Firewall Builder

We support iptables (available in Linux kernels 2.4.x). As of version 0.9.3 we dropped support for ipchains as obsolete technology and because of lack of time. As of version 1.0.1 we support ipfilter (available for variety of OS, including FreeBSD, OpenBSD, Solaris and others) and added support for pf (OpenBSD 3.0). Version 1.0.10 and later support ipfw. Support for Cisco PIX is available as a commercial product (send us email to inquire).

Our main development OS is Linux, however we test-compile our code on FreeBSD and OpenBSD.

These are listed in the file "Build" in the docs directory. It is fwbuilder/doc/Build if you unpack source tarball, or can be found online: http://www.fwbuilder.org/pages/Documents/Build.html

Binary packages and a source code for the recent release can be downloaded from the "Downloads" page on the project's web site http://www.fwbuilder.org/ or from Source Forge .

Binary packages and a source code for the very latest code can be downloaded from the "CVS" section on our Source Forge site. Nightly builds and experimental packages are available on our ftp site ftp://downloads.fwbuilder.org/pub/fwbuilder/. Nightly builds include latest bug fixes and are great way to test and see what is going to be included in the next release. At the same time nightly builds are certainly a cutting edge of the project and may break. Be sure to make backup copy of your data before you use it! We usually put the latest copy of the ChangeLog file in the same directory, remember to always check it before you download.

Authors of GTK-- recommend using binary packages built by Ximian (see gtk-- home page at http://gtkmm.sourceforge.net/ and follow link "Download") . You should be able to find these packages on Ximian's FTP site ftp://ftp.ximian.com/put/ximian-gnome

You can also try to download packages libgtkmm1.2-1.2.9-3mdk.i586.rpm and libsigc++1.0-1.0.4-5mdk.i586.rpm that are part of Mandrake 9.0 and use them on RedHat 8.0. Note that these packages are built using gcc 3.2 and will NOT work on older RedHat distributions (RedHat 7.x). Use them only on RedHat 8.0 and later.

you can also download binary RPMs for RedHat from the site http://freshrpms.net/

See also the answer for the next question: Q: 1.7..

Our user Toby Johnson published mini-HOWTO with instructions on how to compile these libraries on RedHat 8.0 :

First, read the "Red Hat 8.0" section under http://www.fwbuilder.org/pages/Documents/Build.html. But instead of looking for libgtkmm and ligsigc++ on rpmfind, download these two files:

ftp://ftp.ximian.com/pub/ximian-gnome/redhat-73-i386/source/gtkmm-1.2.9-1.ximian.1.src.rpm
ftp://ftp.ximian.com/pub/ximian-gnome/redhat-73-i386/source/libsigc++-1.0.4-1.ximian.4.src.rpm
            

(Nevermind the "redhat-73-i386"; since they're source RPM's, it won't matter.)

Now, enter the following to build the binary libsigc++ package and install it. If your SRPM root is different that "/usr/src/redhat", make the appropriate changes.

              rpm -ivh libsigc++-1.0.4-1.ximian.4.src.rpm
              rpm -ivh gtkmm-1.2.9-1.ximian.1.src.rpm
              cd /usr/src/redhat/SPECS
              rpmbuild -bb libsigc++.spec
              rpm -ivh ../RPMS/i386/libsigc++-1.0.4-1.ximian.4.i386.rpm
              rpm -ivh ../RPMS/i386/libsigc++-devel-1.0.4-1.ximian.4.i386.rpm
            

Building the gtkmm package is a little trickier since there's a bug in one of the files that gcc 3.2 dies on. First, create a file named "/usr/src/redhat/SOURCES/gtkmm-1.2.9-editable.patch" with the following contents:

--- ./src/editable.gen_h 2001-11-01 12:19:56.000000000 -0500
+++ ./src/editable.gen_h.new 2002-11-01 10:49:55.000000000 -0500
@@ -147,7 +147,7 @@
namespace Gtk
{

- string Editable::get_chars (int start_pos = 0, int end_pos = - 1) const
+ string Editable::get_chars (int start_pos, int end_pos) const
{
gchar *chars = gtk_editable_get_chars (GTK_EDITABLE (gtkobj ()), start_pos, end_pos);
string ret_val = chars;

