Use Firewall Builder to set up your firewall

Source: Internet
Author: User
Tags: ssh access

Firewall Builder (fwbuilder) is a graphical application that helps you configure IP packet filtering. From a single policy definition it can compile rules for several target platforms, including iptables and Cisco and Linksys routers, each in that platform's own configuration language. This separates the policy you define from its implementation on a particular platform, so you do not have to rewrite the firewall policy when you change the underlying hardware or operating system.

Fwbuilder packages are available in the repositories of Ubuntu Hardy and Fedora 9. A one-click install file has also been packaged for openSUSE 10.3, but it does not work on openSUSE 11. For this article I built a test platform on a 64-bit machine running Fedora 9 with fwbuilder 2.1.19. Fwbuilder is distributed as two source archives, libfwbuilder and fwbuilder, and you must build and install libfwbuilder first. Both use the usual configure/make sequence, so for each archive in turn run:

./configure
make
sudo make install

When configuring, you may encounter the following warning:

Running qmake: /usr/lib64/qt-3.3/bin/qmake
WARNING: icns.path is not defined: install target not created

If you see it, it is safe to ignore.

When you start fwbuilder you see the new-firewall window shown in the following figure. Right-click an entry in the firewall tree to create a new firewall. If you choose to create it from a template and select iptables as the platform, a new dialog appears listing the available templates. Fwbuilder ships with a set of firewall templates that cover the needs of many users, so getting started is very simple.

As the dialog shows, template 1 describes a firewall with two interfaces: the external interface receives a dynamic address (DHCP) from your ISP, and the second interface connects a local private subnet with fixed addresses. Template 2 is like template 1 but is intended for a local network that is served by a DHCP server. Template 3 is for a demilitarized zone (DMZ): the firewall has three interfaces, one with a static IP address facing the Internet, one facing the local private subnet, and the last facing a DMZ subnet that is reachable from the Internet.

host fw template 1, the fourth item in the list, protects a single host and allows only incoming SSH. Simple as that policy is, it is a quick way to put a firewall on a laptop. The Linksys template is for firewalls running on Linksys routers, and the c36xx template is for firewalls on Cisco routers. The web server template allows hosts that use it to be reached over HTTP and SSH.

The firewall rules of template 1 are shown below. When you click a cell in the rule grid at the top of the window, the bottom pane changes to let you edit the object in that cell. Restricting which connections may reach the ssh service is obviously important, so it is worth looking at how the template represents it. Unlike a traditional firewall, where you simply type a protocol (tcp) and a port number, the template references an SSH service object from the tree view on the left. The services referenced by the template come from the Standard (system) library, which is read-only: you can see their details in the pane but cannot edit them. If you run SSH on a custom port you therefore cannot change the Standard ssh object; instead, right-click it in the tree and choose "Duplicate/Place in library User" from the pop-up menu to create an editable copy in your own User library. The drop-down just above the tree lets you switch between the Standard (system) library and the User library.

Once you have your own copy of the SSH service definition you can edit the port as needed. To use it, drag it from the tree on the left into your firewall rule pane. All this works well, but there is one user-interface pitfall: if the Standard library object and your User library copy are both called ssh, then after you drag the custom one into the rules pane you see two "ssh" entries with no indication which is the Standard version and which is yours. The problem is easily avoided by renaming the ssh service in your User library (the example below calls it myssh).

Figure 1

When you click the firewall itself in the tree on the left, or anywhere in the firewall policy grid at the top of the window, you can edit host and firewall settings. In the host settings you find the paths to the tools fwbuilder uses on this machine, options to override various TCP settings such as the FIN and keepalive timeouts, and switches for Explicit Congestion Notification (ECN), TCP timestamps and SYN cookies. The host options also let you enable the kernel's anti-spoofing support (reverse-path filtering), choose whether source-routed packets are ignored, and decide how different ICMP packets are treated. In template 1 the firewall's default configuration does not explicitly change any of these settings.

Figure 2

Select the firewall in the tree on the left and click the "Firewall Settings..." button in its pane. Here you set global options: limiting the number of packets logged in a given interval, adding a prologue and epilogue to the generated firewall script so you can make custom adjustments, and specifying system paths that may need to change for a custom installation. You can also specify how packets are rejected, that is, which ICMP message (if any) is sent back for packets that are not accepted; by default packets that belong to no known connection are simply dropped. Finally, you can specify whether a rule accepting established and related connections is placed before the first rule of the generated firewall policy.

The NAT tab lets you define how source and destination IP addresses are rewritten as packets pass through the firewall. To have the firewall rewrite them, add rules and drag the network interface (or another address object) from the tree in the left pane into the source or destination cells of the rule grid. A NAT rule has original and translated columns for source, destination and service, so it can change the source and destination addresses of a connection or the port it is delivered to.

As shown in the following figure, the left pane lists the network interfaces of the current firewall under the descriptive names that template 1 generated for them. You can rename them, change their properties, and add new interfaces as needed. You can also see on the screen that any machine attempting to connect to the myssh service from the network is logged, so the source address of every connection attempt is recorded on the firewall host.

Figure 3
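To make the settings discussed above concrete, here is an added example (not from the original article, and not output of fwbuilder's compiler) of the iptables-restore ruleset and sysctl lines that a two-interface template 1 policy like the one described boils down to, with the Standard ssh service duplicated into the User library, renamed myssh and moved to a custom port, logged on accept, with the established/related rule placed before the first policy rule and with masquerading and one destination translation on the NAT side. The interface names eth0 and eth1, the 192.168.1.0/24 subnet, the internal host 192.168.1.10, port 2222 for myssh and the log prefix are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the article's code and not fwbuilder's generated script.
# ASSUMPTIONS: eth0 is the external (DHCP) interface, eth1 the internal one on
# 192.168.1.0/24, 2222 is the port of the renamed "myssh" User-library service,
# 192.168.1.10 is an internal web server reached through NAT.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
MYSSH_PORT="${MYSSH_PORT:-2222}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"

# Host settings tab: the kernel knobs described above, as sysctl lines.
fw_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# Firewall settings tab, policy grid and NAT tab, as one iptables-restore file.
fw_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RULE_0 - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Host settings, anti-spoofing: inside or loopback sources must never arrive on ${EXT_IF}.
# These go before the state rule, because conntrack does not check the interface.
-A INPUT -i ${EXT_IF} -s ${LAN} -j DROP
-A INPUT -i ${EXT_IF} -s 127.0.0.0/8 -j DROP
-A FORWARD -i ${EXT_IF} -s ${LAN} -j DROP
# Firewall settings: accept ESTABLISHED and RELATED packets before the first rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Policy rule 0: inbound myssh from anywhere, logged at a limited rate, then accepted
-A INPUT -p tcp -m tcp --dport ${MYSSH_PORT} -m state --state NEW -j RULE_0
-A RULE_0 -m limit --limit 10/minute -j LOG --log-level info --log-prefix "RULE_0 ACCEPT "
-A RULE_0 -j ACCEPT
# Policy: the LAN may open connections outward; the translated web port is let through
-A FORWARD -i ${INT_IF} -o ${EXT_IF} -s ${LAN} -m state --state NEW -j ACCEPT
-A FORWARD -i ${EXT_IF} -o ${INT_IF} -p tcp -m tcp -d ${WEB_HOST} --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
# Firewall settings, how to reject: unmatched traffic is dropped by the chain policy,
# but TCP aimed at the firewall itself gets a reset so clients fail fast
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT tab, translated source: MASQUERADE rather than SNAT because the ${EXT_IF} address is dynamic
-A POSTROUTING -o ${EXT_IF} -s ${LAN} -j MASQUERADE
# NAT tab, translated destination and service: outside port 8080 becomes port 80 on ${WEB_HOST}
-A PREROUTING -i ${EXT_IF} -p tcp -m tcp --dport 8080 -j DNAT --to-destination ${WEB_HOST}:80
COMMIT
EOF
}

# Sanity check for the ordering the Firewall settings option promises: the
# ESTABLISHED,RELATED rule must precede the first rule that inspects NEW connections.
fw_established_first() {
    est=$(fw_ruleset | grep -n 'ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    new=$(fw_ruleset | grep -n -- '--state NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}
```

To try it, write the output of fw_ruleset to a file and parse it with `iptables-restore --test < file` before loading it for real, and load the sysctl lines with `sysctl -p file`. Apply a ruleset like this from the console rather than over SSH: if the myssh port in the rule does not match the port sshd listens on, the ESTABLISHED rule keeps your current session alive but you cannot reconnect.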

A particularly useful feature of fwbuilder is being able to see where a service is used across your NAT and firewall policies. Right-click a service in the tree on the left or in the top pane of the window and choose "Where used" from the pop-up menu; a sub-window opens at the bottom of the window listing every NAT or firewall rule that references it. This lets you review what is allowed to connect to a service and whether NAT is applied to it before the service becomes reachable.

It is often inconvenient to work with individual services directly, because several of them usually have to be allowed together to provide one function. Fwbuilder therefore lets you define groups, so that several separate service definitions are treated as a single logical unit. For example, the Useful_ICMP group includes ICMP time exceeded, ping packets and all ICMP unreachable messages. Groups let you refer to a functional unit of the system as one editable object instead of remembering every individual service each time you want to allow a particular combination.

Defining NAT and routing rules on the same host object as the filtering policy is convenient: it lets you see and control the path traffic takes, because a flow that is translated or routed incorrectly can otherwise produce errors that are hard to explain from the filtering rules alone.
