SolutionBase: Using fwbuilder to create a Linux firewall

[patris1]

کد:

http://articles.techrepublic.com.com/5100-10878_11-6153019.html

This article is also available as a TechRepublic download.

During my tenure as a Linux administrator, I've set up a lot of security. Nearly 100 percent of the time I used either ipchains or iptables for security. After a while, command-line security becomes second nature. But until that glorious moment, CLI security is a pain: so many rules, so many switches, so many flags. Creating rulesets can be mind numbing, tedious, and frustrating. But those days are gone. Now the Linux operating system has a GUI tool to take over the difficult aspect of most administration tools.
One such tool is fwbuilder (FireWall Builder). The fwbuilder tool is an outstanding example of how flexible, powerful, and reliable tools built upon a sound environment can be. It allows you to build firewalls based on many types of systems; and, because fwbuilder is OS-independent, you can use it to generate rulesets forNetfilter/iptables, FreeBSD's IPFilter, OpenBSD's PF, and even Cisco PIX firewalls. In this article, we'll take a look at fwbuilder.
What does fwbuilder do?

Like any good GUI, fwbuilder executes all the commands you would normally run, but allows you to run the commands by simply pointing and clicking (and some typing). The resulting scripts are firewall rulesets that can be used on any Linux machine (as long as that machine is based on the same technology the firewall was built for). Effectively, you can create a firewall ruleset with fwbuilder, save the ruleset, move the ruleset to another machine, and use the ruleset on the target machine.
This is incredibly helpful if the interface between your internal network and the external world is a GUI-less Linux machine. You create the firewall for the GUI-less machine on the machine with fwbuilder, move the newly created ruleset to the target machine, run the ruleset, and you're finished. Since rulesets created with fwbuilder are portable, they should work with no problems.
Of course, before you can start building firewalls, you must have the necessary tools. So let's install fwbuilder.
Installing

You will need these packages installed: fwbuilder and libfwbuilder packages, plus one or more of:

• fwbuilder-ipt
• fwbuilder-ipf or fwbuilder-pf
• gcc
• gdk_pixbuf
• glib
• glibc-2.2.4
• gtk
• gtkmm
• libsigc++
• libstdc++
• libxml2
• libxslt
• libz
• openssl-0.9.6b
• ucdsnmp
• xshared

If you're running Fedora Core, installing fwbuilder is as simple as running (as root):
yum install fwbuilder
But not everyone runs Fedora Core. If you run a Debian-based distribution, you are a fan of apt-get. With that system in place, you can run the command:
apt-get install fwbuilder
Or, if you go to the fwbuildersourceforge page, you can find the specific release for your distribution.
If you're using rpm install (as root), run:
rpm -ivhfwbuilder-RELEASE-NUMBER.rpm
If you are installing from source download the correct tar file, unpackage the tar file, and run the following three installation commands:
./configure
make
make install
Now fwbuilder should be installed on your system.
Running fwbuilder

Running fwbuilder only requires one command: fwbuilder. Of course, X must be running for this to work, since fwbuilder is not a text-based tool. One of the nice things about fwbuilder is that you don't have to run this as root. Remember, fwbuilder simply creates scripts that are to be run later. The scripts do not need to be created by the root user; the less you do as root, the better.
Once fwbuilder is up and running, it's time to start defining your objects.
Objects

Within the world of fwbuilder, an object can represent hosts, networks (identified by IP address and subnet mask), address ranges, TCP/IP services, firewalls (both multi-homed firewalls proper and bastion hosts), time-ranges and groups of other objects. As many or as few objects as you need can be defined in your ruleset: You could create a ruleset with one object or 1,000,000. At minimum, you will need:

