Firewall Builder
----------------
How to compile and install
--------------------------
Firewall builder uses GNU autoconf. To compile run
./configure
in the distribution's topmost directory, then run
make depend
make
and then
make install
to install binary, program files and icons. The latter command should
be run as root as they need write permissions to a number of system
directories. Package gets installed as follows:
o all binaries go to $(prefix)/bin/
o package data files go to $(prefix)/share/fwbuilder
o icons go to the directory $(prefix)/share/pixmaps/${PACKAGE} .
By default configure sets $(prefix) to /usr/local. If you want to
install to /usr/bin and /usr/share/fwbuilder, run configure with the
option "--prefix=/usr"
Autoconf and automake
---------------------
To rebuild script configure run autoconf in the top directory.
Autoconf needs file aclocal.m4 to build configure properly. We do not
use automake.
glade and fwbuilder.glade file
------------------------------
you need at least glade-- installed on your system if you want to
rebuild source code from fwbuilder.glade file. If you do not need to
do anything like that, then you do not need neither glade nor glade--
on your system.
Use "make from-glade" to rebuild sources from glade. We do not use
automake, so if you simply use "Build" button in glade, you are going
to get whole bunch of automake files built for you by glade which are
not going to be used. Make changes to GUI using glade, save project
and then do "make from-glade".
Files and directories
---------------------
On the first run Firewall Builder creates preferences file
.fwbuilder.xml in user's home directory using template preferences
file it finds in ${prefix}/share/fwbuilder directory. On subsequent
runs Firewall Builder automatically reads preferences from the file
.fwbuilder.xml.
After the start it either reads user's data file (provided via "-f"
command line option) or default data file objects_init.xml from
directory ${prefix}/share/fwbuilder. Both template preferences file
fwbuilder_prefs.xml and initial objects database "objects_init.xml"
get installed by distribution in ${prefix}/share/fwbuilder and never
change. These can always be used as backup copies for the fresh start.
User can specify working directory using "Options" dialog. Data files
are assumed to be found in the working directory and compilers will be
given command-line option specifyng this directory for the output
files to be created in. If working directory left blank, then compiler
will be given directory object data file has been loaded from.
Object Types
------------
For all objects defined in the system, GUI remembers object name and
comment. These two are most general parameters which are independent
of the object type. Besides of these two common ones, each type
defines number of its own parameters
Host
----
GUI stores host address and list of interfaces. For each interface it
stores name, address, netmask and boolean flag which marks external
interfaces.
In case host runs SNMP agent, GUI allows to store SNMP communities as
well.
Network
-------
GUI stores address and netmask for networks
Firewall
--------
GUI stores address, list of interfaces and SNMP communities just like
for host. Besides that, the following parameters can be assigned:
platform
version
path and filename for compiler (if different from default for given platform)
additional command line parameters for compiler
Services
---------
IP
--
Generalized IP protocol. GUI manipulates with the following data:
protocol number
Boolean flags for some protocol options
ICMP
----
GUI accepts and then passes to compiler two parameters: type and code. Code
value -1 means any code, compiler should generate code which would take only
icmp type into account.
TCP
---
GUI accepts four numbers: beginning and end of the source and
destination port ranges. It also accepts boolean values for TCP flags
SYN, ACK, FIN, RST.
UDP
---
Just like for TCP, GUI accepts four numbers: beginning and end of the
source and destination port ranges.
TIME
----
Object of this type stores definition of two moments of time: when
rule should be enabled and when it should be disabled. Rule assumed to
be active between these two moments of time and inactive the rest of
the time. Moments can be defined as recurring on daily basis.
The implementation is very much system dependent and should be done by
compiler and scripts on the firewall itself. One of the ways to do it
would be like this. Firewall has simple script ran by cron every 1 or
10 min. Compiler generates some sort of time schedule file, which
this script reads. Script then turns rule on or off depending on the
current time and data in the time schedule file
GUI accepts following data for this object:
"Enable" time:
min1 - minutes of the hour ( 0..59 )
hour1 - hour of the day ( 0..23 )
day1 - day of the month ( 1..31 )
month1 - month of the year ( 1..12 )
year1 - year
dayofweek1 - day of week for recurring events ( 1..7 )
"Disable" time:
min2 - minutes of the hour ( 0..59 )
hour2 - hour of the day ( 0..23 )
day2 - day of the month ( 1..31 )
month2 - month of the year ( 1..12 )
year2 - year
dayofweek2 - day of week for recurring events ( 1..7 )
"-1" assigned to any of these parameters means "Any".