Now, modify "/usr/src/redhat/SPECS/gtkmm.spec" to include the patch. Find the line that begins with "Source0:" and add the following directly below it:

Patch1: gtkmm-1.2.9-editable.patch

Then find the section labeled "%prep". Add the following line after the "esac" line of the "case" statement (it will be the last line in the %prep section):

%patch1 -p0 -b .editable

Save the spec file, then continue with the following to build and install gtkmm:

              cd /usr/src/redhat/SPECS
              rpmbuild -bb gtkmm.spec
              rpm -ivh ../RPMS/i386/gtkmm-1.2.9-1.ximian.1.i386.rpm
              rpm -ivh ../RPMS/i386/gtkmm-devel-1.2.9-1.ximian.1.i386.rpm
            

Note: rpmbuild is part of the package "rpm-build"

Now you're ready to install the fwbuilder 1.0.7 RPMs!

We distribute binary packages for some Linux distributions. You would need to download and install the following (actual names of the packages vary depending on the naming convention for given distribution):

• The API: libfwbuilder

• GUI: fwbuilder

• Policy compiler for your firewall:

  • For iptables you need fwbuilder-ipt

  • For ipfilter you need fwbuilder-ipf

  • For OpenBSD pf you need fwbuilder-pf

  • For Cisco PIX you need fwbuilder-pix

As policy compilers for other firewall platforms become available, they will appear in the download area.

For example, for RedHat 7.3 you would need the following packages:

• libfwbuilder-0.10.10-1.rh7.i386.rpm

• fwbuilder-1.0.6-1.rh7.i386.rpm

• fwbuilder-ipt-1.0.6-1.rh7.i386.rpm

this set of packages gives you the library, GUI and policy compiler for iptables.

You may also want to check what is available under "Contrib" in the download area. There are useful install, boot-time startup and other scripts contributed by users and beta-testers. Binary packages for Debian and SuSe are also available in "Contrib" area.

The answer depends on what OS and distribution this is done.

One of our users suggested the following procedure that works on Mandrake Linux:

• copy or download fwbuilder files to a dir on target machine

• Start the rpm source manager (from the mandrake control center) and add a new local source pointing to the dir where you've just put the rpms save and quit

• Open rpmdrake (again from the mandrake control center) to install new software. Search on fwbuilder and select the three RPMS you want to install. rpmdrake resolves all dependencies.

• Start install.

On FreeBSD you need to install ports libfwbuilder and fwbuilder. At this time these ports are not part of the standard ports tree and need to be installed manually. Download files libfwbuilder-port.tar and fwbuilder-port.tar from the "Downloads" page on our web site and unpack then in directories /usr/ports/security/libfwbuilder and /usr/ports/security/fwbuilder. If port files you are using are part of the nightly build, then you also need to download source code (files libfwbuilder-1.0.0.tar.gz and fwbuilder-1.0.10.tar.gz ) from the same site and put them in the /usr/ports/distfiles directory. Then go to /usr/ports/security/fwbuilder and type make install, it should install both libfwbuilder and fwbuilder, as well as missing packages they depend on.

On Mac OS X you need to install Firewall Builder as a fink package. Download files libfwbuilder.info and fwbuilder.info from the "Downloads" page on our web site and put them in the directory /sw/fink/dists/local/main/finkinfo/ on your Macintosh. If you are trying to install the nightly build, then you also need to download source code archive (files libfwbuilder-1.0.0.tar.gz and fwbuilder-1.0.10.tar.gz ) from the same site and put them in the directory /sw/src. Then just type fink install fwbuilder. This should install both libfwbuilder and fwbuilder, as well as missing packages they need.

As of version 0.9.7 Firewall Builder does not need GNOME anymore. All widgets which are part of libgnomeui library have been rewritten so Firewall Builder now uses only gtk+ and gtk-- libraries. This should simplify porting to other OS and should make it possibly to use Firewall Builder on Linux systems using KDE.

first of all, you need to obtain source. One way is to download source tarball from our download page. You need to grab two packages: libfwbuilder-N.N.N.tar.gz and fwbuilder-M.M.M.tar.gz , where N.N.N and M.M.M are respective versions of both packages/

Or, if you want to try the code we are currently working on, you can do anonymous CVS checkout from our site on Sourceforge. Just open this URL: http://sourceforge.net/cvs/?group_id=5314 and follow instructions. In this case make sure you get both libfwbuilder and fwbuilder modules.

