Tuesday, April 6, 2010

Compiling Single Rule in Firewall Builder 4.0

Article Getting Started With Firewall Builder was published on Debian Administration site some time ago and attracted many comments. Firewall Builder 4.0 addresses some concerns and suggestions expressed there.

One thing the comments posted with that article show quite clearly is that administrators do not like GUI (or any other kind of high-level) tools that aren't transparent. It is true that most GUI tools hide the actual actions they perform, because their authors believed the tool should be trusted completely and so there was no need to keep the administrator "in the loop". Applied to firewall administration, this means the firewall configuration GUI does not let the administrator easily check the generated configuration, on the assumption that they should trust the tool. Experienced system administrators who are experts in iptables or another firewall platform understandably do not like that. The program should "earn their trust" first, and for that the administrator must have easy access to the generated configuration at all times, as simply as possible, in order to verify and check the result. This leads to the conclusion that such a GUI tool is only good for beginners, who do not understand the underlying technology anyway and so can only get work done if they use such a tool.

As the author of Firewall Builder and a systems and network administrator with over 10 years of experience, I believe a GUI tool such as Firewall Builder can be very useful for both categories of users: beginners and experienced administrators alike. Firewall Builder, when properly used, reduces repetitive tasks, helps perform coordinated policy changes across multiple firewalls and routers, provides early error checking and simplifies deployment. In the end, it saves time in regular day-to-day maintenance and helps reduce the downtime that errors can cause. There is value in that even for someone who can write or maintain complex iptables scripts by hand. Still, to make experienced administrators more comfortable, the program should make it easy to quickly check what iptables (or other) commands are being generated.

With this in mind, Firewall Builder 4.0 adds a new feature that does just that.

While you're developing your firewall policy, you can now compile individual rules to confirm that they do what you intended. To do this, right-click anywhere in the rule to open the context menu, then select the menu item "Compile". Alternatively, highlight the rule and use the keyboard shortcut "x". This is a great way to experiment with fwbuilder and see what it generates for different rule configurations built in the GUI. The feature works for all supported firewall platforms and all types of rules (Policy, NAT and routing).

Figure 1. Generated iptables script for the rule #0 is shown in the GUI

When you hit 'x' to compile a rule, the program runs the same policy compiler code as when the whole configuration is compiled, but only for that one rule. Shadowing detection is obviously not done, because the compiler looks at only one rule; all other error checks are performed as usual. When the rule belongs to a firewall cluster, it is compiled for all member firewalls, with all address substitutions, and the output panel shows the generated iptables code for each member. This is shown in the screenshot above. If the compiler finds errors or issues warnings, they are visible in the output panel as well.

Support for firewall clusters built on Linux with vrrpd, heartbeat, keepalived, pacemaker or OpenAIS is a new feature in Firewall Builder 4.0. It also supports OpenBSD clusters with CARP and pfsync, and Cisco ASA (PIX) clusters. Firewall Builder 4.0 has many other new features and improvements, all listed here: What is new in Firewall Builder v4.0.

If you are not familiar with Firewall Builder, you can find many introductory articles on the Internet and on our own project web site. The articles Getting Started With Firewall Builder on this site and Introduction to Firewall Builder on the project web site give a good overview.

Firewall Builder 4.0 is currently in public beta testing. The latest binary packages and source tar.gz archives are distributed from the SourceForge download pages. Please file bug reports using the SourceForge bug tracking system.
