.

Existing Firewall Builder users who have enabled "tooltips" in their Preferences settings under the Objects tab will now see additional tooltips when editing firewall policies and other areas. If you haven't enabled tooltips, which were disabled by default on all versions before V4.1.2, then you won't see any of these new tips.

To find out more about the changes in this release you can read the full release note here:

Information for getting the latest packages can be found here:

Let us know what you think of the new enhancements.

Thursday, October 7, 2010

Firewall Builder User Survey Results - Part 2

In the last post I went through some of the demographic data about the users who responded to our User Survey. This time I am going to cover more about what new services and features users are asking for.

In the last post one of our readers, Scott, asked "What were results of the future direction questions?" Hopefully this post will help answer that question.

In the survey we asked what additional services you were interested in, here's what you told us:


Firewall Builder users on all platforms were interested in Online Training, so we are looking into ways to provide training services. These would be done as either pre-recorded content or live training webinars. If you are interested in Firewall Builder training classes, please leave a comment and let us know what topics you would like to see covered in Online Training sessions.

It also turns out that many of our Linux users are interested in having a Technical Support contract, so we are working on developing a support offering to help meet that need. We are still ironing out the details - stay tuned for more information about this in the next couple of weeks.

Many of our users would like us to provide remote Professional Services. We are looking at several options in this area, including partnering with security consulting companies that are knowledgeable about using Firewall Builder for firewall management. We are still looking for partners in some regions, so if you are a security consultant and you are interested in partnering with us send me an email at mike 'at' netcitadel 'dot' com.

Finally, we asked users about what additional firewall platforms they would like to be able to manage with Firewall Builder. Somewhat surprisingly MS Windows Server (2003 & 2008) was the overwhelming winner in this category.


We are currently working on plans to add support for MS Windows Server firewall in a new version of Firewall Builder. If you are interested in helping beta test this feature when it is ready please email me at mike 'at' netcitadel 'dot' com.

Thursday, September 30, 2010

Firewall Builder User Survey Results - Part 1

As many of you know we recently completed a survey of the Firewall Builder user community. Over the next few weeks we will be sharing summary data from the survey here on our blog. Let's start with the goals of the survey, which were:
  • Gain a deeper understanding of our current user base and the environments where they use Firewall Builder
  • Get user feedback on their satisfaction level with how we are doing in a number of areas (features, support, ease-of-use, etc.)
  • Find out what features users would like us to add to future releases of Firewall Builder
  • Learn what additional services users would like Firewall Builder to provide
There were a total of 282 survey responses representing users in over 33 countries. All responses are anonymous and we deleted any obviously fictitious responses.

As you can see from the chart below, the majority of users are running Firewall Builder on either Linux or MS Windows systems.


There was a good range of software versions represented. Most users are running V3.0 or higher, but we still have some V2.1 users hanging on. There are lots of great new features in V4, so hopefully some of these users will see the light and upgrade soon!


The chart below shows a good distribution of how long users have been using the Firewall Builder application. It is great to see a strong showing from both new users having less than 6 months of usage as well as loyal long time users with over 3 years of usage.


Finally, we get to some user satisfaction data. For the most part users appear to be pretty satisfied, but based on the survey responses it looks like Documentation is the area where we can improve the most.


We have started to work on improving our Documentation, beginning by adding a new Video Tutorial series to our website.

The first video tutorials will cover the basics of getting started with Firewall Builder, but over time we will add more videos to the library that address more complicated topics and scenarios. If you have ideas for a video tutorial you would like to see, please leave us a note in the comments section.

Wednesday, September 22, 2010

Video tutorial

Our first video tutorial for Firewall Builder is now live on our web site. It covers the basics of the Firewall Builder GUI and we plan to add more videos in the coming weeks, stay tuned!

Mike and Vadim

Tuesday, September 21, 2010

Firewall Builder User Survey - Last Chance!

Thanks to all the Firewall Builder users who have completed the User Survey. Your input helps us with release planning and lets us know where we can improve.

The survey will be closing on Friday, September 24th. If you haven't already completed the survey please take a few minutes to share your feedback with us:

After the survey is closed we will share some summary data and key statistics.

Wednesday, August 25, 2010

Blocking SSH scanners

We recently updated a cookbook article about how to detect and temporarily block those annoying SSH scanners. You can read the article here:

Cookbook: Block SSH Scanners

Let us know if there are configuration recipes that you would like us to add to the cookbook, we are always looking for new ideas!

Tuesday, August 24, 2010

Firewall Builder User Survey

We just announced our latest User Survey. If you are a Firewall Builder User please take a few moments to share your thoughts with us by completing this survey:

Your input helps make sure we are working on the features that are most important to you.

Friday, August 20, 2010

Firewall Builder v4.1.1 released

We are happy to announce the release of V4.1.1. This release includes fixes for a number of minor bugs as well as being the first release to officially support HP ProCurve ACL configuration. Thanks to a generous donation of several switches from HP we were able to test and finalize the ProCurve support. This release also fixes a critical bug in V4.1 related to Cisco IOS ACL configurations. Some configurations would cause Firewall Builder to incorrectly generate an error with the message "Can not find interface with network zone that includes address A.B.C.D.".

V4.1.1 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.

Our "stable" rpm and deb repositories now serve packages of v4.1.1 build 3243. Source code tar.gz archives and binary packages are also available for download from SourceForge:

Windows and Mac OS X packages can be downloaded from our web site at

Thursday, August 19, 2010

Website update

We launched an updated version of the Firewall Builder website tonight. Since we just released a new software version (V4.1) and have been continuing to evolve we thought it was a good time to update the site with some new content and update the look-and-feel a bit.

One of the main goals of the update is to make it easier for new users to understand what the Firewall Builder application does and how they can use it to more effectively manage their firewall configurations. We always love hearing your feedback, so let us know what you think.

Monday, August 16, 2010

Thank you HP!

A huge thanks to Michael & Arran at HP for arranging a donation of three HP ProCurve Ethernet switches to the Firewall Builder project! Starting in V4.0.1 we had unofficial support for configuring ProCurve Access Control Lists (ACL); this donation will help us to officially support configuration of ACL in the next release of Firewall Builder.

Thanks HP!!

Tuesday, August 10, 2010

V4.1 is released!

We are happy to announce that V4.1 is now released! You can download it from our website here:

V4.1 includes new enhancements and features including:
  • Support for Address Table objects that use the iptables ipset module
  • Integrated SSH tools (plink.exe and pscp.exe) in Windows installer package
  • New toolbar shortcut to view complete generated firewall configuration files in the GUI

Users requested the iptables ipset module support for dynamic environments where existing firewall rules need to be updated with a new object to match (IP address or IP subnet). IP sets provide an efficient way to do this without requiring a reload of your iptables rules.

The integrated SSH tools make it easy for Windows users to utilize the built-in Firewall Builder installer functions. No need to load additional software and update your preferences, everything you need is already there.

Want to know what your configuration will look like? The "inspect" function allows you to preview your configuration files in the Firewall Builder GUI before you deploy them to your firewalls.

Have suggestions for features you would like us to add? Leave us a comment and we'll consider it for future releases.

Thursday, July 29, 2010

V4.1 Beta released

We are happy to announce that V4.1 is ready for beta testing! You can download the Beta test release for V4.1 from our nightly builds folder, just select the build with the highest release number (3173 right now) to get the latest. Or if you use the Firewall Builder rpm and deb repositories, the "testing" repository is now serving the latest V4.1 beta build as well.

While this release has been tested and we believe it is stable, you should test it prior to using it in production. If you find a bug, or if you have a suggestion on how we can improve something, please open a ticket in our SourceForge project:

What's new in V4.1?

There are several new features in this version including:

  • Support for iptables ipset module (provides a dynamic group function in memory) - requires ipset module
  • New function and toolbar shortcut to view complete generated firewall script in a viewer window
  • Shortcut buttons in the main window to help new users get started more easily
  • Updated many dialog window sizes and layouts to work better for users with smaller displays (1024x768)
  • Added a new mode for stopping the firewall script called 'block'

There are also a number of smaller enhancements and bug fixes included. You can find a complete list of all the updates in the V4.1 Beta release note on our website:

If you are a licensed user, V4.1 will be a free upgrade for users that have a valid V4.0 license. We plan to officially release V4.1 in a few weeks once we are confident there are no major issues.

Mike & Vadim

Saturday, July 3, 2010

There is an article by Dru Lavigne in the July issue of BSD Magazine about using Firewall Builder with the BSD pf firewall. If you are already a Firewall Builder user managing pf firewalls you may not learn anything new from this article, but it provides a good getting started overview for new users.

It is great to see a publication like BSD Magazine showcasing Firewall Builder!

Tuesday, June 8, 2010

Firewall Builder - User Meetup in SF Bay Area

If you are a Firewall Builder user and live in the SF Bay Area we want to meet you! We will be hosting an informal get together at the Tied House in Mountain View on Thursday June 17th at 6:30pm. Vadim and I will be there to answer questions, talk about Firewall Builder and most importantly to get to know our users better. We want to hear about how you use it today, what you would like to see added or improved and generally hear your thoughts.

What's in it for you? Well, to start with there will be free beer and appetizers. This will also be a good chance to network with your peers and meet other Firewall Builder users.

Event details:

Thursday 6/17/2010
Tied House Cafe & Brewery
954 Villa St
Mountain View, CA 94041

The Tied House is close to the Mountain View CalTrain station. There is a meetup page for this event. If you could RSVP for this event, either on the meetup page or by emailing me, it will help us make sure we have enough room reserved on the patio. We look forward to seeing you there!

Btw, if you don't live in the Bay Area we will be trying to arrange meetups in other locations as our travels bring us to different areas, so stay tuned.

Mike & Vadim

Thursday, June 3, 2010

Firewall Builder 4.0.1 released

This release comes with fixes for several minor bugs in the GUI and other components, improves the policy importer for iptables and introduces support for HP ProCurve port and vlan ACLs.

"Stable" repositories of RPM and DEB packages have been updated and serve v4.0.1 build 2950. This page explains how to use repositories: These packages, as well as source tar.gz archives, can also be downloaded from SourceForge

Tuesday, May 4, 2010

Firewall Builder 4.0 released

I am glad to report that Firewall Builder 4.0 has been released. This is a milestone release that comes with an improved GUI, support for high availability firewall configurations with Linux, OpenBSD and PIX and many other new features. We have been testing it for several months in beta to make sure it is stable and ready for production use. "Stable" repositories of RPM and DEB packages have been updated and serve v4.0.0 build 2877. This page explains how to use repositories: These packages, as well as source tar.gz archives, can also be downloaded from SourceForge

Thank you to everyone who helped with testing and provided bug reports and feedback.

Vadim Kurland
Firewall Builder Project

Monday, April 26, 2010

Support for OpenBSD 4.7

OpenBSD 4.7 (to be released May 19) changes the syntax of "nat" and "rdr" PF rules. These keywords are gone; the corresponding translations are done using the "nat-to" and "rdr-to" options in "pass" or "match" rules. Fwbuilder 4.0 adds support for this. The list of recognized versions for PF has been extended with "4.7"; choosing this version number makes the policy compiler generate nat and rdr rules using the new syntax. Since the "no" keyword has been removed as well, fwbuilder can no longer generate "no nat" rules for 4.7. The policy compiler treats this as a fatal error; the administrator should use negation to implement exceptions in NAT rule sets.
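
The syntax change described above, as an added pf.conf illustration (hand-written here, not fwbuilder output and not code from the project). The interface name, networks and server address are constructed sample values.

```conf
# Constructed sample values (assumptions, not from the original post)
ext_if  = "em0"
int_net = "192.168.1.0/24"
vpn_net = "10.8.0.0/24"
web_srv = "192.168.1.10"

# --- PF before OpenBSD 4.7 -------------------------------------------------
# Kept as comments because 4.7 no longer accepts these keywords.
# The "no nat" exception had to precede the "nat" rule it carved a hole in.
#
# no nat on $ext_if inet from $int_net to $vpn_net
# nat    on $ext_if inet from $int_net to any -> ($ext_if)
# rdr    on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_srv port 8080

# --- PF in OpenBSD 4.7 and later --------------------------------------------
# Source translation is now the "nat-to" option of a "match" rule.
# The former "no nat" exception is expressed by negating the destination,
# since the "no" keyword is gone.
match out on $ext_if inet from $int_net to ! $vpn_net nat-to ($ext_if)

# Destination translation is now the "rdr-to" option, here on a "pass" rule,
# so the same rule both translates and admits the connection.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv port 8080

# A "match" rule only attaches the translation; a filter rule still has to
# admit the outbound traffic.
pass out on $ext_if inet all
```

Running `pfctl -nf` on a file like this parses it without loading the rules, which shows quickly whether a given OpenBSD release accepts the old or the new form.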

Tuesday, April 6, 2010

Compiling Single Rule in Firewall Builder 4.0

The article "Getting Started With Firewall Builder" was published on the Debian Administration site some time ago and attracted many comments. Firewall Builder 4.0 addresses some concerns and suggestions expressed there.

One thing the comments posted with that article show quite clearly is that administrators do not like GUI (or any other kind of high-level) tools that aren't transparent. It is true that most GUI tools hide the actual actions they perform because their authors believed the tool should be trusted completely and that it is therefore not necessary to keep the administrator "in the loop". Applied to firewall administration, this means that the firewall configuration GUI does not let the administrator check the generated configuration easily, assuming that they should trust the tool. Experienced system administrators who are experts in iptables or another firewall platform understandably do not like that. The program should "earn their trust" first, and for that, the administrator must have easy access to the generated configuration at all times, as simply as possible, in order to be able to verify and check the result. This leads to the conclusion that such a GUI tool is only good for beginners, because they do not understand the underlying technology anyway and so can only get any work done if they use such a tool.

As an author of Firewall Builder and a systems and network administrator with over 10 years of experience, I believe a GUI tool such as Firewall Builder can be very useful for both categories of users: beginners and experienced administrators alike. Firewall Builder, when properly used, reduces repetitive tasks, helps perform coordinated policy changes for multiple firewalls and routers, provides early error checking and simplifies deployment. In the end, it saves time in regular day-to-day maintenance and helps reduce potential downtime caused by errors. There is value in that, even for someone who can write or maintain complex iptables scripts by hand. Still, to make experienced administrators more comfortable, the program should make it easy to quickly check what iptables (or other) commands are being generated.

With this in mind, Firewall Builder 4.0 adds a new feature that does just that.

While you're developing your firewall policy, you can now compile individual rules to confirm that they do what you intended. To do this, right-click anywhere in the rule to open the context menu, then select the menu item "Compile". Or, highlight the rule and use the keyboard shortcut "x". This is a great way to experiment with fwbuilder and see what it generates for different rule configurations built in the GUI. This feature works for all supported firewall platforms and all types of rules (Policy, NAT and routing).

Figure 1. Generated iptables script for the rule #0 is shown in the GUI


When you hit 'x' to compile a rule, the program executes the same policy compiler code as when the whole configuration is compiled, except only for one rule. Shadowing detection is not done, obviously, because the compiler looks only at one rule; however, all error checks are performed as usual. When a rule belongs to a firewall cluster, it is compiled for all member firewalls with all address substitutions and the output panel shows the generated iptables code for each member. This is shown in the screenshot above. If the compiler finds any errors or issues warnings, they are visible in the output panel as well.

Support for firewall clusters built on Linux with vrrpd, heartbeat, keepalived, pacemaker or OpenAIS is a new feature available in Firewall Builder 4.0. It also supports OpenBSD clusters with CARP and pfsync and Cisco ASA (PIX) clusters. Firewall Builder 4.0 has many other new features and improvements, all listed here:
What is new in Firewall Builder v4.0

If you are not familiar with Firewall Builder, you can find many introductory articles on the Internet and our own project web site. The articles "Getting Started With Firewall Builder" on this site and "Introduction to Firewall Builder" on the project web site give a good overview.

Firewall Builder 4.0 is currently in public beta testing. Latest binary packages and source tar.gz archives are distributed from the SourceForge download pages. Please file bug reports using Source Forge bug tracking system.

Thursday, April 1, 2010

Integration with DD-WRT

Folks over at DD-WRT figured out how to integrate fwbuilder with their firmware for small routers/firewalls quite some time ago. The process was not very difficult but required a few manual steps. Firewall Builder 4.0 comes with built-in integration with DD-WRT and makes it simpler. This is documented in the Firewall Builder 4.0 Users Guide.

Download Firewall Builder 4.0 source code and binary packages here

Saturday, March 27, 2010

What is new in Firewall Builder 4.0

I put together a page where I discuss the most important and interesting additions and changes in Firewall Builder 4.0.

This is more detailed than the Release Notes but skips some minor changes.

Wednesday, March 24, 2010

Firewall Builder 4.0 status update

v4.0 beta is progressing really well. We had a few minor issues but at this time I am not tracking any major problems with it. Please find the time and give it a try, I would like to make sure we find and clear as many problems as possible before the release. That is what beta is for, after all. If things go like they did so far, I hope to make the release mid-April.

We are working on the documentation at this time. The article "Introduction to Firewall Builder 4.0" on the nixCraft blog was rather popular and I am following it with a second one which is going to be a detailed guide that describes building a firewall configuration for a cluster of two web servers (on-the-host firewall, that is). This guide is interesting in that it starts with Linux servers running iptables and heartbeat but then shows how to convert it to OpenBSD running PF and CARP. The second article should be published on the nixCraft blog soon.

I am looking for more blogs and professional news sites that would do a review or accept guest posts that I can write. Please send pointers to me if you know of any popular site or blog like that. It would be great if you could do a review or write an article, too. I am offering free license for Firewall Builder 4.0 package for Windows or Mac OS X to those who can write and publish an article or review on their site (or anywhere, for that matter).

In fact, I have a few "specials" where I give a free license in exchange for certain things you could do, please take a look at the purchase page here:

Thank you

Wednesday, March 17, 2010

Introduction to Firewall Builder 4.0

My guest post "Introduction to Firewall Builder 4.0" has been published on nixCraft blog. Thanks Vivek! Read it here:

In this post I go over high level points explaining benefits of Firewall Builder for a system administrator and then look at the new features in Firewall Builder 4.0. This is the first article in a mini-series of two, the second article will demonstrate configuration of a firewall for a cluster of two web servers.

Tuesday, March 9, 2010

Firewall Builder 4.0 Beta

I am pleased to announce availability of Firewall Builder 4.0 Beta. We
have been testing the new version internally and in limited beta
release for several months now and we believe it is ready for public
beta. The new version comes with support for high availability
firewall configurations, including heartbeat, vrrpd, keepalived,
conntrackd on Linux, CARP and pfsync on OpenBSD and PIX failover
configuration. It can generate configuration scripts to manage ip
addresses, VLAN, bridge and bonding interfaces on the firewall.
Drop-in support for OpenWRT firewall script is now available, as well
as experimental integration with IPCOP firewall appliances. The GUI
supports undo/redo of unlimited depth and was generally
streamlined and improved.

Source tar.gz, binary rpm and deb packages have been uploaded to
SourceForge, in the directory Current_Packages/4.0.0/

Release Notes can be found here:

rpm and deb "testing" repositories now serve fwbuilder 4.0 build 2704 packages.

This page explains how to configure apt and yum to use our

We are working on the Firewall Builder Users Guide 4.0 right now. The
text is still a work in progress, but the updated Guide is being published
on the web site every night: Both HTML and PDF
versions are available.

Chapters that describe configuration of ip addresses, vlan, bridge and
bonding interfaces are here:

Chapters that describe firewall cluster configurations are here:

Examples of cluster configurations on Linux with vrrpd and heartbeat:

Please give it a try!


Thursday, March 4, 2010

Progress report

Firewall Builder 4.0 is very close to the point where it will be released as public beta. We are doing last minor bug fixes and waiting for the "GUI" section of the Users Guide to be rewritten to reflect changes in the GUI. Hopefully we'll start public beta mid-March. Stay tuned!

Friday, February 19, 2010

Firewall Builder on Ohloh

With the help of Reto Buerki, we have fixed the Firewall Builder record on the Ohloh site and the CVS and SVN feeds that they need. Check it out, they have interesting statistics that cover the entire history of the project all the way since 2000.