In either case, once you got source and unpacked it on your machine, you need to check that all dependencies are satisfied and you have all the libraries fwbuilde ruses installed on your machine. You can check list of libraries here: http://www.fwbuilder.org/pages/Documents/Build.html

Now you can build. First go to the directory libfwbuilder and run script ./autogen.sh. This script checks dependencies and customises our code for your system. This script accepts the following parameters:

• --prefix - specify directory prefix where you want libfwbuilder installed

• --with-templatedir=DIR - specify directory for template files and DTD

• --with-glib-prefix=PREFIX - specify prefix directory where glib is installed

• --disable-glibtest - do not compile and run glib test program

• --without-openssl - compile libfwbuilder without encryption support (certain functions won't work, such as support for fwbd daemon)

• --with-openssl-prefix=PREFIX - specify prefix directory where openssl library is installed

• --without-ucd-snmp - compile libfwbuilder without support for SNMP (certain functions won't work, such as network discovery)

If system you are using for build has additional libraries installed in /usr/local/lib, then you either need to add this directory to your LD_LIBRARY_PATH environment variable, or supply path for each lbrary as a parameter for autogen.sh. Unfortunately at this time our script does not support specification of the installation path for all the libraries we use, so setting LD_LIBRARY_PATH is probably safier way.

If your system has all the libraries installed in the standard place, or has dynamic linker configured so that it can find libraries wherever they are installed, then you do not need to worry about LD_LIBRARY_PATH.

Once you are done with autogen.sh, run "make all" in libfwbuilder directory and see that it does not end with an error. If it does, then either autogen.sh could not find some library, or there is something peculiar about your system that we do not support yet. Please verify again that you have all the libraries needed (check with Build) and that autogen.sh worked fine. If nothing helps, report the problem to us.

After "make all" have worked to the end and did not produce any errors, you need to install the library. By default it installs in /usr/local/lib and libfwbuilder-config script installs in /usr/local/bin. You will need root priviliges to install there, so become root and run "make install" in the directory libfwbuilder. If you do not wish to install in /usr/local, you can use parameter --prefix=PREFIX when you run autogen.sh

Once libfwbuilder is installed, you can move on and compile fwbuilder. The procedure is the same: go to the directory fwbuilder, run "./autogen.sh", then "make all" and "make install".

As of version 0.9.6 the code has been split into three major parts: API, GUI and policy compilers. You need to download, compile and install API for the rest to compile. The API comes in a separate source archive called libfwbuilder-0.10.0.tar.gz. Compile and install it as usual, using "./autogen.sh; make; make install" procedure.

gtk and gtkmm 2.0 are different libraries with different API. fwbuilder won't work with them. Please stick with recommended versions of libsigc++ and gtk/gtkmm.

Just type "fwbuilder" on the command line prompt (in xterm or gnome-terminal)

Then the GUI binary (fwbuilder) can not find API library libfwbuilder. If you are using our binary packages, then make sure you download and install package called libfwbuilder. If you compiled from sources, then perhaps you installed libfwbuilder with default prefix /usr/local/, therefore library went to /usr/local/lib. Dynamic linker ldd can not find it there.

You have the following options:

• create environment variable LD_LIBRARY_PATH with value /usr/local/lib and run fwbuilder from this environment.

• add /usr/local/lib to the file /etc/ld.so.conf and run ldconfig so it will rescan dynamic libraries and add them to its cache.

• recompile libfwbuilder and fwbuilder with prefix /usr/, this will install libfwbuilder.so.0 in /usr/lib. ldd will find it there without any changes to environment variables or /etc/ld.so.conf file. To change prefix you need to run autogen.sh with command line parameter "--prefix=/usr". Do this both for libfwbuilder and fwbuilder.

Then usually this error happens when old version of libgtkmm or libsigc++ library is used. Check if you need to upgrade those, you can use our Build document to find out what versions you need and where can you get them from.

sometimes this error happens even if new rpms have been installed. In this case you need to check which library gets picked up by fwbuilder when it starts. Sometimes old version gets stuck somewhere on a disk after upgrade and then ldd loads it instead of newer one. Try to download script called "check_libs.sh" from "Contribs" area on Sourceforge site of Firewall Builder and then run it like this:

	    check_libs.sh /usr/bin/fwbuilder
	  

it will list all dynamic libraries used by fwbuilder binary and what RPM they are part of. Look for libraries which are not part of any installed rpm, those cause the problem.

