HowTo define Obj aliases, & use in F...

pgnd
2010-10-20
2013-03-05
  • pgnd

    pgnd - 2010-10-20

    my FWB firewall addresses multiple LAN boxes.
    each box has the usual host/IP object defined in FWB, e.g.,
    box1.loc 192.168.1.1, name = BOX1
    box2.loc 192.168.1.2, name = BOX2
    box3.loc 192.168.1.3, name = BOX3
    ( etc )
    any given box may have multiple host services running, e.g.
    box1.loc
    dns,  port 53
    imap, port 143
    box2.loc
    smtp, port 25
    box3.loc
    smtp, port 25
    www,  port 443
    ( etc )
    when writing a manual firewall script, i typically define/assign alias $VARs to the various services, e.g. effectively,
    LAN_DNS    = '$IP(box1.loc)'
    LAN_IMAP   = '$IP(box1.loc)'
    LAN_SMTP_1 = '$IP(box2.loc)'
    LAN_SMTP_2 = '$IP(box3.loc)'
    and then, in firewall rules, since my rule logic/workflow are in fact SERVICE related, i reference the service/host aliases, e.g., ${LAN_DNS}.
    this is of particular value when the # of LAN boxes, and services they host is large &/or frequently changing.
    how is this best accomplished within FWB gui?
    I can certainly define alias VARs in the preload script.  not clear if I can then reference those VARs in/via the GUI.  in any case, such assignments in preload are hardly dynamic.

  • Mike Horn

    Mike Horn - 2010-10-21

    When you use Firewall Builder you don't need to define variables for things like server IP addresses, instead you use objects to manage that.  Instead of creating a variable with box1.loc = 192.168.1.1 you would create an Addresses object in the tree and call it box1 and set its IP address attribute to 192.168.1.1.

    If you have multiple servers that are performing the same function, for example DNS servers, you can create a Group object for this and place the Addresses objects of the DNS servers in to this group.  Then when you write a rule you can use this Group object and Firewall Builder will automatically include all the DNS servers in the group in the generated rule.

    If you are just getting started with Firewall Builder there are a few documents I would suggest taking a look at:

    http://www.fwbuilder.org/4.0/quick_start_guide.html
    http://www.fwbuilder.org/4.0/docs/users_guide/

  • pgnd

    pgnd - 2010-10-21

    sorry, that doesn't address the issue of my question.
    let's try again.
    yes, i'm aware I can "create an Addresses object in the tree and call it box1 and set its IP address attribute to" 1.2.3.4  ...
    i have an individual box serving multiple functions.
    e.g., box @ ip = 1.2.3.4
    as above, i create an addressobject "BOX1". w/ IP = 1.2.3.4.
    that one box provides multiple services.  currently, those are,
    DNS_SERVER (port 53)
    IMAP_SERVER (port 145)
    WEB_SERVER (port 80)
    now, i want to:
    "point" the VAR "DNS_SERVER"  at $BOX1
    "point" the VAR "IMAP_SERVER" at $BOX1
    "point" the VAR "WEB_SERVER"  at $BOX1
    i.e., create addressobject "aliases" ( for lack of a currently better term),
      DNS_SERVER  = $BOX1
      IMAP_SERVER = $BOX1
      WEB_SERVER  = $BOX1
    not create new AddressObjects, each assigned the same IP.
    then, i want to construct my policy rules using, e.g., the $DNS_SERVER alias NOT the $BOX1 alias.
    in this way, if i at some time choose to move only ONE service, say $DNS_SERVER, to another BOX, i only have to change the alias in one place.

  • Vadim Kurland

    Vadim Kurland - 2010-10-21

    you can create a group object with name "DNS_SERVER" and put address object "box1" into this group. Then you use the group object in your firewall rules. If at some point you move dns to another host, all you need to do is create new address object "box2" and put it into the same group and remove box1 from it. This way, you don't have to touch your rules because rules refer to the group rather than actual address objects.

  • Mike Horn

    Mike Horn - 2010-10-21

    Firewall Builder doesn't support the concept of "aliases", but I'm not sure I understand how changing an alias and changing the attribute of an address object are different.  Apologies if I'm not correctly understanding your question.

    In your example you want:

    DNS_SERVER = $BOX1 (1.2.3.4)
    IMAP_SERVER = $BOX1 (1.2.3.4)

    This is so you can write a bunch of rules that use the $DNS_SERVER alias.  Then in the future you might move the IMAP service to a different server, so now you change the alias like so:

    IMAP_SERVER = $BOX2 (5.6.7.8)

    Since in your rules you used the IMAP_SERVER alias you only make one change and all the affected rules are updated.

    This is basically the same if you have an Addresses object called IMAP_SERVER with IP address 1.2.3.4 and then you change its IP address to 5.6.7.8.  This change will automatically take effect in all your rules that use the IMAP_SERVER object so you only need to make one change.

    I hope that helps and again sorry if I'm not understanding your question correctly.
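
    The point made in the two answers above (rules refer to a service-named Group or Address object by name, so a move is a one-place edit) as a small model, added here and not code from the thread or from Firewall Builder itself. The object tree, host names, addresses and ports are constructed sample values, and the iptables-style output is a simplification of what the real policy compiler emits.

```python
"""Model of Firewall Builder's object/group resolution (added example).

This is not Firewall Builder's own code. It models Address objects, Group
objects and policy rules that reference them by name, then renders
iptables-style lines, to show why naming a Group (or an Address object)
after the service gives the "change it in one place" behaviour asked for
above. All host names, IPs and ports are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Address:
    """A host/IP object, like an Addresses object in the FWB tree."""
    name: str
    ip: str


@dataclass
class Group:
    """A Group object: a named set of Address objects (nesting allowed)."""
    name: str
    members: List[Union[Address, "Group"]] = field(default_factory=list)


@dataclass
class Rule:
    """A policy rule that refers to an object by name, never to a raw IP."""
    dst: str      # name of an Address or Group object in the tree
    proto: str
    dport: int


Obj = Union[Address, Group]


def resolve(obj: Obj) -> List[str]:
    """Expand an object to the IPs it stands for; groups recurse."""
    if isinstance(obj, Address):
        return [obj.ip]
    ips: List[str] = []
    for member in obj.members:
        for ip in resolve(member):
            if ip not in ips:  # same host listed twice yields one rule
                ips.append(ip)
    return ips


def compile_rules(tree: Dict[str, Obj], rules: List[Rule]) -> List[str]:
    """Render one ACCEPT line per rule per resolved destination address.

    A group with no members (a service not hosted anywhere right now)
    simply produces no lines for its rules.
    """
    lines: List[str] = []
    for r in rules:
        for ip in resolve(tree[r.dst]):
            lines.append(f"-A FORWARD -d {ip} -p {r.proto} --dport {r.dport} -j ACCEPT")
    return lines


def move_service(group: Group, old: Address, new: Address) -> None:
    """Vadim's procedure: move a service by editing group membership only."""
    group.members = [m for m in group.members if m is not old] + [new]


def build_tree() -> Dict[str, Obj]:
    """Constructed sample tree: box1 hosts DNS, IMAP and web; box2 is spare.

    IMAP is modelled Mike's way (an Address object named after the service),
    DNS and web Vadim's way (a Group named after the service).
    """
    box1 = Address("box1", "192.168.1.1")
    box2 = Address("box2", "192.168.1.2")
    return {
        "box1": box1,
        "box2": box2,
        "DNS_SERVER": Group("DNS_SERVER", [box1]),
        "WEB_SERVER": Group("WEB_SERVER", [box1]),
        "IMAP_SERVER": Address("IMAP_SERVER", "192.168.1.1"),
    }


RULES = [
    Rule("DNS_SERVER", "udp", 53),
    Rule("IMAP_SERVER", "tcp", 143),
    Rule("WEB_SERVER", "tcp", 80),
]


def demo() -> Dict[str, List[str]]:
    """Compile the policy, move DNS to box2 and re-point IMAP, compile again."""
    tree = build_tree()
    before = compile_rules(tree, RULES)
    move_service(tree["DNS_SERVER"], tree["box1"], tree["box2"])  # group edit
    tree["IMAP_SERVER"].ip = "192.168.1.2"                        # attribute edit
    after = compile_rules(tree, RULES)
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    for stage in ("before", "after"):
        print(f"# {stage}")
        print("\n".join(result[stage]))
```

    Running it prints the three rules before and after the move: the RULES list is never edited, yet the DNS line now points at 192.168.1.2 (group membership changed) and the IMAP line as well (the object's IP attribute changed), while the web rule still points at box1.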

