File: FAQ.html

fwbuilder 1.0.0-2
<HTML
><HEAD
><TITLE
>Firewall Builder</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.59"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="../../fwbuilder.css"></HEAD
><BODY
CLASS="ARTICLE"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN2"
>Firewall Builder</A
></H1
><H2
CLASS="SUBTITLE"
>Frequently Asked Questions</H2
><H3
CLASS="AUTHOR"
><A
NAME="AEN5"
>Vadim Kurland</A
></H3
><DIV
CLASS="AFFILIATION"
><DIV
CLASS="ADDRESS"
><P
CLASS="ADDRESS"
>	&nbsp;&nbsp;vadim@fwbuilder.org<br>
	</P
></DIV
></DIV
><DIV
CLASS="REVHISTORY"
><TABLE
WIDTH="100%"
BORDER="0"
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
COLSPAN="3"
><B
>Revision History</B
></TH
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 0.1</TD
><TD
ALIGN="LEFT"
>2001-11-25</TD
><TD
ALIGN="LEFT"
>Revised by: vk</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Converted to SGML</TD
></TR
></TABLE
></DIV
><HR></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="#INTRO"
>Introduction</A
></DT
><DT
>2. <A
HREF="#SYSTEMREQ"
>System requirements, using pre-built packages, compiling from source</A
></DT
><DT
>3. <A
HREF="#PROBLEMS"
>Problems, troubleshooting and reporting bugs</A
></DT
><DT
>4. <A
HREF="#BUILDING-POLICY"
>Building firewall policy</A
></DT
><DT
>5. <A
HREF="#INSTALL"
>Installing policy on the firewall</A
></DT
><DT
>6. <A
HREF="#LOGGING"
>Logging</A
></DT
></DL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="INTRO"
>1. Introduction</A
></H1
><P
>      Firewall Builder consists of an object-oriented GUI and a set
      of policy compilers for various firewall platforms. In
      Firewall Builder, a firewall policy is a set of rules; each
      rule consists of abstract objects that represent real network
      objects and services (hosts, routers, firewalls, networks,
      protocols). Firewall Builder helps users maintain a database
      of objects and allows policy editing using simple
      drag-and-drop operations.
    </P
><P
>      Preferences and object databases are stored in XML format.
      The GUI and policy compilers are completely independent. The
      GUI requires only minimal changes in order to add support for
      a new firewall platform, even though a new policy compiler must
      be written. This provides for a consistent abstract model and
      the same GUI for different firewall platforms. The standardized
      XML data format opens the possibility of many user interface and
      policy compiler implementations, all interchangeable.
    </P
><P
>      We ship a policy compiler for the popular free firewall
      iptables <A
HREF="http://netfilter.filewatcher.org/"
TARGET="_top"
>http://netfilter.filewatcher.org/</A
> and
      are currently working on support for ip_filter <A
HREF="http://coombs.anu.edu.au/~avalon/"
TARGET="_top"
>http://coombs.anu.edu.au/~avalon/</A
>. Because of the
      modular architecture, Firewall Builder can be used to manage
      firewalls built on a variety of platforms including, but not
      limited to, Linux using iptables or ipfilter on FreeBSD or
      Solaris.
    </P
><P
>      The GUI is written using <A
HREF="http://gtkmm.sourceforge.net/"
TARGET="_top"
>	GTK--</A
>. We distribute binary RPM packages for RedHat
      7.1 / 7.2 and Mandrake 8.1. Binary packages for Debian can be
      downloaded from our "contrib" area.
    </P
><P
>      An interactive "Druid" facilitates an easy
      kick-start. Basically, to start, one should create objects for
      the firewall and internal network and then use the druid. It
      will ask a few questions and then build a basic skeleton
      policy, which can be edited manually. The same druid can be
      used to add specific "standard" rules later on.
    </P
><P
>      We provide a mechanism for automated creation of network
      objects using information either from the /etc/hosts file or
      by importing DNS zones.
    </P
><P
>      Solutions to many typical problems and answers to many
      questions can also be found in the Firewall Builder Tutorial.
      Many cases people deal with while configuring their firewalls
      are covered in the Tutorial in great detail.  Some topics can
      be found both in the Tutorial and in this FAQ, but since the FAQ is
      intended only as a brief reference document, it gives a short
      answer to each question and refers the reader to the Tutorial for a
      more detailed explanation. The Firewall Builder Tutorial can be found
      online: <A
HREF="http://www.fwbuilder.org/pages/Tutorial/index.html"
TARGET="_top"
>http://www.fwbuilder.org/pages/Tutorial/index.html</A
>
    </P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="SYSTEMREQ"
>2. System requirements, using pre-built packages, compiling from source</A
></H1
><DIV
CLASS="QANDASET"
><DL
><DT
>2.1. <A
HREF="#AEN34"
>What are the system requirements for Firewall Builder ?</A
></DT
><DT
>2.2. <A
HREF="#AEN40"
>Where do I get GTK-- packages for RedHat 7.0 and 7.1 ?</A
></DT
><DT
>2.3. <A
HREF="#AEN47"
>I want to use a pre-built binary package. What do I need to download and
	    install?</A
></DT
><DT
>2.4. <A
HREF="#AEN62"
>Does Firewall Builder need GNOME?</A
></DT
><DT
>2.5. <A
HREF="#AEN67"
>I am trying to compile Firewall Builder v0.9.6 from
	    source, but configure complains "libfwbuilder not
	    installed"</A
></DT
><DT
>2.6. <A
HREF="#AEN72"
>What firewall platforms are supported ?</A
></DT
></DL
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN34"
></A
><B
>2.1. </B
>What are the system requirements for Firewall Builder ?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    These are listed in the file "Requirements" in the docs
	    directory. It is /usr/share/doc/fwbuilder/Requirements or online:
	    <A
HREF="http://www.fwbuilder.org/pages/Requirements.html"
TARGET="_top"
>http://www.fwbuilder.org/pages/Requirements.html</A
>
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN40"
></A
><B
>2.2. </B
>Where do I get GTK-- packages for RedHat 7.0 and 7.1 ?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
> See gtk-- home page at <A
HREF="http://gtkmm.sourceforge.net/"
TARGET="_top"
>http://gtkmm.sourceforge.net/</A
> and follow link
	    "Download" or directly in <A
HREF="http://www.hvrlab.org/pub/gtkmm/"
TARGET="_top"
>http://www.hvrlab.org/pub/gtkmm/</A
>
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN47"
></A
><B
>2.3. </B
>I want to use a pre-built binary package. What do I need to download and
	    install?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    We distribute pre-built binary packages for some Linux distributions. You
	    would need to download and install the following (actual names of the
	    packages vary depending on the naming convention for given distribution):
	  </P
><P
>	    <P
></P
><UL
><LI
><P
>The API: libfwbuilder</P
></LI
><LI
><P
>GUI: fwbuilder</P
></LI
><LI
><P
>Policy compiler for iptables: fwbuilder-iptables</P
></LI
></UL
>
	  </P
><P
>	    As policy compilers for other firewall platforms become available, they
	    will appear in the download area.
	  </P
><P
>	    You may also want to check what is available under "Contrib" in the
	    download area. There are useful install, boot-time startup and other
	    scripts contributed by users and beta-testers. Pre-built binary packages
	    for Debian and SuSe are also available in "Contrib" area.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN62"
></A
><B
>2.4. </B
>Does Firewall Builder need GNOME?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    As of version 0.9.7 Firewall Builder does not need GNOME
	    any more. All widgets that were part of the libgnomeui library have
	    been rewritten, so Firewall Builder now uses only the gtk+ and
	    gtk-- libraries. This should simplify porting to other OSes and
	    should make it possible to use Firewall Builder on Linux
	    systems running KDE.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN67"
></A
><B
>2.5. </B
>I am trying to compile Firewall Builder v0.9.6 from
	    source, but configure complains "libfwbuilder not
	    installed"</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    As of version 0.9.6 the code has been split into three
	    major parts: API, GUI and policy compilers. You need to
	    download, compile and install the API for the rest to
	    compile. The API comes in a separate source archive
	    called libfwbuilder-0.10.0.tar.gz. Compile and install
	    it as usual, using the "./configure; make; make install"
	    procedure.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN72"
></A
><B
>2.6. </B
>What firewall platforms are supported ?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    As of version 0.9.3 we support iptables and are working
	    on an ipfilter policy compiler. We dropped support for
	    ipchains because it is obsolete technology and because of lack of time.
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="PROBLEMS"
>3. Problems, troubleshooting and reporting bugs</A
></H1
><DIV
CLASS="QANDASET"
><DL
><DT
>3.1. <A
HREF="#AEN80"
>fwbuilder binary does not start 1</A
></DT
><DT
>3.2. <A
HREF="#AEN108"
>fwbuilder binary does not start 2</A
></DT
><DT
>3.3. <A
HREF="#AEN120"
>fwbuilder binary does not start 3</A
></DT
><DT
>3.4. <A
HREF="#AEN129"
>fwbuilder or one of policy compilers crashes. What
	    to do ?</A
></DT
><DT
>3.5. <A
HREF="#AEN138"
>I get "I/O Error" while compiling policy. There is
	    no other indication of error though.</A
></DT
><DT
>3.6. <A
HREF="#AEN146"
>fwbuilder crashes on my Debian or Mandrake or SuSe
	    system. What do I do ?</A
></DT
></DL
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN80"
></A
><B
>3.1. </B
>fwbuilder binary does not start 1</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>If you get this error:
	  </P
><P
>	    <PRE
CLASS="PROGRAMLISTING"
>	      fwbuilder: error while loading shared
	      libraries: libfwbuilder.so.0: cannot load shared object
	      file: no such file or directory.
	    </PRE
>
	  </P
><P
>	    Then the GUI binary (fwbuilder) can not find the API library
	    libfwbuilder. If you are using our pre-built binary packages,
	    make sure you download and install the package called
	    libfwbuilder. If you compiled from sources, then perhaps you
	    installed libfwbuilder with the default prefix <TT
CLASS="FILENAME"
>	      /usr/local/</TT
>, so the library went to <TT
CLASS="FILENAME"
>	      /usr/local/lib</TT
>. The dynamic linker, ldd, can not find it
	    there.
	  </P
><P
>	    You have the following options:
	  </P
><P
>	    <P
></P
><UL
><LI
><P
>create environment variable LD_LIBRARY_PATH with value
		  <TT
CLASS="FILENAME"
>/usr/local/lib</TT
> and run fwbuilder
		  from this environment.</P
></LI
><LI
><P
>add <TT
CLASS="FILENAME"
>/usr/local/lib</TT
> to the file
		  <TT
CLASS="FILENAME"
>/etc/ld.so.conf</TT
> and run ldconfig so it
		  will rescan dynamic libraries and add them to its
		  cache.</P
></LI
><LI
><P
>recompile libfwbuilder and fwbuilder with prefix
		  <TT
CLASS="FILENAME"
> /usr/</TT
>, this will install
		  <TT
CLASS="FILENAME"
>libfwbuilder.so.0</TT
> in
		  <TT
CLASS="FILENAME"
>/usr/lib</TT
>. <TT
CLASS="FILENAME"
>ldd</TT
> will
		  find it there without any changes to environment variables
		  or <TT
CLASS="FILENAME"
>/etc/ld.so.conf</TT
> file.  To change
		  prefix you need to run configure with command line parameter
		  <TT
CLASS="FILENAME"
>"--prefix=/usr"</TT
>.  Do this both for
		  libfwbuilder and fwbuilder.</P
></LI
></UL
>
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN108"
></A
><B
>3.2. </B
>fwbuilder binary does not start 2</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>If you get this error:
	  </P
><P
>	    <PRE
CLASS="PROGRAMLISTING"
>	      fwbuilder: error while loading shared
	      libraries: fwbuilder: undefined symbol: co
	      nnect__Q23Gtk9ProxyNodePQ23Gtk6ObjectPCcPFv_vPQ24SigC8S
	      lotDatab
	    </PRE
>
	  </P
><P
>	    This error usually happens when an old version of the libgtkmm or
	    libsigc++ library is used. Check whether you need to upgrade those;
	    you can use our <A
HREF="http://www.fwbuilder.org/pages/Requirements.html"
TARGET="_top"
>	      Requirements</A
> document to find out what versions you need
	    and where you can get them from.
	  </P
><P
>	    Sometimes this error happens even if new rpms have been
	    installed.  In this case you need to check which library
	    gets picked up by fwbuilder when it starts. Sometimes an old
	    version gets stuck somewhere on disk after an upgrade and then
	    ldd loads it instead of the newer one. Try to download the script
	    called "check_libs.sh" from the "Contribs" area on the Sourceforge
	    site of Firewall Builder and then run this script like this:
	  </P
><PRE
CLASS="PROGRAMLISTING"
>	    check_libs.sh /usr/bin/fwbuilder
	  </PRE
><P
>	    It will list all dynamic libraries used by the fwbuilder binary
	    and the RPM each one is part of. Look for libraries which are not
	    part of any installed rpm; those are causing the problem.
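	    The two checks behind this question and the previous one, as an
	    added illustration that is neither part of the original FAQ nor
	    fwbuilder's own check_libs.sh: POSIX shell functions that pick
	    the "not found" entries out of ldd output and test whether a
	    directory such as /usr/local/lib is in the dynamic linker's
	    search path via LD_LIBRARY_PATH or /etc/ld.so.conf. The sample
	    ldd output, library names and paths are constructed.

```shell
#!/bin/sh
# Added example, not fwbuilder's check_libs.sh: two checks behind
# questions 3.1 and 3.2, on constructed input. Library names, paths and
# the sample ldd output below are constructed for the demonstration.

# missing_libs: read ldd-style output on stdin and print the name of
# every library the dynamic linker could not resolve ("=> not found").
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# lib_dir_visible DIR LD_LIBRARY_PATH_VALUE LD_SO_CONF_CONTENT
# Succeed when DIR is searched by the dynamic linker: /lib and /usr/lib
# always are; otherwise DIR must appear in the colon-separated
# LD_LIBRARY_PATH value or as a line of /etc/ld.so.conf (the first two
# remedies listed in 3.1). Both are passed in as strings so the check
# runs without touching the host's configuration.
lib_dir_visible() {
    dir=$1; ld_path=$2; conf=$3
    case "$dir" in
        /lib|/usr/lib) return 0 ;;
    esac
    for p in $(printf '%s\n' "$ld_path" | tr ':' ' '); do
        [ "$p" = "$dir" ] && return 0
    done
    printf '%s\n' "$conf" | grep -qxF -- "$dir" && return 0
    return 1
}

# Constructed sample of "ldd /usr/local/bin/fwbuilder" on a host where
# libfwbuilder was installed with the default /usr/local prefix but
# /usr/local/lib is not in the linker's search path (the 3.1 situation).
SAMPLE_LDD='	libfwbuilder.so.0 => not found
	libgtkmm.so.1 => /usr/lib/libgtkmm.so.1 (0x40020000)
	libsigc.so.0 => /usr/lib/libsigc.so.0 (0x40100000)
	libxml2.so.2 => /usr/lib/libxml2.so.2 (0x40120000)
	libc.so.6 => /lib/libc.so.6 (0x40200000)'

# report_missing: the sample run end to end; on a real host replace the
# printf with: ldd /usr/bin/fwbuilder
report_missing() {
    printf '%s\n' "$SAMPLE_LDD" | missing_libs
}

report_missing
# Without LD_LIBRARY_PATH and with a default ld.so.conf, /usr/local/lib is
# invisible to the linker, which is why the library above is "not found".
if lib_dir_visible /usr/local/lib "" "/usr/lib"; then
    echo '/usr/local/lib is searched'
else
    echo '/usr/local/lib is not searched: set LD_LIBRARY_PATH or add it to /etc/ld.so.conf and run ldconfig'
fi
```

	    Run on a real host, the first function takes the output of
	    "ldd /usr/bin/fwbuilder" instead of the sample, and the second
	    takes the actual LD_LIBRARY_PATH value and the contents of
	    /etc/ld.so.conf.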
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN120"
></A
><B
>3.3. </B
>fwbuilder binary does not start 3</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>If you get this error:
	  </P
><P
>	    <PRE
CLASS="PROGRAMLISTING"
>	      fwbuilder: /lib/libc.so.6: version `GCC_3.0' not found (required by /usr/lib/libxslt.so.1)
	      fwbuilder: /lib/libc.so.6: version `GCC_3.0' not found (required by /usr/lib/libxsltbreakpoint.so.1)
	      fwbuilder: /lib/libc.so.6: version `GCC_3.0' not found (required by /usr/lib/libxml2.so.2)
	    </PRE
>
	  </P
><P
>	    Most likely you are using libxml2 and libxslt packages
	    from RedHat's RawHide distribution on your RedHat 7.1
	    system. It turns out these packages require a new version of
	    glibc, compiled with gcc 3.0. This library is not
	    available for RedHat 7.1, therefore you should not be
	    using libxml2 and libxslt from RawHide on RedHat 7.1.
	  </P
><P
>	    Just follow the instructions in our Requirements document and
	    download libxml2 and libxslt from ftp.xmlsoft.org; these
	    work on RedHat 7.1 and 7.2 just fine.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN129"
></A
><B
>3.4. </B
>fwbuilder or one of policy compilers crashes. What
	    to do ?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    Please file a bug on Sourceforge. Provide information we might
	    need to fix the problem (in the form of the output of the
	    following commands):
	  </P
><PRE
CLASS="PROGRAMLISTING"
>	    cat /etc/issue

	    rpm -qa | grep gnome
	    rpm -qa | grep gtk
	    rpm -qa | grep libxml
	    rpm -qa | grep libsigc++

	    ls -la /usr/share/fwbuilder
	    ls -la /usr/share/pixmaps/fwbuilder

	    ldd /usr/bin/fwbuilder
	    ldd /usr/bin/fwb_ipfilter
	    ldd /usr/bin/fwb_iptables
	  </PRE
><P
>	    Also send us the core file and the .xml file with your objects. If the
	    program crashes but does not generate a core file (it shows the
	    "crash" dialog instead), run it as follows:
	  </P
><PRE
CLASS="PROGRAMLISTING"
>	    fwbuilder --disable-crash-dialog
	  </PRE
><P
>	    It will dump core then.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN138"
></A
><B
>3.5. </B
>I get "I/O Error" while compiling policy. There is
	    no other indication of error though.</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    Did you install the package with the corresponding compiler? We ship compilers
	    as separate RPMs named like this: fwbuilder-ipchains-0.8.7-2-rh7.i386.rpm
	  </P
><P
>	    Check if the compiler dumped core. If you can't find it, you may try to run the
	    compiler manually, providing the following command line parameters:
	  </P
><PRE
CLASS="PROGRAMLISTING"
>	    $ fwb_iptables  -f path_to_objects.xml   firewall_object_name
	  </PRE
><P
>	    All policy compilers have the same command line format.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN146"
></A
><B
>3.6. </B
>fwbuilder crashes on my Debian or Mandrake or SuSe
	    system. What do I do ?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    We can not guarantee that Firewall Builder would work flawlessly on Debian
	    or Mandrake or SuSe since we do not have access to these distributions for
	    testing.
	  </P
><P
>	    Sometimes we receive packages built for these distributions by volunteers.
	    In this case we post these packages in the "Contribs" area on the project's
	    page on Sourceforge. We do not verify or even try these packages and
	    rely completely on the people who submit them. We usually post information
	    about the authors, so if you have questions you can contact them directly.
	  </P
><P
>	    We welcome help from anyone who can test Firewall Builder on these
	    distributions and provide feedback.
	  </P
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="BUILDING-POLICY"
>4. Building firewall policy</A
></H1
><DIV
CLASS="QANDASET"
><DL
><DT
>4.1. <A
HREF="#AEN156"
>Do I need to add rules for "ACK" packets?</A
></DT
><DT
>4.2. <A
HREF="#AEN161"
>Druid seems to multiply rules in the policy</A
></DT
><DT
>4.3. <A
HREF="#AEN166"
>I use iptables (or other) to protect local host. How
	    do I use Firewall Builder to build policy?</A
></DT
><DT
>4.4. <A
HREF="#AEN200"
>How can I configure NAT to provide access from the
	    Internet to my server behind the firewall ?</A
></DT
><DT
>4.5. <A
HREF="#AEN262"
>I see the firewall object has multiple policies
	    associated with it. How do these policies relate to each
	    other and in what order does the policy compiler scan them to
	    generate firewall code?</A
></DT
></DL
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN156"
></A
><B
>4.1. </B
>Do I need to add rules for "ACK" packets?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    Firewall Builder uses the "stateful inspection" feature of the
	    underlying firewall platform. In the case of iptables it loads the
	    module ip_conntrack, which tracks connections opened
	    through the firewall and by the firewall itself. Since this
	    module "remembers" each connection, there is no need for an
	    additional rule for "ACK" or "reply" packets. In fact, this
	    module does a lot more than keep track of open TCP sessions,
	    as it does a similar thing for other protocols as well, where
	    possible. Firewall Builder also loads some other modules to
	    keep track of complex protocols, e.g. it loads the module
	    ip_nat_ftp to support FTP.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN161"
></A
><B
>4.2. </B
>Druid seems to multiply rules in the policy</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    This is how it works now. Interactive Druid does not check for rules in
	    existing policy and simply adds new ones. If you run Druid twice and ask
	    it to generate the same set of rules, you'll get the same rules many times
	    in your policy. This will be improved in subsequent releases.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN166"
></A
><B
>4.3. </B
>I use iptables (or other) to protect local host. How
	    do I use Firewall Builder to build policy?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    Your host may or may not have its IP address assigned
	    dynamically via PPPoE or DHCP.
	  </P
><P
>	    <P
></P
><UL
><LI
><P
>		  <I
CLASS="EMPHASIS"
>If address is static:</I
>
		</P
><P
>		  <P
></P
><UL
><LI
><P
>create firewall object, enter its IP
			address</P
></LI
><LI
><P
>create interface for it in "Interfaces" tab,
			mark it as "external"</P
></LI
><LI
><P
>add loopback interface named "lo", address
			127.0.0.1/255.0.0.0</P
></LI
><LI
><P
>call Druid, choose "Firewall protects local
			host" and then pick the rules you want.</P
></LI
></UL
>
		</P
><P
>		  See what the Druid has created for you. You can edit and add rules now.
		</P
></LI
><LI
><P
>		  <I
CLASS="EMPHASIS"
>If address is dynamic:</I
>
		</P
><P
>		  <P
></P
><UL
><LI
><P
>create firewall object, mark its address as
			"dynamic"</P
></LI
><LI
><P
>create interface for it in "Interfaces" tab,
			mark it as "external" and "dynamic"</P
></LI
><LI
><P
>add loopback interface named "lo", address
			127.0.0.1/255.0.0.0</P
></LI
><LI
><P
>call Druid, choose "Firewall protects local
			host" and then pick the rules you want.</P
></LI
></UL
>
		</P
></LI
></UL
>
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN200"
></A
><B
>4.4. </B
>How can I configure NAT to provide access from the
	    Internet to my server behind the firewall ?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    This question is covered in the Firewall Builder Tutorial in
	    great detail; what follows is just a brief explanation. You
	    can find the Tutorial online: <A
HREF="http://www.fwbuilder.org/pages/Tutorial/index.html"
TARGET="_top"
>	      http://www.fwbuilder.org/pages/Tutorial/index.html</A
>
	  </P
><P
>	    There are two possibilities here, depending on what IP address you want to
	    use to access your server: that of your firewall or a virtual one. If you
	    use the same address your firewall has, you can arrange access to your
	    internal server from outside, and provide your internal users with access
	    to the Internet, using only one address. This scheme may become a
	    limitation though if you have multiple servers inside your network which
	    need to be accessed from outside. In the latter case you may want to use
	    different port numbers or virtual IP addresses for access to different
	    internal servers.
	  </P
><P
>	    <P
></P
><UL
><LI
><P
>		  <I
CLASS="EMPHASIS"
>Using IP address of the firewall to
		    access your server inside.</I
>
		</P
><P
>		  This is easy. Just add rule to the "NAT":
		</P
><P
>		  <DIV
CLASS="TABLE"
><A
NAME="AEN213"
></A
><P
><B
>Table 1. </B
></P
><TABLE
BORDER="1"
CLASS="CALSTABLE"
><THEAD
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Orig.Src</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Orig.Dst</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Orig.Srv</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Transl.Src</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Transl.Dst</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Transl.Srv</TH
></TR
></THEAD
><TBODY
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Any</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Firewall</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Any</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Original</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Server</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Original</TD
></TR
></TBODY
></TABLE
></DIV
>
		</P
><P
>		  where "firewall" is the object for your firewall
		  and "Server" is the object for your server behind
		  the firewall.  This is it, Firewall Builder will
		  generate iptables code for DNAT translation using
		  firewall's IP address.
		</P
></LI
><LI
><P
>		  <I
CLASS="EMPHASIS"
>Using virtual IP address for translation</I
>
		</P
><P
>		  Create a rule in "NAT" in a similar way:
		</P
><DIV
CLASS="TABLE"
><A
NAME="AEN237"
></A
><P
><B
>Table 2. </B
></P
><TABLE
BORDER="1"
CLASS="CALSTABLE"
><THEAD
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Orig.Src</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Orig.Dst</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Orig.Srv</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Transl.Src</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Transl.Dst</TH
><TH
ALIGN="LEFT"
VALIGN="TOP"
>Transl.Srv</TH
></TR
></THEAD
><TBODY
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Any</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Server-NAT</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Any</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Original</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Server</TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
>Original</TD
></TR
></TBODY
></TABLE
></DIV
><P
>		  where "Server-NAT" is special object with address
		  of the translation you want to create, and
		  "Server" is an object for your server behind the
		  firewall.
		</P
><P
>		  In addition to the firewall rule, you need to set
		  up a static ARP entry and add routing. Assuming the
		  external translated address of the server is
		  NN.NN.NN.NN, the external firewall interface is eth1
		  and its internal interface is eth0, the following
		  commands would do the trick:
		</P
><PRE
CLASS="PROGRAMLISTING"
>		  # arp -Ds NN.NN.NN.NN eth1 pub  
		  # route add NN.NN.NN.NN dev eth0
		</PRE
><P
>		  The first command adds a static "published" ARP
		  entry, while the second command routes it through the
		  internal interface.
		</P
><P
>		  As of version 0.9.3 the iptables compiler can add
		  these two commands to the generated firewall script
		  if the checkbox "Create ARP entries for DNAT
		  translations" is checked in the "iptables" tab of the
		  firewall object's dialog.
		</P
></LI
></UL
>
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN262"
></A
><B
>4.5. </B
>I see the firewall object has multiple policies
	    associated with it. How do these policies relate to each
	    other, and in what order does the policy compiler scan them to
	    generate firewall code?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    Global Policy rules apply to packets crossing the firewall,
	    regardless of the interface they ingress and egress
	    through. For iptables this is roughly equivalent to the FORWARD
	    chain, although there may be no such direct correspondence on
	    other firewall platforms. Even when such a correspondence does
	    exist, a high level Firewall Builder policy rule may need to be
	    converted into multiple rules going into different groups or
	    chains in the target platform code, for a number of
	    reasons. To illustrate, consider a situation where
	    Firewall Builder has to generate code for an iptables firewall
	    and the rule has "Any" as source. Obviously, if the source is
	    "any", it should cover any object, including the firewall
	    itself.  Therefore the policy compiler which generates code for
	    iptables places the rule into both the FORWARD and OUTPUT
	    chains. Neither of the resulting iptables rules has an
	    interface specified, since the original fwbuilder rule was
	    part of the Global Policy, which is not associated with any
	    interface.
	  </P
><P
>	    Interface Policy rules are associated with a particular network
	    interface of the firewall. Unlike Global Policy rules,
	    a direction can be specified for Interface Policy rules. This
	    provides a mechanism for dealing with situations where knowing
	    both the interface and the direction is necessary, for example
	    setting up anti-spoofing rules. Since situations like this are
	    rare, we recommend placing most of the firewall rules in the
	    Global Policy and only those rules which can not be
	    implemented in any other way into an Interface Policy.
	  </P
><P
>	    At the same time there are target platforms which require that
	    all rules are always associated with interfaces. In this case
	    using Global Policy rules may not be practical, because writing
	    a policy compiler capable of guessing the correct interface may be
	    too complex. One example of such a platform is Cisco routers,
	    where access lists (ACLs) are always associated with
	    interfaces.
	  </P
><P
>	    When policy compiler generates code for the target platform,
	    it first scans NAT rules, then Interface Policies, then Global
	    Policy. This determines the order in which lines of the target
	    code are generated.
	  </P
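><P
>	    The following Python script is an added illustration, not
	    fwbuilder's own compiler: it models the two behaviours described
	    in the DNAT answer above and in this one. A DNAT rule for a
	    virtual address is emitted into the PREROUTING chain of the nat
	    table together with the "arp" and "route" commands shown above; a
	    Global Policy rule whose source is "Any" is emitted into both
	    FORWARD and OUTPUT without an interface, while an Interface
	    Policy rule carries "-i" or "-o"; and the three rule sets are
	    emitted in the order given here (NAT, Interface Policy, Global
	    Policy). The treatment of "Any" as destination (INPUT as well as
	    FORWARD), the sample addresses and the option spelling are this
	    example's own assumptions; real fwbuilder output differs in
	    detail.
</P
><PRE
CLASS="PROGRAMLISTING"
>
```python
"""Toy model of how high-level fwbuilder rules become iptables lines.

Added example, not fwbuilder's own compiler: the real one emits
different option spellings and chain layout.  Everything below is an
assumption of this example except the chain placement taken from the
FAQ answers.
"""

ANY = "any"  # hypothetical marker for the "Any" object


def policy_rule_to_iptables(src, dst, proto, dport, action,
                            iface=None, direction=None):
    """Return the iptables command lines for one policy rule.

    Global Policy rule (iface is None): no interface option at all.
    "any" as source also covers the firewall itself, so the rule is
    emitted into FORWARD and OUTPUT (FAQ 4.5); by the same reasoning,
    and as an assumption of this example, "any" as destination is
    emitted into FORWARD and INPUT.
    Interface Policy rule (iface given): carries -i for inbound or
    -o for outbound and goes into the matching local chain as well
    as FORWARD.
    """
    match = []
    if src != ANY:
        match += ["-s", src]
    if dst != ANY:
        match += ["-d", dst]
    if proto != ANY:
        match += ["-p", proto]
        if dport is not None:
            match += ["--dport", str(dport)]
    target = {"accept": "ACCEPT", "deny": "DROP", "reject": "REJECT"}[action]

    if iface is None:
        chains = ["FORWARD"]
        if src == ANY:
            chains.append("OUTPUT")
        if dst == ANY:
            chains.append("INPUT")
        iface_opt = []
    elif direction == "inbound":
        chains = ["INPUT", "FORWARD"]
        iface_opt = ["-i", iface]
    else:
        chains = ["OUTPUT", "FORWARD"]
        iface_opt = ["-o", iface]

    return [" ".join(["iptables", "-A", chain] + iface_opt + match + ["-j", target])
            for chain in chains]


def nat_rule_to_iptables(orig_dst, transl_dst, ext_iface, int_iface,
                         create_arp=False):
    """Lines for a DNAT rule translating Orig.Dst to Transl.Dst.

    With create_arp=True the published ARP entry and host route from
    FAQ 4.4 are appended, which is what the "Create ARP entries for
    DNAT translations" option is described to do for a virtual address.
    """
    lines = ["iptables -t nat -A PREROUTING -d %s -j DNAT --to-destination %s"
             % (orig_dst, transl_dst)]
    if create_arp:
        lines.append("arp -Ds %s %s pub" % (orig_dst, ext_iface))
        lines.append("route add %s dev %s" % (orig_dst, int_iface))
    return lines


def compile_firewall(nat_rules, interface_rules, global_rules,
                     ext_iface, int_iface, create_arp):
    """Emit everything in the order FAQ 4.5 gives: NAT rules first,
    then Interface Policy rules, then Global Policy rules."""
    out = []
    for orig_dst, transl_dst in nat_rules:
        out += nat_rule_to_iptables(orig_dst, transl_dst,
                                    ext_iface, int_iface, create_arp)
    for rule in interface_rules:
        out += policy_rule_to_iptables(**rule)
    for rule in global_rules:
        out += policy_rule_to_iptables(**rule)
    return out


# Constructed sample objects, loosely following the FAQ tables.
SERVER_NAT = "203.0.113.10"   # virtual address, on no firewall interface
SERVER = "192.168.1.10"       # the server behind the firewall

NAT_RULES = [(SERVER_NAT, SERVER)]
INTERFACE_POLICY = [
    # anti-spoofing: internal addresses must never arrive on eth1;
    # this needs interface AND direction, hence an Interface Policy rule
    dict(src="192.168.1.0/24", dst=ANY, proto=ANY, dport=None,
         action="deny", iface="eth1", direction="inbound"),
]
GLOBAL_POLICY = [
    # "Any" source covers the firewall itself: FORWARD and OUTPUT
    dict(src=ANY, dst=SERVER, proto="tcp", dport=80, action="accept"),
]

if __name__ == "__main__":
    for line in compile_firewall(NAT_RULES, INTERFACE_POLICY, GLOBAL_POLICY,
                                 "eth1", "eth0", True):
        print(line)
```
</PRE
><P
>	    Running it prints seven lines: the DNAT rule with its ARP and
	    route commands, the two anti-spoofing lines carrying "-i eth1",
	    and the Global Policy rule once in FORWARD and once in OUTPUT
	    with no interface at all.
</P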
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="INSTALL"
>5. Installing policy on the firewall</A
></H1
><DIV
CLASS="QANDASET"
><DL
><DT
>5.1. <A
HREF="#AEN273"
>The XML file I save, is it transformed into iptables
	    script and sent to the firewall automatically when I click
	    on "Compile"? Or do I have to restart something to see the
	    changes applied?</A
></DT
><DT
>5.2. <A
HREF="#AEN278"
>I have ipchains installed on my RedHat 7.1
	    system. How do I switch to iptables and start using
	    firewall script generated by Firewall Builder?</A
></DT
></DL
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN273"
></A
><B
>5.1. </B
>The XML file I save, is it transformed into iptables
	    script and sent to the firewall automatically when I click
	    on "Compile"? Or do I have to restart something to see the
	    changes applied?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    "Compile" only calls the policy compiler, which produces a file
	    named after the firewall object, with the ".fw"
	    extension. This file contains the iptables script, which still needs to be
	    activated. There are two ways to activate it: 1) you can
	    simply run it by hand; 2) you can use a custom shell script to
	    copy the file to where it should live on the firewall and then run it. If you
	    put such a script in the "Policy Install Script" field in the
	    "Compile/Install" tab of the firewall object's dialog, the
	    menu item "Rules/Install" becomes active. We have examples
	    of install scripts in the "Contrib" area on SourceForge. We
	    do not ship an install script with the product because the
	    installation and activation procedure differs too much between
	    installations. We might standardise on one or
	    another version in the future, but for now it is an add-on
	    feature and we rely on contributors to send us examples of
	    their install scripts. You do not need to reboot your firewall
	    to activate the new policy: the iptables script generated by
	    Firewall Builder contains code that "cleans up" by removing
	    all previous iptables settings before it loads the new ones.
	    Since the old rules are flushed before the new ones are in
	    place, activate a new policy from the console, or keep a way
	    back in, when the firewall is administered remotely.
	  </P
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN278"
></A
><B
>5.2. </B
>I have ipchains installed on my RedHat 7.1
	    system. How do I switch to iptables and start using
	    firewall script generated by Firewall Builder?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    You do not need to uninstall ipchains, but you need to deactivate it.
	  </P
><P
>	    As root, run the following command:
	  </P
><PRE
CLASS="PROGRAMLISTING"
>	    # chkconfig --level 2345 ipchains off
	  </PRE
><P
>	    If you do not want to reboot at this point, run the following to stop
	    ipchains and unload its kernel module (the ipchains and iptables
	    kernel modules cannot be loaded at the same time):
	  </P
><PRE
CLASS="PROGRAMLISTING"
>	    # /etc/rc.d/init.d/ipchains stop
	    # rmmod ipchains
	  </PRE
><P
>	    Now simply run iptables script created by fwbuilder to activate your
	    firewall.
	  </P
><P
>	    RedHat's standard iptables init script depends on iptables-save
	    and iptables-restore. If you wish to stick with RedHat's standard scripts,
	    simply run these commands after activating the fwbuilder script:
	  </P
><PRE
CLASS="PROGRAMLISTING"
>	    # /etc/rc.d/init.d/iptables save
	    # chkconfig --level 2345 iptables on
	  </PRE
><P
>	    This saves your currently loaded rules to RedHat's standard file
	    /etc/sysconfig/iptables in iptables-save format (which is not the
	    fwbuilder script format!) and restores them every time you reboot your firewall.
	    Note that the saved file is a snapshot: after every new policy
	    activation, run "/etc/rc.d/init.d/iptables save" again, otherwise the
	    previous policy comes back at the next reboot.
	  </P
><P
>	    If you do not want to use their scripts, you can use script
	    "firewall-install" available in our Contrib area on SourceForge. This
	    script comes with a README file which describes its usage.
	  </P
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="LOGGING"
>6. Logging</A
></H1
><DIV
CLASS="QANDASET"
><DL
><DT
>6.1. <A
HREF="#AEN295"
>I do not see log records in /var/log/messages, what's wrong?</A
></DT
><DT
>6.2. <A
HREF="#AEN300"
>I've got logging working, but I think it sends too
	    much information to the log so I can not really find what
	    I am interested in. Is there a way to make it more
	    readable?</A
></DT
><DT
>6.3. <A
HREF="#AEN325"
>How can I get a list of connections opened through the
	    firewall at any given moment?</A
></DT
></DL
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN295"
></A
><B
>6.1. </B
>I do not see log records in /var/log/messages, what's wrong?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    RedHat Linux comes with syslog preconfigured to write all log
	    messages with level "info" and higher to /var/log/messages,
	    while the iptables script generated by Firewall Builder by default
	    logs everything at level "debug", which that configuration drops.
	    You need to either edit /etc/syslog.conf so that "debug" messages
	    are logged as well, or change the log level to "info" in the
	    "iptables" tab of the firewall dialog. Whichever you choose,
	    confirm it by sending a packet that the policy logs and checking
	    that the record appears.
	  </P
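><P
>	    As an added illustration (not from the original FAQ), here
	    are the two relevant selector lines in /etc/syslog.conf. iptables
	    log messages are emitted by the kernel, so they arrive on the
	    "kern" facility; the sysklogd syntax below is standard, but the
	    first line is only a typical RedHat default and should be
	    compared against your own file.
</P
><PRE
CLASS="PROGRAMLISTING"
>
```conf
# Typical RedHat selector: "info" and higher go to /var/log/messages,
# so "debug" level records from the generated script never appear.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages

# Added selector: kernel messages at exactly level "debug" (which the
# "*.info" line above does not match) go to a file of their own.
# The leading "-" tells sysklogd not to sync the file after every write.
# Use /var/log/messages as the target instead if you want everything
# in one place.
kern.=debug                                     -/var/log/firewall.log
```
</PRE
><P
>	    The change takes effect once syslogd rereads its configuration,
	    for example with "/etc/rc.d/init.d/syslog restart" on RedHat.
</P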
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN300"
></A
><B
>6.2. </B
>I've got logging working, but I think it sends too
	    much information to the log so I can not really find what
	    I am interested in. Is there a way to make it more
	    readable?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    You can use our script logwatcher.pl available in the Contrib
	    area. It reads the log file /var/log/messages and shows only the
	    following fields from each log line:
	  </P
><P
>	    <P
></P
><UL
><LI
><P
>Date and time</P
></LI
><LI
><P
>rule number (assuming you use default setting for the
		  rule prefix which looks like this: "RULE %N -- %A")</P
></LI
><LI
><P
>rule action (Deny/Reject/Accept)</P
></LI
><LI
><P
>interface</P
></LI
><LI
><P
>protocol</P
></LI
><LI
><P
>source address and source port</P
></LI
><LI
><P
>destination address and destination port</P
></LI
><LI
><P
>ICMP type and code for ICMP packets</P
></LI
></UL
>
	  </P
><P
>	    Note though that this script drops some data logged by
	    iptables to improve readability. You may miss some important
	    information because of this, so in case of a real problem always
	    look in the original log!
	  </P
><P
>	    Another, more elaborate version of the same script is
	    logwatcher2.pl. It is also available in the Contrib area.
	  </P
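><P
>	    The following Python script is an added example in the spirit of
	    logwatcher.pl, not the Contrib script itself. It extracts exactly
	    the fields listed above from iptables LOG records, skips lines
	    written by other daemons, and counts hits per rule number. The
	    sample log lines are constructed; they assume the 2.4-kernel
	    iptables LOG layout as it lands in /var/log/messages, and that
	    the default prefix "RULE %N -- %A" expands to text like
	    "RULE 5 -- DENY".
</P
><PRE
CLASS="PROGRAMLISTING"
>
```python
"""Readable summary of iptables LOG records, in the spirit of
logwatcher.pl.  Added example, not the Contrib script itself.

Assumptions of this example: records are in the 2.4-kernel iptables
LOG layout as written to /var/log/messages, and the default fwbuilder
log prefix "RULE %N -- %A" expands to text like "RULE 5 -- DENY".
"""
import re

# Constructed sample of /var/log/messages; the last line is not an
# iptables record and must be skipped.
SAMPLE_LOG = """\
Mar  3 12:34:56 fw kernel: RULE 5 -- DENY IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.7 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:34:57 fw kernel: RULE 2 -- ACCEPT IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=7 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:35:01 fw kernel: RULE 9 -- REJECT IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  3 12:35:02 fw sshd[812]: Accepted publickey for admin from 192.168.1.5 port 51022 ssh2
"""

# groups: 1 timestamp, 2 rule number, 3 action, 4 the key=value tail
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: RULE (\d+) -- (\w+) (.*)$")


def parse_iptables_log_line(line):
    """Return a dict with the fields the FAQ lists, or None for lines
    that are not iptables LOG records (other daemons log here too)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    kv = {}
    for token in m.group(4).split():
        if "=" in token:
            key, _, value = token.partition("=")
            # ICMP records carry a second ID= (the echo identifier);
            # keep the first value so the IP header field wins.
            kv.setdefault(key, value)
    rec = {
        "time": m.group(1),
        "rule": int(m.group(2)),
        "action": m.group(3),
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "proto": kv.get("PROTO", "?"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "sport": kv.get("SPT"),
        "dport": kv.get("DPT"),
    }
    if rec["proto"] == "ICMP":
        rec["icmp_type"] = kv.get("TYPE")
        rec["icmp_code"] = kv.get("CODE")
    return rec


def summarize(rec):
    """One line per record.  Like logwatcher.pl this deliberately drops
    TTL, TCP flags, MAC and the rest: go back to the raw log when it
    matters."""
    ifaces = "%s/%s" % (rec["in"] or "-", rec["out"] or "-")
    if rec["proto"] == "ICMP":
        detail = "%s to %s type %s code %s" % (
            rec["src"], rec["dst"], rec["icmp_type"], rec["icmp_code"])
    else:
        detail = "%s:%s to %s:%s" % (
            rec["src"], rec["sport"], rec["dst"], rec["dport"])
    return "%s rule %d %-6s %-9s %-4s %s" % (
        rec["time"], rec["rule"], rec["action"], ifaces, rec["proto"], detail)


def watch(text):
    """Parse a chunk of the log; return the summaries and a hit count
    per rule number, which is the quickest way to spot a noisy rule."""
    summaries, hits = [], {}
    for line in text.splitlines():
        rec = parse_iptables_log_line(line)
        if rec is None:
            continue
        summaries.append(summarize(rec))
        hits[rec["rule"]] = hits.get(rec["rule"], 0) + 1
    return summaries, hits


if __name__ == "__main__":
    lines, counts = watch(SAMPLE_LOG)
    print("\n".join(lines))
    print("hits per rule:", counts)
```
</PRE
><P
>	    To use it on a live firewall, feed the script the contents of
	    /var/log/messages instead of the constructed sample; the sshd
	    line in the sample shows why the parser must tolerate records
	    that are not from iptables at all.
</P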
></DIV
></DIV
><DIV
CLASS="QANDAENTRY"
><DIV
CLASS="QUESTION"
><P
><A
NAME="AEN325"
></A
><B
>6.3. </B
>How can I get a list of connections opened through the
	    firewall at any given moment?</P
></DIV
><DIV
CLASS="ANSWER"
><P
><B
> </B
>	    You can use our script connwatcher.pl available in the Contrib
	    area. It prints the contents of the connections table (which the
	    2.4 kernel exposes as /proc/net/ip_conntrack) every second,
	    sort of like top shows the processes active in the system.
	  </P
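><P
>	    As an added example, not the Contrib script, the following
	    Python code parses one snapshot of the connection tracking table
	    and reports what a practitioner usually wants from it: protocol,
	    TCP state, remaining timeout, the original tuple, and whether the
	    entry is being source- or destination-translated. The sample
	    table is constructed and assumes the 2.4-kernel layout of
	    /proc/net/ip_conntrack (protocol name and number, timeout,
	    optional TCP state, original tuple, reply tuple, [UNREPLIED] and
	    [ASSURED] flags); NAT becomes visible as a mismatch between the
	    two directions.
</P
><PRE
CLASS="PROGRAMLISTING"
>
```python
"""Snapshot of the connection tracking table, the data connwatcher.pl
shows every second.  Added example, not the Contrib script.

Assumed layout (2.4-kernel /proc/net/ip_conntrack): protocol name,
protocol number, remaining timeout, an optional TCP state, the
original-direction tuple, then the reply-direction tuple, with
[UNREPLIED] / [ASSURED] flags in between.
"""

# Constructed sample table.  The reply tuple is written from the peer's
# point of view, so NAT shows up as a mismatch between the two
# directions: line 1 is masqueraded behind 203.0.113.1, line 3 is a
# DNAT to a virtual address (as in FAQ 4.4) still waiting for SYN/ACK.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.20 sport=51000 dport=443 src=198.51.100.20 dst=203.0.113.1 sport=443 dport=51000 [ASSURED] use=1
udp      17 27 src=192.168.1.5 dst=192.168.1.1 sport=4321 dport=53 src=192.168.1.1 dst=192.168.1.5 sport=53 dport=4321 use=1
tcp      6 119 SYN_SENT src=198.51.100.9 dst=203.0.113.10 sport=40001 dport=80 [UNREPLIED] src=192.168.1.10 dst=198.51.100.9 sport=80 dport=40001 use=1
"""


def parse_conntrack_line(line):
    """Return one entry as a dict, or None if the line does not carry
    both direction tuples."""
    tokens = line.split()
    if "src=" not in line or len(tokens) == 0:
        return None
    # the 4th field is a TCP state only when it is neither key=value
    # nor a [FLAG]; UDP entries have no state at all
    state = None
    fields = tokens[3:4]
    if fields and "=" not in fields[0] and not fields[0].startswith("["):
        state = fields[0]
    entry = {
        "proto": tokens[0],
        "timeout": int(tokens[2]),
        "state": state,
        "assured": "[ASSURED]" in tokens,
        "unreplied": "[UNREPLIED]" in tokens,
    }
    tuples = []
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep:
            continue
        if key == "src":
            tuples.append({})  # each src= opens a new direction tuple
        if key in ("src", "dst", "sport", "dport") and tuples:
            tuples[-1][key] = value
    if len(tuples) != 2:
        return None
    entry["orig"], entry["reply"] = tuples
    # NAT is visible as a mismatch between the two directions
    entry["snat"] = entry["reply"]["dst"] != entry["orig"]["src"]
    entry["dnat"] = entry["reply"]["src"] != entry["orig"]["dst"]
    return entry


def snapshot(text):
    """Parse one dump of the table, shortest remaining timeout first."""
    entries = []
    for line in text.splitlines():
        entry = parse_conntrack_line(line)
        if entry is not None:
            entries.append(entry)
    entries.sort(key=lambda e: e["timeout"])
    return entries


def format_entry(e):
    """One 'top'-like line per entry."""
    nat = " ".join(name for name, flag in (("SNAT", e["snat"]),
                                           ("DNAT", e["dnat"])) if flag)
    return "%-4s %-11s %7ds %s:%s to %s:%s %s %s" % (
        e["proto"], e["state"] or "-", e["timeout"],
        e["orig"]["src"], e["orig"]["sport"],
        e["orig"]["dst"], e["orig"]["dport"],
        "[ASSURED]" if e["assured"] else "", nat)


if __name__ == "__main__":
    # To watch the live table on a 2.4 kernel, read /proc/net/ip_conntrack
    # here instead of the sample and repeat every second with time.sleep(1).
    for entry in snapshot(SAMPLE_CONNTRACK):
        print(format_entry(entry))
```
</PRE
><P
>	    An [UNREPLIED] entry that stays in SYN_SENT is exactly the
	    symptom of a DNAT whose return path is broken (missing ARP
	    entry or route, or a server with no route back through the
	    firewall), so this view complements the log when a translation
	    does not work.
</P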
></DIV
></DIV
></DIV
></DIV
></DIV
></BODY
></HTML
>