When presented with the task of building a firewall on Linux, you inevitably think in terms of a lot of commands and scripts. You create a list of the hosts and servers on your network and then supply their IPs and MACs to complex iptable (the de facto firewall on Linux) commands. You juggle with syntax errors and typos. An alternative is Firewall Builder that makes building firewall on Linux really intuitive.
With Firewall Builder, you initially create a list of the hosts and IP addresses on the network. You then define the network interfaces for the firewall on your network. All this is done graphically and is wizard based. Finally, while building policies you just drag and drop the hosts and addresses onto the rules.
Get the taste
On the October's PCQuest DVD, we gave the Firewall Builder RPMs. If you are running PCQLinux 2004, install the RPMS by using the following command.
Switch to X Window. In a terminal window or in the 'Run Application' box, type 'fwbuilder' to launch the Firewall Builder. A prompt appears and asks whether you want to open an existing project or create a new one. Click on 'Create new project file'. Here type any name for the file, say pcqfw, and save it. Click on Next and then on Finish. An explorer-like interface of the Firewall Builder will greet you.
Define the firewall
First you must define a firewall, which means defining the network information of the Linux machine designated for the firewall, on your network.
Right click on User>Firewalls and select 'New Firewall'. Note that the firewall machine need not be the same machine as the one on which you are running the Firewall Builder. The Firewall Builder can even connect to a remote machine through SSH (Secure Shell) to set up the firewall on it. Let's call the firewall pcqfirewall. For the firewall software, select iptables from the drop down and for the OS select Linux 2.4/2.6 and click on Next. Select the option 'Configure interfaces manually'. You then need to specify the details of network interfaces (typically eth0 and eth1), since a firewall machine usually has two network interfaces, one connected to the private network and the other to the Internet (usually via a router). For the label, you can specify 'inside' and 'outside' for the private and Internet network interface, respectively. Click on Finish. Expand the pcqfirewall by clicking on the '+'. Right click on the interface labeled 'inside' and check the option 'Managed interface'.
Add network objects
With Firewall Builder, you treat all the networked entities such as IP addresses, networks and hosts as objects. The next step is to create all these entities. This is similar to maintaining a list of the hosts and addresses of your network. Click on '+' along with Objects. This will expand the tree to provide you the options to add the objects. You can right click on each of the options and select New to add a new IP address, address range and host. As an example let's add a host (a machine) on the network.
For this right click on Hosts and select 'New Host'. Enter a name, say, shekhar's machine. Click on Next and then select 'Configure interfaces manually'. Fill in the network details for the host such as
Use the following commands on the host machine to find the MAC address of the network card.
ipconfig /all (in Windows)
ifconfig (in Linux)
Click on Finish.
A simple rule
Now we will set up a firewall rule to deny access to shekhar's machine. For this, select pcqfirewall from the drop-down list at the top right corner. Click on Rules>Insert Rule from the menu. You would see something as follows on the right pane.
Source Destination Service Action Time Options Comment
Any Any Any Deny Any
This rule denies access to all the machines connected on any port,but we want the access to be denied only to shekhar's machine. So in place of 'Any' for the Source, we will have to substitute 'shekhar's machine'. Drag and drop 'shekhar's machine' within Objects>Hosts onto 'Any' under the Source. Thats it, we have constructed a firewall rule.
To install the rule on the firewall machine (pcqfirewall in our case), click on Rules>Compile and then click on Rules>Install. When prompted for the user name and passphrase, enter root and the corresponding password for the firewall machine's root login.
Using the library
A set of existing objects in its library makes it even easier to use a Firewall Builder. For example, suppose you want to allow access to the MySQL (a SQL database) database server only from a specific host. Then first define the host as explained above. To allow access to the MySQL database server, we need to find out the port at which the server runs. How often do we remember the correct port number of the services? Here is where the library comes handy. On Firewall Builder, click on the drop down on the top left corner and select Standard. Here click on Services>TCP. Right click on mysql from the list of services and select Duplicate>Place in library user. Now select User from the drop down. Insert the rule as explained above. Drag and drop the host (who can access MySQL) as already explained. Now we hjyyuneed to specify the service. For this click on Services>TCP and drag and drop mysql onto 'Any' under the Service. Click on Rules>Compile and Rules>Install.
In this article we have just touched the surface of this comprehensive tool. For more information on it you can refer to www.fwbuilder.org.
Shekhar Govindarajan IT4Enterprise