
fwbuilder seems to always want to write the firewall rules directly to the device that will run them, however I want to write them to a rules file that I can then maintain and update to the device via configuration management (ansible).

Clarification: Want the rules written out in a format suitable for consumption by iptables-restore.

Is this possible?

Evan
  • http://www.fwbuilder.org/4.0/docs/users_guide5/overview.shtml : *"Firewall Builder helps you write and manage configuration for your firewalls. It **writes iptables shell scripts**, pf.conf files, Cisco router access lists, or PIX configurations for you. You can then **copy and paste configurations generated by Firewall Builder, copy the files manually**"* ==> which is the same as when you would use your configuration management system to deploy those scripts. – HBruijn Mar 01 '17 at 12:46
  • The iptables shell scripts are different to what I'm asking for. That's an actual script to apply the rules to the kernel. I'm wanting the rules in a format suitable for input into iptables-restore. – Evan Mar 01 '17 at 20:18

1 Answer


fwbuilder does not generate a "straight" iptables-restore-compatible script out of the box, but it is possible to do with some modifications. There are two parts to this:

First, turn on the checkbox "Use iptables-restore to activate policy" in the tab "Script" of the firewall settings dialog. Turn all other functions of the generated script off in the same tab.

The rules are in iptables-restore format, but since the default generated script wants to send them to the standard input of iptables-restore, they are generated like this:

    (

    echo '*filter'
    # ================ Table 'filter', automatic rules
    echo :INPUT DROP [0:0]
    echo :FORWARD DROP [0:0]
    echo :OUTPUT DROP [0:0]
    # accept established sessions
    echo "-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT "
    echo "-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT "
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT "
    # ================ Table 'filter', rule set Policy
    #
    # Rule  0 (global)
    echo ":Cid5468X36359.0 - [0:0]"

     . . . . . . . . 

    echo "-A POSTROUTING -o eth1   -s 10.0.18.0/24  -j SNAT --to-source 74.123.224.162 "
    echo "-A POSTROUTING -o eth1   -s 10.0.22.0/24  -j SNAT --to-source 74.123.224.162 "
    #
    echo COMMIT


    ) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$?

You can replace the real iptables-restore with your own utility that will pick these rules up from stdin and store them in a file, which will be in the right iptables-restore format (this is what you want). The utility can be something simple, such as "tee file". To take over iptables-restore, open the "Host OS Settings" dialog in the firewall properties, go to the tab "Paths" and change the path for iptables-restore, replacing it with the path and name of your utility or script.

Since you do not use the default script format fwbuilder expects, its built-in policy installer won't work anyway. So what you need to do is run the generated script to generate a proper iptables-restore file and then install it where it belongs. How you do the latter part is up to you.

You can also change the format of the generated script to remove parts you do not need. The generated script is built using a template which you can modify. See chapter 13 "Configlets" of the Users Guide. The idea is to "dumb down" the generated script to leave only the iptables rules, which should already be in iptables-restore format, and remove everything else. I think the rules will still be in the form of "echo -A INPUT ..." so you'll need to actually run the generated script to get the rules in the format you need.

vadimk
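As an added worked example (not part of the answer above and not fwbuilder's own code), here is a complete stand-in for iptables-restore that does what the "tee file" idea does, but refuses to write a file that does not look like valid iptables-restore input: a leftover "echo ..." line (the script was copied instead of run) or a table with no COMMIT is caught before Ansible ships the file to the box. The script name, the FWB_RULES_OUT environment variable and the output path are this example's own assumptions, not fwbuilder settings. Point "Host OS Settings" -> "Paths" -> iptables-restore at the script, then run the generated firewall script yourself with FWB_RULES_OUT set.

```shell
#!/bin/sh
# fwb-capture-restore.sh: a stand-in for iptables-restore, to be entered in
# fwbuilder under "Host OS Settings" -> "Paths" -> iptables-restore (the
# script name and location are this example's own choice). The generated
# firewall script pipes the rules into it on stdin; instead of loading them
# into the kernel, it saves them as an iptables-restore file that Ansible can
# ship to the box. Added example, not fwbuilder's own code.

# capture_rules OUTFILE
#   Read an iptables-restore stream from stdin and write it to OUTFILE.
#   The file is built under a temporary name (mktemp creates it mode 0600)
#   and only renamed into place after check_rules accepts it, so a failed
#   run never leaves a half-written or malformed rules file behind.
capture_rules() {
    out="$1"
    tmp="$(mktemp "${out}.XXXXXX")" || return 1
    if ! cat > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! check_rules "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$out"
}

# check_rules FILE
#   Lightweight structural check of iptables-restore input: every "*table"
#   block must end with COMMIT, chain declarations (":NAME ...") and rules
#   ("-A ...", "-I ...") must sit inside a table, and nothing from the
#   generating shell script ("echo ...", "(", ")") may have leaked through.
#   Comments and blank lines are allowed. Returns 0 if OK, 1 otherwise.
#   It is not a substitute for "iptables-restore --test" on the target.
check_rules() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^echo / || /^[()]/ { bad = "shell leaked into rules: " $0; exit 1 }
        /^\*/ {
            if (table != "") { bad = "table " table " not committed"; exit 1 }
            table = substr($1, 2); next
        }
        /^COMMIT$/ {
            if (table == "") { bad = "COMMIT outside a table"; exit 1 }
            table = ""; tables++; next
        }
        /^:/ || /^-/ {
            if (table == "") { bad = "rule outside a table: " $0; exit 1 }
            next
        }
        { bad = "unexpected line: " $0; exit 1 }
        END {
            if (bad == "" && table != "") bad = "table " table " not committed"
            if (bad == "" && tables == 0) bad = "no tables found"
            if (bad != "") { print "check_rules: " bad > "/dev/stderr"; exit 1 }
        }
    ' "$1"
}

# Run the capture only when the caller says where to put the file, e.g.
#   FWB_RULES_OUT=/tmp/rules.v4 sh ./firewall.fw
# (FWB_RULES_OUT is an assumption of this example, not a fwbuilder setting.)
if [ -n "${FWB_RULES_OUT:-}" ]; then
    capture_rules "$FWB_RULES_OUT"
fi
```

The awk check only catches structural problems. Before the captured file replaces the live ruleset, run `iptables-restore --test < rules.v4` on a host with the same iptables version (it parses and constructs the ruleset without committing it), for example from the Ansible handler that installs the file; the capture script deliberately knows nothing about the kernel so that it can be run on the build machine.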