Build a Better Firewall-Linux HA Firewall Tutorial
About Firewall Builder
Originally started in 2000, Firewall Builder is an open-source project with thousands of users around the world using it to manage production firewalls. In addition to iptables, Firewall Builder also includes support for configuring BSD pf, Cisco ASA, PIX and FWSM firewalls, Cisco router access, ipfw and ipfilter firewalls. Commercial licenses are available for prebuilt MS Windows and Mac OS X packages.
The focus of this article is using Firewall Builder's cluster feature to manage a single firewall policy for the HA firewall pair, but let's start with a quick overview of a few key Firewall Builder concepts.
Objects form the foundation of the Firewall Builder GUI. Objects are used to represent common firewall rule elements, such as IP networks, IP hosts and TCP and UDP protocols. Firewall Builder comes with hundreds of predefined objects for common elements, like well-known TCP services. The same object can be used in firewall rules on multiple firewalls, letting users define an object once and use it as many times as needed.
After a firewall object has been created and rules have been configured for that firewall, Firewall Builder generates a script that will be run on the target firewall server to implement the firewall rules that were defined in the GUI. The process of creating this script is called compiling the firewall rules. The generated firewall script also can be used to manage interface IP addresses, static routes and various system settings.
For more information about Firewall Builder basics, go to the NetCitadel Web site (see Resources), which includes a comprehensive Users Guide.
Now, let's dive in to configuring the firewall cluster with Firewall Builder. In order to create an HA firewall pair, called a cluster in Firewall Builder, you first need to configure the individual firewall objects that will be members of the cluster.
Click the Create new firewall button in the middle of the main window to launch the new firewall wizard that provides a series of dialog windows to walk you through the process of creating a new firewall object.
Set the firewall name (lj-fw-1) and platform type (iptables) in the first dialog and click the Next button. Leave the default setting of “Configure interfaces manually” on the next dialog window, and click the Next button. The final dialog window is where the interfaces for the firewall are defined. Follow the steps shown below to add the interfaces for the lj-fw-1 firewall.
Step 1: click the green + sign to create a new interface:
Set the interface name to “eth0”.
Set the interface label to “outside”.
Click the Add address button.
Enter 192.168.1.2 with Netmask of 255.255.255.0.
Step 2: click the green + sign to create a new interface, and repeat the steps from Step 1 to configure eth1 (“eth1”, “inside”, 10.1.1.2, 255.255.255.0).
Step 3: click the green + sign to create a new interface, and repeat the steps from Step 1 to configure eth2 (“eth2”, “synch”, 192.168.100.2, 255.255.255.0).
Step 4: click the green + sign to create a new interface, and repeat the steps from Step 1 to configure lo (“lo”, “loopback”, 127.0.0.1, 255.0.0.0).
Figure 2 shows an example of the interface dialog window after the first interface, eth0, has been defined. Once all interfaces are configured, click the Finish button to create the firewall object.
The newly created firewall object will be displayed in the object tree in the left object tree panel. Right-click on the lj-fw-1 object and select Duplicate→Place in Library User from the menu. This creates an exact copy of lj-fw-1 in the object tree and opens it for editing in the editor panel at the bottom of the screen.
Rename the newly created firewall object to lj-fw-2. Click “Yes” on the warning message that is displayed about changing the name of all child objects. The lj-fw-2 firewall object will show in the object tree with all its child objects expanded.
When the firewall is duplicated, the interface IP addresses on the new firewall are the same as the interface IP addresses on the original firewall. Update the interface IP addresses to match the correct IP addresses for the eth0 interface on the lj-fw-2 firewall as shown in Figure 3. Repeat this process for IP addresses of interfaces eth1 and eth2.
The final step is to identify the interface that will be used to manage each of the lj-fw-1 and lj-fw-2 firewalls. This will be used later by the installer to determine which IP address to use to connect to the firewall. Double-click on the interface object named “eth1” of the lj-fw-1 firewall to open it for editing and check the box labeled “Management interface” in the editor panel. Repeat the process for the lj-fw-2 firewall.
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- Tech Tip: Really Simple HTTP Server with Python
- Readers' Choice Awards
- Please correct the URL for Salt Stack's web site
17 min 15 sec ago
- Android is Linux -- why no better inter-operation
2 hours 32 min ago
- Connecting Android device to desktop Linux via USB
3 hours 1 min ago
- Find new cell phone and tablet pc
3 hours 59 min ago
5 hours 28 min ago
- Automatically updating Guest Additions
6 hours 36 min ago
- I like your topic on android
7 hours 23 min ago
- Reply to comment | Linux Journal
7 hours 44 min ago
- This is the easiest tutorial
13 hours 58 min ago
- Ahh, the Koolaid.
19 hours 37 min ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?