Firewall GUI

Loye Young loye.young at
Thu Oct 11 16:10:46 UTC 2007

> I would like to replace my IPCop router with an Ubuntu Command line
> system to which I can then add some additional functionality such as VPN
> server, but the major hurdle is that Ubuntu does not provide an easy GUI
> to administer the server. 
I built a network router and firewall for my former employer, using an old PII 
350Mhz machine we had lying around. I used Firewall Builder (fwbuilder), and 
I liked it very much. It has a comfortable GUI and provides several 
out-of-the-box configurations that give you a head start on configuring your 
firewall and router. The router performed as well as one costing several 
thousand dollars, and it was essentially free. 

Firewall and router administration inherently requires an understanding of a 
lot of technical information, but Firewall Builder makes it very, very easy 
to get started. It can configure many kinds of hardware (The table below 
lists the operating systems that it can run. )

Table 1. 
Firewall	OS
iptables	Linux (kernel 2.4.x and 2.6.x)
ipfilter	FreeBSD, OpenBSD, Solaris
ipfw		FreeBSD, MacOS X
pf		OpenBSD

Table 2. Operating Systems Firewall Builder has been ported to
OS			Distributions and versions			Are binary packages available
Linux			RedHat 9.0, Mandrake 10, SuSe 9.1	yes
			Ubuntu							yes
FreeBSD		5.3								ports are available
Mac OS X		10.2.3 and newer					Package is available at
Windows XP	SP1 and SP2	Package is available at

The GUI would be installed on a client machine. The GUI is built with QT, so 
it depends on the libqt3-mt library, but doesn't drag in the KDE libraries. 

Then, when you have everything the way you like it, Firewall Builder compiles 
the policy and uses ssh to install on the server. Once on the server, the 
scripts can be edited by hand, or you can simply make the change on the 
client GUI and recompile and send to the server. 

Policy compiler for iptables generates a shell script that configures 
interfaces of the firewall using information entered in the GUI, adds virtual 
addresses if needed and activates firewall policy. Script checks pre-existing 
configuration of the interfaces and does not make any changes if all 
addresses are already configured. This means it won't break anything if you 
use standard configuration tools provided by your OS and then run this 

Policy compiler for ipfilter generates three 
files: "firewall.fw", "firewall-ipf.conf" and "firewall-nat.conf" 
(where 'firewall' is the name of the firewall opbject). The first 
file, "firewall.fw", is a shell script that configures interfaces and loads 
firewall policy from the other two files using /sbin/ipf and /sbin/ipnat. So, 
if you use this autogenerated shell script, then the answer is yes, 
interfaces will be configured. If you don't use this script and rely on the 
standard scripts provided by FreeBSD, then the answer is no.

Just like in case of ipfilter, policy compiler for pf creates initialization 
script in the file "firewall.fw" and a configuration file "firewall.conf". If 
you use generated script "firewall.fw", then it will configure interfaces of 
the firewall and load the policy. If you do not use it and simply 
copy "firewall.conf" file and rename it as "/etc/pf.conf", then you need to 
make all configuration using standard scripts available in OpenBSD 

fwbuilder has a built-in RCS, so if you make a mistake in the configuration, 
you can always roll back to a prior revision.

It did take me a little bit to get the hang of it, but that was mostly due to 
my ignorance in how routers and firewalls work. I will say that fwbuilder 
accelerated my learning because it let me focus on the concepts instead of 
the syntax how to set up a routing table. 

Give it a whirl and tell us what you think. 

Happy Trails, 

Loye Young
Isaac & Young Computer Company
Laredo, Texas

More information about the ubuntu-server mailing list