                                Firewall Builder

Frequently Asked Questions

  Vadim Kurland

     vadim@fwbuilder.org

   Revision History
   Revision 1.41, 2003/11/25, revised by vk

   Firewall Builder consists of an object-oriented GUI and a set of policy
   compilers for various firewall platforms. In Firewall Builder, a firewall
   policy is a set of rules; each rule consists of abstract objects that
   represent real network objects and services (hosts, routers, firewalls,
   networks, protocols). Firewall Builder helps users maintain a database of
   objects and allows policy editing using simple drag-and-drop operations.

   Preferences and object databases are stored in XML format. The GUI and
   policy compilers are completely independent: adding support for a new
   firewall platform requires a new policy compiler but only minimal changes
   to the GUI. This gives a consistent abstract model and the same GUI for
   all firewall platforms, and the standardized XML data format makes it
   possible to write many interchangeable user interfaces and policy
   compiler implementations.

   We have policy compilers for the popular free firewalls iptables
   http://www.iptables.org/, ipfilter http://coombs.anu.edu.au/~avalon/, pf
   http://www.benzedrine.cx/pf.html. Because of the modular architecture,
   Firewall Builder can be used to manage firewalls built on a variety of
   platforms including, but not limited to, Linux using iptables, ipfilter on
   FreeBSD or Solaris and pf on OpenBSD.

   The GUI is written using GTK-- and does not require any Gnome libraries.

   An interactive "Druid" makes it easy to get started. To begin, create
   objects for the firewall and the internal network and then run the druid.
   It asks a few questions and builds a basic skeleton policy, which can then
   be edited manually. The same druid can be used to add specific "standard"
   rules later on.

   We provide a mechanism for automated creation of network objects, using
   information either from the /etc/hosts file or from imported DNS zones.

   Solutions to many typical problems and answers to many questions can also
   be found in the Firewall Builder Users Guide:
   http://www.fwbuilder.org/UsersGuide.pdf.

     ----------------------------------------------------------------------

   1. System requirements, using binary packages, compiling from source

                1.1. What firewall platforms are supported ?

                1.2. What OS does fwbuilder run on ?

                1.3. What are the system requirements for Firewall Builder ?

                1.4. Where can I download source code and binary packages
                from?

                1.5. Where can I download the latest source code and nightly
                builds from?

                1.6. Where do I get GTK-- packages for RedHat ?

                1.7. How do I compile GTK-- library on RedHat 8.0 and 9.0 ?

                1.8. I want to use binary package. What do I need to download
                and install?

                1.9. Is there an automated way to install all dependencies?

                1.10. Does Firewall Builder need GNOME?

                1.11. How do I build Firewall Builder from source?

                1.12. I am trying to compile Firewall Builder from source,
                but autogen.sh complains "libfwbuilder not installed"

                1.13. I am trying to use the latest versions of libsigc++ and
                gtk/gtkmm libraries (libsigc++-1.2.3 and gtkmm-2.0.2 ) but
                script configure in fwbuilder does not recognize them

                1.14. I am trying to install fwbuilder RPM but I get an error
                "Failed dependencies: libgdkmm-1.2.so.1" and "Failed
                dependencies: libgtkmm-1.2.so.0". How do I fix this ?

                1.15. I am trying to install fwbuilder RPM but I get a bunch
                of errors "Failed dependencies: ...". What do I need to do ?

   2. Running the program

                2.1. Now that I installed all the packages, how do I start
                the program? (yes, this is a frequently asked question)

                2.2. fwbuilder binary does not start. You get an error
                "Gtk-WARNING **: cannot open display:"

                2.3. fwbuilder binary does not start. You get an error
                "Gtk-WARNING **: cannot open display :0.0"

                2.4. fwbuilder binary does not start. You get an error
                "fwbuilder: error while loading shared libraries:
                libfwbuilder.so.0: cannot load shared object file: no such
                file or directory."

                2.5. fwbuilder binary does not start. You get an error "
                fwbuilder: error while loading shared libraries: fwbuilder:
                undefined symbol:
                connect__Q23Gtk9ProxyNodePQ23Gtk6ObjectPCcPFv_vPQ24SigC8SlotDatab"

                2.6. fwbuilder binary does not start. You get an error
                "fwbuilder: relocation error: fwbuilder: undefined symbol:
                __tiQ23Gtk6Window"

                2.7. fwbuilder binary does not start. You get an error
                "fwbuilder: relocation error: /usr/lib/libgdkmm-1.2.so.1:
                undefined symbol: cerr

                2.8. When I run fwbuilder I get the following message: "Could
                not locate any modules for target firewall plattforms. You
                won't be able to compile firewall policy".

                2.9. fwbuilder or one of policy compilers crashes. What to do
                ?

                2.10. Firewall policy does not compile. I get error "Exec
                error (fwb_iptables) No such file or directory."

