Build Powerful Linux Firewalls with Firewall Builder

5077

Fwbuilder is a unique graphical firewall tool that allows the user to create objects and then drag and drop those objects into firewalls, to build a powerful security system for a single PC or a network of PCs. Fwbuilder supports a wide range of firewalls (Cisco ASA/PIX, Linux iptables, FreeBSD’s ipfilter, OpenBSD’s pf, and more), so its rules can be deployed on multiple platforms. Let’s take a look at using Fwbuilder on Linux, which might just become a life-long affair with a powerful security system.

Installation of Fwbuilder is as simple as searching for “fwbuilder” (no quotes) in your Add/Remove Software tool (such as Package-Kit, Synaptic, etc) and marking Fwbuilder for installation. However, if you’re installing Fwbuilder on Ubuntu, the package that will install is out of date and will not work. In order to get a working, updated Fwbuilder installed on Ubuntu, follow these steps (You will either have to su to the root user or use sudo for this to work):

  • Open /etc/apt/sources.list in a text editor.
  • Add deb http://www.fwbuilder.org/deb/stable/ maverick contrib to the bottom of that file.
  • Save and close sources.list.
  • Download the GPG key with the command wget http://www.fwbuilder.org/PACKAGE-GPG-KEY-fwbuilder.asc.
  • Install the GPG key with the command apt-key add PACKAGE-GPG-KEY-fwbuilder.asc.
  • Install the fwbuilder libraries with the command sudo apt-get install libfwbuilder.
  • Install fwbuilder with the command sudo apt-get install fwbuilder.

Once installed, Fwbuilder can be started by clicking System > Administration > Firewall Builder.

The Graphical Interface

In order to start up fwbuilder administrative privileges will be necessary. You can start fwbuilder from the command line using sudo fwbuilder or just fwbuilder. Why the difference? The former command runs fwbuilder with administrator privileges, the latter wthout. I actually recommend you running fwbuilder without admin privileges (it is not required), so the security of the system is not comprimised. Ultimately, the easiest way to start fwbuilder is by using the desktop menu (as shown above). When fwbuilder is fired up, the main window will appear (see Figure 1). From the main window, I recommend all new users click the Watch “Getting Started” tutorial button, which will open up a browser instance to a short, informative video. From that same pane (in the main fwbuilder window) a new firewall can be created or an existing firewall can be imported.

FWBuilder

In the same window there is an navigation tree (left pane). This navigation tree contains everything necessary to create a firewall. But before objects and services can be added, a new firewall must be created. Let’s begin the process of creating a new firewall, based on pre-configured templates, with fwbuilder.

Creating a New Firewall

When the Create New Firewall button is clicked, a wizard will appear to help create the new firewall. Because I recommend first-time users select from the pre-configured templates, the wizard will require the following:

  • A name for the firewall.
  • Software the firewall is based on (such as iptables).
  • The OS type the firewall runs on.
  • Select from pre-configured firewall templates (I highly recommend this be selected.)
  • Based on the template chosen, specific information for the ethernet interface will be required.

The first step in the wizard (see Figure 2) is to give the firewall a name, choose the software running the firewall, and select the operating system running the firewall. For our example the configurations will be:

  • Test Firewall
  • iptables
  • Linux 2.4/2.6

Figure 2

The name for the firewall can be any user-specified name required to indicate the purpose the firewall serves.

For those unfamiliar with “Linux 2.4/2.6”, that refers to the kernel release being used on the system. Most all Linux users will select this option.

As I mentioned earlier, for this test firewall, the pre-configured firewall templates will be used. The first screen in the wizard is where the option for pre-configured templates is chosen. After this option is chosen, the templates will be presented in the next screen (see Figure 3).

Figure 3
Make sure to read the description of the templates, otherwise the wrong template could be chosen resulting in a non-functional firewall.

