loye.young at iycc.net
Thu Oct 11 16:10:46 UTC 2007
> I would like to replace my IPCop router with an Ubuntu Command line
> system to which I can then add some additional functionality such as VPN
> server, but the major hurdle is that Ubuntu does not provide an easy GUI
> to administer the server.
I built a network router and firewall for my former employer, using an old PII
350MHz machine we had lying around. I used Firewall Builder (fwbuilder), and
I liked it very much. It has a comfortable GUI and provides several
out-of-the-box configurations that give you a head start on configuring your
firewall and router. The router performed as well as one costing several
thousand dollars, and it was essentially free.
Firewall and router administration inherently requires an understanding of a
lot of technical information, but Firewall Builder makes it very, very easy
to get started. It can configure many kinds of hardware (The table below
lists the operating systems that it can run.)

iptables    Linux (kernel 2.4.x and 2.6.x)
ipfilter    FreeBSD, OpenBSD, Solaris
ipfw        FreeBSD, MacOS X

Table 2. Operating Systems Firewall Builder has been ported to

OS          Distributions and versions          Are binary packages available
Linux       RedHat 9.0, Mandrake 10, SuSe 9.1   yes
FreeBSD     5.3                                 ports are available
Mac OS X    10.2.3 and newer                    Package is available at
Windows     XP SP1 and SP2                      Package is available at http://www.netcitadel.com/

The GUI would be installed on a client machine. The GUI is built with QT, so
it depends on the libqt3-mt library, but doesn't drag in the KDE libraries.
Then, when you have everything the way you like it, Firewall Builder compiles
the policy and uses ssh to install on the server. Once on the server, the
scripts can be edited by hand, or you can simply make the change on the
client GUI and recompile and send to the server.
Policy compiler for iptables generates a shell script that configures
interfaces of the firewall using information entered in the GUI, adds virtual
addresses if needed and activates firewall policy. Script checks pre-existing
configuration of the interfaces and does not make any changes if all
addresses are already configured. This means it won't break anything if you
use standard configuration tools provided by your OS and then run this
Policy compiler for ipfilter generates three files: "firewall.fw",
"firewall-ipf.conf" and "firewall-nat.conf" (where 'firewall' is the name
of the firewall object). The first
file, "firewall.fw", is a shell script that configures interfaces and loads
firewall policy from the other two files using /sbin/ipf and /sbin/ipnat. So,
if you use this autogenerated shell script, then the answer is yes,
interfaces will be configured. If you don't use this script and rely on the
standard scripts provided by FreeBSD, then the answer is no.
Just like in case of ipfilter, policy compiler for pf creates initialization
script in the file "firewall.fw" and a configuration file "firewall.conf". If
you use generated script "firewall.fw", then it will configure interfaces of
the firewall and load the policy. If you do not use it and simply
copy "firewall.conf" file and rename it as "/etc/pf.conf", then you need to
make all configuration using standard scripts available in OpenBSD
fwbuilder has a built-in RCS, so if you make a mistake in the configuration,
you can always roll back to a prior revision.
It did take me a little bit to get the hang of it, but that was mostly due to
my ignorance in how routers and firewalls work. I will say that fwbuilder
accelerated my learning because it let me focus on the concepts instead of
the syntax of how to set up a routing table.
Give it a whirl and tell us what you think.
Isaac & Young Computer Company
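
The idempotent behaviour described in the message above (the generated script checks the interfaces' existing configuration and makes no changes if all addresses are already configured) can be sketched as follows. This is an added example, not part of the original message and not Firewall Builder's generated code; the function names, the interface names and the sample `ip -o -4 addr show` output are constructed assumptions.

```shell
#!/bin/sh
# Sketch of an idempotent address check (assumed names; not fwbuilder output).
# plan_addr_changes IFACE "WANTED..." reads `ip -o -4 addr show` style lines
# on stdin and prints only the `ip addr add` commands that are still needed.
plan_addr_changes() {
    iface=$1
    wanted=$2
    # In one-line output, field 2 is the interface and field 4 the address/prefix.
    current=$(awk -v dev="$iface" '$2 == dev && $3 == "inet" { print $4 }')
    for addr in $wanted; do
        found=no
        for have in $current; do
            if [ "$have" = "$addr" ]; then found=yes; fi
        done
        # Emit a command only for addresses that are not configured yet,
        # so re-running the script on a configured box changes nothing.
        if [ "$found" = no ]; then
            echo "ip addr add $addr dev $iface"
        fi
    done
}

# Constructed sample of `ip -o -4 addr show` output (documentation addresses).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1'

# Dry run against the sample: prints the plan instead of executing it.
plan_for_sample() {
    printf '%s\n' "$SAMPLE" | plan_addr_changes "$1" "$2"
}

# eth0 already has 192.0.2.1/24, so only the virtual address is planned.
plan_for_sample eth0 "192.0.2.1/24 192.0.2.10/24"
```

On a live system the function would be fed `ip -o -4 addr show` directly, and the printed commands reviewed before being run as root.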