Most likely you are trying to run fwbuilder binary built for RedHat 7.3 or Mandrake 8.2 on RedHat 8.0 or Mandrake 9.0 system. Latest versions of both RedHat and Mandrake are based on new compiler gcc 3.2, which uses different name mangling algorithm for C++ code and therefore produces binaries which are incompatible with those compiled with older versions of gcc. You need to either recompile libfwbuilder and fwbuilder yourself, or use binaries compiled for RedHat 8.0 or Mandrake 9.0.

You are trying to run fwbuilder on RedHat 8.0 where you installed older version of libgtkmm and libsigc++ libraries. Or may be you have upgraded your older RedHat 7.3 to 8.0 and still use old libgtkmm and libsigc++ that were installed before the upgrade. Latest versions of both RedHat and Mandrake are based on new compiler gcc 3.2, which uses different name mangling algorithm for C++ code and therefore produces binaries which are incompatible with those compiled with older versions of gcc. RedHat does not include these two libraries in their distribution, so you need to add them yourself. Question "Q: 1.6." explains where you can get binary packages from or how you can compile them yourself.

You need to install a package that provides support for your firewall platform.

• For iptables you need fwbuilder-ipt

• For ipfilter you need fwbuilder-ipf

• For OpenBSD pf you need fwbuilder-pf

• For Cisco PIX you need fwbuilder-pix

Please file a bug on Sourceforge. Provide information we might need to fix the problem:

• what version of fwbuilder do you run, did you install prebuilt binary packages or compiled it yourself ?

• Provide the output of the following commands:

                  cat /etc/issue
  
                  rpm -qa | grep gtk
                  rpm -qa | grep libxml
                  rpm -qa | grep libxslt
                  rpm -qa | grep libsigc++
  
                  ldd /usr/bin/fwbuilder
                  ldd /usr/bin/fwb_ipf
                  ldd /usr/bin/fwb_iptables
                

• Download script "check_libs.sh" from Contrib area on our Sourceforge page and run it as follows:

                  check_libs.sh fwbuilder
                

  include its output in your bug report.

Also send us core file and .xml file with your objects.

You need to install corresponding policy compiler. Our prebuilt compilers come in a separate RPMs named like this: fwbuilder-iptables-1.0.1-1rh7.i386.rpm

Did you install package with corresponding compiler ? Our prebuilt compilers come in a separate RPMs named like this: fwbuilder-iptables-1.0.1-1rh7.i386.rpm

Check if compiler dumped core. If you can't find it, you may try to run compiler manually, providing the following command line parameters:

	    $ fwb_iptables  -f path_to_objects.xml   firewall_object_name
	  

All policy compilers have the same command line format.

We can not guarantee that Firewall Builder would work flawlessly on Debian or SuSe since we do not have access to these distributions for testing.

Sometimes we recieve packages built for these distributions by volunteers. In this case we post these packages in "Contribs" area on the project's page on Sourceforge. We do not verify or even try these packages and completely rely on people who submit them. We usually post information about authors, so if you have questions you can contact them directly.

We welcome help from anyone who can test Firewall Builder on these distributions and provide feedback

Sometimes this happens when you skip several versions trying to upgrade the program. There used to be a bug in the upgrade procedure somewhere around version 1.0.4 which broke automatic upgrades from versions before 1.0.4 to versions after that. If this happens to you, upgrade your data file using script fwb-upgrade.sh that you can find in Contrib/Scripts area on our SourceForge site.

As of version 1.0.4, code and GUI dialogs supporting target firewall platform and host OS are not included in the GUI but rather come within additional packages. If your firewall is iptables, you need to install package fwbuilder-ipt. If it is ipfilter, then you need package fwbuilder-ipf. For OpenBSD PF you would need fwbuilder-pf.

Firewall Builder uses "stateful inspection" feature of underlying firewall platform. In case of iptables it loads module ip_conntrack which is tracking connections opened through the firewall and by the firewall itself. Since this module "remembers" each connection, there is no need in additional rule for "ACK" or "reply" packets. In fact, this module does lot more than keeping track of opened TCP sessions as it does similar thing to other protocols as well, where possible. Firewall Builder also loads some other modules to keep track of complex protocols, e.g. it loads module ip_nat_ftp to support FTP.

