Firewall management with Fwbuilder

I like the netfilter / iptables firewall: it ships with Linux as part of the kernel. Best of all, it has a rich feature set, is secure and is free of charge.

Netfilter / iptables can target:

  • IP source and destination addresses
  • TCP/UDP source and destination ports
  • Ethernet MAC source and destination addresses
  • Inbound and outbound traffic

Netfilter / iptables is by default a layer-four stateful firewall. With a patch it can even work at layer seven as an application firewall. Furthermore, it has a bunch of advanced features, like:

  • Can do IP forwarding
  • Can do port forwarding
  • QoS / traffic limit
  • Filter according to user authentication
  • Time of day filtering
  • Change TTL
  • ...


The only question is which tool to use to configure it. There are several tools for configuring the netfilter firewall, like KMyFirewall, Guarddog, Shorewall, Webmin and ... Fwbuilder. I used to work with the Checkpoint firewall, which may be why I like the drag-and-drop approach of Fwbuilder.

From the website: Firewall Builder is a multi-platform firewall configuration and management tool. It consists of a GUI and a set of policy compilers for various firewall platforms. Firewall Builder uses an object-oriented approach; it helps the administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations. Firewall Builder currently supports iptables, ipfilter and OpenBSD PF as well as Cisco PIX and Cisco IOS extended access lists.


Setup

First, you need the software. The folks at Fwbuilder (www.fwbuilder.org) provide no Slackware package by default. If you want to start from scratch, grab the sources and compile them. The better and easier way is to grab the Slackware packages from here. You need the packages "fwbuilder" and "libfwbuilder". Install them with "installpkg".

NB: My package does not create a Fwbuilder menu entry. It is up to you to add one; the fwbuilder executable is in /usr/bin.


Start fwbuilder for the first time

[screenshot: fwbuilder]

Define Firewall

There is no firewall defined at this point.

[screenshot: fwbuilder]

Enter a name for your firewall and choose "iptables" and "Linux 2.4/2.6".

[screenshot: fwbuilder]

Define your interfaces. This can be done automatically provided you have SNMP installed, active and configured. Otherwise you have to do it manually.

You can also define an interface as having a dynamic IP address.

[screenshot: fwbuilder]

Check your "Host OS Settings"

[screenshot: fwbuilder]

Check your "Firewall Settings"

[screenshot: fwbuilder]

Object library

If you switch to the "Standard" library you will find an almost complete set of predefined objects.

[screenshot: fwbuilder]

Create ruleset

Now you can create your rules by dragging and dropping objects from the tree on the left. Use the context menu or the Rules menu at the top to create additional rules.

[screenshot: fwbuilder]

"Allow all" ruleset

You may want an "allow all" ruleset for testing purposes or similar use.

[screenshot: fwbuilder]

Masquerade ruleset

If you want to use your box as a router connecting your private network to the Internet, a masquerade rule is useful.

[screenshot: fwbuilder]

Install policy

When you have finished creating your policy, install it: choose "Compile" and then "Install".

[screenshot: fwbuilder]

Choose a directory to save the compiled policy file (in this case /etc/fwbuilder).

[screenshot: fwbuilder]
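The rulesets above end up as plain iptables rules once installed. As an added example that is not Fwbuilder's own code or output, the POSIX shell audit below reads a saved policy in the text format iptables-save prints and flags what is worth checking before "Install": filter chains whose default policy is not DROP, a leftover unconditional "allow all" test rule, and a masquerade rule without a source-network restriction or a stateful FORWARD rule. The sample policy, the interface names eth0/eth1 and the 192.168.1.0/24 network are constructed.

```shell
#!/bin/sh
# Added audit helper (not Fwbuilder's own code) for a saved iptables policy in
# the text format `iptables-save` prints. The sample below is constructed.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT'

# audit_policy RULES_TEXT: one WARN line per finding; exit status 0 means clean.
audit_policy() {
  rules=$1
  n=0
  # Filter chains should default to DROP so only explicit rules pass traffic.
  for chain in INPUT FORWARD OUTPUT; do
    if ! printf '%s\n' "$rules" | grep -q "^:$chain DROP "; then
      echo "WARN: $chain default policy is not DROP"
      n=$((n + 1))
    fi
  done
  # A rule with no match criteria and target ACCEPT is the "allow all" test rule.
  open=$(printf '%s\n' "$rules" | grep -cE '^-A (INPUT|FORWARD|OUTPUT) -j ACCEPT$' || true)
  if [ "$open" -gt 0 ]; then
    echo "WARN: $open unconditional 'allow all' rule(s) present"
    n=$((n + open))
  fi
  # Masquerading makes the box a router: restrict the source network and keep FORWARD stateful.
  if printf '%s\n' "$rules" | grep -q -- '-j MASQUERADE'; then
    if ! printf '%s\n' "$rules" | grep -- '-j MASQUERADE' | grep -q -- ' -s '; then
      echo "WARN: MASQUERADE rule has no source network restriction"
      n=$((n + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q -- '^-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'; then
      echo "WARN: FORWARD chain has no stateful ESTABLISHED,RELATED rule"
      n=$((n + 1))
    fi
  fi
  [ "$n" -eq 0 ]
}
# Stand-alone run over the sample (prints three WARN lines, exits non-zero).
audit_policy "$SAMPLE_RULES" || echo "fix the policy before installing it"
```

Run it on the real box with `audit_policy "$(iptables-save)"` after "Install" to confirm the compiled policy matches what you built in the GUI.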