Build a Better Firewall-Linux HA Firewall Tutorial

Tired of maintaining your expensive commercial firewalls? Check out how combining Firewall Builder with a Linux HA firewall pair can provide a big solution at a low price.
Deploying the Rules to the Cluster

The final step in the process is generating the firewall scripts and installing them on the firewall cluster members. To keep the article short, I'm using the root user to install the Firewall Builder-generated firewall scripts on the firewall servers, but Firewall Builder also supports using nonroot users with proper sudo rights. This is covered in the on-line Users Guide.

Before you can install the rules on the cluster member, firewalls create a directory called /etc/fw on both lj-fw-1 and lj-fw-2 servers. This is the default location where Firewall Builder will install the generated firewall script.

As previously mentioned, the process where Firewall Builder converts the rules into a firewall script that will be run on the firewall is called compiling the rules. To compile and use the built-in installer to deploy the rules, click on the Install button at the top of Firewall Builder to launch the install wizard.

Click the check box next to the cluster name, and make sure the Install check boxes are selected for both lj-fw-1 and lj-fw-2. If there are any errors in the configuration, the compiler will display these; otherwise, you will see a dialog window (Figure 9) showing that the cluster was compiled successfully. When the cluster is compiled, a firewall for each member of the cluster is created and saved locally on the machine where Firewall Builder is running.

Figure 9. Cluster Compiler Status Window

Clicking Next on this window launches the installer dialog window (Figure 10). Each firewall in the cluster will have its own installer window. The installer uses SCP to transfer the firewall script that was generated for the cluster member to the firewall. After the firewall script is copied, Firewall Builder logs in using SSH to run the script. The installer includes an option to run in verbose mode, which displays each command as it is being run on the remote firewall. After the install completes, a new installer appears for lj-fw-2, and the same process is repeated.

Figure 10. Installer Window for Cluster Member lj-fw-1

This article just skims the surface of using Firewall Builder to configure firewall clusters. You can find much more information in the Firewall Builder Users Guide, including how to install custom policies on an individual cluster member, which is available on-line at the NetCitadel Web site.

Mike Horn is the co-founder of NetCitadel LLC, the company that develops and supports Firewall Builder. He has worked on network and security technologies for more than 15 years at companies ranging from small startups to large global Internet Service Providers.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Hi, if i set in my policy a

LukeLuke1979's picture

if i set in my policy a NAT or route, the fwbuilder (compile and install process) set in auto the new routing entry and create the virtual ip address for the NAT ?

And when the active node switch, will be removed this ip addresses in auto ?