This is how it works now. Interactive Druid does not check for rules in existing policy and simply adds new ones. If you run Druid twice and ask it to generate the same set of rules, you'll get the same rules many times in your policy. This will be improved in subsequent releases.

Your host may or may not have its IP address assigned dynamically via PPPoE or DHCP.

• If address is static:

  • create firewall object, enter its IP address

  • create interface for it in "Interfaces" tab, mark it as "external"

  • add loopback interface named "lo", address 127.0.0.1/255.0.0.0

  • call Druid, choose "Firewall protects local host" and then pick rules you want.

  See what Druid have created for you. You can edit and add rules now.

• If address is dynamic:

  • create firewall object, mark its address as "dynamic"

  • create interface for it in "Interfaces" tab, mark it as "external" and "dynamic"

  • add loopback interface named "lo", address 127.0.0.1/255.0.0.0

  • call Druid, choose "Firewall protects local host" and then pick rules you want.

This question is outlined in Firewall Builder Tutorial in great details, what follows is just a brief explanation. You can find Tutorial online: http://www.fwbuilder.org/pages/Documents/Tutorial/index.html

There are two possibilities here, depending on what IP address you want to use to access your server - that of your firewall or virtual one. If you use the same address your firewall has, you can arrange access to your internal server from outside, and provide your internal users with access to the Internet using only one address. This scheme may become a limitation though if you have multiple servers inside your network which need to be accessed from outside. In the latter case you may want to use different port numbers or virtual ip addresses for access to different internal servers.

• Using IP address of the firewall to access your server inside.

  This is easy. Just add rule to the "NAT":

  Table 3.

  Orig.Src	Orig.Dst	Orig.Srv	Transl.Src	Transl.Dst	Transl.Srv
  Any	Firewall	Any	Original	Server	Original

  where "firewall" is the object for your firewall and "Server" is the object for your server behind the firewall. This is it, Firewall Builder will generate iptables code for DNAT translation using firewall's IP address.

• Using virtual IP address for translation

  Create a rule in "NAT" in a similar way:

  Table 4.

  Orig.Src	Orig.Dst	Orig.Srv	Transl.Src	Transl.Dst	Transl.Srv
  Any	Server-NAT	Any	Original	Server	Original

  where "Server-NAT" is special object with address of the translation you want to create, and "Server" is an object for your server behind the firewall.

  In addition to the firewall rule, you need to set up static ARP entry and add routing. Asuming external translated address of the server is NN.NN.NN.NN, external firewall's interface is eth1 and its internal interface is eth0, the following commands would do the trick:

  		  # arp -Ds NN.NN.NN.NN eth1 pub  
  		  # route add NN.NN.NN.NN dev eth0
  		

  The first command adds static "published" ARP entry, while the second command routes it through internal interface

  As of version 0.9.3 iptables compiler can add these two commands to the generated firewall script if checkbox "Create ARP entries for DNAT translations" is checked in "iptables" tab in firewall object's dialog

Each firewall has a Global Policy, a policy associated with each interface and a NAT policy.

Global Policy rules apply to packets crossing the firewall, regardless of the interface they ingress and egress through. In case of iptables this is equivalent to writing a rule without "-i interface" or "-o interface" clause. Rule like this will match packets using only their addresses and protocol information. Interface policy rules, on the other hand, always get "-i interface" or "-o interface", depending on their direction setting.

Since Interface Policy rules are associated with certain network interface of the firewall and support direction, they provide a mechanism for dealing with situations where knowing both interface and direction is neccessary, for example setting up anti-spoofing rules. Since situations like this are rare, we recommend placing most of the firewall rules in the Global Policy and only those rules which can not be implemented in any other way into Interface Policy.

There are firewalls which require that all rules are always associated with interfaces. Even in this case you can place policy rules in the Global Policy because our compiler can properly deduct correct interface the rule should be associated with.

When policy compiler generates code for the target platform, it first scans NAT rules, then Interface Policies, then Global Policy. This determines the order in which lines of the target code are generated.

