Monday, April 26, 2010

Support for OpenBSD 4.7

OpenBSD 4.7 (to be released May 19) changes the syntax of "nat" and "rdr" PF rules. These keywords are gone; the corresponding translations are now expressed with the "nat-to" and "rdr-to" options of "pass" or "match" rules. Fwbuilder 4.0 adds support for this. The list of recognized PF versions has been extended with "4.7", and choosing this version makes the policy compiler generate nat and rdr rules using the new syntax. Since the "no" keyword has been removed as well, fwbuilder can no longer generate "no nat" rules for 4.7. The policy compiler treats this as a fatal error; the administrator should use negation to implement exceptions in NAT rule sets.
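As an added illustration (not from the original post or from fwbuilder's own output), here is the same NAT policy written in the pre-4.7 syntax and in the 4.7 syntax, including the negation that replaces a "no nat" exception. The macros $ext_if, $int_net and $dmz_net and the address 192.168.1.10 are constructed placeholders.

```pf
# Constructed example: pf.conf fragment for OpenBSD < 4.7
# Translation rules are first-match, so the "no nat" exception
# has to come before the nat rule it carves an exception out of.
no nat on $ext_if from $int_net to $dmz_net
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.1.10 port 80

# Same policy for OpenBSD 4.7: translation is an option on match/pass rules.
# The "no nat" exception is expressed by negating the destination instead.
match out on $ext_if from $int_net to ! $dmz_net nat-to ($ext_if)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to 192.168.1.10 port 80
```

In the 4.7 form the rdr-to rule both translates and passes the traffic, and any later filter rules see the post-translation address 192.168.1.10.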

Tuesday, April 6, 2010

Compiling Single Rule in Firewall Builder 4.0

The article Getting Started With Firewall Builder was published on the Debian Administration site some time ago and attracted many comments. Firewall Builder 4.0 addresses some of the concerns and suggestions expressed there.

One thing the comments posted with that article show quite clearly is that administrators do not like GUI (or any other kind of high-level) tools that aren't transparent. It is true that most GUI tools hide the actual actions they perform, because their authors believed the tool should be trusted completely and therefore saw no need to keep the administrator "in the loop". Applied to firewall administration, this means that the firewall configuration GUI does not let the administrator check the generated configuration easily, assuming that they should simply trust the tool. Experienced system administrators who are experts in iptables or another firewall platform understandably do not like that. The program should "earn their trust" first, and for that the administrator must have easy access to the generated configuration at all times, as simply as possible, in order to verify and check the result. This leads to the conclusion that such a GUI tool is only good for beginners, because they do not understand the underlying technology anyway and can only get any work done if they use such a tool.

As the author of Firewall Builder and a systems and network administrator with over 10 years of experience, I believe a GUI tool such as Firewall Builder can be very useful for both categories of users: beginners and experienced administrators alike. Firewall Builder, when properly used, reduces repetitive tasks, helps perform coordinated policy changes across multiple firewalls and routers, provides early error checking and simplifies deployment. In the end, it saves time in regular day-to-day maintenance and helps reduce potential downtime caused by errors. There is value in that, even for someone who can write or maintain complex iptables scripts by hand. Still, to make experienced administrators more comfortable, the program should make it easy to quickly check what iptables (or other) commands are being generated.

With this in mind, Firewall Builder 4.0 adds a new feature that does just that.

While you're developing your firewall policy, you can now compile individual rules to confirm that they do what you intended. To do this, right-click anywhere in the rule to open the context menu, then select the menu item "Compile". Or, highlight the rule and use the keyboard shortcut "x". This is a great way to experiment with fwbuilder and see what it generates for different rule configurations built in the GUI. This feature works for all supported firewall platforms and all types of rules (Policy, NAT and routing).

Figure 1. Generated iptables script for the rule #0 is shown in the GUI

When you hit "x" to compile a rule, the program executes the same policy compiler code as when the whole configuration is compiled, only for that one rule. Shadowing detection is obviously not done, because the compiler looks at only one rule; all other error checks are performed as usual. When the rule belongs to a firewall cluster, it is compiled for all member firewalls with all address substitutions, and the output panel shows the generated iptables code for each member. This is shown in the screenshot above. If the compiler finds any errors or issues warnings, they are visible in the output panel as well.

Support for firewall clusters built on Linux with vrrpd, heartbeat, keepalived, pacemaker or OpenAIS is a new feature in Firewall Builder 4.0. It also supports OpenBSD clusters with CARP and pfsync, and Cisco ASA (PIX) clusters. Firewall Builder 4.0 has many other new features and improvements, all listed here:
What is new in Firewall Builder v4.0

If you are not familiar with Firewall Builder, you can find many introductory articles on the Internet and on our own project web site. The articles Getting Started With Firewall Builder on this site and Introduction to Firewall Builder on the project web site give a good overview.

Firewall Builder 4.0 is currently in public beta testing. The latest binary packages and source tar.gz archives are distributed from the SourceForge download pages. Please file bug reports using the SourceForge bug tracking system.

Thursday, April 1, 2010

Integration with DD-WRT

Folks over at DD-WRT figured out how to integrate fwbuilder with their firmware for small routers/firewalls quite some time ago. The process was not very difficult but required a few manual steps. Firewall Builder 4.0 comes with built-in integration with DD-WRT and makes it simpler. This is documented in the Firewall Builder 4.0 Users Guide.

Download Firewall Builder 4.0 source code and binary packages here