Future of FWBuilder

netzwerg
2014-04-15
2015-10-09
  • netzwerg
    2014-04-15

    Simple question: Does it have a future?
    I've read that development has stopped. The Linux kernel is introducing nftables (though iptables will still work for quite a while) and I've read that fwbuilder has problems running on newer distributions. With no one being able to tackle this, this might be the death of an extremely good tool.

    Is there hope that someone can take over or fork?
    If not - are there alternatives worth migrating to?

    • sirius
      2014-05-28

      Hi, as a summer student (last summer and this summer) I'm working for UNINETT.no on Firewall Builder. Based on their needs I have added ACL on NX-OS and Junos (releasing next month) platforms, and some other bugfixes and feature requests. I've also adjusted the code so it compiles with Qt 5 (Qt 4 is still supported), and added an updated guide/script for compiling on OSX or Windows.

      What is the problem with newer distros?

      The code is published on https://github.com/UNINETT/fwbuilder and I will push more code in June (e.g. Junos code).

      I don't have time to take over the project, but I may help you fix some bugs or make it run on newer distros.

      • Hi sirius,

        thank you very much, I tried to add NX-OS support by myself, but my skills were not sufficient, I have to add a shell script before the installer :-)

        Ys

        Andreas

      • Hi,

        though the improvements of Sirius (Thx, btw.) build fine on OS X Mavericks I cannot get it compiled on Windows7/64 with MinGW. This seems to be a problem with the pthread libraries. I followed the instructions in https://github.com/UNINETT/fwbuilder/blob/master/doc/README.windows except a small fix in net-snmp-5.7.2, where I had to #include <winsock2.h> a bit earlier in types.h.

        My ./configure in fwbuilder exits with

        configure: error: POSIX threads library not present or not configured

        Next I tried to add the W32 pthread libs from sourceware.org with no effect.

        Any other ideas anybody?

        Ys

        Andreas

        • sirius
          2014-06-11

          I'll have a look at it and report back to you :)

    • Allen
      2014-12-04

      Is anyone looking into adding nftables support?

  • Hello,

    I use Fwbuilder for years and I'm so sad its development seems stopped... I've looked around for alternatives but I can't find anything remotely as good and powerful...

    I'm not a Qt developer, but what do you think could be done to revive this software?

  • sirius
    2015-04-07

    Hey, I totally forgot this. We have begun to move all development over to GitHub, and I have also made some binary packages for W32 and OSX. Check out the project page on GitHub: UNINETT. I'll probably continue providing unofficial binary packages on my private GitHub account for the time being.

  • Doug
    2015-08-28

    Does anyone have any good alternatives since this project is dead? This really caught me off guard. I just upgraded our main firewall to CentOS 7 and something has gone badly wrong now that it is in production that did not creep up during testing. I cannot update the firewall anymore at all due to "chain already exists" and xtables lock error. I'm in quite a bind, have used this product for years and have searched but not finding anything even remotely close.

    • Vadim Kurland
      2015-08-28

      Hi

      A similar problem is described here:
      http://www.linuxquestions.org/questions/linux-security-4/iptables-chain-already-exists-4175533137/

      Too bad I did not see this post before. Anyway, there are a couple of things you can do.

      Are there any other errors besides "chain already exists"? Fwbuilder generates code to reset iptables tables before rules are added. If tables could not be reset, an attempt to create a new chain will cause the "chain already exists" error because the chain has not been cleared. The code that clears tables is in the function reset_iptables_v4() in the generated script. The function normally looks like this:

      reset_iptables_v4() {
        $IPTABLES -P OUTPUT  DROP
        $IPTABLES -P INPUT   DROP
        $IPTABLES -P FORWARD DROP

        # for every loaded table: flush each chain, then delete user-defined chains
        cat /proc/net/ip_tables_names | while read table; do
          $IPTABLES -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
              $IPTABLES -t $table -F $chain
            fi
          done
          $IPTABLES -t $table -X
        done
      }

      I suspect the path in the /proc file system could have changed and is not /proc/net/ip_tables_names anymore. I cannot test this though since I don't have a CentOS 7 system anywhere.

      Try to turn on debugging in the script (Firewall Settings dialog, tab "Script") and see if you get any errors that may help us understand where exactly in the script the failure occurs. You can check /proc/net/ip_tables_names manually and see if it is there and what its contents are. It should be just a list of table names: "nat", "mangle", "filter".

      If this is indeed the case and the problem is that the script can't clear tables and chains, then you can add the corresponding iptables commands to the "prolog" part of the script manually. You can do it in the Firewall Settings dialog, tab "Prolog/Epilog". Any of the three options for the "Insert prolog script" parameter should be fine.
      
  • cbastos
    2015-10-09

    Hi.

    I have found a solution for the issue above.
    You need to replace the code:

    reset_iptables_v4() {
      $IPTABLES -P OUTPUT  DROP
      $IPTABLES -P INPUT   DROP
      $IPTABLES -P FORWARD DROP

      # for every loaded table: flush each chain, then delete user-defined chains
      cat /proc/net/ip_tables_names | while read table; do
        $IPTABLES -t $table -L -n | while read c chain rest; do
          if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
          fi
        done
        $IPTABLES -t $table -X
      done
    }


    for this one

    reset_iptables_v4() {
      $IPTABLES -P OUTPUT  DROP
      $IPTABLES -P INPUT   DROP
      $IPTABLES -P FORWARD DROP
    
      $IPTABLES --flush
      $IPTABLES -X
      $IPTABLES --flush
      $IPTABLES --flush FORWARD
      $IPTABLES --flush INPUT
      $IPTABLES --flush OUTPUT
      $IPTABLES --table nat --flush
      $IPTABLES --table nat --delete-chain
      $IPTABLES --table mangle --flush
      $IPTABLES --table mangle --delete-chain
      $IPTABLES --delete-chain
    }
    

    To make this solution permanent find the file "reset_iptables" and edit it.
    Usually this file is located at /usr/share/fwbuilder-your_fwbuilder_version/configlets/linux24/reset_iptables
    This solution works for kernel versions 2 and 3.

    Regards,
    Carlos.
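
For the failure Vadim traces above (reset never clears the tables, so the next chain creation fails with "chain already exists") and the replacement cbastos posts, here is an added example that is neither fwbuilder's reset_iptables configlet nor either poster's code. It keeps the original's policy step, takes the table list from /proc/net/ip_tables_names only when that file is present and non-empty, falls back to filter/nat/mangle otherwise, and resets at table level so no `iptables -L` parsing is needed; the `IPTABLES`, `DRY_RUN` and `WAIT` variables are assumptions of this example, and it only prints the commands unless run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not fwbuilder's own reset_iptables configlet. It takes the
# table list from /proc/net/ip_tables_names when the kernel exposes it and
# falls back to filter/nat/mangle otherwise, so a missing or empty list can
# no longer leave stale chains behind ("chain already exists"). Flushing and
# deleting at table level (-F / -X without a chain argument) avoids parsing
# `iptables -L` output altogether.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; run DRY_RUN=0 as root to apply

# iptables 1.4.20 and later accept -w to wait for the xtables lock instead of
# failing with the lock error mentioned in the thread; detect it once.
WAIT=""
if command -v "$IPTABLES" >/dev/null 2>&1 && "$IPTABLES" --help 2>/dev/null | grep -q -- '--wait'; then
  WAIT="-w"
fi

# Run one iptables command, or print it in dry-run mode.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$IPTABLES${WAIT:+ $WAIT} $*"
  else
    "$IPTABLES" $WAIT "$@"
  fi
}

# Tables to reset: the kernel's own list if present and non-empty, else the
# standard tables a generated fwbuilder script touches.
list_tables() {
  if [ -s /proc/net/ip_tables_names ]; then
    cat /proc/net/ip_tables_names
  else
    printf 'filter\nnat\nmangle\n'
  fi
}

reset_iptables_v4() {
  # Default-deny on the built-in filter chains first, as the generated script does.
  ipt -P OUTPUT DROP
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  # Flush every chain, then delete all user-defined chains, in every table.
  for table in $(list_tables); do
    ipt -t "$table" -F
    ipt -t "$table" -X
  done
}

reset_iptables_v4
```

In dry-run mode the printed command list is what would go into the "prolog" part of the script that Vadim mentions.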