fwbuilder(1) [debian man page]

fwbuilder(1)							 Firewall Builder						      fwbuilder(1)

NAME
       fwbuilder - Multiplatform firewall configuration tool

SYNOPSIS
       /usr/bin/fwbuilder [-ffile.fwb] [-d] [-h] [-ofile] [-Pobject_name] [-r] [-v]

DESCRIPTION
       fwbuilder is the Graphic User Interface (GUI) component of Firewall Builder.

       Firewall Builder consists of a GUI and a set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. The GUI generates a firewall description in the form of an XML file, which the compilers then interpret to generate platform-specific code. Several algorithms are provided for automated network object discovery and bulk import of data.

       The GUI and policy compilers are completely independent; this provides for a consistent abstract model and the same GUI for different firewall platforms. Firewall Builder supports firewalls based on iptables (Linux kernel 2.4.x and 2.6.x, see fwb_ipt(1)), ipfilter (variety of platforms including *BSD, Solaris and others, see fwb_ipf(1)), pf (OpenBSD and FreeBSD, see fwb_pf(1)), ipfw (FreeBSD and others), Cisco PIX (v6.x and 7.x) and Cisco IOS extended access lists.

OPTIONS
       -f FILE
              Specify the name of the file to be loaded when the program starts.

       -r     When this command line option is given in combination with -f file, the program automatically opens the RCS head revision of the file if the file is in RCS. If the file is not in RCS, this option does nothing and the file is opened as usual.

       -d     Turns on debug mode. Note that in this mode the program generates lots of output on standard error. This is used for debugging.

       -h     Prints a brief help message.

       -o file
              Specify the name of the file for the print output, see option "-P".

       -P object_name
              Print rules and objects for the firewall object "object_name" and immediately exit. The program does not go into interactive mode. Print output will be placed in the file specified with the "-o" option. If a file name is not given with option "-o", print output is stored in the file "print.pdf" in the current directory.

FILES
       $HOME/.qt/firewallbuilder2rc
              Fwbuilder v2.1 stores user preferences in this file.

       $HOME/.config/netcitadel.com/Firewall Builder.conf
              Fwbuilder v3.0 stores user preferences in this file.

URL
       Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/

BUGS
       Please report bugs using the bug tracking system on SourceForge: http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO
       fwblookup(1), fwb_ipt(1), fwb_ipf(1), fwb_pf(1)

FWB								      fwbuilder(1)

fwbedit(1)							 Firewall Builder							fwbedit(1)

NAME
       fwbedit - General purpose object tree editing tool

SYNOPSIS
       fwbedit command [options]

DESCRIPTION
       fwbedit is a general purpose object tree editing tool for Firewall Builder (see fwbuilder(1)). This tool can be used in shell scripts written for batch-processing of the Firewall Builder data files.

       Fwbedit can perform the following operations on the objects and the tree: create a new object, delete an existing object, modify attributes of an object, add a reference to the given object to a group, remove a reference to an object from a group, upgrade a data file, and check the object tree in the file and repair it if necessary.

       Both an object and a group can be defined by their ID or by their name and a full path in the tree (see section EXAMPLES below).

COMMANDS AND OPTIONS
       new -f file.fwb -t objtype -n name -p parent [-c comment] [-a attrs]
              Creates new object.

              -f file.fwb
                     data file

              -t objtype
                     create new object of this type

              -p parent
                     create new object as a child of this object. This parameter is mandatory. If you are adding an address to an interface, the corresponding interface object must be specified as the parent. Similarly, if you need to add an interface to a host or a firewall, the corresponding host or firewall object is the parent. If you are adding an object to one of the standard folders, the parent is the library you want to add the object to or the correct full path to the folder in the tree.

              -n name
                     the name of the new object

              -c txt specify comment for the new object

              -a attribute1[,attribute2...]
                     specify attributes that define parameters of the new object (see below)

       delete -f file.fwb -o object
              Deletes object specified by its full path in the tree or object ID.

              -f file.fwb
                     data file

              -o object
                     object to be deleted, full path or ID

       modify -f file.fwb -o object -c comment [-a attrs]
              Modifies object specified by its full path in the tree or object ID. Object can not be renamed using this operation.

              -f file.fwb
                     data file

              -o object
                     object to be modified, full path or ID

              -c txt specify comment for the object

              -a attribute1[,attribute2...]
                     specify attributes that define parameters of the object (see below)

       list -f file.fwb -o object [-r|-c] [-d|-Fformat]
              Prints name and ID of an object.

              -f file.fwb
                     data file

              -o object
                     object to print, full path or ID

              -r     print specified object and all objects under it in the tree

              -c     print only children objects of the given object but do not print the object itself.

              -d     print full dump of all object's attributes including internal debugging information if available, this can be very verbose.

              -Fformat_string
                     Program recognizes macros in the format string and replaces them with values of corresponding object's attributes. Macro is the name of the attribute surrounded with '%', such as '%name%' or '%address%'. Here is the list of some attribute names: "id", "name", "path", "comment", "type", "address", "netmask", "dnsname". TCP and UDP service objects provide attributes "src_range_start", "src_range_end", "dst_range_start", "dst_range_end" for the source and destination port ranges. ICMP and ICMP6 service objects have attributes "icmp_type" and "icmp_code".

       add -f file.fwb -g group -o object
              Adds object specified by path or ID to a group, also specified by its path or ID.

              -f file.fwb
                     data file

              -g group
                     group the object should be added to, full path or ID

              -o object
                     object to be added, full path or ID

       remove -f file.fwb -g group -o object
              Removes object from a group.

              -f file.fwb
                     data file

              -g group
                     group the object should be removed from, full path or ID

              -o object
                     object to be removed, full path or ID

       upgrade -f file.fwb
              Upgrades data file to the latest data format version.

              -f file.fwb
                     data file

       checktree -f file.fwb
              Checks consistency and correctness of the object tree in the given data file and repairs it if necessary.

              -f file.fwb
                     data file

       merge -f file1.fwb -i file2.fwb
              Objects from file2.fwb are merged with objects in file1.fwb and the combined object tree is saved in file1.fwb.

              -f file.fwb
                     data file #1

              -i file.fwb
                     data file #2

       import -f file1.fwb -i firewall_config.txt -o path_to_firewall_object [-d]
              Firewall configuration from file firewall_config.txt is parsed and imported into data file file1.fwb. The program creates a new firewall object located in the library and with the name defined by its path path_to_firewall_object.

              -f file.fwb
                     data file #1

              -i config.txt
                     firewall configuration file

              -o object_path
                     full path to the firewall object that will be created. This has to be a full path, beginning with the library name, such as "/User/Firewalls/my_new_firewall"

              -d     avoid creating duplicate objects on import

              Currently (as of v4.2.0) fwbuilder supports import of iptables configuration saved with the iptables-save command, as well as import of Cisco router IOS configuration, Cisco PIX, ASA and FWSM firewalls saved with the "show run" command.

ATTRIBUTES FOR THE NEW OBJECTS, BY TYPE
       -t Firewall      -a platform, host OS
       -t IPv4          -a IP address [,netmask]
       -t IPv6          -a IPv6 address [,masklen]
       -t DNSName       -a DNS record,run time
       -t AddressRange  -a start address, end address
       -t ObjectGroup
       -t Network       -a address,netmask
       -t NetworkIPv6   -a ipv6_address,netmask_length
       -t Interval      -a start time,start date,start day,end time, end date, end day
       -t Interface     -a security level,address type (dynamic or unnumbered),management
       -t Host
       -t TCPService    -a source port range start,end,destination port range start,end,UAPRSF,UAPRSF
       -t UDPService    -a source port range start,end,Destination port range start,end
       -t ICMPService   -a ICMP type,ICMP code
       -t IPService     -a protocol number,lsrr/ssrr/rr/ts/fragm/short_fragm

EXAMPLES
       Print contents of the object /User/Firewalls/firewall/eth0 according to the provided format. Note that an object of the type "Interface" does not have an attribute that would define its address; the IP address is defined by its child object of the type IPv4 or IPv6.

           fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment%"

       Print contents of the object /User/Firewalls/firewall/eth0 and all its child objects. This is the way to see addresses and netmasks. The Interface object does not have the attribute "address", so the program ignores macro "%address%" when it prints the interface.

           fwbedit list -f x.fwb -o /User/Firewalls/firewall/eth0 -F "type=%type% name=%name% id=%id% %comment% %address%" -r

       Print group object /User/Objects/Addresses:

           fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%"

       Print group object /User/Objects/Addresses and all address objects inside of it:

           fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -r

       Print address objects inside group /User/Objects/Addresses but do not print the group object itself:

           fwbedit list -f x.fwb -o /User/Objects/Addresses -F "type=%type% name=%name% id=%id% %comment%" -c

       Print addresses and netmasks of all interfaces of all firewalls in the form of their full object tree path, followed by the type, id, address and netmask:

           fwbedit list -f x.fwb -o /User/Firewalls -F "%path% %type% %id% %address% %netmask%" -r | grep IP

       Print names, platform and version information for all firewall objects defined in the data file:

           fwbedit list -f x.fwb -o /User/Firewalls -F "%name% platform: %platform% version: %version%" -c

       Print name, source and destination port ranges for all TCP services in the folder TCP of the user-defined group User:

           fwbedit list -f x.fwb -o /User/Services/TCP -c -F "name='%name%' est=%established% %src_range_start%-%src_range_end% : %dst_range_start%-%dst_range_end%"

       Print icmp type and code for all ICMP services in the folder ICMP of the user-defined group User:

           fwbedit list -f x.fwb -o /User/Services/ICMP -c -F "name='%name%' icmp_type=%icmp_type% icmp_code=%icmp_code%"

       Add IPv6 address to one of the interfaces of firewall object "firewall":

           fwbedit new -f x.fwb -p /User/Firewalls/firewall/eth3 -t IPv6 -n eth3-v6-addr -a 2001:470:1f05:590::2,64

       Add reference to the Host object 'A' to the group 'B':

           fwbedit add -f x.fwb -g /User/Objects/Groups/B -o /User/Objects/Hosts/A

       Add reference to the object with ID id3D71A1BA to the group with ID id3D151943. If objects with given IDs do not exist, fwbedit prints an error message and does not make any changes in the data file.

           fwbedit add -f x.fwb -o id3D71A1BA -g id3D151943

       Add reference to the object with ID id3D71A1BA to the group 'testgroup':

           fwbedit add -f x.fwb -o id3D71A1BA -g /User/Objects/Groups/testgroup

       The following script uses the fwbedit "list" command to print IDs of all Address objects in the folder /User/Objects/Addresses, then cycles through the obtained list and uses fwbedit to add them to the group "group1".

           fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%id%" -c |
             while read -r id; do
               fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o "$id"
             done

       Here is a slightly more complex example. The following script uses the fwbedit "list" command to print types and IDs of all Address objects in the folder /User/Objects/Addresses, then filters them using grep to get only IPv6 objects and finally cycles through the obtained list and uses fwbedit to add them to the group "group1".

           fwbedit list -f x.fwb -o /User/Objects/Addresses -F "%type% %id%" -c | grep IPv6 |
             while read -r type id; do
               fwbedit add -f x.fwb -g /User/Objects/Groups/group1 -o "$id"
             done

URL
       Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/

BUGS
       Please report bugs using the bug tracking system on SourceForge: http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO
       fwbuilder(1)

FWB									fwbedit(1)
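
An added example, not part of the fwbedit man page: a policy-hygiene check built on the "list -F" macros from the TCP services listing in EXAMPLES, flagging service objects whose destination port range is wider than a threshold. The function names, the '|' separator, the threshold of 100 and the sample lines are assumptions made here, as is the reading of a 0-0 range as "any port" and of one output line per object.

```shell
#!/bin/sh
# Added example: audit TCP service objects for overly wide destination ranges.
# Format string uses only macros documented for "list -F"; '|' is the field
# separator on the assumption that object names do not contain it.
FWB_FMT='%name%|%dst_range_start%|%dst_range_end%'

# flag_wide_ranges MAX_WIDTH
# Reads "name|start|end" lines on stdin and prints one finding per line:
#   MALFORMED  fields missing, non-numeric, or end below start
#   ANY        range 0-0 (assumed here to mean "any port")
#   WIDE       range spans more than MAX_WIDTH ports
flag_wide_ranges() {
    awk -F'|' -v max="$1" '
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 + 0 < $2 + 0 {
            print "MALFORMED " $0; next
        }
        $2 + 0 == 0 && $3 + 0 == 0 { print "ANY " $1 " 0-0"; next }
        {
            width = $3 - $2 + 1
            if (width > max)
                printf "WIDE %s %d-%d (%d ports)\n", $1, $2, $3, width
        }'
}

# Constructed sample of what the list command is assumed to print for FWB_FMT.
sample_listing() {
    cat <<'EOF'
http|80|80
high-ports|1024|65535
any-tcp|0|0
ssh-alt|2200|2222
broken-export|abc|80
EOF
}

# Runs offline on the constructed sample. Against a real data file:
#   fwbedit list -f x.fwb -o /User/Services/TCP -c -F "$FWB_FMT" | flag_wide_ranges 100
sample_listing | flag_wide_ranges 100
```

Findings are reported only; the data file is not modified, so the output can be reviewed before any "fwbedit modify" or "delete" is run.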