Tuesday, September 20, 2011

Free Software Magazine - Firewall Builder Article

There is a great article by Marco Marongiu over on the Free Software Magazine site today. In the article Marco talks about how he uses Firewall Builder to keep his policies consistent across multiple firewalls. He also touches on using Firewall Builder to manage policies controlling traffic to VM servers by configuring iptables in dom0 on Xen. Enjoy!

FSM - Firewall Consistency with Firewall Builder

Wednesday, September 7, 2011

Security by Default

The team over at Security by Default wrote up a nice blog post about Firewall Builder recently. Here's a link to the original article which is in Spanish:
And, if, like me, you can't read Spanish, here's a link to a translated version in English. It's not perfect, but the key messages come across.
http://bit.ly/pAu1hF (English translation via Babel Fish)
Always great to hear about how people use Firewall Builder and what they like about it!

Wednesday, July 27, 2011

Firewall Builder 5 - Officially Released

The team at NetCitadel is happy to share that today we released our latest version called Firewall Builder 5. This release includes several enhancements to the GUI and adds a number of new features designed to make it easier for users with large data files to manage their objects.

New features in this release include:
  • User defined subfolders
  • Keywords for tagging objects
  • Dynamic groups with smart filters
  • Multiple operations per filter rule
  • Attached Networks object
  • Import support for PF configuration files
Thanks to everyone that helped beta test Firewall Builder 5. You can find more information about this release in the release notes.

Sunday, July 17, 2011

Linux Journal - Firewall Builder for HA Clusters

An article I wrote for the May 2011 issue of the Linux Journal is now available in the free online LJ content. The article gives detailed step-by-step instructions for implementing High Availability (HA) Linux firewall pairs using iptables, keepalived, conntrackd and of course Firewall Builder.

Tuesday, July 5, 2011

Firewall Builder 5 - Attached Networks

Firewall Builder 5 includes a new feature called Attached Network objects. These new objects are child objects of firewall interface objects and act like a group object that automatically includes all of the IP networks associated with the IP addresses assigned to the interface that the Attached Network object was created under.
Once created the Attached Network object can be used in firewall rules just like regular group objects and can be created under interfaces that are configured with either static or dynamic IP addresses. This makes it easy to refer to all the networks that are directly attached to a particular firewall interface.
Let's look at a quick example. Suppose I have a firewall that includes interface eth0 which is configured with static IP addresses and if I want to create a rule that allows traffic from the local network on eth0 to the firewall itself, currently I could either use two network objects in the rule's Source or create a Group object that includes these networks and use that in the rule's Source.
Now with Attached Networks I can simply create a new Attached Network child object under eth0 and use that in the rule's Source. This Attached Network object will include both the and networks and if I add a new static IP address to eth0 the Attached Network object will automatically update with the IP network of the new IP address.
You can find more information about creating and using Attached Networks in the Firewall Builder 5 Users Guide here.
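As an added example (not Firewall Builder's own code), the following Python derives the same set of networks an Attached Network object stands for from the addresses currently assigned to an interface, using constructed `ip -o addr show` output, and emits one iptables or ip6tables rule per network. The interface name eth0 and every address in the sample are constructed values; it also covers the IPv6 and dynamic-address cases the text mentions, since the networks are read from the live address list rather than typed in.

```python
import ipaddress
import re

# Constructed sample of `ip -o addr show dev eth0` output (not real host data).
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
2: eth0    inet 10.10.5.1/22 brd 10.10.7.255 scope global eth0
2: eth0    inet6 2001:db8:1::1/64 scope global
2: eth0    inet6 fe80::1/64 scope link
"""

# index: ifname  inet|inet6  address/prefix ...
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)")


def attached_networks(ip_addr_output, iface, include_link_local=False):
    """Networks directly attached to iface: each assigned address reduced to
    its IP network, de-duplicated and sorted (IPv4 first, then IPv6)."""
    nets = set()
    for line in ip_addr_output.splitlines():
        m = ADDR_RE.match(line)
        if not m or m.group(1) != iface:
            continue
        net = ipaddress.ip_interface(m.group(3)).network
        # fe80::/64 is attached to every interface; skip it unless asked for.
        if net.is_link_local and not include_link_local:
            continue
        nets.add(net)
    return sorted(nets, key=lambda n: (n.version, n))


def rules_allow_to_firewall(nets, iface):
    """One INPUT rule per attached network, choosing the tool by IP version."""
    rules = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -i {iface} -s {net} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for rule in rules_allow_to_firewall(
            attached_networks(SAMPLE_IP_ADDR_OUTPUT, "eth0"), "eth0"):
        print(rule)
```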

Wednesday, June 29, 2011

Firewall Builder 5 - User Defined Folders

If your Firewall Builder configuration includes lots of objects then you will probably like user defined subfolders. This feature was added in v5, which is currently in beta, and lets users create subfolders below any of the standard predefined system folders.
After the subfolder has been created you can drag-and-drop objects from the system folder into the subfolder. These subfolders make it convenient to organize objects by region, location, function or whatever grouping makes sense in your environment.
The image below shows an example of using subfolders in the Firewalls system folder to organize firewalls by the city that they are located in.

More information about creating and managing subfolders can be found on the preliminary documentation here.

Wednesday, June 22, 2011

We are happy to announce that the first version of Firewall Builder v5 is now ready for beta testing. Overall the theme of v5 is to help make it easier to organize and manage large numbers of objects as well as adding support for new features like attached networks and PF configuration imports.
Here's a quick overview of some of the new features that are included in the initial beta version of v5:
  • User defined system folders. Add your own sub-folders to existing folders like Firewalls, Networks, etc.
  • Object Keywords. Assign keywords to objects and filter the object tree using those keywords.
  • Dynamic Groups. Create Dynamic Group objects using the keywords and object type as filters.
  • Multiple operations per rule. Specify multiple operations, like tag and classify, in a single rule.
  • Attached Networks. Use the new Attached Network object to refer to the networks directly attached to an interface.
  • Improved GUI behavior. Multiple enhancements to make the GUI easier to use.
  • PF Import. Import pf.conf configuration files into Firewall Builder.
Over the coming days and weeks I'll be posting more information about each of these features, as well as announcing new Firewall Builder v5 features as they are added and ready for testing.
This guide includes more information about these new features, including links to updated Users Guide documentation where available.

Monday, June 6, 2011

Final article in Linux.com series

Jack Wallen's latest article about configuring firewall settings in Firewall Builder is up on Linux.com.

This wraps up a nice four part series that Jack put together to go through many of the basics about using Firewall Builder. Previous articles were:

We look forward to seeing more articles by Jack about Firewall Builder!

Tuesday, May 31, 2011

Managing rules - New article on Linux.com

Jack Wallen's latest article on Linux.com is about how to manage rules on Firewall Builder. He covers both the basics and some advanced features like rule groups and rule colors that help users organize their rules.

Wednesday, May 25, 2011

New HowtoForge article

Check out our latest article on HowtoForge that walks through the steps of importing an iptables configuration using the newly enhanced import feature in V4.2.
Importing iptables configuration into Firewall Builder

Tuesday, May 24, 2011

New Video Quick Tip - Object & Service Groups

Check out the latest Firewall Builder Video Quick Tip. This one covers how to use object and service groups to simplify your firewall rules.

Monday, May 23, 2011

Latest Linux.com article

In this week's Linux.com article Jack Wallen gets into the details about Firewall Builder object types and how to create advanced options like group objects and address tables.

Monday, May 16, 2011

Linux.com article

Another great article by Jack Wallen on Linux.com about using Firewall Builder to configure Linux iptables firewalls.

Why didn't Sony use firewalls?

There has been a lot of press lately about the Sony Play Station Network breach. One of the facts that came out is that apparently Sony was not using network firewalls to protect the servers that PSN runs on. This got me thinking about why a large company might not have network and/or server firewalls in place. Of course there is the capital cost of purchasing firewall hardware, but I think a far bigger factor is the ongoing operations cost of managing the firewall(s).

This operations cost is one reason that we hear from customers about why they don't implement firewalls for some functions. Keeping firewall configurations up-to-date can be challenging, especially if you are managing host-based firewalls for large server farms where the number of servers is large and the pain of updating the rules is high.

Our mission at NetCitadel is to simplify firewall management so that companies don't have to choose whether or not to implement a firewall. Since Firewall Builder supports multiple firewall platforms including Linux iptables firewalls, companies can install a very capable firewall using standard PC hardware, often with hardware that costs less than $1,000.

Why do you think a large company might not install firewalls to protect critical resources?

Friday, May 13, 2011

Network World Blog Post

There was a post about NetCitadel and Firewall Builder on the Network World open source blog today. You can check it out here:

Network World - Open Source Subnet

Tuesday, May 10, 2011

Firewall Builder v4.2.1 released

We are happy to announce a new version of Firewall Builder. V4.2.1 is a minor bug-fix release:

  • fixes a bug discovered in the built-in policy installer batch mode. This should help users who run fwbuilder to manage their firewalls on IPv6-only networks
  • fixes a bug in the SNMP network discovery wizard
  • fixes a few other minor bugs in the GUI
  • fixes the policy compiler for PF, which did not generate PF rules with the "queue" keyword correctly in 4.2.0

Full release notes are available on the web site

Avoiding locking yourself out of your firewall

Most people who manage firewalls have locked themselves out of the firewall after pushing new rules at least once. I'll be the first to admit that it has happened to me on more than one occasion.

Firewall Builder includes a neat feature where you can define an IP address or IP network that should always have SSH access to the firewall. This gets installed as a rule above the rest of the regular user defined rules to ensure that you don't lose access after pushing changes to the firewall.

This short video shows you how to configure which address or network should always have access to the firewall.

Always Allow SSH to Firewall - Video Quick Tip
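As an added example, and not Firewall Builder's own installer code, this Python assembles an iptables install script in which the "always allow SSH" rule for a management address or network sits ahead of every user-defined rule, and then checks that ordering before the script is pushed. The management network 192.0.2.0/24 and the sample user rules are constructed values.

```python
# Constructed management network that must keep SSH access; not a real site value.
MGMT_NET = "192.0.2.0/24"


def build_install_script(mgmt_net, user_rules, policy="DROP"):
    """Return the install script as a list of lines. user_rules are iptables
    arguments for the INPUT chain without the leading 'iptables'."""
    lines = [
        "#!/bin/sh",
        "set -e",
        "iptables -F INPUT",
        # The lockout guard goes in before anything that can drop packets.
        f"iptables -A INPUT -s {mgmt_net} -p tcp --dport 22 -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines += [f"iptables {rule}" for rule in user_rules]
    # The default policy is set last, after the guard rule is already in place.
    lines.append(f"iptables -P INPUT {policy}")
    return lines


def management_rule_is_first(lines, mgmt_net):
    """True only if the SSH guard exists and precedes every DROP/REJECT rule
    and the DROP policy, i.e. no earlier line can block the management host."""
    guard = f"-s {mgmt_net} -p tcp --dport 22 -j ACCEPT"
    guard_at = next((i for i, line in enumerate(lines) if guard in line), None)
    if guard_at is None:
        return False
    blocking = ("-j DROP", "-j REJECT", "-P INPUT DROP")
    return not any(
        any(tok in line for tok in blocking) for line in lines[:guard_at]
    )


if __name__ == "__main__":
    script = build_install_script(
        MGMT_NET, ["-A INPUT -p tcp --dport 80 -j ACCEPT", "-A INPUT -j DROP"])
    assert management_rule_is_first(script, MGMT_NET)
    print("\n".join(script))
```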

Wednesday, May 4, 2011

See what commands Firewall Builder is going to generate

Have you ever wanted to check in real-time what commands will be generated by Firewall Builder when you compile a rule?
This short video shows how easy it is to use the rule compile feature to display the specific commands that Firewall Builder will generate.
Have other features you'd like to see demonstrated in a short video? Just leave us a comment about the feature you'd like to see.

Friday, April 29, 2011

Firewall Builder Webinar

We will be hosting a tutorial webinar next Thursday (May 5) at 8:30am PDT / 11:30am EDT.

The first part of the webinar will be a general overview of Firewall Builder and key concepts, and the second part will be responding to user questions. So if you have a complex configuration, or have just always wondered how to do something in Firewall Builder, register to attend the webinar:

We look forward to seeing you there!

Wednesday, April 20, 2011

Firewall Builder V4.2 Released!

NetCitadel is happy to announce the release of Firewall Builder V4.2. There are a lot of exciting new features in V4.2; here's a quick sampling:
  • Import of Cisco ASA/PIX/FWSM configurations. It's now easier than ever to get started using Firewall Builder to manage your Cisco firewalls.
  • De-duplication of objects during import. Firewall Builder checks to see if the objects you are importing match objects that are already in the database. This works for imports from all supported platforms.
  • Configuration generation for the latest Cisco ASA software versions (Cisco ASA v8.4).
  • Advanced system configuration, including bridge interfaces and static routing, for BSD-based firewalls.
  • Much more...
You can find the full release notes on our website.

Stay tuned for information about the new features we have planned for the next release of Firewall Builder. If you have large numbers of firewalls to manage we think you'll be excited about what we have planned...

Monday, April 18, 2011

Wednesday, April 13, 2011

Linux Journal - Configuring Linux HA firewall pairs

The May 2011 issue of the Linux Journal magazine, which is now available in print edition, includes an article I wrote about how to use Firewall Builder to configure a High Availability pair of Linux iptables firewalls.

The article includes step-by-step instructions on how to setup automatic failover and connection state synchronization. Linux Journal makes the issues available online after two months so if you can't wait that long you can buy it online or at your favorite newsstand.

Monday, April 11, 2011

Firewall Builder V4.2 Beta Release Now Available

We are happy to share that we are getting ready to officially release Firewall Builder V4.2 in the next couple of weeks. This release includes enhancements for all supported platforms with a particular emphasis on BSD PF and Cisco ASA & PIX firewalls.

Some of the exciting new features available in V4.2 include:
  • Import of Cisco ASA and PIX configurations. Now you can quickly and easily add existing Cisco firewalls to your Firewall Builder data file.
  • Support for Cisco ASA v8.3 configuration generation including support for the new nat() command syntax.
  • Bridge interfaces, static routes and rc.conf style configurations for BSD PF firewalls.
  • Enhanced import wizard for all platforms including object de-duplication and automatic platform and version detection.
You can find a detailed listing of new features on our website:

The latest V4.2 pre-release software, currently V4.2.0.3523, is available on our website:

We have tested V4.2 extensively, but if you do discover an issue that you believe might be a bug please open a ticket on SourceForge in the V4 tickets:

SourceForge Tickets

If you have a chance to try Firewall Builder V4.2 please let us know what you think. Thanks for your support!

Wednesday, March 30, 2011

Using Firewall Builder to manage a Xen firewall

One of our users recently wanted to use Firewall Builder to manage the firewall in dom0 to control traffic to the virtual servers and control access to dom0. After a bit of testing he wrote up a short how-to blog post.

Marco's Blog Post - Xen firewall with Firewall Builder

It is always fun to see users using Firewall Builder in innovative and creative ways. If you have an unusual Firewall Builder configuration let us know and we would be happy to add it to our documentation or post a link to it.

Friday, February 25, 2011

Sometimes you just have to ask...

I was recently exchanging emails with a customer who had just purchased a V4.1 Firewall Builder license. He didn't like the behavior where the GUI showed the interface name in the object tree and showed the interface label in the Policy rule.

He asked if we could fix this, and so we changed the behavior for our upcoming V4.2 release. Now the GUI shows both the interface name and label in the object tree. This makes it easier to quickly scan the object tree and know what interfaces you want to use in a rule.



The moral of the story is, if there is something that you would like to see us add or change in Firewall Builder just let us know. If it's easy you might be surprised how quickly it could appear in a new version.

Thursday, February 24, 2011

More V4.2 Features Ready for Beta Testing

We are making great progress on our next release which will be Firewall Builder V4.2. This release is mainly focused on enhancing our support for Cisco ASA, Cisco PIX and BSD pf platforms. Here's a quick overview of the features that are available in the latest beta release of V4.2.

* Support for defining interfaces in NAT rules
* Ability to configure bridge interfaces and static routes on BSD systems
* Option to generate FreeBSD platform configurations in rc.conf style format
* Support for Cisco ASA and PIX v8.0 - v8.3 platforms
* Use of named objects in Cisco ASA and PIX rules where possible

You can download a copy of the latest Firewall Builder beta version from our website:


And you can find notes about how to configure and use these new features on our website:

V4.2 Beta Notes

The last big feature we will be adding to V4.2 is support for importing Cisco ASA and PIX configurations. This will make it much easier for Cisco users to get started with Firewall Builder. Let us know what you think and thanks for helping us make Firewall Builder better!

Wednesday, February 16, 2011

Some thoughts from the RSA Conference

I was at the RSA conference (http://bit.ly/exsTwN) yesterday. After I finished up my meetings I wandered around the exhibition hall. There are over 330 companies with booths at the show, which got me thinking about just how many products and companies there are in the security space.

With all these companies pushing what are sometimes very similar products, it can be hard to understand the differences between them. For instance, I was talking with several UTM appliance providers, and the list of features each of them was highlighting was almost identical across the board.

So what does this mean for Firewall Builder? Well, first of all it reminded me that there are a lot of products competing for our users' attention, so it is critical that we do a good job making it clear both what Firewall Builder does and what it doesn't do. But, probably more importantly, it reinforced to me how important it is to stay focused on the problem that we are trying to solve.

Our mission is to make firewall management easier and more consistent across a wide range of firewall platforms. We want to do this in a way that scales both in terms of the number of firewalls that users can manage and also in terms of the number of users that need to manage those firewalls. I'm really excited about 2011 and the progress we are going to make towards these goals!

As always we want to hear from you. Do you think Firewall Builder's core mission is clear? What do you want to see in Firewall Builder in 2011?

Tuesday, February 1, 2011

Are your firewalls ready for IPv6?

I have to admit, over the last few years I have become a bit immune to all the declarations that this year was finally going to be the year that the Internet ran out of IPv4 addresses. While I still think this issue is getting sensationalized by the media, http://bit.ly/eLV7ci, the reality is that 2011 will likely mark the first year where enterprises really have to start planning for how they are going to support IPv6.

Even though it may be a little while before your enterprise is running a dual stack network with both native IPv4 and native IPv6 it’s probably time to start planning for when that day arrives. One notable change driven by IPv6 will be how network and security administrators think about firewall functions and network boundaries.

For example, one of the goals of IPv6 is to have a large enough IP address space that Network Address Translation (NAT) is no longer necessary. However, many security administrators view NAT as usefully hiding their internal IP address schemes. I predict there will be a lot of interesting discussions about how best to secure IPv6 networks as IPv6 sees more widespread, mainstream adoption.

So, why am I posting about IPv6 you ask? One of the features of Firewall Builder is that it has built-in support for creating IPv6 objects and using those objects in your rules. This helps reduce the pain of deploying and supporting IPv6 firewalls. As a noted IPv6 network architect pointed out to me, using a tool like Firewall Builder where objects are used in rules instead of straight IP addresses becomes even more critical with IPv6. How many times do you have to type 2001:0db8:85a3:::8a2e:0370:7334 before you make a typo??

Right now Firewall Builder supports IPv6 rule generation for Linux ip6tables, BSD pf, Cisco router access lists and ipfw; however, I expect that as we see more of our users adopting IPv6 we will add support for other platforms like Cisco ASA and PIX firewalls in the future.

Are you already using IPv6 or starting to plan for it? Let us know in the comments how you see IPv6 affecting your firewall management plans.