The option "Assume firewall is any" is needed for those firewalls where rules that control access to the firewall machine and rules that control access to machines behind the firewall use different syntax or different commands. Currently two plaforms require and use this option: iptables and Cisco PIX.

In iptables, rules controlling access to the firewall should go into INPUT chain (or rules controlling packets originated on the firewall should go to OUTPUT chain), while rules that control traffic going through the firewall go into the FORWARD chain. Generally, a rule may yield code for either chain depending on the addresses used in SRC and DST. If address used in DST matches one of the addresses of the firewall, then code goes into INPUT chain. There are two ways to interpret "any" though. We can say that "any" means anything, including the firewall. In this case this rule should put code into both INPUT and FORWARD chain. If we do not assume that firewall is part of any, then the generated code goes only into the FORWARD chain.

The algorithms used by the policy compiler are the same regardless of the network configuration, so this logic applies in the case when firewall protects local host, too.

mark interface DMZ as external

We need them to be able to assign rules to an interface, but skip it in src or dst if firewall object is used in src/dst rule elements. This may be useful in configurations with VPN (imagine unnumbered VPN interface through which packets exit the tunnel).

Here is quick step by step procedure. Please note that this would work only for simple network configurations!

1. create Network object for your internal network

2. create a Firewall object for your firewall. Do not forget to choose firewall platform in the "General" tab of the dialog.

3. Add interfaces to the firewall (open firewall object, then use main menu "Insert / Interface"). Add address to each interface (open interface object, then use main menu "Insert / Address"). Do not forget to add loopback interface as well (name 'lo', address 127.0.0.1).

4. Mark interface that connects you to the Internet as "External".

5. Use main menu "Rules / Help me build firewall policy" and choose network topology that describes your network. Generate rules and see what you've got.

I won't do this because I believe that currently the script does "The Right Thing". Here is why:

The script sets default policy in all chains to "DROP" before it clears all the rules. This is necessary because firewall and possibly machines behind it become wide open as soon as script clears the policy. Script needs to wipe out old rules before it installs new ones, so setting default policy to DROP is the only way to ensure there is no time window during which firewall does not offer any protection. One may argue that this window is really short, because script immediately loads new rules, but this is not always so. What if some rule contained an error and did not load? What if script has been interrupted and did not activate whole bunch of rules? In the end, it is always better to block access and thus prevent potential security problems, even if this comes at a price of some inconvenience.

Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule.

This happens when you are using an option "Create virtual addresses for NAT rules". The problem is that policy compiler needs to be able to determine interface of the firewall to assign virtual address to. In order to do that it scans all interfaces trying to find subnet requested NAT address is on. Sometimes firewall's interface has an address which belongs to a different network than NAT address specified in the rule; in this case compiler can not identify an interface and aborts.

The NAT rule still can be built without "-i" or "-o" option, but automatic assignment of virtual address is impossible. You need to turn off option "Create virtual addresses for NAT rules" in the tab "Firewall" of firewall dialog and configure this address manually.

"Compile" only calls compiler, which produces a file called after the name of the firewall object, with ".fw" extension. This file contains a firewall sript which needs to be activated. There are two ways to activate it: 1) you can simply copy it to the firewall machine and then run it by hand; 2) you can use a shell script to copy this file to where it should be and then run it. If you put the full directory path and file name for this script in the "Policy Install Script" field in "Compile/Install" tab of the firewall's object dialog, then menu item "Rules/Install" will be activated. Using this menu item causes GUI to call the script, which is supposed to copy generated firewall script to the firewall machine and run it there. Usually such script uses SSH to securely access firewall machine. Several contributed install scripts are available in the "Contrib" area on Sourceforge and script 'fwb_install' is included in the package. The installation and activation procedure is different on different OS, so please use these scripts with caution.

Script fwb_install that is part of the package is intended for Linux and iptables, although it can be easily modified to support ipfilter and pf. It has been contributed to the project by David Gullasch ( <xonox@web.de> , <gullasch@secunet.de> ), please contact him if you have problems or questions.

You do not need to reboot your firewall to activate the new policy. Iptables script generated by Firewall Builder has a code to do a "clean up" job by removing all previous iptables settings, before it loads new ones.

You do not need to uninstall ipchains, but you need to deactivate it.

