Fwbuilder is a powerful firewall creation tool that works by adding objects to build a customized firewall. An object can be just about anything from a firewall, a library, a host, interface, address, DNS name, etc. The idea is you piece objects together to form a cohesive whole that works together to form a complete firewall. The only problem most run into is, when you fire up fwbuilder, where do you start? It may seem a bit confusing at first, but you know where the first step is, the rest of the journey is pretty clear.

Installing fwbuilder

I will touch briefly on installing fwbuilder, because it will not be found on your default system. And although you will find fwbuilder in your respository, it will be an outdated version. So to install the latest version first open up your /etc/apt/sources.list file and add the following (Note: I am installing this on Ubuntu 9.04.):

deb http://www.fwbuilder.org/deb/stable/ jaunty contrib

Before you update apt you will need to add the GPG key. Download that key and then issue the command:

sudo apt-key add PACKAGE-GPG-KEY-fwbuilder.asc

Now issue the command:

sudo apt-get update

Finally you can install with the command:

sudo apt-get install fwbuilder

Once installed you will find fwbuilder in the Administration sub-menu of the System menu (The entry will be labeled Firewall Builder).

Building a firewall

Figure 1

When you start up fwbuilder the main window (see Figure 1) will not seem very intuitive. The first thing you need to do is create a new firewall. To create a new firewall click the Object drop-down which is the icon to the immediate left of the User drop-down. Or you click the Object menu and select New Object (which will open the Object drop-down menu). From this drop-down select New Firewall.

When you add a new firewall object a wizard will appear. Before you can move beyond the first screen you have to do the following:

• Name your firewall.
• Select the firewall software the machine is running.
• Select the OS the firewall is running on.

In the first screen of this wizard is a very important option (if you want to make life easy for yourself). You can base your firewall on pre-configured templates. For new users this is always a good place to start. And even though you choose a pre-configured template, you can still customize this firewall.

But we’re building a customized firewall, so no templates here.

Figure 2

The next screen asks you how you want to define your interfaces. There are two methods: Manually and using SNMP to automatically discover the interfaces. Manually is the most reliable method of course so select that option and click Next.

In the device setup window (see Figure 2) you will enter the information for your networking device. Once you have entered this click Add. If you can’t figure out the MAC address you can always use the Networking Tool application under the Administration sub-menu of the System menu.

Once you have added the device click the Finish button. If you have a machine with two networking devices add your second device and then click Finish. You will now be in the window where you will add rules to your firewall. In the upper left pane click on the name of the firewall to open up the Desktop/Policy window (see Figure 3).

Figure 3

What you want to do is right click within the upper right pane and select “Insert Rule”. When the rule is inserted it will be fairly worthless. You will notice much of the policies are listed as “Any” or “All”. In order to change this you have to add new objects. Let’s say, for example, we want to create an address range that will cover our entire LAN to be used as a destination. To do this click on the Object drop-down and select New Address Range. The lower right pane will change where you can enter the values for your range. I will enter the following:

• Name: Internal LAN
• Range Start: 192.168.1.1
• Range End: 192.168.1.200

You can add a comment if you like.

Figure 4

Now click Apply and that object has been created. This is where the fun begins. As you can see (in Figure 4) my new object is listed in the lower left pane. What I do is click and drag that object into the section of the new rule I want to apply that object to. So I want the Internal Lan object to apply to the Destination section of the rule so I will drag it to that section to apply it.

Now create as many objects as you need for your firewall and click and drag them to apply them. But don’t think you have to limit yourself to one rule. You can add as many rules to this firewall as you need.

Once you have completed building your firewall right click the firewall name (in my example it would be Desktop from the upper left pane) and click “Compile”.  This will open up a compilation wizard that is simple to walk through. The compilation will create a file with the same name as the firewall and an extension of .fw.  After the compilation is complete right click the firewall name and select Install. The installation wizard is also a simple walkthrough of steps. You will have to give a user for the firewall to run under as well as the password for that user. Also you will have to select if you are going to run in test mode or not. If you are install the firewall in test mode it will not be permanent. If you install in regular mode fwbuilder will ask you how soon you want to reboot your machine (so the firewall can take effect.) I suggest running in test most first. If this works then go back through the Install process and allow for full installation (including reboot).

Final thoughts

Fwbuilder is a powerful tool that allows you to create very customized firewalls. I highly recommend this tool for anyone serious about Linux security.

That was then, this is now and in the now there are graphical front ends to help you build a firewall without having to issue a single command from the command line. One of those tools is fwbuilder. The fwbuilder tool builds iptables rulesets but does so by treating each element of the individual rule as an object, a service, or a time. Objects are addresses. Services are protocols or (as the name implies) services. Time is just as it says, time (such as day of the week or a specific time.)

To start up fwbuilder you will find the menu entry in Applications | Administration (under KDE) or in System | Administration (under GNOME). When you fire up fwbuilder you might find yourself thinking “Where do I start?” The first thing to do is go to the File menu and select New Object File. You have to give your object file a name and then save it.

fwbuilder new object

Once you have done this you are ready to start building. As you can see, in the image to the left, the drop-down icon to the left of the User drop-down is what you click to insert a new object into your object file. Click that drop-down to reveal the list of all object to insert.

The first object you must insert into your object file is the Firewall. When you select that a wizard will open up asking for a name for your firewall, what software will run the firewall, and what OS the firewall will run on. I will name my firewall “Example_Firewall”, I will choose iptables from the software list, and Linux 2.4/2.6 for the OS.

Template Chooser

Now, if you want to go the really easy route you can select to insert preconfigured template for your firewall. If you select this you will have to choose your template. Once you have taken care of this information click Next.

Once you click next you will see a list of different templates available. Each template serves a different purpose. As you click on each template a full description will reveal itself in the bottom pane.

After you select the proper template click the Finish button. Now fwbuilder will be open so you can view your template.

Ready To Insert Objects

The first thing you can do is expand the name of the firewall (in my example I would Example_Firewall) and select the object you want to view. Say you want to view the Policy of this firewall (remember this was created from a template so there are already rules applied). To do this click the “Policy” listed (once you expand the firewall) which will reveal the policy in all its glory.

fwbuilder policy editor

Because this is a template you can not edit the objects. This is one of those that you chose based on a specific, yet simple, need.

In the image to the right you can see the details of the policy included with the single interface firewall template.

If you want to create a custom firewall you would go through the same process but, at the point where you are defining your firewall you wouldn’t choose the Preconfigured Template. Instead you would leave that option unchecked and then, in the next window, choose to “Configure Interfaces Manually”. At this point you would add objects as needed and configure those objects to suit your needs.

Once your firewall is built you must then save the firewall, compile the firewall, and install the rules. Here’s the kicker with configuring your firewalls manually. You will need to know the MAC addresses of your interfaces. Fwbuilder has built in SNMP discovery which will help to map out the various interfaces on your network. To use that tool go to the Tool menu and select Discovery Druid. This tool should keep you from having to manually find and associate MAC addresses.

Final Thoughts

The fwbuilder tool is an outstanding means of creating firewalls for any situation. This article gave you a cursory glance at this powerful tool. Give it a try and build a firewall. Try the templates and, once you are familiar with the tool, build your very own customized firewall.