Step by step: how to build an enterprise-level high-availability firewall system.

Monday, February 15, 2010

III Managing policy, NAT and routes


12. Client PC configuration.

You can use the display and keyboard of fw-console with Gnome or KDE to work with fwbuilder, but I don't recommend it. In an enterprise environment, fw-console will "live" in a cold datacenter room. It is better to use an ordinary PC (pc-01).

Use ssh X11 forwarding (X11Forwarding) to connect the PC to fw-console. Basically, you ssh from the PC to fw-console with X11 forwarding active, and everything you run on fw-console will be "displayed" in a window on the PC.

On a Linux PC (Gnome or KDE) you just enable ForwardX11 in /etc/ssh/ssh_config (or pass -X on the ssh command line, which limits forwarding to that one session instead of every host you connect to).

On a Windows PC you need to install some additional software (an ssh client and an X server). For this example we will use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and Xming (http://sourceforge.net/projects/xming), both Free Software.

12.1       Xming


Install both (Next, Next, …, Finish).

12.2       Putty

You can download the full installer (http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.60-installer.exe) and install it (Next, Next, …, Finish).


Run PuTTY. In the left menu, click on Connection. In "Seconds between keepalives" put 30. Again in the left menu, click on the + left of SSH and then on X11. Mark the option Enable X11 forwarding. Once more in the left menu, click on Session. Write the IP address of fw-console (192.168.100.13) in the Host Name box, fw-console in Saved Sessions, and click the Save button.



Later you can change a lot of other things (like fonts, colors, …).

12.3       Test

Run XLaunch (Next, Next, Next, Finish). It will appear as an X icon in the task bar.

Double-click on fw-console (the first time you will be asked to confirm the host key; compare the fingerprint with the one on fw-console, then click Yes). Log in with the fwadmin user name and password.

cd /opt/FWadmin
fwbuilder


In a few seconds an X window with the fwbuilder GUI (running on fw-console) will be displayed on the Windows PC.


13. Start using FWbuilder

Fwbuilder has very good documentation. You can read the user guide (http://www.fwbuilder.org) for more instructions on how to install and use fwbuilder in depth.

Run fwbuilder and close the Welcome banner.

If you have fw-db.fwb installed, just click File, Open. Look in /opt/FWbuilder, select fw-db.fwb and Open.

If not, create a new database: File, New Object File, look in /opt/FWbuilder, enter the file name "fw-db.fwb" and Save.



14. Address, Groups, Networks, firewalls and cluster.

The HAF Corporation has a central office with 2 inside servers, dns-01 (samba file server, bind name server, dhcp) and db-01 (mysql database server), and 2 external servers on the DMZ, web-01 (apache/php application that uses mysql) and mail-01 (sendmail mail server). It has 2 remote offices connected to the central office by an MPLS network.

Open fw-db.fwb and create the objects needed.



Addresses:

name                        Address
Broadcast-192.168.100.255   192.168.100.255
Broadcast-192.168.150.255   192.168.150.255
Broadcast-192.168.200.255   192.168.200.255
db-01                       192.168.100.32
dns-01                      192.168.100.31
fw-console                  192.168.100.13
gw-01                       200.201.202.1
gw-02                       192.168.100.1
gw-03                       192.168.101.1
gw-04                       192.168.102.1
mail-01                     192.168.150.21
pc-01                       192.168.100.120
web-01                      192.168.150.22
Figure: addresses

On the left side, click on the + of the Objects folder, then right-click over the Addresses folder and New Address. Double-click over the address object and insert its name and IP address.

Networks:

name                       Address         Netmask
lan_dmz_192.168.150.0      192.168.150.0   255.255.255.0
lan_inside_192.168.100.0   192.168.100.0   255.255.255.0
lan_north_192.168.102.0    192.168.102.0   255.255.255.0
lan_south_192.168.101.0    192.168.101.0   255.255.255.0
lan_sync_192.168.255.0     192.168.255.0   255.255.255.0
lan_vpn_192.168.200.0      192.168.200.0   255.255.255.0
Figure: Networks

Same as for addresses, but over the Networks folder.

Groups:

name          Members
InsideLans    lan_inside_192.168.100.0, lan_north_192.168.102.0, lan_south_192.168.101.0
Servers-DNS   dns-01
Servers-FTP   web-01
Servers-MAIL  mail-01
Servers-NTP   fw-console
Servers-WEB   web-01
Figure: Groups

Right-click over the Groups folder and New Group. Double-click over the group object and insert the name. Then drag-and-drop or copy-and-paste the address or network objects into the box on the right side of the group name.





Now create fw-01 (the first firewall node).
Right-click over the Firewalls folder and New Firewall.
Name fw-01, choose firewall software iptables, choose OS Linux 2.4/2.6, click Next.
Configure manually, Next.
Click + (5 times to create five interfaces). For each interface give:

name   label        Type      Address          Netmask           type
eth0   inside 01    Regular   192.168.100.11   255.255.255.0     IPv4
eth1   outside 01   Regular   200.201.202.11   255.255.255.240   IPv4
eth2   dmz 01       Regular   192.168.150.11   255.255.255.0     IPv4
eth3   sync 01      Regular   192.168.255.11   255.255.255.0     IPv4
lo     lo 01        Regular   127.0.0.1        255.0.0.0         IPv4
Figure: fw-01 interfaces

Finish.
Double-click over the fw-01 object.
Check that it is configured as iptables, 1.3.x, Linux 2.4/2.6.
Click Host OS Settings and select the options:

Options              TCP               conntrack
ipv4           On    fin   0           max      131072
ipv6           Off   keep  0           hash     131072
anti spoofing  On    win   No change   disable  On
ig broad       On    sack  No change
ig all         Off   fack  No change
acc source     Off   ecn   No change
acc icmp       Off   syn   On
ignore icmp    Off   time  No change
allow dy       On
log mart       On
Figure: fw-01 OS Settings



*The conntrack_max and hashsize values depend on your traffic and available RAM. More information at http://www.wallfire.org/misc/netfilter_conntrack_perf.txt and http://conntrack-tools.netfilter.org/manual.html.

Click Firewall Settings and select the options (labels as abbreviated in the dialog; X = checked, everything else left unchecked or empty):

Installer:
  Directory    /opt/Fwbuilder
  User name    fwadmin

Logging:
  use LOG      LOG
  log TCP num  X
  log TCP op   X
  log IP op    X
  use numeric  X
  Log level    INFO
  Log prefix   RULE %C -- %A
  log limit    1000 /second

Script:
  load         X
  verify       X
  turn, config, clear, config vlan, confg br, conf bo, active all, add virt: unchecked

Compiler:
  accept tcp    X
  accept estab  X
  drop          X
  log           X
  detect        X
  always        X   192.168.100.13
  install       X
  command, output, generated, assume any, add virt, brid, user restore, ignore, enable, clamp, make tag, add rules, default action: unchecked or empty
Figure: Firewall settings





Do the same for fw-02:

name   label        Type      Address          Netmask           type
eth0   inside 02    Regular   192.168.100.12   255.255.255.0     IPv4
eth1   outside 02   Regular   200.201.202.12   255.255.255.240   IPv4
eth2   dmz 02       Regular   192.168.150.12   255.255.255.0     IPv4
eth3   sync 02      Regular   192.168.255.12   255.255.255.0     IPv4
lo     lo 02        Regular   127.0.0.1        255.0.0.0         IPv4
Figure: fw-02 interfaces



Now create the cluster object fw-cluster. Right-click over the Clusters folder, New Cluster.
Enter the name fw-cluster.
Select fw-01 and fw-02 to be used in the cluster and set fw-01 as master.
Now set a label for each interface:

name   label
eth0   inside cl
eth1   outside cl
eth2   dmz cl
eth3   sync cl
lo     lo cl
Figure: fw-cluster interface labels

Next.
Select the protocol and add an address for each interface:

name   label        Protocol    Address          Netmask           type
eth0   inside 02    heartbeat   192.168.100.10   255.255.255.0     IPv4
eth1   outside 02   heartbeat   200.201.202.10   255.255.255.240   IPv4
eth2   dmz 02       heartbeat   192.168.150.10   255.255.255.0     IPv4
eth3   sync 02      heartbeat   -                -                 -
lo     lo 02        heartbeat   127.0.0.1        255.0.0.0         IPv4
Figure: fw-cluster interfaces config

Next.
"do not use any", Next, Finish.

Click the + of the fw-cluster object and of each interface.
Right-click over the fw-cluster:lo:members object, Delete, Delete.
            *here only an IP address is needed.

Double-click over the fw-cluster:eth3:members object, Edit protocol, set Use unicast, OK.
Double-click over the fw-cluster:eth2:members object, Edit protocol, set Use unicast, OK.
Double-click over the fw-cluster:eth0:members object, Edit protocol, set Use unicast, OK.
            *heartbeat was configured with unicast.

Double-click over the fw-cluster:eth1:members object, Type: None.
            *there is no heartbeat over this interface.

*fwbuilder will generate "internal rules" to permit the heartbeat packets:
            fw-01 eth0 <-> fw-02 eth0
            fw-01 eth2 <-> fw-02 eth2
            fw-01 eth3 <-> fw-02 eth3

Double-click over State Sync Group, Manage Members, select eth3 of fw-01 in the left box and > to add it to the right box. Select eth3 of fw-02 too. OK.
            *conntrackd is configured to use eth3 (the dedicated lan_sync segment; keep that segment isolated, since conntrackd's sync traffic is not encrypted).

*fwbuilder will generate "internal rules" to permit the conntrackd packets:
            fw-01 eth3 <-> fw-02 eth3


15. Policy, nat and routes.

Routes:

The cluster firewall will need 2 routes: one to the 2 remote office networks and one for the internet (default route).

On the cluster object fw-cluster, double-click over the Routing folder.

#0
In the right box, right-click and Insert Rule.
Drag-and-drop or copy-and-paste the network objects lan_north and lan_south to the Destination box.
Drag-and-drop or copy-and-paste the address object gw-02 to the Gateway box.
Drag-and-drop or copy-and-paste the interface object eth0 of fw-cluster to the Interface box.
            *route #0 is done (lan_north and lan_south to gw-02 over eth0)

#1
Right-click over the existing route #0, Add Rule Below.
Drag-and-drop or copy-and-paste the address object gw-01 to the Gateway box.
Drag-and-drop or copy-and-paste the interface object eth1 of fw-cluster to the Interface box.
            *route #1 is done (default to gw-01 over eth1)



NAT:

The cluster firewall will need 4 NAT rules.

On the cluster object fw-cluster, double-click over the NAT folder.

#0
In the right box, right-click and Insert Rule.
Drag-and-drop or copy-and-paste the cluster object fw-cluster to the Original Src box.
            *no NAT for the firewall's own packets

#1
Right-click over the existing NAT rule #0, Add Rule Below.
Drag-and-drop or copy-and-paste the group object InsideLans and the network objects lan_dmz and lan_vpn to the Original Src box.
Drag-and-drop or copy-and-paste the group object InsideLans and the network objects lan_dmz and lan_vpn to the Original Dst box.
            *no NAT between the local LANs

#2
Right-click over the existing NAT rule #1, Add Rule Below.
Drag-and-drop or copy-and-paste the fw-cluster:eth1:ip object to the Original Dst box.
Drag-and-drop or copy-and-paste the address object web-01 to the Translated Dst box.
Change from User to Standard objects in the upper left menu.
Drag-and-drop or copy-and-paste the Services-TCP-http and Services-TCP-ftp objects to the Original Srv box.
            *now packets from the internet to 200.201.202.10 for the services http or ftp will be redirected to web-01

#3
Right-click over the existing NAT rule #2, Add Rule Below.
Drag-and-drop or copy-and-paste the Services-TCP-smtp object to the Original Srv box.
Change from Standard to User objects in the upper left menu.
Drag-and-drop or copy-and-paste the fw-cluster:eth1:ip object to the Original Dst box.
Drag-and-drop or copy-and-paste the address object mail-01 to the Translated Dst box.
            *now packets from the internet to 200.201.202.10 for the service smtp will be redirected to mail-01

#4
Right-click over the existing NAT rule #3, Add Rule Below.
Drag-and-drop or copy-and-paste the group object InsideLans and the network objects lan_dmz and lan_vpn to the Original Src box.
Drag-and-drop or copy-and-paste the fw-cluster:eth1:ip object to the Translated Src box.
            *any other packet (to the internet) is NATed with the 200.201.202.10 address



Policy:

The cluster firewall will need 30 policy rules.

On the cluster object fw-cluster, double-click over the Policy folder.

#0
In the right box, right-click and Insert Rule.
Drag-and-drop or copy-and-paste the interface object lo of the cluster fw-cluster to the Interface box.
Right-click over the Action box, Accept.
            *all the firewall's internal packets are accepted
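The routes #0-#1, NAT rules #0-#4 and policy rule #0 above, written out by hand as the iproute2 and iptables commands they correspond to. This is an added illustration, not the script fwbuilder generates (its output differs in chain names, logging and structure); the addresses, gateways and interfaces are the ones from the object tables above, and the addrtype match used for NAT #0 is my choice of how to express "Original Src = fw-cluster".

```shell
#!/bin/sh
# Added example, not fwbuilder output. Set IPT=echo IP=echo to only print
# the commands; run "sh thisfile apply" as root on a node to apply them.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
OUTSIDE_IP=200.201.202.10     # fw-cluster:eth1:ip, the shared public address
WEB_01=192.168.150.22
MAIL_01=192.168.150.21
GW_01=200.201.202.1           # internet gateway (default route)
GW_02=192.168.100.1           # MPLS gateway towards the remote offices
# InsideLans group + lan_dmz + lan_vpn
LOCAL_NETS="192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.150.0/24 192.168.200.0/24"

routes() {
    $IP route add 192.168.102.0/24 via $GW_02 dev eth0   # route #0: lan_north
    $IP route add 192.168.101.0/24 via $GW_02 dev eth0   # route #0: lan_south
    $IP route add default via $GW_01 dev eth1            # route #1: default
}

nat_rules() {
    # NAT #0: packets the firewall itself sends are never translated. Without it,
    # traffic from the cluster's own 192.168.100.10 would match rule #4 below.
    $IPT -t nat -A POSTROUTING -m addrtype --src-type LOCAL -j ACCEPT
    # NAT #1: no translation between the local LANs. ACCEPT in the nat table means
    # "stop here, leave the packet untouched", so these must come before the SNAT.
    for s in $LOCAL_NETS; do for d in $LOCAL_NETS; do
        $IPT -t nat -A POSTROUTING -s $s -d $d -j ACCEPT
    done; done
    # NAT #2: http and ftp to the public address go to web-01 (ftp data channels
    # additionally need the nf_conntrack_ftp / nf_nat_ftp helpers loaded).
    for p in 80 21; do
        $IPT -t nat -A PREROUTING -d $OUTSIDE_IP -p tcp --dport $p -j DNAT --to-destination $WEB_01
    done
    # NAT #3: smtp to the public address goes to mail-01
    $IPT -t nat -A PREROUTING -d $OUTSIDE_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL_01
    # NAT #4: anything else from the local LANs leaving eth1 is hidden behind the cluster address
    for s in $LOCAL_NETS; do
        $IPT -t nat -A POSTROUTING -o eth1 -s $s -j SNAT --to-source $OUTSIDE_IP
    done
}

policy_rule0() {
    # policy #0: interface lo, action Accept: the firewall's internal traffic
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

if [ "${1:-}" = apply ]; then routes; nat_rules; policy_rule0; fi
```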





Save the fwbuilder database:
File, Save, or click on the disk icon (upper left).

16. Compile.

Now you need to compile the firewall. This action checks your routes, NAT and policy rules and generates a script for each firewall node.

Right-click over the fw-cluster object, Compile. Next.
If all is OK, a success message appears on the left side of the window.
If anything is wrong, error messages will appear in the Process log box. Fix the problems and compile again.
Finish.

*Now there are 2 scripts (fw-01.fw and fw-02.fw) in the /opt/FWbuilder folder on the fw-console host. Nothing has been done on the fw-01 and fw-02 hosts yet.

17. Install new policy.

Now you need to install the new policy on the firewalls (fw-01 and fw-02) by copying those scripts to the firewall nodes and running them there. Don't worry; fwbuilder will do it for you.

Right-click over the fw-cluster object, Install.
*You can select the fw-nodes individually if needed.
Next.
OK       (for the first node)
            *the script is copied to the node and run on the node.
OK       (for the second node)
            *the script is copied to the node and run on the node.

If all is OK, a success message appears on the left side of the window.
If anything is wrong, error messages will appear in the Process log box.

Finish.

*Now each script generated by the compile process (fw-01.fw and fw-02.fw) has been copied to its fw-node and executed to activate the new rules.

*You can see a message in /var/log/messages of fw-console for each fw-node indicating the new policy.

From now on you can change the rules (policy, NAT and routes) and the fw-node options with the fwbuilder GUI from one centralized point.