• One firewall object
• One network or host object

Creating a ruleset

Let's start creating a firewall ruleset.
Run the command fwbuilder from the command line. When you first run the command, you will be greeted with a small window that will ask you if you want to open an existing file or create a new project file, as seen in Figure A. Select Create New Project File; you will be asked to name the new file and save it. Once the file is created, select Next.
Figure A
You'll start by creating a new project. The next screen allows you to activate the Revision Control System. Configure fwbuilder to always open with the file you are about to create. Select the Revision Control System but not the Automatic Open Selection. Now the main window will be open as seen in Figure B.
Figure B
Select Revision Control System to see this screen. As you can see, no firewalls are defined. If you right-click the Firewall entry, you can select New Firewall, as shown in Figure C.
Figure C
Select New Firewall to get here. Now you have to name the new firewall object. Select the firewall software the system is running: FWSM, ipchains, iptables, ipfilter, ipfw, PF, PIX, or unknown. You also need to select the OS the firewall will run on: FreeBSD, CISCO FWSM, LinksysSveasoft, Linux 2.4/2.6, Mac OS X, Open BSD, Cisco PIX, Solaris, or unknown.
At this point, you can choose to use preconfigured template firewall objects. If you don't have much experience creating firewalls, this might be a good choice for you; otherwise, leave it unchecked. Once you've selected the firewall software and the OS, select Next. You will now either configure your interfaces manually or have SNMP auto-detect them.
The next window, Figure D, is where you will manually add your interface. You have to give the interface a Name and a Label. Name denotes the actual name of the interface (i.e. eth0, eth1), whereas Label is just a way to denote network topology (i.e. Internal, External). The Unnumbered interface configuration is for an interface such that would not have an IP address (such as those used to terminate PPPoE or VPN tunnels. You can also configure the interface to use a dynamic address now.
Figure D
You'll manually add an interface here. Once you select Finish, a new window (as seen in Figure E) will pop up. This new window allows you to further configure the new firewall.
Figure E
After clicking Finish, you still have more work to do. In the Firewall Settings configuration, you can configure the Compile options which allow you to set up automatic installation of your firewall policies. If you plan on installing your firewall rules manually, you can leave this section blank.
The compiler options depend upon which type of firewall you want to run and which fwbuilder compiler you have installed. Compiler options include:

• fwb_compile_all : compile for all types of supported firewalls
• fwb_ipt : compile for iptables
• fwb_ipf : compile for IPFilter
• fwb_pf : compile for PF
• fwb_pix: compile for PIX

You will want to make sure you download and install the compiler for the system you intend to create. The compilers can be found on the fwbuilder downloads page.
With the right compiler installed, you will know which command to enter in the Compiler section of Advanced Settings window. Below the command section you can enter Command Line Options, output file name, as well as a number of options specific to how you want your firewall to perform. I will be using iptables, so my compiler will be fwb_ipt.
Another important configuration is the Default Action on "Reject". This will be how your firewall handles any network traffic rejected by the firewall.
Certain objects can only be created within their related objects within the tree. For example, if you want to create a new destination object. To create that new destination, you must right-click on Host and select New Host.
Remember Figure D? That is the same information you are going to have to enter to add the new host. You can add as many hosts as you want. Each host will be an object to drag into a rule. Each object must be configured properly when created, otherwise you'll have trouble editing them later. Let's say I have created an object named Desktop. This object contains the IP address 192.168.1.22, a netmask of 255.255.255.0, and belongs to the user library. With this object created, I can now drag it into my recently created firewall (which is currently empty of rules). Let's add and change rules.
Inserting rules

Your firewall is worthless without rules. Adding rules is simple: In the policy window, right-click the blank area and select Insert Rule, as seen in Figure F. The new rule will appear, but will be empty of configuration (other than having an action of Deny, as seen in Figure G). Let's add a destination to this first empty rule.
Figure F
Right-click and select Insert Rule to add rules. Figure G
Right-click and select Insert Rule to add rules. Click, drag, and drop the Desktop object from the left tree view to the Destination placeholder in the main window. When you do that you'll see that the destination has changed, as shown in Figure H.
Figure H
The destination of the object changes. Now let's say you want to deny telnet services entering into the Desktop destination. To do this, you'll have to create a new Service. To create the new service, right-click the Service entry in the left tree view and navigate to TCP | New TCP Service. The Service Window will open, as seen in Figure I.
Figure I
Create a new service. Configure this window for the Telnet service and select Apply Changes. Drag and drop that newly created service into the service section of the rule. Set the Action on the item to Deny. Now you have a firewall rule created to deny any telnet request to the destination Desktop, as seen in Figure J.
Figure J
Your firewall rule is complete! There is another section for each rule called Options. The Options configuration will vary depending on the type of firewall you are working with (i.e., PIX, iptables, ipchains).
Compile and install

Once you've created your entire ruleset, the final step involved with fwbuilder is to compile the rules and install them. Compiling and installing takes the rules created by the tool, turns them into a readable format by the firewall tool employed, and places the file in a user-configured location.
Once you're happy with your rules, select Compile Rules. Once the compilation completes, select Install Firewall Policy, and the new firewall script will be located in the directory configured in the Installer section of the Firewall settings window. This script can then be moved to the hardware the script was created for and run to setup the firewall rulesets.
Now you have a simple and reliable firewall solution.
Final thoughts

The fwbuilder is a blessing for admins who need a hardened security solution that is flexible, open, and cost-effective, but who don't have enough experience with command-line tools to create rulesets with iptables or ipchains. I've found fwbuilder to be an outstanding solution for a very complex problem

---

موضوعات مشابه:

• SolutionBase: Run Internet Explorer on Linux
• SolutionBase: Take a look at the Windows Vista Firewall
• SolutionBase: Steps to take to fix Linux when it won't start
• SolutionBase: Configure a firewall in Linux using SuSe's YaST
• SolutionBase: Learn how to set up an IPCop firewall

---