Fwbuilder is a unique graphical firewall tool that allows the user to
create objects and then drag and drop those objects into firewalls, to
build a powerful security system for a single PC or a network of PCs.
Fwbuilder supports a wide range of firewalls (Cisco ASA/PIX, Linux
iptables, FreeBSD's ipfilter, OpenBSD's pf, and more), so its rules can
be deployed on multiple platforms. Let's take a look at using Fwbuilder
on Linux, which might just become a life-long affair with a powerful
security system.
Installation of Fwbuilder is as simple as searching for "fwbuilder" (no
quotes) in your Add/Remove Software tool (such as PackageKit,
Synaptic, etc.) and marking Fwbuilder for installation. However, if
you're installing Fwbuilder on Ubuntu, the package that will install is
out of date and will not work. In order to get a working, updated
Fwbuilder installed on Ubuntu, follow these steps (you will either have
to su to the root user or use sudo for this to work):
- Open /etc/apt/sources.list in a text editor.
- Add deb http://www.fwbuilder.org/deb/stable/ maverick contrib to the bottom of that file.
- Save and close sources.list.
- Download the GPG key with the command wget http://www.fwbuilder.org/PACKAGE-GPG-KEY-fwbuilder.asc
- Install the GPG key with the command apt-key add PACKAGE-GPG-KEY-fwbuilder.asc
- Install the fwbuilder libraries with the command sudo apt-get install libfwbuilder
- Install fwbuilder with the command sudo apt-get install fwbuilder
Once installed, Fwbuilder can be started by clicking System > Administration > Firewall Builder.
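The Ubuntu steps above collected into one script, added here as an example and not taken from the article or from the Fwbuilder project. It adds the check the manual steps leave out: the signing key is fetched over plain HTTP, so its fingerprint is compared against a value you obtained out of band before apt-key trusts it. FWB_EXPECTED_FPR is a placeholder you must supply (the page does not give the fingerprint), the show-only listing assumes GnuPG 2.1.14 or newer, and the system-changing part runs only when FWB_INSTALL=1 is set.

```shell
#!/bin/sh
# Added example: Fwbuilder repository setup for Ubuntu with a key fingerprint
# check. Values below are copied from the article; the expected fingerprint is
# a placeholder the operator provides after verifying it out of band.
set -eu

REPO_LINE="deb http://www.fwbuilder.org/deb/stable/ maverick contrib"
KEY_URL="http://www.fwbuilder.org/PACKAGE-GPG-KEY-fwbuilder.asc"
KEY_FILE="PACKAGE-GPG-KEY-fwbuilder.asc"

# Print the fingerprint of the first key in an ASCII-armored key file
# (assumes GnuPG 2.1.14+, which supports --import-options show-only).
key_fingerprint() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints, ignoring case and spacing; 0 when equal and non-empty.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Append the repository line to $1 unless it is already there (idempotent).
add_repo_line() {
    grep -qxF "$REPO_LINE" "$1" 2>/dev/null || printf '%s\n' "$REPO_LINE" >> "$1"
}

# The article's steps, run as root. apt-get update is needed after a new
# repository line so the new packages become visible.
install_fwbuilder() {
    add_repo_line /etc/apt/sources.list
    wget -O "$KEY_FILE" "$KEY_URL"
    actual=$(key_fingerprint "$KEY_FILE")
    expected="${FWB_EXPECTED_FPR:?set to the fingerprint you verified out of band}"
    if ! fingerprint_matches "$actual" "$expected"; then
        echo "key fingerprint '$actual' does not match expected value; not importing" >&2
        exit 1
    fi
    apt-key add "$KEY_FILE"
    apt-get update
    apt-get install -y libfwbuilder fwbuilder
}

# Only touch the system when explicitly asked, so the helpers can be tested.
if [ "${FWB_INSTALL:-0}" = 1 ]; then
    install_fwbuilder
fi
```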
The Graphical Interface
Before starting fwbuilder, decide whether it should run with
administrative privileges. You can start fwbuilder from the command line
using either sudo fwbuilder or just fwbuilder.
Why the difference? The former command runs fwbuilder with
administrator privileges, the latter without. I actually recommend
running fwbuilder without admin privileges (it is not required), so the
security of the system is not compromised. Ultimately, the easiest way
to start fwbuilder is by using the desktop menu (as shown above). When
fwbuilder is fired up, the main window will appear (see Figure 1). From
the main window, I recommend all new users click the Watch "Getting
Started" tutorial button, which will open up a browser instance to a
short, informative video. From that same pane (in the main fwbuilder
window) a new firewall can be created or an existing firewall can be
imported.
In the same window there is a navigation tree (left pane). This
navigation tree contains everything necessary to create a firewall. But
before objects and services can be added, a new firewall must be
created. Let's begin the process of creating a new firewall, based on
pre-configured templates, with fwbuilder.
Creating a New Firewall
When the Create New Firewall button is clicked, a wizard will appear to
help create the new firewall. Because I recommend first-time users
select from the pre-configured templates, the wizard will require the
following:
- A name for the firewall.
- The software the firewall is based on (such as iptables).
- The OS type the firewall runs on.
- Whether to select from pre-configured firewall templates (I highly recommend this be selected).
- Based on the template chosen, specific information for the Ethernet interface will be required.
The first step in the wizard (see Figure 2) is to give the firewall a
name, choose the software running the firewall, and select the operating
system running the firewall. For our example the configurations will
be:
- Name: Test Firewall
- Software: iptables
- Operating system: Linux 2.4/2.6
The firewall name can be any user-specified name that indicates the purpose the firewall serves.
For those unfamiliar with "Linux 2.4/2.6", that refers to the kernel
release being used on the system. Nearly all Linux users will select this
option.
As I mentioned earlier, for this test firewall, the pre-configured
firewall templates will be used. The first screen in the wizard is where
the option for pre-configured templates is chosen. After this option is
chosen, the templates will be presented in the next screen (see Figure
3).
Make sure to read the description of each template; otherwise the wrong
template could be chosen, resulting in a non-functional firewall.
Finally, in the last screen of the wizard (see Figure 4), the network
interfaces are named. Since each pre-configured template offers
different hardware configurations (such as a single external interface,
versus a single external and single internal interface) the screen
displayed will depend upon which firewall template is selected.
In this example, a single interface template has been chosen: I am
creating a firewall for a single interface host which happens to be a
desktop machine. The desktop machine uses DHCP for network addressing,
so nothing really needs to be changed in the screen shown in Figure 3.
Should the device use a static address, then the address for the
network interface would need to be entered. Once complete, click the
Finish button and the template will be loaded into the main screen (see
Figure 4).
The firewall has been created from the template. It's time to add objects.
Adding Objects
Fwbuilder now has a basic template ready to be edited. For a very basic
firewall (for instance, for a single desktop machine) the template-based
firewall will often work with little or no modification. But to really
take advantage of the power of fwbuilder, it is important to know how to
build and add objects.
For our newly created template, let's add an internal host (one that
will have full access to the hosting machine) to the firewall. To do
this a new object must be built. To add a new machine, a new Host
object will be added. To do this, follow these steps:
- Right-click the Hosts entry in the left navigation (under Objects).
- Select New Host.
- Give the new host a name and click Next.
- Select Configure interfaces manually and click Next.
- Enter the information for the host to be configured (Name, Label, Static IP, IP Address) and click Finish.
Configure as many hosts as need to be added to the firewall. With
these hosts now added to the Object Tree, it is possible to drag and
drop those hosts into the firewall. To do this expand the navigation
tree for Hosts, find the desired host to be added, and drag and drop the
host into the firewall. Of course it is best practice to first create a
new rule in your firewall chain that can accommodate the new object. To
create a new rule, follow these steps:
- Select where the new rule is to be placed in the chain.
- Right-click the rule in the chain where the new rule is to be located.
- Select either Insert New Rule or Add New Rule Below (depending upon where the new rule needs to live in the chain).
The new rule will be placed within the chain. This new rule will be
fairly generic and will Deny all traffic. Obviously, this new rule must
be edited. Let's use our newly created host object in the new rule.
Since this object is a host, it will be placed into either the
Source or Destination section of the newly created firewall rule. Since
the newly created Host object lives within the internal network (and we
assume that host can be trusted) it will be added to the new rule as a
Source and will be allowed to pass through the firewall.
Find the newly created Host Object in the Object Tree and drag and drop
it to the Source section of the newly created rule (see Figure 5).
With the new host added as a source, it is now important to allow that source into the host.
In its current state, the rule still does not allow the host just added
into the destination. In order to change that Deny (a red dot) to Allow
(a green dot), right-click the Deny entry for the new rule and select
Accept. The red dot will change to a green dot, indicating the host is
allowed through. If there are multiple hosts to add, create new rules
for each host and repeat the same process.
Hosts are not the only objects that can be added. Services (such as
HTTP, SMB, FTP, SSH, etc.) can be added for further flexibility and
security. Services are added to the Object Tree in the same way hosts
are added, and they are added into the firewall rules in the same way
hosts are.
Compiling and Installing
Once the firewall has been created, it is necessary to compile and
install it. These two steps make sure the firewall is correctly built,
compiled into a form the system can use, and installed so the firewall
is actually being used by the system. The steps are simple. Upon
completion of the firewall do the following:
- Save the firewall by clicking the Save button.
- Compile the firewall by clicking the Compile button and walking through the easy-to-use Compile Wizard.
- Install the firewall by clicking the Install button.
As soon as the installation is complete, the firewall will be running.
This installation will also ensure the firewall runs upon reboot of the
machine. If changes are made in the currently running firewall, it is
necessary to re-compile and re-install the firewall.
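A post-install check, added here as an example that is not part of the article or of Fwbuilder itself: confirm that the installed iptables ruleset admits the trusted host the rule above was built for and still denies everything else. The sample ruleset is constructed for this example and is not fwbuilder's actual compiler output; on a live system, pass the text of sudo iptables -S INPUT instead.

```shell
#!/bin/sh
# Added example: verify the deployed INPUT chain against the intent of the
# rule built in the GUI (trusted host as Source -> Accept, default Deny).
# SAMPLE_RULES is constructed for this example, not real fwbuilder output.
set -eu

SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.50/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP'

# Default policy of the INPUT chain ("DROP" or "ACCEPT") from iptables -S text.
input_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
}

# Line number of the first INPUT rule that accepts traffic sourced from $2
# (empty when no such rule exists).
accept_rule_line() {
    printf '%s\n' "$1" | grep -n -- "^-A INPUT .*-s $2/32 .*-j ACCEPT$" \
        | cut -d: -f1 | head -n 1
}

# Line number of the first unconditional INPUT drop or reject (empty when none).
first_blanket_drop_line() {
    printf '%s\n' "$1" | grep -n -E -- '^-A INPUT -j (DROP|REJECT)' \
        | cut -d: -f1 | head -n 1
}

# 0 when host $2 is accepted before any blanket drop and the chain defaults
# to DROP; 1 otherwise, with the reason on stderr. iptables is first-match,
# so an ACCEPT placed after a blanket DROP never fires.
trusted_host_admitted() {
    rules="$1"; host="$2"
    [ "$(input_policy "$rules")" = "DROP" ] \
        || { echo "INPUT policy is not DROP" >&2; return 1; }
    acc=$(accept_rule_line "$rules" "$host")
    [ -n "$acc" ] || { echo "no ACCEPT rule for $host" >&2; return 1; }
    drop=$(first_blanket_drop_line "$rules")
    [ -z "$drop" ] || [ "$acc" -lt "$drop" ] \
        || { echo "ACCEPT for $host is shadowed by a blanket drop" >&2; return 1; }
    return 0
}

trusted_host_admitted "$SAMPLE_RULES" 192.168.1.50 && echo "192.168.1.50 admitted"
```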
Firewall Builder is an incredibly powerful and flexible security tool
that any Linux administrator should get to know. This tool is far better
at creating firewalls than tools like Gufw, but doesn't require the
command-line fu that iptables does. And with Firewall Builder, both very
simple (yet powerful) firewalls and incredibly complex and powerful
firewalls can be created.
Thanks...