Javier Barroso
2012-08-24
Hello,
I want to upgrade my fwbuilder from v3 to v5.
When I import the fwb file, v5 tells me that there are rules that overwrite other rules (global vs. iface-specific rules), so I have to disable those specific rules. I don't know if it is possible to configure v5 to ignore those overwritten rules.
The problem is that when I install the imported fwb file on the fw, the behaviour is different from the original fwb file. It drops some ICMP packets (no rule with the ICMP protocol was disabled) and some other frames which are allowed in the original fwb.
Do you have any hint? Maybe I need to replicate my fw and play … but it has ~14 ifaces :-(, a lot of work to simulate our networks …
Thank you very much
Vadim Kurland
2012-08-24
I am not sure what is going on here. What was the error you got about rules that overwrite other rules?
Javier Barroso
2012-08-28
Hello, here are the error messages:
FWGest:Policy:13: error: Rule '13 (global)' shadows rule '29 (eth4)' below it
FWGest:Policy:38: error: Rule '38 (global)' shadows rule '40 (eth4)' below it
FWGest:Policy:37: error: Rule '37 (global)' shadows rule '41 (eth4)' below it
FWGest:Policy:4: error: Rule '4 (global)' shadows rule '68 (eth17)' below it
FWGest:Policy:8: error: Rule '8 (global)' shadows rule '90 (eth17)' below it
All warnings are OK for me (I understand the firewall will work the same), but rule 41 has an item that I don't understand how it can be a destination (the firewall itself, but its own IP is inside the allowed network).
I'm attaching a picture with rule 41.
If you need me to attach both (the generated v3 and v4 scripts), please tell me.
Thank you very much
PS: (Oh, I cannot attach an image; the destination in rule 41 has a network and the same firewall object)
Vadim Kurland
2012-08-28
Sounds like either you have to fix the rules that shadow each other, or you can turn off the function that detects rule shadowing. You can turn it on and off in the firewall object's "advanced" settings dialog.
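What the shadowing check above is complaining about, as an added example (this is illustrative code written for this page, not fwbuilder's own checker, and the rules, networks and interface names in it are constructed): a global rule applies on every interface, so in the effective rule order of a given interface it sits above that interface's own rules; if it matches every packet a later rule would match (source, destination and protocol all contained), the later rule can never be reached and is reported as shadowed. The example also covers the destination that caused confusion in the previous post: a firewall object whose address lies inside a network that the same rule already lists adds nothing to the match set, so a global rule covering that network shadows it. Containment is checked per network rather than against the union of networks, which is a simplification.

```python
"""Constructed model of rule shadowing between global and
interface-specific firewall rules (example code, not fwbuilder's own)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet, List

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ALL_PROTOS = frozenset({"tcp", "udp", "icmp"})   # "any" protocol


@dataclass(frozen=True)
class Rule:
    num: int
    iface: Optional[str]               # None = global rule, applies on every interface
    src: Tuple[ipaddress.IPv4Network, ...]
    dst: Tuple[ipaddress.IPv4Network, ...]
    protos: FrozenSet[str]             # subset of ALL_PROTOS


def _covers(nets_a, nets_b) -> bool:
    """True if every network in nets_b lies inside some network in nets_a.
    Simplification: each network is tested individually, not against the
    union of nets_a, so a range split across several networks is not seen
    as covered."""
    return all(any(b.subnet_of(a) for a in nets_a) for b in nets_b)


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` matches every packet `later` would match.
    The action does not matter: whether `earlier` accepts or drops,
    `later` is never evaluated for those packets."""
    return (_covers(earlier.src, later.src)
            and _covers(earlier.dst, later.dst)
            and later.protos <= earlier.protos)


def applies_on(rule: Rule, iface: str) -> bool:
    return rule.iface is None or rule.iface == iface


def find_shadowed(rules: List[Rule], interfaces) -> List[Tuple[int, int, str]]:
    """Return (earlier_num, later_num, iface) for every later rule that an
    earlier rule fully shadows in that interface's effective rule order.
    Only the first shadowing rule is reported for each shadowed rule."""
    found = []
    for iface in interfaces:
        effective = [r for r in rules if applies_on(r, iface)]
        for i, later in enumerate(effective):
            for earlier in effective[:i]:
                if shadows(earlier, later):
                    found.append((earlier.num, later.num, iface))
                    break
    return found


def report(rules: List[Rule], interfaces) -> List[str]:
    """Render findings in the same shape as the messages quoted in the thread."""
    by_num = {r.num: r for r in rules}

    def label(n: int) -> str:
        return "%d (%s)" % (n, by_num[n].iface or "global")

    return ["Rule '%s' shadows rule '%s' below it" % (label(a), label(b))
            for a, b, _ in find_shadowed(rules, interfaces)]


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed objects: a LAN and the firewall's own address on that LAN.
LAN = net("10.0.4.0/24")
FW_ETH4 = net("10.0.4.1/32")          # firewall object; lies inside LAN

# Constructed policy, in policy order. Rule numbers are hypothetical.
RULES = [
    Rule(1, None, (ANY_NET,), (LAN,), ALL_PROTOS),                      # global: anything to LAN
    Rule(2, "eth4", (ANY_NET,), (LAN, FW_ETH4), frozenset({"icmp"})),   # LAN + firewall: shadowed by 1
    Rule(3, None, (net("192.168.1.0/24"),), (net("10.0.5.0/24"),), frozenset({"tcp"})),
    Rule(4, "eth4", (net("192.168.1.0/24"),), (net("10.0.5.0/24"),), frozenset({"udp"})),   # other proto: live
    Rule(5, "eth17", (net("192.168.1.0/24"),), (net("10.0.5.0/24"),), frozenset({"tcp"})),  # shadowed by 3
]

if __name__ == "__main__":
    for line in report(RULES, ("eth4", "eth17")):
        print(line)
```

Rule 2 is dead even though it adds the firewall object to the destination: the firewall's address is already inside the LAN network that global rule 1 covers. Rule 4 survives because its protocol set is not contained in rule 3's. Disabling the shadowing check makes the compiler stop reporting these, but the shadowed rules still never match anything.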
Javier Barroso
2012-08-28
Thank you vkurland.
I will try disabling rule shadowing detection … (I made a quick search on the internet about it, but I guess I didn't use the correct words ;) )
It is a production firewall, but I will try to deactivate the rules one by one to debug the issue.
Thank you very much!