Even though the configuration language can be complex and overwhelming with its multitude of features and options, this is not the most difficult problem in my opinion. An administrator who manages netfilter/iptables, PF or a Cisco firewall all the time quickly becomes an expert in their platform of choice. To do the job right, they need to understand the internal path of a packet inside the Linux or BSD kernel and its interaction with the different parts of the packet filtering engine. Things get significantly more difficult in installations using different OSes and platforms, where the administrator needs to switch between netfilter/iptables, PF, and Cisco routers and ASA to implement coordinated changes across multiple devices. This is where making changes gets complicated and the probability of human error increases. Unfortunately, typos and more significant errors in firewall or router access list configurations lead to either service downtime or security problems, both expensive in terms of damage and time required to fix.

Firewall Builder (also known as fwbuilder) is a universal firewall configuration and management tool that lets you define security policy at a higher level of abstraction and hides the internal structure of the target firewall platform. For example, it can decide automatically which iptables chain is right for each generated iptables rule, without your input. It can pick the right iptables target for both policy and NAT (Network Address Translation) rules and properly use the most popular iptables modules, all automatically. Firewall Builder generates correct PIX translation rules, choosing between the “nat”, “global” and “static” commands as appropriate, from the same definition of the NAT rules that it uses for iptables and PF. It is aware of the differences between various versions of iptables, PF and other platforms and chooses the optimal syntax for each, making use of the new features that constantly appear in these platforms as they evolve. It enforces best practices in policy design and helps you deploy and activate the generated policy on the firewall.

Firewall Builder does not aim to support just one particular firewall platform. The goal is to generate configuration for many different firewalls from the same representation in the GUI. To do this, Firewall Builder works with an abstract, high-level model of a firewall that incorporates features found in all target firewalls. In other words, Firewall Builder is not another iptables GUI, PF GUI or ipfilter GUI. It works with a firewall that is none of these, and yet at the same time is all of them combined: it has the useful features found in all of the target platforms. If a feature it implements is not supported on some target firewall, it tries to emulate it (where possible) so that the target appears to support it. Since Firewall Builder works with an abstract firewall, such discrepancies go away and you always see a consistent model regardless of the chosen target platform.
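To make the "abstract model rendered per platform" idea concrete, here is a small added illustration in Python. It is not Firewall Builder's code and does not reproduce its output; the rule model, the `FIREWALL_ADDRESSES` set and the sample policy are constructed for this example. It shows three of the decisions the text describes a generator making on the administrator's behalf: picking the iptables chain (INPUT for traffic addressed to the firewall itself, FORWARD for transit traffic, both when the destination is "any"), reconciling iptables' first-match evaluation with PF's last-match evaluation by emitting `quick`, and choosing the PF NAT syntax by version (the `match ... nat-to` form introduced in OpenBSD 4.7 versus the older `nat on` form that earlier releases and FreeBSD's pf still use). It also rejects a rule that no backend can express, a port without a transport protocol, before anything is generated.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the firewall's own interface addresses. A rule whose
# destination is one of these is handled by the iptables INPUT chain;
# anything else is transit traffic and belongs in FORWARD.
FIREWALL_ADDRESSES = {"192.0.2.1", "10.0.0.1"}


@dataclass(frozen=True)
class Rule:
    """One platform-neutral policy rule (hypothetical model, not fwbuilder's)."""
    action: str                  # "accept" or "deny"
    src: str                     # CIDR, host address or "any"
    dst: str                     # CIDR, host address or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port; only meaningful with tcp/udp
    iface: Optional[str] = None  # inbound interface, if the rule is interface-specific


def validate(rule: Rule) -> None:
    """Reject rules no backend can express. Catching a port without a transport
    protocol here is cheaper than finding out while the config is being loaded."""
    if rule.action not in ("accept", "deny"):
        raise ValueError(f"unknown action {rule.action!r}")
    if rule.dport is not None and rule.proto not in ("tcp", "udp"):
        raise ValueError("a destination port requires proto tcp or udp")


def iptables_chains(rule: Rule) -> List[str]:
    """Chain selection: the generator decides, the administrator does not."""
    if rule.dst in FIREWALL_ADDRESSES:
        return ["INPUT"]
    if rule.dst == "any":
        return ["INPUT", "FORWARD"]  # may be either kind of traffic, so cover both
    return ["FORWARD"]


def render_iptables(rule: Rule) -> List[str]:
    validate(rule)
    match = []
    if rule.iface:
        match += ["-i", rule.iface]
    if rule.proto != "any":
        match += ["-p", rule.proto]
    if rule.src != "any":
        match += ["-s", rule.src]
    if rule.dst != "any":
        match += ["-d", rule.dst]
    if rule.dport is not None:
        match += ["--dport", str(rule.dport)]
    target = "ACCEPT" if rule.action == "accept" else "DROP"
    return [" ".join(["iptables", "-A", chain] + match + ["-j", target])
            for chain in iptables_chains(rule)]


def render_pf(rule: Rule) -> List[str]:
    validate(rule)
    # PF evaluates the whole ruleset and the LAST match wins unless a rule says
    # 'quick'. iptables stops at the first match, so 'quick' is emitted on every
    # rule to keep the ordering semantics identical across both outputs.
    parts = ["pass" if rule.action == "accept" else "block", "in", "quick"]
    if rule.iface:
        parts += ["on", rule.iface]
    if rule.proto != "any":
        parts += ["proto", rule.proto]
    parts += ["from", rule.src, "to", rule.dst]
    if rule.dport is not None:
        parts += ["port", str(rule.dport)]
    return [" ".join(parts)]


def render_masquerade(src: str, out_iface: str, backend: str, pf_version: float = 4.7) -> str:
    """Source NAT for one internal network, in the dialect the target expects."""
    if backend == "iptables":
        return f"iptables -t nat -A POSTROUTING -s {src} -o {out_iface} -j MASQUERADE"
    if backend == "pf":
        if pf_version >= 4.7:  # OpenBSD 4.7 moved NAT into 'match ... nat-to'
            return f"match out on {out_iface} from {src} to any nat-to ({out_iface})"
        return f"nat on {out_iface} from {src} to any -> ({out_iface})"
    raise ValueError(f"unsupported backend {backend!r}")


def compile_policy(rules: List[Rule], backend: str) -> List[str]:
    renderers = {"iptables": render_iptables, "pf": render_pf}
    return [line for rule in rules for line in renderers[backend](rule)]


# Constructed sample policy: management SSH to the firewall itself, HTTPS
# through it, and a final catch-all deny.
POLICY = [
    Rule("accept", "10.0.0.0/24", "192.0.2.1", "tcp", 22, "eth1"),
    Rule("accept", "10.0.0.0/24", "any", "tcp", 443, "eth1"),
    Rule("deny", "any", "any"),
]

if __name__ == "__main__":
    for backend in ("iptables", "pf"):
        print(f"# {backend}")
        for line in compile_policy(POLICY, backend):
            print(line)
        print(render_masquerade("10.0.0.0/24", "eth0", backend))
```

The point of the exercise is the one the text makes: the policy is written once, and the platform-specific decisions (which chain, whether `quick` is needed, which NAT keyword this PF version accepts) are made by the generator rather than retyped by hand on each device, which is exactly where the typos the text warns about tend to creep in.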