As root, run the following command:

	    # chkconfig --level 2345 ipchains off
	  

if you do not want to reboot at this point, run the following to stop and remove ipchains from the memory:

	    # /etc/rc.d/init.d/ipchains stop
	    # rmmod ipchains
	  

Now simply run iptables script created by fwbuilder to activate your firewall. This will immediately activate your new firewall policy; you can always check if your new rules are loaded using command "iptables -L -n".

There still is a problem of activating the policy at a boot time. Different OS deal with it using deifferent scripts that get installed in the directory /etc/rc.d/init.d (scripts in this directory are called in sequence when machine boots.) RedHat's standard iptables setup depends on their scripts iptables-save and iptables-restore. If you wish to stick with RedHat's standard scripts, simply run these commands:

	    # /etc/rc.d/init.d/iptables save
	    # chkconfig --level 2345 iptables on
	  

This will save your configuration to RedHat's standard file /etc/sysconfig/iptables in iptables-save format (which is different!) and then will restart it every time you reboot your firewall.

If you do not want to use their scripts, you can use script "firewall-initscript" available in the "Downloads" area on our web site. This script comes with a README file which describes its usage.

Iptables can either be compiled into the kernel or as a modules, it does not really matter. If some of the modules are missing, then respective feature won't work and you will get an error trying to load generates script. For example, if you compile everything into the kernel and leave ipt_LOG module out, then logging will stop working and you will get errors trying to load rules with logging turned on. Look into iptables HOWTO and Tutorial for more details as this problem is not really specific to Firewall Builder.

Here is (incomplete) list of modules taken from my firewall :

• ipt_limit

• ipt_REJECT

• ipt_multiport

• ipt_MASQUERADE

• ipt_REDIRECT

• ipt_state

• ipt_LOG

• iptable_drop

• iptable_filter

• iptable_nat

• ip_conntrack

• ip_nat_ftp

• ip_tables

• ip_conntrack_ftp

RedHat Linux comes with all iptables code compiled as modules.

You can turn debugging on (look for a checkbox in the tab "Firewall" in firewall dialog). This simple generates firewall script with shell option "-x" so it will print all commands while executing. This way you can see which command causes the error and trace it back to the policy rule.

This tool is part of the package 'iproute'; we use it to manage virtual IP addresses needed for some NAT rules.

RedHat Linux comes with syslog preconfigured to write all log messages with level "info" and higher to /var/log/messages, while iptables script generated by Firewall Builder by default logs everything as "debug". You need either to edit /etc/syslog.conf to make all "debug" messages to be logged, or change log level to "info" in iptables tab in firewall dialog

You can use our script logwatcher.pl available in Contrib area. It reads log file /var/log/messages and shows only the following fields from each log line:

• Date and time

• rule number (assuming you use default setting for the rule prefix which looks like this: "RULE %N -- %A")

• rule action (Deny/Reject/Accept)

• interface

• protocol

• source address and source port

• destination address and destination port

• ICMP type and code for ICMP packets

Note though that this script drops some data logged by iptables to improve readability. You may miss some important information because of this, so in case of real problem always look in the original log!

Another, more elaborate version of the same script is logwatcher2.pl. It is also available in Contrib area.

You can use our script connwatcher.pl available in Contrib area. It prints the contents of the connections table every second, sort of like top shows processes active in the system.

You can use rule options dialog and add unique log prefix for this rule. Open rule options dialog by right mouse clicking on rule element in the "Options" column. This way you can make rules generate special lines in the log, which you can later process with automated script, ot simply use while troubleshooting your policy.

Open Options dialog (under menu "Edit"), choose in the tree "GUI"->"Behavior" and check checkbox "Automatically save data in dialogs while switching between objects".

you need to compile the policy and then activate it.

• check if ip forwarding is turned on (pull down menu in the "Network" tab of the firewall object dialog).

• try to ping hosts on the Internet by their IP address, not their name. This helps isolate DNS problems. If you can ping by address but can't ping by name, then you need to add policy rules to permit DNS queries.

• Look in firewall's log for records indicating that it drops packets. Error in the policy design can cause it to block connections that you really want to go through.

• Use option "Log everything" to make all rules generate log entries, this sometimes helps pinpoint a rule that drops packets.

At least on RedHat create a script /etc/dhclient-exit-hooks and simply call firewall script from it.