Wednesday, December 29, 2010
We plan to merge the libfwbuilder and fwbuilder packages into one "fwbuilder" package to simplify package management and make installation easier for users. Libfwbuilder will become a directory inside the fwbuilder code tree and all executables will link with it statically. This reduces the number of files we install in different parts of the file system and makes it easier for users both to build from source and to install binary packages. The change is planned to go live in the next release of fwbuilder, tentatively numbered "4.2", some time in the next month or two.
The change only affects our Linux and FreeBSD/OpenBSD packages.
The side effect of this change is that we won't install header files and dynamic libraries and won't build a libfwbuilder-devel package anymore.
Please let me know as soon as possible if you have any code that depends on these files or know of a project that does.
Tuesday, December 21, 2010
It has been a very exciting year for both NetCitadel and the Firewall Builder project. The fireworks started in May when Firewall Builder version 4.0 was released. This was a major release that brought critical new features such as support for high availability cluster configurations as well as continuing to improve the stability and usability of Firewall Builder.
That was followed in August with V4.1 which included features like support for iptables ipset and integrated SSH/SCP clients for Windows packages. Since then we have released a few patch releases and have been working on adding new features to Firewall Builder.
While a large percentage of the community has already upgraded to V4.x, to our surprise we still run into users that are running versions as old as Firewall Builder V2.0! If you are running a version below V4.0, we hope that you upgrade in 2011!
In the fall we announced the availability of support contracts for open source users. This was part of our push to expand the products and services NetCitadel provides around the Firewall Builder project. We plan to offer more products and services in 2011, stay tuned for more information soon.
In addition to the product enhancements we have continued to work to improve in other areas as well. We have been adding more documentation and have updated our website to make it easier to find the information you are looking for and for new users to figure out what we do. We expect to do much more of that in the coming year.
Finally, we wanted to say thank you to our customers who have supported us this year by purchasing a commercial Firewall Builder license or open source support contract. Our goal is to provide the best firewall management solution available and we are confident you will see lots of exciting progress in 2011!
Mike & Vadim
Wednesday, December 15, 2010
You can read the cookbook recipe of how to configure "double" NAT here:
Double NAT Cookbook Recipe
Btw, the user was in Australia and was a joy to work with. If you are out there and reading this, you know who you are...
Monday, December 6, 2010
In our ongoing efforts to make Firewall Builder easier to use for both new users and power users this release includes the following usability improvements:
- an Advanced User mode which reduces the number of tooltips for power users
- a new policy rule checkbox to define whether new rules have logging enabled or disabled by default
In addition to these enhancements there are also a number of bug fixes in this release including:
- better support for Windows systems that use Putty sessions
- fixed generated IP broadcast addresses for interfaces
- branch rules in a member firewall are now properly imported when a cluster is created
- cluster NAT rules on Linux cluster members now properly generate rules with iptables REDIRECT target
V4.1.3 Release Notes
Friday, December 3, 2010
If you aren't already using color coding you can learn about it in this Quick Tip:
Quick Tip: Color Code Rules
Tuesday, November 30, 2010
Firewall Builder lets you define multiple firewall policies, so you can have a server running a policy configured as part of the cluster and then the same server can also run its own local firewall policies. What you end up with is a cascading chain of firewalls similar to the diagram below.
You can control the order that the firewall policies are evaluated and you can name them to match their function. You can find the complete configuration details in our latest cookbook article:
Cookbook: Creating Local Firewall Rules for a Cluster Member
Wednesday, November 24, 2010
While you could create each server in Firewall Builder and copy-and-paste rules between the servers, this is time consuming and it is easy to make a mistake. We have come up with a solution for this problem using Firewall Builder's cluster feature, which allows you to define a master firewall policy and apply it to all the members of the cluster. This means that when you need to update a rule that affects multiple servers, you only need to make the change in a single firewall policy and then compile and install it on all the cluster members.
During the compile process Firewall Builder "localizes" the master rule for each server the policy is being installed on, so things like interface IP addresses are automatically updated to match each individual server the firewall rules will be deployed on. Check out the complete instructions in our latest Cookbook recipe in the Users Guide:
Using clusters to manage firewall policies on multiple servers
Tuesday, November 16, 2010
Quick Tip: Using Groups to Manage Router ACLs
Wednesday, November 10, 2010
Getting Started: Configuring Cisco Router ACL
We are collecting ideas for how-to guides and tips & tricks articles, so if there is a topic you would like to see covered please leave us a comment.
Thursday, October 28, 2010
The new support services are offered as packages ranging from "Small Business" to "Ultimate". Each package includes a fixed number of support cases that can be opened during the 1 year support period. Our goal is to make sure there are solutions to fit a range of budgets and needs.
As part of this new support offer we are also offering support contract renewals for Windows and Mac users whose existing support contracts have expired. You can see the complete details about our support packages, along with a link to our online store for purchasing on our website:
We plan to continue adding to the list of services provided by NetCitadel based on user feedback and demand. Stay tuned for more information!
Friday, October 8, 2010
After conducting several usability tests with new users we realized that some concepts and areas of the application can be challenging for new users who are trying to get started. To help these new users we have added more visual cues and navigation aids in the GUI. We also simplified the entry fields in several wizards to make it easier to create certain types of new objects.
Existing Firewall Builder users who have enabled "tooltips" in their Preferences settings under the Objects tab will now see additional tooltips when editing firewall policies and other areas. If you haven't enabled tooltips, which were disabled by default on all versions before V4.1.2, then you won't see any of these new tips.
To find out more about the changes in this release you can read the full release note here:
Information for getting the latest packages can be found here:
Let us know what you think of the new enhancements.
Thursday, October 7, 2010
In the last post one of our readers, Scott, asked "What were results of the future direction questions?" Hopefully this post will help answer that question.
In the survey we asked what additional services you were interested in, here's what you told us:
It also turns out that many of our Linux users are interested in having a Technical Support contract, so we are working on developing a support offering to help meet that need. We are still ironing out the details - stay tuned for more information about this in the next couple of weeks.
Many of our users would like us to provide remote Professional Services. We are looking at several options in this area, including partnering with security consulting companies that are knowledgeable about using Firewall Builder for firewall management. We are still looking for partners in some regions, so if you are a security consultant and you are interested in partnering with us send me an email at mike 'at' netcitadel 'dot' com.
Finally, we asked users about what additional firewall platforms they would like to be able to manage with Firewall Builder. Somewhat surprisingly MS Windows Server (2003 & 2008) was the overwhelming winner in this category.
Thursday, September 30, 2010
- Gain a deeper understanding of our current user base and the environments where they use Firewall Builder
- Get user feedback on their satisfaction level with how we are doing in a number of areas (features, support, ease-of-use, etc.)
- Find out what features users would like us to add to future releases of Firewall Builder
- Learn what additional services users would like Firewall Builder to provide
As you can see from the chart below, the majority of users are running Firewall Builder on either Linux or MS Windows systems.
The first video tutorials will cover the basics of getting started with Firewall Builder, but over time we will add more videos to the library that address more complicated topics and scenarios. If you have ideas for a video tutorial you would like to see, please leave us a note in the comments section.
Wednesday, September 22, 2010
Tuesday, September 21, 2010
The survey will be closing on Friday, September 24th. If you haven't already completed the survey please take a few minutes to share your feedback with us:
After the survey is closed we will share some summary data and key statistics.
Wednesday, August 25, 2010
Cookbook: Block SSH Scanners
Let us know if there are configuration recipes that you would like us to add to the cookbook, we are always looking for new ideas!
Tuesday, August 24, 2010
Your input helps make sure we are working on the features that are most important to you.
Friday, August 20, 2010
V4.1.1 has been tested, and we believe it to be ready for production use, but if you do find a bug or issue please let us know.
Our "stable" rpm and deb repositories now serve packages of v4.1.1 build 3243. Source code tar.gz archives and binary packages are also available for download from SourceForge: https://sourceforge.net/projects/fwbuilder/files/
Windows and Mac OS X packages can be downloaded from our web site at http://www.fwbuilder.org
Thursday, August 19, 2010
One of the main goals of the update is to make it easier for new users to understand what the Firewall Builder application does and how they can use it to more effectively manage their firewall configurations. We always love hearing your feedback, so let us know what you think.
Monday, August 16, 2010
Tuesday, August 10, 2010
V4.1 includes new enhancements and features including:
- Support for Address Table objects that use the iptables ipset module
- Integrated SSH tools (plink.exe and pscp.exe) in Windows installer package
- New toolbar shortcut to view complete generated firewall configuration files in the GUI
Users requested the iptables ipset module support for dynamic environments where existing firewall rules need to be updated with a new object to match (IP address or IP subnet). IP sets provide an efficient way to do this without requiring a reload of your iptables rules.
The integrated SSH tools make it easy for Windows users to utilize the built-in Firewall Builder installer functions. No need to load additional software and update your preferences, everything you need is already there.
Want to know what your configuration will look like? The "inspect" function allows you to preview your configuration files in the Firewall Builder GUI before you deploy them to your firewalls.
Have suggestions for features you would like us to add? Leave us a comment and we'll consider it for future releases.
Thursday, July 29, 2010
While this release has been tested and we believe it is stable, you should test it prior to using it in production. If you find a bug, or if you have a suggestion on how we can improve something, please open a ticket in our SourceForge project:
What's new in V4.1?
There are several new features in this version including:
- Support for iptables ipset module (provides a dynamic group function in memory) - requires ipset module
- New function and toolbar shortcut to view complete generated firewall script in a viewer window
- Shortcut buttons in the main window to help new users get started more easily
- Updated many dialog window sizes and layouts to work better for users with smaller displays (1024x768)
- Added a new mode for stopping the firewall script called 'block'
There are also a number of smaller enhancements and bug fixes included. You can find a complete list of all the updates in the V4.1 Beta release note on our website:
If you are a licensed user, V4.1 will be a free upgrade for users that have a valid V4.0 license. We plan to officially release V4.1 in a few weeks once we are confident there are no major issues.
Mike & Vadim
Saturday, July 3, 2010
It is great to see a publication like BSD Magazine showcasing Firewall Builder!
Tuesday, June 8, 2010
What's in it for you? Well, to start with there will be free beer and appetizers. This will also be a good chance to network with your peers and meet other Firewall Builder users.
Tied House Cafe & Brewery
954 Villa St
Mountain View, CA 94041
The Tied House is close to the Mountain View CalTrain station. There is a meetup page for this event http://www.meetup.com/Firewall-Builder-Users-SF-Bay-Area/. If you could RSVP for this event, either on meetup.com or by emailing me, it will help us make sure we have enough room reserved on the patio. We look forward to seeing you there!
Btw, if you don't live in the Bay Area we will be trying to arrange meetups in other locations as our travels bring us to different areas, so stay tuned.
Mike & Vadim
Thursday, June 3, 2010
"Stable" repositories of RPM and DEB packages have been updated and serve v4.0.1 build 2950. This page explains how to use the repositories: http://www.fwbuilder.org/4.0/docs/firewall_builder_packages.html. These packages, as well as source tar.gz archives, can also be downloaded from SourceForge.
Tuesday, May 4, 2010
Thank you to everyone who helped with testing and provided bug reports and feedback.
Firewall Builder Project
Monday, April 26, 2010
Tuesday, April 6, 2010
One thing the comments posted with that article show quite clearly is that administrators do not like GUI (or any other kind of high-level) tools that aren't transparent. It is true that most GUI tools hide the actual actions they perform, because their authors believed the tool should be trusted completely and therefore it is not necessary to keep the administrator "in the loop". Applied to firewall administration, this means that the firewall configuration GUI does not let the administrator check the generated configuration easily, assuming that they should trust the tool. Experienced system administrators who are experts in iptables or another firewall platform understandably do not like that. The program should "earn their trust" first, and for that the administrator must have easy access to the generated configuration at all times, as simply as possible, in order to verify and check the result. This leads to the conclusion that such a GUI tool is only good for beginners, because they do not understand the underlying technology anyway and so can only get any work done if they use such a tool.
As an author of Firewall Builder and a systems and network administrator with over 10 years of experience, I believe a GUI tool such as Firewall Builder can be very useful for both categories of users: beginners and experienced administrators alike. Firewall Builder, when properly used, reduces repetitive tasks, helps perform coordinated policy changes for multiple firewalls and routers, provides early error checking and simplifies deployment. In the end, it saves time in regular day-to-day maintenance and helps reduce potential downtime caused by errors. There is value in that, even for someone who can write or maintain complex iptables scripts by hand. Still, to make experienced administrators more comfortable, the program should make it easy to quickly check what iptables (or other) commands are being generated.
With this in mind, Firewall Builder 4.0 adds a new feature that does just that.
While you're developing your firewall policy, you can now compile individual rules to confirm that they do what you intended. To do this, right-click anywhere in the rule to open the context menu, then select the menu item "Compile". Or, highlight the rule and use the keyboard shortcut "x". This is a great way to experiment with fwbuilder and see what it generates for different rule configurations built in the GUI. This feature works for all supported firewall platforms and all types of rules (Policy, NAT and routing).
Figure 1. Generated iptables script for the rule #0 is shown in the GUI
When you hit 'x' to compile a rule, the program executes the same policy compiler code as when the whole configuration is compiled, except only for one rule. Shadowing detection is not done, obviously, because the compiler looks only at one rule; however, all error checks are performed as usual. When a rule belongs to a firewall cluster, it is compiled for all member firewalls with all address substitutions, and the output panel shows the generated iptables code for each member. This is shown in the screenshot above. If the compiler finds any errors or issues warnings, they are visible in the output panel as well.
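The per-member address substitution described here (and in the cluster cookbook post above, where a master rule is "localized" for each server) can be illustrated with a small model. This is an added example, not fwbuilder's compiler code: it assumes a simplified rule format in which a placeholder like `iface:eth0` stands for the member's own address on that interface and `vip:eth0` for the cluster's shared failover address; the member names and addresses are constructed sample data.

```python
"""Toy model of cluster rule localization (added example, not fwbuilder code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Member:
    name: str
    # interface name -> address this member really has on it (constructed data)
    addrs: dict


@dataclass(frozen=True)
class Rule:
    src: str       # literal address/network, "iface:<name>" or "vip:<name>"
    dst: str
    proto: str
    dport: int
    target: str


def resolve(token: str, member: Member, vips: dict) -> str:
    """Turn a rule operand into the concrete address for one member.

    'iface:<name>' differs per member; 'vip:<name>' is the same shared
    cluster address on every member; anything else must be a valid literal.
    """
    if token.startswith("iface:"):
        iface = token.split(":", 1)[1]
        if iface not in member.addrs:
            # Mirrors a compiler error check: the member cannot run this rule.
            raise ValueError(f"{member.name}: no interface {iface!r} for rule")
        return member.addrs[iface]
    if token.startswith("vip:"):
        return vips[token.split(":", 1)[1]]
    ipaddress.ip_network(token, strict=False)  # raises on a malformed literal
    return token


def localize(rule: Rule, member: Member, vips: dict) -> str:
    """Emit the iptables command for this rule as it applies on one member."""
    src = resolve(rule.src, member, vips)
    dst = resolve(rule.dst, member, vips)
    return (f"iptables -A INPUT -s {src} -d {dst} -p {rule.proto} "
            f"--dport {rule.dport} -j {rule.target}")


def compile_rule(rule: Rule, members: list, vips: dict) -> dict:
    """Compile one rule for every cluster member, like pressing 'x' on it."""
    return {m.name: localize(rule, m, vips) for m in members}


# Constructed sample cluster: two web servers sharing a failover address.
MEMBERS = [Member("web1", {"eth0": "192.0.2.11"}),
           Member("web2", {"eth0": "192.0.2.12"})]
VIPS = {"eth0": "192.0.2.10"}
ADMIN_SSH = Rule("203.0.113.0/24", "iface:eth0", "tcp", 22, "ACCEPT")
WEB_VIP = Rule("0.0.0.0/0", "vip:eth0", "tcp", 80, "ACCEPT")

if __name__ == "__main__":
    for rule in (ADMIN_SSH, WEB_VIP):
        for name, cmd in compile_rule(rule, MEMBERS, VIPS).items():
            print(f"{name}: {cmd}")
```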
Support for firewall clusters built on Linux with vrrpd, heartbeat, keepalived, pacemaker or OpenAIS is a new feature available in Firewall Builder 4.0. It also supports OpenBSD clusters with CARP and pfsync and Cisco ASA (PIX) clusters. Firewall Builder 4.0 has many other new features and improvements, all listed here:
What is new in Firewall Builder v4.0.
If you are not familiar with Firewall Builder, you can find many introductory articles on the Internet and on our own project web site. The articles Getting Started With Firewall Builder on this site and Introduction to Firewall Builder on the project web site give a good overview.
Firewall Builder 4.0 is currently in public beta testing. Latest binary packages and source tar.gz archives are distributed from the SourceForge download pages. Please file bug reports using Source Forge bug tracking system.
Thursday, April 1, 2010
Download Firewall Builder 4.0 source code and binary packages here
Saturday, March 27, 2010
This is more detailed than Release Notes but skips some minor changes
Wednesday, March 24, 2010
We are working on the documentation at this time. The article "Introduction to Firewall Builder 4.0" on the nixCraft blog http://www.cyberciti.biz/ was rather popular and I am following it with a second one, which is going to be a detailed guide that describes building a firewall configuration for a cluster of two web servers (an on-the-host firewall, that is). This guide is interesting in that it starts with Linux servers running iptables and heartbeat but then shows how to convert it to OpenBSD running PF and CARP. The second article should be published on the nixCraft blog soon.
I am looking for more blogs and professional news sites that would do a review or accept guest posts that I can write. Please send pointers to me if you know of any popular site or blog like that. It would be great if you could do a review or write an article, too. I am offering free license for Firewall Builder 4.0 package for Windows or Mac OS X to those who can write and publish an article or review on their site (or anywhere, for that matter).
In fact, I have a few "specials" where I give a free license in exchange for certain things you could do, please take a look at the purchase page here: http://www.fwbuilder.org/netcitadel/index.html
Wednesday, March 17, 2010
In this post I go over high level points explaining benefits of Firewall Builder for a system administrator and then look at the new features in Firewall Builder 4.0. This is the first article in a mini-series of two, the second article will demonstrate configuration of a firewall for a cluster of two web servers.
Tuesday, March 9, 2010
have been testing the new version internally and in limited beta release for several months now and we believe it is ready for public beta. The new version comes with support for high availability firewall configurations, including heartbeat, vrrpd, keepalived, conntrackd on Linux, CARP and pfsync on OpenBSD and PIX failover configuration. It can generate configuration scripts to manage IP addresses, VLAN, bridge and bonding interfaces on the firewall. Drop-in support for the OpenWRT firewall script is now available, as well as experimental integration with IPCOP firewall appliances. The GUI supports undo/redo of unlimited depth and was generally streamlined and improved.
Source tar.gz, binary rpm and deb packages have been uploaded to SourceForge, in the directory Current_Packages/4.0.0/
Release Notes can be found here:
rpm and deb "testing" repositories now serve fwbuilder 4.0 build 2704 packages.
This page explains how to configure apt and yum to use our
We are working on the Firewall Builder Users Guide 4.0 right now. The text is still a work in progress, but the updated Guide is being published on the web site every night: http://www.fwbuilder.org/4.0/docs/users_guide/ Both HTML and PDF versions are available.
Chapters that describe configuration of IP addresses, VLAN, bridge and bonding interfaces are here:
Chapters that describe firewall cluster configurations are here:
Examples of cluster configurations on Linux with vrrpd and heartbeat:
Please give it a try!