In the past I've already published articles and interviews on FSM about Firewall Builder (or FWB in short). During these years I've not been using the tool regularly since I am not a Network Administrator. But I can say that every time I had a firewalling problem at hand, where I needed to prototype and test iptables configurations quickly, this tool never betrayed me! The reason is simple: the tool kept evolving during the years, improving the features it already had and adding interesting new ones.

This time we'll talk about how FWB helps you to configure multiple firewalls in a consistent way. We won't be talking about firewalling per se, so you can still benefit from reading this article even if you don't have deep firewalling, networking or security knowledge. The examples in this article are based on Firewall Builder v4.2. NetCitadel recently announced the release of Firewall Builder 5, which includes some minor changes in the GUI, so some screenshots in this article may look slightly different from what you would see in v5.

What is Firewall Builder?

Firewall Builder is a program that simplifies the management of firewall rules for a wide range of operating systems and hardware firewall devices. The list is quite long, and you can find more on its website.

FWB helps you to configure multiple firewalls in a consistent way

Broadly speaking, FWB is both a graphical interface (GUI) and a set of compilers. You define your rules in the GUI, and a compiler generates scripts from them for the chosen platform. In fact, the same set of rules may be used to generate scripts for iptables, ipfilter, or (e.g.) Cisco devices.

FWB provides a handy library of objects for commonly used entities in firewall rules (e.g.: private address ranges, well-known IP and network addresses, as well as protocols). These standard objects may be extended by the user with new objects, or by grouping together existing objects in new ones. Firewalls are also objects, so you can manage many firewalls in the same interface, and share objects between them. This, as we'll see, is an unexpectedly powerful feature.

FWB saves all these entities (objects and firewalls) in an XML file using the ".fwb" extension. Corruptions in fwb files may be corrected using a simple text editor such as gedit (eh, yes, that happened to me a few times...).

In the project I was working on, we had a number of machines in two different datacenters. Each machine should run a host firewall.

A firewall-wise classification of the servers was easy to do: there was a general set of rules which held for all servers, namely:

1. any traffic through the loopback interface should be allowed.
2. any outgoing traffic on physical interfaces should be allowed; besides, incoming packets related to these outgoing connections must be allowed.
3. a selection of incoming ICMP traffic should be allowed (only ICMP packets with well defined type/code combinations).
4. all incoming traffic from directly attached networks, the other datacenter, and a selected set of our company's networks should be allowed.
5. all other traffic should be blocked and logged.

Further rules permitting specific traffic would be added to specific servers. E.g., an Internet accessible web server will be allowed to receive http connections; DNS servers will have a rule that allows incoming DNS traffic, and so on.

When the classification was done, we had two Generic rulesets (one for hardware servers and one for virtual machines), a set for Xen servers, and five more rulesets covering other special cases.

An iptables-savvy person will immediately realize that creating these rulesets by hand is not too difficult. But, if that person is really savvy, they will also understand the hidden pitfall of this approach: maintenance. The pitfall hides at point #4 in the list above, which contains a set of addresses allowed to initiate any type of traffic to these machines. While a portion of this set is unlikely to change (for example, the network addresses associated with the two datacenters), the remaining part is expected to undergo several changes during the years.
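To make the maintenance pitfall concrete, here is an added example (not code from the article or from Firewall Builder) that renders the generic host-firewall ruleset described above as iptables-restore lines, the way a compiler would, without applying anything. The trusted networks in TRUSTED and the ICMP type/code pairs are constructed placeholders; every host that embeds this list carries one rule per network, which is exactly what must be edited on each server whenever the set in point #4 changes.

```shell
#!/bin/sh
# Added example: print the generic ruleset for one host as iptables-restore
# input. Nothing is executed; the output is only rendered text.
#
# TRUSTED is the "point #4" address set (constructed RFC 5737 / RFC 1918
# placeholders, not the article's real networks).
TRUSTED="192.0.2.0/24 198.51.100.0/24 10.20.0.0/16"
# Accepted ICMP type/code pairs: echo-request, fragmentation-needed, ttl-exceeded
ICMP_OK="8/0 3/4 11/0"

# generic_ruleset [extra-match ...]: base ruleset followed by one ACCEPT
# line per host-specific match expression passed as an argument.
generic_ruleset() {
  echo "*filter"
  echo ":INPUT DROP [0:0]"
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  # 1. anything on the loopback interface
  echo "-A INPUT -i lo -j ACCEPT"
  # 2. packets belonging to connections this host initiated
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # 3. only ICMP with well-defined type/code combinations
  for tc in $ICMP_OK; do
    echo "-A INPUT -p icmp --icmp-type $tc -j ACCEPT"
  done
  # 4. the maintained address set: one rule per trusted network
  for net in $TRUSTED; do
    echo "-A INPUT -s $net -j ACCEPT"
  done
  # host-specific services, e.g. "-p tcp --dport 80" for a web server
  for extra in "$@"; do
    echo "-A INPUT $extra -j ACCEPT"
  done
  # 5. everything else: log (rate limited), then the INPUT policy drops it
  echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"hostfw drop: \""
  echo "COMMIT"
}

# trusted_rule_count: number of lines that depend on TRUSTED, i.e. how many
# rules change on this host when a network is added to or removed from #4.
trusted_rule_count() {
  generic_ruleset | grep -c -- '^-A INPUT -s '
}

# Example: render the ruleset for an Internet-facing web server.
generic_ruleset "-p tcp --dport 80"
```

Counting the output of trusted_rule_count across all rulesets gives the number of edits a change to point #4 costs when rules are maintained by hand, which is the cost that FWB's shared objects remove.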