Finally, in the last screen of the wizard (see Figure 4), the network interfaces are named. Since each pre-configured template offers different hardware configurations (such as a single external interface, versus a single external and single internal interface) the screen displayed will depend upon which firewall template is selected.

In this example, a single interface template has been chosen.

In my example, I am creating a firewall for a single interface host which happens to be a desktop machine. The desktop machine uses DHCP for network addressing, so nothing really needs to be changed in the screen shown in Figure 3. Should the device use a static address, then the address for the network interface would need to be entered. Once complete, click the Finish button and the template will be loaded into the main screen (see Figure 4).Figure 4

The firewall has been created from the template. It’s time to add objects.

Adding Objects

Fwbuilder now has a basic template ready to be edited. If this is just a very basic firewall (for instance, for a single desktop machine) a lot of times the firewall based on the template will work, with little or no modifications. But to really take advantage of the power of fwbuilder, it is important to know how to build and add objects.

For our newly created template, let’s add an internal host (that will have full access to the hosting machine) to the firewall. To do this a new object must be built. To add a new machine, a new Host object will be added. To do this, follow these steps:

  • Right-click the Hosts entry in the left navigation (under objects).
  • Select New Host.
  • Give the new host a name and click Next.
  • Select Configure interfaces manually and click Next.
  • Enter the information for the host to be configured (Name, Label, Static IP, IP Address) and click Finish.

Configure as many hosts as needed to be added to the firewall. With these hosts now added to the Object Tree, it is possible to drag and drop those hosts into the firewall. To do this expand the navigation tree for Hosts, find the desired host to be added, and drag and drop the host into the firewall. Of course it is best practice to first create a new rule in your firewall chain that can accommodate the new object. To create a new rule, follow these steps:

  • Select where the new rule is to be placed in the chain.
  • Right-click the rule in the chain where the new rule is to be located.
  • Select either Insert New Rule or Add New Rule Below (depending upon where the new rule needs to live in the chain.)

The new rule will be placed within the chain. This new rule will be fairly generic and will Deny all traffic. Obviously, this new rule must be edited. Let’s use our newly created host object in the new rule. Since this object is a host, that object will be placed into either the Source or Destination section of the newly created firewall rule. Since the newly created Host object lives within the internal network (and assumes that host can be trusted) it will be added to the new rule as a Source and will be allowed to pass through the firewall.Figure 5

Find the newly created Host Object in the Object Tree and drag and drop it to the Source section of the newly created rule (see Figure 5).

With the new host added as a source, it is now important to allow that source into the host.

It is clear, in the current state, the host just added is not allowed into the destination. In order to change that Deny (a red dot) to Allow (a green dot) right click the Deny entry for the new rule and select Accept. The red dot will change to a green dot, indicating the host is allowed through. If there are multiple hosts to add, create new rules for each host and repeat the same process.

Hosts are not the only object that can be added. Services (such as HTTP, SMB, FTP, SSH, etc) can be added for further flexibility and security. Services are added to the Object tree in the same way hosts are added. Services are also added into the firewall in the same way Hosts are added.

Compiling and Installing

Once the firewall has been created, it is necessary to compile and install the firewall. These two processes will make sure the firewall is correctly built, compiled such that the firewall is in a form the system can use, and installed so the firewall is being used by the system. These processes are simple. Upon completion of the firewall do the following:

  1. Save the firewall by clicking the Save button.
  2. Compile the firewall by clicking the Compile button and walking through the easy to use Compile Wizard.
  3. Install the firewall by clicking the Install button.

As soon as the installation is complete, the firewall will be running. This installation will also ensure the firewall runs upon reboot of the machine. If changes are made in the currently running firewall, it is necessary to re-compile and re-install the firewall.

Final Thoughts

Firewall Builder is an incredibly powerful and flexible security tool that any Linux administrator should get to know. This tool is far better at creating firewalls than tools like Gufw, but doesn’t require the command line fu as does iptables. And with Firewall Builder, both very simple (yet powerful) firewalls can be created as can incredibly complex and powerful firewalls.