Time period: 1 week, 2 weeks, 1 month, etc

2011-11-20
2013-03-05
  • Fajar Priyanto
    2011-11-20

    Hi all,
    I'm exploring fwbuilder 5.0.0.3568 and it's absolutely gorgeous! Very easy to use, intuitive, and quite comprehensive.
    Except that I need to be able to set up a policy based on a certain period of time, e.g. 1 week, 2 weeks, 1 month, etc.

    I know there is already a 'time column', but every time I need to calculate what date e.g. 2 weeks falls on.
    If not too much to ask, a standard 'self-calculating' time asset would be very handy.

    Thank you,
    Fajar.

     
  • Mike Horn
    2011-11-21

    Thanks for the kind words!  Firewall Builder can only generate commands that can be installed on the supported firewall platforms.  What firewall platform are you using and what's an example of the rule you want to generate?

     
  • Fajar Priyanto
    2011-11-30

    Hi Mike,
    Sorry I missed your reply.
    I'm using Ubuntu 10.04. By choosing the iptables version in the Fwbuilder settings, the time object works.

    The case I need time object is for example:
    A user requests that his VM can connect to the internet (tcp 80, 443) for "3 months".

    In Fwbuilder I have to do this:
    - Create the policy, put http group. No problem.
    - Create a new time object. In this case: From Nov 30, to Feb 28 (more or less). Put it into the rule. It works.

    But this will become a problem as time goes by. There will be numerous "Time Objects" in Fwbuilder, because for every user request I have to create a new Time Object. I cannot "reuse" the existing one, because it has a different time span.

    Don't you agree?

    Currently I use bash script for it:
    1. Create the iptables rules
    2. Create related cronjob to automatically delete the rule after the time period.
    It works, but not as elegant as Fwbuilder. That's why I want to use Fwbuilder if possible.

    I really hope the feature can be added to Fwbuilder.
    Thank you.

     
  • Vadim Kurland
    2011-11-30

    I understand the problem you are trying to solve, but I don't see how this can be helped. How do you propose this "self calculating" time object would work?

     
  • Fajar Priyanto
    2011-11-30

    Well, I'm no developer. Please pardon me if this sounds silly.

    1. Regarding the "self-calculating" time object.
    Fwbuilder would calculate the time needed every time the Time Object is put into a rule.
    So, for example: 1 month time object. Every time the user drags it into a rule, Fwbuilder would calculate the time start/stop, etc. in the rule.

    2. Regarding the "validity" of the rule related to the Time Object.
    a. The validity itself is already set in the iptables rules. So nothing to be done. Except, the invalid rule will keep staying in the policy. As time goes by, this could make the rule getting dirty by invalid/expired rules.
    b. Could there be a way for Fwbuilder to clean up expired rules based on the Time Object? I don't know how this could be achieved, internally in the Fwbuilder calculation or in the host itself. Maybe both. Maybe Fwbuilder can create a cronjob to check for the validity of the rules based on the Time Object.

     
  • Vadim Kurland
    2011-11-30

    Fwbuilder cannot compute the start time when the user drags an object into the rule. The problem with this is that there is nowhere for it to save the calculated start date. It could save it in the object, but that means you need a separate object for each user and rule, which is what you do not want to do.

    Fwbuilder could calculate the start date when you compile the policy and generate the iptables configuration with that start date and an end date 3 months in advance. However, this means it would recalculate it every time you recompile your rules. So, if you added a rule for user 1 today, then it would work fine until you need to add another rule for user 2, say a week from now. The time frame for user 1 would reset when you recompile the policy.

    Your idea with a cron job is probably the best one.

     
  • Fajar Priyanto
    2011-11-30

    Due to the nature of Fwbuilder that it will "replace" the current rules every time we compile and install, I can think of another approach:
    1. Create the rule as needed in Fwbuilder. Put something special in the comment, like: EXP 20120530 (Expired 2012-05-30) and the corresponding Time Object, maybe TO-123.
    2. Then using a script, input some info about the rules, and set cronjob to send email "reminder" to delete the rule and the Time Object.

    It's not a good solution, but gives some help in remembering to delete expired rules and Time Object.

     
  • Vadim Kurland
    2011-11-30

    If you can identify the VM by its IP address, then you could use the module "ipset" to build a rule to match a set of IP addresses and manage the set using a cron job outside of iptables and fwbuilder. See here:

    http://www.fwbuilder.org/4.0/docs/users_guide5/address-table-object.html

    specifically the section "5.2.14.1. Using Address Tables Objects with iptables IP Sets"

    Script generated by fwbuilder understands commands "reload_address_table", "add_to_address_table", "remove_from_address_table" which makes it easier to write a script to manage the list of ip addresses of the VMs. You still need to keep track of the expiration date for each VM somewhere.
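
The expiry tracking that the reply above leaves to an external script, as an added example that is not part of the original thread or of Firewall Builder: a per-VM ledger of address and expiry time, plus a prune step for cron. The set name, ledger path and ledger format are assumptions, and it calls `ipset` directly rather than the fwbuilder script commands named above, whose arguments the thread does not show.

```shell
#!/bin/sh
# Added example: expiry ledger for VM addresses held in an iptables IP set.
# SET_NAME and LEDGER are hypothetical names, not fwbuilder's own.
# Ledger line format (an assumption): "<ipv4> <expiry-epoch-seconds> <requester>"
SET_NAME="${SET_NAME:-vm_web_access}"
LEDGER="${LEDGER:-/etc/fw/vm_web_access.ledger}"
# Commands that change the live set; override them for a dry run.
ADD_CMD="${ADD_CMD:-ipset -exist add $SET_NAME}"
REMOVE_CMD="${REMOVE_CMD:-ipset -exist del $SET_NAME}"

# Accept only dotted-quad IPv4 so nothing else reaches the ledger or ipset.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# grant <ip> <days> <requester> [now-epoch]: ledger first, so a failed add is
# cleaned up by prune instead of leaving an address that never expires.
grant() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    case "$2" in ''|*[!0-9]*) echo "bad day count: $2" >&2; return 1 ;; esac
    now="${4:-$(date +%s)}"
    printf '%s %s %s\n' "$1" "$((now + $2 * 86400))" "$3" >> "$LEDGER" || return 1
    $ADD_CMD "$1"
}

# prune [now-epoch]: drop expired addresses from the set and print them.
# An entry whose removal fails stays in the ledger so the next run retries it.
prune() {
    now="${1:-$(date +%s)}"
    tmp="$LEDGER.tmp.$$"
    : > "$tmp" || return 1
    while read -r ip expiry who; do
        [ -n "$ip" ] || continue
        if [ "$expiry" -le "$now" ] && valid_ipv4 "$ip" && $REMOVE_CMD "$ip"; then
            echo "$ip"
        else
            echo "$ip $expiry $who" >> "$tmp"
        fi
    done < "$LEDGER"
    mv "$tmp" "$LEDGER"
}

# Entry point: "grant 192.0.2.10 90 alice" by hand, "prune" from a daily cron job.
case "${1:-}" in grant) shift; grant "$@" ;; prune) prune ;; esac
```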

     
  • Fajar Priyanto
    2011-11-30

    I see. Interesting approach.

    So with this I'd do:
    - Set the rules needed in Fwbuilder. Probably need to think of commonly requested rules by the users. And prepare the ipset.
    - Write a script to delete expired IP from the ipset files.

    Advantage:
    - Less manual work in deleting expired rules.

    Disadvantage:
    - Only works best if the rules needed can be easily "grouped". May become complex in the long run.

    Ok let me think about it :)

    One last thing. Can Fwbuilder log any changes we make in the policy? This is important to audit or backtrack if we need to.

     
  • Vadim Kurland
    2011-11-30

    About logging: you can have the log if you enable RCS support in the GUI. Then, every time you make a change and exit the program, it will ask you to enter a log record describing the change you made.

    http://www.fwbuilder.org/4.0/docs/users_guide5/rcs.html

     
  • Fajar Priyanto
    2011-11-30

    Excellent. Sorry I missed that.
    Thanks a lot for your kind help, Vadim.
    Much appreciated.