Firewall Builder
----------------

How to compile and install
--------------------------

Firewall Builder uses GNU autoconf. To compile, run

    ./configure

in the distribution's topmost directory, then run

    make depend
    make

and then

    make install

to install the binary, program files and icons. The latter command should be run as root, since it needs write permissions to a number of system directories.

The package gets installed as follows:

  o all binaries go to $(prefix)/bin/
  o package data files go to $(prefix)/share/fwbuilder
  o icons go to the directory $(prefix)/share/pixmaps/${PACKAGE}

By default configure sets $(prefix) to /usr/local. If you want to install to /usr/bin and /usr/share/fwbuilder, run configure with the option "--prefix=/usr".

Autoconf and automake
---------------------

To rebuild the configure script, run autoconf in the top directory. Autoconf needs the file aclocal.m4 to build configure properly. We do not use automake.

glade and fwbuilder.glade file
------------------------------

You need at least glade-- installed on your system if you want to rebuild source code from the fwbuilder.glade file. If you do not need to do anything like that, then you need neither glade nor glade-- on your system.

Use "make from-glade" to rebuild sources from glade. We do not use automake, so if you simply use the "Build" button in glade, you are going to get a whole bunch of automake files built for you by glade which are not going to be used. Make changes to the GUI using glade, save the project and then do "make from-glade".

Files and directories
---------------------

On the first run Firewall Builder creates the preferences file .fwbuilder.xml in the user's home directory, using the template preferences file it finds in the ${prefix}/share/fwbuilder directory. On subsequent runs Firewall Builder automatically reads preferences from the file .fwbuilder.xml.
After the start it either reads the user's data file (provided via the "-f" command line option) or the default data file objects_init.xml from the directory ${prefix}/share/fwbuilder. Both the template preferences file fwbuilder_prefs.xml and the initial objects database "objects_init.xml" get installed by the distribution in ${prefix}/share/fwbuilder and never change. These can always be used as backup copies for a fresh start.

The user can specify the working directory using the "Options" dialog. Data files are assumed to be found in the working directory, and compilers will be given a command-line option specifying this directory for the output files to be created in. If the working directory is left blank, then the compiler will be given the directory the object data file has been loaded from.

Object Types
------------

For all objects defined in the system, the GUI remembers the object name and comment. These two are the most general parameters and are independent of the object type. Besides these two common ones, each type defines a number of its own parameters.

Host
----

The GUI stores the host address and a list of interfaces. For each interface it stores name, address, netmask and a boolean flag which marks external interfaces. In case the host runs an SNMP agent, the GUI allows SNMP communities to be stored as well.

Network
-------

The GUI stores address and netmask for networks.

Firewall
--------

The GUI stores address, list of interfaces and SNMP communities just like for a host. Besides that, the following parameters can be assigned:

  o platform
  o version
  o path and filename for the compiler (if different from the default for the given platform)
  o additional command line parameters for the compiler

Services
--------

IP
--

Generalized IP protocol. The GUI manipulates the following data:

  o protocol number
  o boolean flags for some protocol options

ICMP
----

The GUI accepts and then passes to the compiler two parameters: type and code. Code value -1 means any code; the compiler should generate code which takes only the ICMP type into account.
TCP
---

The GUI accepts four numbers: beginning and end of the source and destination port ranges. It also accepts boolean values for the TCP flags SYN, ACK, FIN, RST.

UDP
---

Just like for TCP, the GUI accepts four numbers: beginning and end of the source and destination port ranges.

TIME
----

An object of this type stores the definition of two moments of time: when the rule should be enabled and when it should be disabled. The rule is assumed to be active between these two moments of time and inactive the rest of the time. Moments can be defined as recurring on a daily basis.

The implementation is very much system dependent and should be done by the compiler and scripts on the firewall itself. One of the ways to do it would be like this: the firewall has a simple script run by cron every 1 or 10 minutes. The compiler generates some sort of time schedule file, which this script reads. The script then turns the rule on or off depending on the current time and the data in the time schedule file.

The GUI accepts the following data for this object:

"Enable" time:

  min1       - minutes of the hour ( 0..59 )
  hour1      - hour of the day ( 0..23 )
  day1       - day of the month ( 1..31 )
  month1     - month of the year ( 1..12 )
  year1      - year
  dayofweek1 - day of week for recurring events ( 1..7 )

"Disable" time:

  min2       - minutes of the hour ( 0..59 )
  hour2      - hour of the day ( 0..23 )
  day2       - day of the month ( 1..31 )
  month2     - month of the year ( 1..12 )
  year2      - year
  dayofweek2 - day of week for recurring events ( 1..7 )

"-1" assigned to any of these parameters means "Any".
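The service object types above (IP, ICMP, TCP, UDP) only say what the GUI stores; what a compiler has to make of them is the matching semantics, in particular that ICMP code -1 disregards the code entirely and that port ranges are inclusive begin/end pairs. The following is an added example, not Firewall Builder's own code, that implements those semantics as a small packet matcher. The packet representation (plain dicts), the service names and the TCP flag semantics (every flag checked in the object must be set in the packet) are assumptions made for the illustration; it also rejects port ranges outside 0..65535 or with begin > end, which the GUI as described does not validate.

```python
# Added example, not Firewall Builder code: matching packets against the
# service object types described above (IP, ICMP, TCP, UDP).  The packet
# representation (plain dicts) is constructed for this illustration, and the
# TCP flag semantics (every flag checked in the object must be set in the
# packet) is an assumption, as the README does not define it.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

ANY = -1                         # "-1" means "any", as for ICMP code in the README
PortRange = Tuple[int, int]      # inclusive (begin, end) of a port range


def check_range(rng: PortRange) -> PortRange:
    """Reject ranges the GUI would accept but a compiler must not emit."""
    lo, hi = rng
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {rng}")
    return rng


@dataclass(frozen=True)
class IPService:                 # generalized IP protocol: protocol number only
    protocol: int

    def matches(self, pkt: Dict) -> bool:
        return pkt["proto"] == self.protocol


@dataclass(frozen=True)
class ICMPService:
    icmp_type: int
    code: int = ANY              # -1: only the type is taken into account

    def matches(self, pkt: Dict) -> bool:
        return (pkt["proto"] == 1 and pkt["icmp_type"] == self.icmp_type
                and (self.code == ANY or pkt["icmp_code"] == self.code))


@dataclass(frozen=True)
class TCPService:
    src: PortRange = (0, 65535)
    dst: PortRange = (0, 65535)
    flags: FrozenSet[str] = frozenset()   # subset of {"SYN", "ACK", "FIN", "RST"}

    def matches(self, pkt: Dict) -> bool:
        lo_s, hi_s = check_range(self.src)
        lo_d, hi_d = check_range(self.dst)
        return (pkt["proto"] == 6 and lo_s <= pkt["sport"] <= hi_s
                and lo_d <= pkt["dport"] <= hi_d
                and self.flags <= frozenset(pkt.get("flags", ())))


@dataclass(frozen=True)
class UDPService:
    src: PortRange = (0, 65535)
    dst: PortRange = (0, 65535)

    def matches(self, pkt: Dict) -> bool:
        lo_s, hi_s = check_range(self.src)
        lo_d, hi_d = check_range(self.dst)
        return (pkt["proto"] == 17 and lo_s <= pkt["sport"] <= hi_s
                and lo_d <= pkt["dport"] <= hi_d)


Service = Union[IPService, ICMPService, TCPService, UDPService]

# Constructed service objects, named as a user might name them in the GUI.
SERVICES: Dict[str, Service] = {
    "ssh":          TCPService(dst=(22, 22)),
    "new-ssh-conn": TCPService(dst=(22, 22), flags=frozenset({"SYN"})),
    "dns":          UDPService(dst=(53, 53)),
    "ping":         ICMPService(8, 0),
    "unreach-any":  ICMPService(3),            # code -1: any "unreachable"
    "port-unreach": ICMPService(3, 3),
    "gre":          IPService(47),
}


def matching_services(pkt: Dict, services: Dict[str, Service] = SERVICES) -> List[str]:
    """Names of all service objects the packet matches, in definition order."""
    return [name for name, svc in services.items() if svc.matches(pkt)]


if __name__ == "__main__":
    print(matching_services({"proto": 1, "icmp_type": 3, "icmp_code": 3}))
```

The two ICMP objects show the point of the -1 convention: an "unreachable" packet with code 3 matches both `unreach-any` and `port-unreach`, while one with code 1 matches only `unreach-any`.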
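The TIME section leaves the cron-driven mechanism as a sketch. The following added example, which is not part of Firewall Builder and not the output of any real compiler, shows the decision logic such a script would need: it parses a schedule file carrying the twelve min1..dayofweek2 fields per rule, honours "-1" as "Any", and decides whether a rule is active at a given time by comparing the most recent enable moment with the most recent disable moment. That comparison handles recurring windows that wrap past midnight and one-shot windows uniformly. The schedule file format, the rule names, the day-of-week numbering (1 = Monday .. 7 = Sunday) and the 400-day look-back limit are assumptions; the README does not define them.

```python
# Added example, not Firewall Builder code: evaluating TIME objects on the
# firewall.  The schedule format and the day-of-week numbering (1 = Monday ..
# 7 = Sunday) are assumptions; the README does not define either.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, Optional

ANY = -1                   # "-1" in any field means "Any", as in the README
MAX_LOOKBACK_DAYS = 400    # assumption: how far back a one-shot moment may lie


@dataclass(frozen=True)
class Moment:
    """One of the two moments (enable/disable) of a TIME object."""
    minute: int = ANY      # 0..59
    hour: int = ANY        # 0..23
    day: int = ANY         # 1..31
    month: int = ANY       # 1..12
    year: int = ANY
    dayofweek: int = ANY   # 1..7, assumed ISO numbering (Monday = 1)

    def _date_matches(self, d: date) -> bool:
        return all(want == ANY or want == have for want, have in (
            (self.year, d.year), (self.month, d.month),
            (self.day, d.day), (self.dayofweek, d.isoweekday())))

    def latest_occurrence(self, now: datetime) -> Optional[datetime]:
        """Most recent minute <= now at which this moment occurs, or None.

        Days are scanned backwards; on a matching day hour/minute candidates
        are tried from latest to earliest, so the first hit is the newest.
        Wildcard fields expand to their full range.
        """
        now = now.replace(second=0, microsecond=0)
        hours = range(23, -1, -1) if self.hour == ANY else [self.hour]
        minutes = range(59, -1, -1) if self.minute == ANY else [self.minute]
        for back in range(MAX_LOOKBACK_DAYS):
            d = now.date() - timedelta(days=back)
            if not self._date_matches(d):
                continue
            for h in hours:
                for m in minutes:
                    cand = datetime(d.year, d.month, d.day, h, m)
                    if cand <= now:
                        return cand
        return None


@dataclass(frozen=True)
class TimeObject:
    enable: Moment
    disable: Moment

    def is_active(self, now: datetime) -> bool:
        """Active iff the newest enable moment is more recent than the newest
        disable moment.  Covers windows that wrap past midnight (23:30-06:00)
        and one-shot windows alike; a tie is treated as disabled (fail closed)."""
        on = self.enable.latest_occurrence(now)
        off = self.disable.latest_occurrence(now)
        if on is None:
            return False
        if off is None:
            return True
        return on > off


def parse_schedule(text: str) -> Dict[str, TimeObject]:
    """Parse the constructed format: one rule per line,
    'rule_id min1 hour1 day1 month1 year1 dow1 min2 hour2 day2 month2 year2 dow2'.
    Blank lines and '#' comments are ignored; malformed lines raise ValueError."""
    rules: Dict[str, TimeObject] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 13:
            raise ValueError(f"line {lineno}: expected 13 fields, got {len(fields)}")
        nums = [int(f) for f in fields[1:]]
        rules[fields[0]] = TimeObject(Moment(*nums[:6]), Moment(*nums[6:]))
    return rules


def rules_to_enable(text: str, now_iso: str) -> Dict[str, bool]:
    """Map rule id -> desired state at the ISO-8601 timestamp now_iso."""
    now = datetime.fromisoformat(now_iso)
    return {rid: obj.is_active(now) for rid, obj in parse_schedule(text).items()}


# Constructed sample schedule (not generated by any real compiler).
SAMPLE_SCHEDULE = """
# id            min1 hour1 day1 month1 year1 dow1   min2 hour2 day2 month2 year2 dow2
business-hours    0     9   -1    -1    -1   -1      0    17   -1    -1    -1   -1
night-backup     30    23   -1    -1    -1   -1      0     6   -1    -1    -1   -1
weekend-only      0     0   -1    -1    -1    6      0     0   -1    -1    -1    1
maintenance       0    22   15     3  2024   -1      0     2   16     3  2024   -1
"""

if __name__ == "__main__":
    # A cron job would compute this every few minutes and then insert or
    # remove the corresponding firewall rules (the platform-specific part).
    for when in ("2024-03-13T12:00", "2024-03-13T02:00", "2024-03-16T12:00"):
        print(when, rules_to_enable(SAMPLE_SCHEDULE, when))
```

Comparing "latest enable" against "latest disable" rather than testing "enable <= now < disable" is what makes the midnight wrap-around and the weekly window (enable Saturday 00:00, disable Monday 00:00) fall out without special cases; a schedule line with the wrong number of fields is rejected rather than silently treated as a rule that never fires.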