FCT - Firewall Configuration Tool (V.1.0.7)

The Firewall Configuration Tool (FCT) is a configuration tool for setting up a firewall on a UNIX host with an HTML browser like Netscape.

Contents

  - Syntax
  - Start / Stop a single Service
  - Logfiles
  - How does it work
  - Directory Structure
  - Installation
  - Configuration
  - Todo

Syntax

The firewall is started with the following command:

firewall [-t] [-v] [-s] start | stop

Command        Options                      Description
-------------  ---------------------------  ------------------------------------------------------------
firewall       start                        Start the firewall with all defined services.
               stop                         Stop the firewall. All is allowed, nothing will be filtered.
               -t                           Run only in test mode: create the ./rules/<service>.rules
                                            and the ./log/<logfile>.
               -v                           Run in verbose mode: print each ipfwadm command.
               -s                           Use the setup files from the './setup' dir instead of
                                            the 'rules' files.
fw-rules       [-t][-v] <service> [del]     Add/delete the rules for a single service.
create_rules                                Read the configuration files and create all files found
                                            in the rules directory.
               [<service>]                  Only create the rules for <service>; default is "all".
               [Firewall]                   Only create the rules for Firewall.
save_config    [filename]                   Save the configuration files in a tar file, so you can
                                            put them on another host; FCT-config.tar is the default.
reset                                       Reset all rules, same as 'firewall stop'.


Example

This lists all commands that are used to configure the whole firewall with all services:

root:/var/adm/FCT# ./firewall -t -v start

This deletes all commands that are used to activate the firewall:

root:/var/adm/FCT# ./firewall stop

This may be used to start up the (already set up) firewall:

root:/var/adm/FCT# ./firewall -s start

Start / Stop a single Service

You can start or stop every service by hand with the following command:

root:/var/adm/FCT# ./fw-rules [-t] [-v] [-s] <service> [add | del]

<service> is one of your defined services, the firewall-services ("Firewall") or the trusted-hosts services ("Trusted").

Example

This lists all commands that are used to configure the telnet service:

root:/var/adm/FCT# ./fw-rules -t -v telnet [add]

root:/var/adm/FCT# ./fw-rules telnet del

The above deletes all commands that are used to configure the telnet service from the current firewall setup, which means that telnet is no longer available.

Logfiles

The firewall generates large logfiles which are stored in the ./log directory:

  - services.log - lists all processed services by name
  - ipfwadm.log  - lists all ipfwadm commands (very long)
  - ipchains.log
  - ipF.log

How does it work

The Firewall Configuration Tool uses different types of (/bin/sh) config files:

  etc/net.cfg                 Main network definitions like domainname etc.
  etc/fw.cfg                  Connections allowed from/to the firewall
  etc/services.cfg            Connections allowed from/to the internal / perimeter networks
  etc/trusted.cfg             Definition of some trusted IPs - there are no restrictions for them
  etc/aliases.cfg             Definition of some variables that are used in the FCT
  etc/config/<service>.def    The necessary IP-connections for each service
  etc/config/<service>.flt    Source and destination for each service
  rules/<service>.rules       Rules to set up the services
  setup/<service>.rules       Scripts/commands to set up the services

These are the main definitions for the Firewall Configuration Tool. The available services (Firewall and Configuration) are defined in etc/fw.cfg and etc/services.cfg. The connections that are used by a service have to be defined to make the service available.

The necessary IP-connections (Definition) for each service are defined in (/bin/sh) config files; they reside in etc/config/<service>.def. The definitions can be edited and new definitions may also be added.

In order to be more flexible than just enabling/disabling services, we define a source and destination (Screening) for each service in the (/bin/sh) config files etc/config/<service>.flt. These definitions are used to set up a screened subnet architecture.

Now we have config files with information about

  - the availability of a service,
  - the IP-connections used by a service,
  - the source and destination of a service.

This information is used to generate an executable script(!), which runs the corresponding ipfwadm commands. This script file contains the rules to set up the services as defined in the above config files. I call these files "rules-files" and they are stored in etc/rules/<service>.rules.

We have to create the rules files (Rules) for each service we want to use. We need all of the above information to be able to do that.

Additionally it should be possible to define external hosts of our network. These are Trusted hosts and are defined in etc/trusted.cfg. They are not restricted in any service - be careful using them.

There is a difference between the service rules for the firewall and the service rules for other hosts. The firewall works as a gateway if neither the source nor the destination of the connection is the firewall itself. A gateway has two different network interfaces and needs IP-forwarding between these two interfaces. That's the reason for the different setup of these two types.

In general a firewall shouldn't be used much as a normal host - its primary focus should be a very secure firewall host and nothing else. And a working firewall shouldn't need to be changed very often. You should only set up a minimal set of services on the firewall itself - maybe an incoming ssh from a special host to administrate the firewall is enough. So the setup of the services for the firewall itself isn't very comfortable; you don't want to use it very often ;-)

Because all config files are shell scripts, it is possible to define variables (Aliases) and use them in the configuration masks. See the file etc/aliases.cfg for some variables.

The only function that remains is the testing (Test) of the current setup. You have to evaluate the ipfwadm commands by hand, and you should do that meticulously!

As described above, the etc/rules directory contains all executable scripts to set up the firewall. These scripts are executed by the firewall command in a specific order:

  1. Firewall.rules - setup all services used by the firewall
  2. Firewall/<service>.rules - see above
  3. Trusted.rules - trusted host rules
  4. <lower-case service>.rules - all lower-case written *.rules files
  5. <upper-case service>.rules - all upper-case written *.rules files (must be setup by hand!)
  6. General.rules - general rules for the firewall (default policy is deny!)
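The following is an added example, not part of FCT, that reproduces the execution order listed above in a small POSIX shell driver and shows what the -t test mode of the firewall command amounts to (listing instead of running). It assumes a rules directory laid out as described on this page; the function names fct_rules_order and fct_run are my own.

```shell
#!/bin/sh
# Added example, not part of FCT: a small driver that reproduces the
# execution order of the rules files listed above. With -t (test mode)
# the files are only listed, as the firewall command does, instead of run.
# Assumes a rules directory laid out as on this page (Firewall.rules,
# Firewall/*.rules, Trusted.rules, <service>.rules, General.rules).

# fct_rules_order DIR: print the rules files below DIR, one per line,
# in the order the firewall command executes them.
fct_rules_order() {
    dir=$1
    # 1. services used by the firewall host itself
    [ -f "$dir/Firewall.rules" ] && echo "$dir/Firewall.rules"
    # 2. per-service rules for the firewall host
    for f in "$dir"/Firewall/*.rules; do
        [ -f "$f" ] && echo "$f"
    done
    # 3. trusted host rules
    [ -f "$dir/Trusted.rules" ] && echo "$dir/Trusted.rules"
    # 4. lower-case service rules (telnet.rules, html.rules, ...)
    for f in "$dir"/[[:lower:]]*.rules; do
        [ -f "$f" ] && echo "$f"
    done
    # 5. upper-case service rules (set up by hand), skipping the
    #    three fixed files handled in steps 1, 3 and 6
    for f in "$dir"/[[:upper:]]*.rules; do
        case "${f##*/}" in
            Firewall.rules|Trusted.rules|General.rules) ;;
            *) [ -f "$f" ] && echo "$f" ;;
        esac
    done
    # 6. general rules last (default policy is deny)
    [ -f "$dir/General.rules" ] && echo "$dir/General.rules"
    return 0
}

# fct_run DIR [-t]: execute the rules files in order; with -t only
# report what would run (test mode) and execute nothing.
fct_run() {
    dir=$1; mode=${2:-run}
    fct_rules_order "$dir" | while read -r f; do
        if [ "$mode" = "-t" ]; then
            echo "testmode: would run $f"
        else
            # exit leaves the pipeline subshell, so fct_run returns 1
            /bin/sh "$f" || { echo "failed: $f" >&2; exit 1; }
        fi
    done
}
```

Because General.rules (default policy deny) is always last, a missing or mis-named service file simply leaves that service blocked rather than open.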

I think that's all. Good luck.

Directory Structure of the FCT

The table below lists the most important directories and their usage in FCT:

Directory    Remark                                      Example
-----------  ------------------------------------------  ------------------------------------
.            executable commands                         firewall
html         the html-files                              index.htm, firewall.htm, archit.htm, ...
cgi-bin      process the html-forms,                     form_xxx.cgi,
             fill the html-forms with the definitions,   fill_xxx.cgi,
             create the IP-filtering rules,              create_xxx.cgi,
             other stuff                                 ...
log          all IP-filter commands,                     ipfwadm.log, ipchains.log, ipF.log
             all services which are processed            services.log
etc/config   the definition of the service,              telnet.def, html.def, ...
             the screening rules for the service         telnet.flt, html.flt, ...
etc          config-files for basic configuration        net.cfg, fw.cfg, aliases.cfg, ...
rules        the IP-filtering rules                      telnet.rules, html.rules, ...
setup        the IP-filter commands for each service     telnet.rules, html.rules, ...


Installation

The "Firewall Configuration Tool" (FCT) is designed to be installed
in the directory '/var/adm/FCT':
    su - root
    cd /var/adm
    tar xvzf firewallct-*.tgz
(You can use any other directory for installation,
 but this is not fully supported.)

You have to set up a path '/FCT' on your HTTP server which points
to the installation directory. If you use the Apache http server, insert the
following lines in

- conf/srm.conf:
ScriptAlias /FCT/cgi-bin/ /var/adm/FCT/cgi-bin/
Alias /FCT /var/adm/FCT

 - conf/access.conf:
<Directory /var/adm/FCT/cgi-bin>
  Options ExecCGI
</Directory>

Send your httpd a SIGHUP signal to re-read the config-files.

Set the access rights for the directories where the configuration and log files
will be stored:

   cd /var/adm/FCT
   ./Install.sh [-strict] [[-cgi] [wwwrun]]

Now open '/FCT/html/index.htm' in your browser and configure your firewall.

Configuration

There are some often-used configurations for a firewall in the directory 'etc/default':

  - single-dynamic-IP.tar: reflects my personal configuration at home, which handles a dynamic IP with PPP!
  - network-fixed-IP.tar:  firewall with its own IP and an internal network on device eth0

The sample configurations are activated with the following command:

root:/var/adm/FCT# tar xvpf samples/single-dynamic-IP.tar

Choose the configuration which best fits your network and edit it in an HTML browser like Netscape Communicator.
You can save your configuration with the following command:

root:/var/adm/FCT# ./save_config [filename.tar]

The default filename is 'FCT-config.tar'.

If you don't want to run an HTTP server on your firewall to set up the firewall configuration files, it's a good idea to install the FCT twice: on your HTTP server and on your firewall. Configure your firewall on your HTTP server and save the resulting configuration as mentioned above. Then "untar" the saved configuration on your firewall and you're done.

By the way: don't forget to create the "rules" files, because these are the files the firewall shell script executes!
 

Todo

 

  - Yes, the documentation ;-)
  - FAQ list
  - I think the "sf Firewall Software" also needs a configuration tool for setup; maybe the FCT is a good starting point ... (the perl-Tk interface would also offer a good configuration interface)
  - ... and thousands of other things.

Comments and suggestions are welcome.

 

(c) 1998-April 2000 J. Friedrich