Building a better Firewall Builder

By

Back in 1999, Vadim Kurland realized he needed a better way to configure a Linux firewall than the then-typical process of issuing cryptic commands or editing a text-based configuration file full of esoteric settings. Fortunately, he had lots of experience with commercial firewalls that he was able to apply to the problem. The result was Firewall Builder, a firewall configuration and management tool that lets administrators build firewall policies using a GUI, then push the configuration to firewall machines. It supports the open source firewall platforms iptables, pf, ipfw, and ipfilter, as well as Cisco ASA (PIX) and IOS access lists, and makes all these very different firewalls appear the same to the administrator.

Firewall Builder is intended for complex configurations, including those where multiple firewalls and routers are used, Kurland says. Administrators create objects that describe their hosts, networks, and services, then re-use the objects in policy and NAT rules on all the firewalls they manage. The program can transfer a generated configuration to each firewall and activate it there, with various safeguards to help keep administrators from locking themselves out of a remote firewall.

The software not only translates high-level policy rules into the configuration language of the target firewall, it also analyzes the rules and finds common errors such as rules that can never match. It can choose the most efficient way to implement certain rules for the chosen firewall platform, and it enforces best practices in firewall policy design.
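To make the object model, the generated-script workflow and the rule analysis described in the two paragraphs above concrete, here is an added example in Python; it is not Firewall Builder's own code and does not reproduce its algorithms. Host, network and service objects are defined once and rules refer to them; `compile_policy` emits an iptables script and places the administrator's management rule ahead of the policy so that a bad rule set cannot lock the administrator out of a remote firewall; `find_shadowed` reports one common policy error, a rule that can never match because an earlier rule already matches everything it would. The firewall, host and service names and all addresses are constructed for the illustration.

```python
# Added example, not Firewall Builder code: an object-based policy compiler
# with a shadowed-rule check.  All names and addresses are constructed.
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Net:
    """A host (/32) or network object, reusable across rules and firewalls."""
    name: str
    cidr: str
    def net(self):
        return ipaddress.ip_network(self.cidr, strict=False)

@dataclass(frozen=True)
class Service:
    """A service object: proto 'all' matches any protocol, port None any port."""
    name: str
    proto: str
    port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    svc: Service
    action: str  # "ACCEPT" or "DROP"

ANY = Net("any", "0.0.0.0/0")
ANY_SVC = Service("any", "all")

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that rule b would match is also matched by rule a."""
    svc_ok = a.svc.proto == "all" or (
        a.svc.proto == b.svc.proto and a.svc.port in (None, b.svc.port))
    return (b.src.net().subnet_of(a.src.net())
            and b.dst.net().subnet_of(a.dst.net()) and svc_ok)

def find_shadowed(rules):
    """Return (i, j) pairs: under first-match semantics rule i can never fire
    because rule j (j < i) already matches everything rule i would match."""
    found = []
    for i, r in enumerate(rules):
        j = next((j for j in range(i) if covers(rules[j], r)), None)
        if j is not None:
            found.append((i, j))
    return found

def to_iptables(rule: Rule, chain: str) -> str:
    """Translate one rule into one iptables command; 'any' matches are omitted."""
    parts = ["iptables", "-A", chain]
    if rule.src != ANY:
        parts += ["-s", rule.src.cidr]
    if rule.dst != ANY:
        parts += ["-d", rule.dst.cidr]
    if rule.svc.proto != "all":
        parts += ["-p", rule.svc.proto]
        if rule.svc.port is not None:
            parts += ["--dport", str(rule.svc.port)]
    parts += ["-j", rule.action]
    return " ".join(parts)

def compile_policy(fw: Net, rules, admin: Net, mgmt: Service):
    """Emit the script for firewall fw as a list of lines.  Rules whose
    destination is the firewall itself go to INPUT, all others to FORWARD
    (a real compiler would also place destination-'any' rules in INPUT).
    Default-deny is set first and a management rule (admin -> fw on mgmt)
    precedes the policy, so an administrator activating the script remotely
    keeps access no matter what the policy rules say."""
    script = [f"# generated policy for {fw.name} ({fw.cidr})"]
    for chain in ("INPUT", "FORWARD"):
        script += [f"iptables -P {chain} DROP", f"iptables -F {chain}",
                   f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    script.append(to_iptables(Rule(admin, fw, mgmt, "ACCEPT"), "INPUT"))
    for r in rules:
        chain = "INPUT" if r.dst.net().subnet_of(fw.net()) else "FORWARD"
        script.append(to_iptables(r, chain))
    for chain in ("INPUT", "FORWARD"):
        script.append(f"iptables -A {chain} -j LOG --log-prefix 'FW-DROP: '")
        script.append(f"iptables -A {chain} -j DROP")
    return script

# Constructed sample objects and policy (documentation prefixes, not real hosts).
FW = Net("fw1", "192.0.2.1/32")
ADMIN = Net("admin-ws", "192.0.2.10/32")
LAN = Net("lan", "192.0.2.0/24")
WEB = Net("web1", "198.51.100.5/32")
SSH = Service("ssh", "tcp", 22)
HTTP = Service("http", "tcp", 80)
POLICY = [
    Rule(LAN, ANY, ANY_SVC, "ACCEPT"),  # rule 0: LAN may go anywhere
    Rule(ANY, WEB, HTTP, "ACCEPT"),     # rule 1: anyone may reach web1 on 80
    Rule(LAN, WEB, SSH, "DROP"),        # rule 2: never matches, rule 0 covers it
]

if __name__ == "__main__":
    for i, j in find_shadowed(POLICY):
        print(f"warning: rule {i} is shadowed by rule {j} and can never match")
    print("\n".join(compile_policy(FW, POLICY, ADMIN, SSH)))
```

Running the script prints the warning for rule 2 (it is shadowed by the LAN-to-anywhere rule 0) followed by the generated iptables commands. The chain selection is deliberately simple: only rules whose destination is the firewall's own address land in INPUT, so a rule with destination "any" is emitted for FORWARD only; a compiler meant for production would have to consider both chains, and would normally also emit the NAT rules the article mentions, which are left out here.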

Firewall Builder isn’t the only tool of its type. Some similar utilities provide a GUI front end for iptables or pf, some generate configuration scripts from templates, and others implement a high-level language that is translated into the configuration of the target firewall. Firewall Builder provides all of that as an integrated, cross-firewall package that helps administrators plan, manage, and deploy firewall configurations onto multiple machines, both locally and remotely.

The Firewall Builder code is written in C++. Kurland says in the project’s early days its interface was based on GTK+, “but later we switched to Qt to get more robust multi-OS support.” The project released a public beta of version 4.0 last week.

Kurland posted the code to SourceForge.net not long after the site was established, in 2000. “It is important to be part of the community of open source projects and developers – this helps promote the project. SourceForge also provides excellent communication with users by offering online forums, a bug tracking system, mailing lists, and the file download service.”

However, the project has grown beyond SourceForge.net’s mission of hosting only open source software. “Firewall Builder is dual licensed and has commercial add-ons, so we moved the code repository to SVN on our own server, but we keep a read-only CVS repository of the older versions on SourceForge and use SourceForge for public bug tracking, online forums, mailing lists, and the download area for the open source part of the project.”

Firewall Builder 4.0 adds the ability to configure firewall clusters. On Linux it supports clusters built with heartbeat, vrrp, and OpenAIS, and the packages that manage them, such as pacemaker; on OpenBSD it supports CARP and pfsync; and it supports Cisco PIX failover configurations. It can also generate configuration scripts that manage the IP addresses of interfaces, VLANs, bridges, and bonding interfaces on the firewall. Firewall Builder 4.0 can generate a drop-in replacement firewall script for OpenWRT, and has experimental integration with IPCOP. It also includes improvements in the GUI and better support for target firewalls.

In future versions the project plans to add support for VPNs and QoS, and possibly support for additional commercial firewalls such as Juniper (formerly Netscreen) devices. Kurland says, “We usually release a major new version every couple of years or so and make several bugfix interim releases between those. Hopefully we’ll be able to make major releases more often.”

The project welcomes help with testing and bug reports. “We appreciate all sorts of contributed documentation, guides, and how-tos that we can publish on the project web site.”