                2.11. I get "I/O Error" while compiling policy. There is no
                other indication of error though.

                2.12. fwbuilder crashes on my Debian or SuSe system. What do
                I do ?

                2.13. Data file created in the older version of fwbuilder can
                not be loaded in the latest one

   3. Building firewall policy

                3.1. When I create a new firewall object, it does not let me
                choose the firewall platform or host OS in the 'General' tab.

                3.2. Do I need to add rules for "ACK" packets?

                3.3. Druid seems to multiply rules in the policy

                3.4. I use iptables (or other) to protect local host. How do
                I use Firewall Builder to build policy?

                3.5. How can I configure NAT to provide access from the
                Internet to my server behind the firewall ?

                3.6. I see the firewall object has multiple policies
                associated with it. How do these policies relate to each
                other and in what order does the policy compiler scan them to
                generate firewall code?

                3.7. What does the option "Assume firewall is part of any"
                do?

                3.8. My firewall has 3 network cards - internal (eth0), DMZ
                (eth1) and external (eth2). I want to perform NAT when
                accessing the DMZ from the *internal* network but the
                ipt-compiler insists on specifying '-o eth2' in the iptables
                command. Why does it do that? How can I persuade it to
                specify '-o eth1'?

                3.9. Unnumbered interfaces - what do we need them for ?

                3.10. I do not have time to get into all the details, how can
                I get started and configure my firewall as quickly as possible?

                3.11. Why don't you set default policy in chains to ACCEPT so
                that access to the firewall won't be blocked as soon as
                firewall script issues "iptables -F" to clean up chains? This
                disconnects my ssh session...

                3.12. What is "rule shading" ("shadowing")?

                3.13. Policy compiler stops processing rules with error
                message "Cannot create virtual address NN.NN.NN.NN"

   4. Installing policy on the firewall

                4.1. The XML file I save, is it transformed into iptables
                script and sent to the firewall automatically when I click on
                "Compile"? Or do I have to restart something to see the
                changes applied?

                4.2. I have ipchains installed on my RedHat 7.1 system. How
                do I switch to iptables and start using firewall script
                generated by Firewall Builder?

   5. Running firewall script

                5.1. Do I need to compile iptables into the kernel?

                5.2. I get some error when I run the generated script, how
                can I figure out which rule causes this error?

                5.3. (Linux / iptables only) I've generated script for
                iptables firewall using Firewall Builder, but when I run it I
                get an error "ip: command not found". What is this command
                for and what package should I install?

                5.4. I get the following error when I run generated script
                for iptables firewall: "iptables v1.2.8: can't initialize
                iptables table 'drop': Table does not exist (do you need to
                insmod?) Perhaps iptables or your kernel needs to be
                upgraded."

                5.5. You are trying to execute iptables script generated by
                fwbuilder but get an error message "Interface eth0 does not
                exist" or similar.

                5.6. Does script generated by Firewall Builder configure
                interfaces of the firewall ?

   6. Logging

                6.1. I do not see log records in /var/log/messages, what's
                wrong?

                6.2. I've got logging working, but I think it sends too much
                information to the log so I can not really find what I am
                interested in. Is there a way to make it more readable?

                6.3. How can I get a list of connections opened through the
                firewall at any given moment of time ?

                6.4. How can I make a particular rule send special text to
                the log when a packet hits it?

   7. GUI

                7.1. GUI keeps asking me a question whether I want to save
                data in the dialog when I switch from one object to another.
                This is annoying, how can I get rid of it?

  1. System requirements, using binary packages, compiling from source

   1.1. What firewall platforms are supported ?

   We support iptables (available in Linux kernels 2.4.x). As of version
   0.9.3 we dropped support for ipchains, as obsolete technology and for lack
   of time. As of version 1.0.1 we support ipfilter (available for a variety
   of OSes, including FreeBSD, OpenBSD, Solaris and others) and have added
   support for pf (OpenBSD 3.0). Version 1.0.10 and later support ipfw.
   Support for Cisco PIX is available as a commercial product (send us email
   to inquire).

   Table 1. Firewall Builder can generate configuration for the following
   firewalls and OS:

   +--------------------------------------+
   | Firewall | OS                        |
   |----------+---------------------------|
   | iptables | Linux (kernel 2.4.x)      |
   |----------+---------------------------|
   | ipfilter | FreeBSD, OpenBSD, Solaris |
   |----------+---------------------------|
   | ipfw     | FreeBSD, MacOS X          |
   |----------+---------------------------|
   | pf       | OpenBSD                   |
   +--------------------------------------+

   1.2. What OS does fwbuilder run on ?

   Our main development OS is Linux; however, we also test-compile our code
   on FreeBSD and OpenBSD.

   Table 2. Operating Systems Firewall Builder has been ported to

   +------------------------------------------------------------------------+
   | OS       | Distributions and versions         | Are binary packages    |
   |          |                                    | available              |
   |----------+------------------------------------+------------------------|
   | Linux    | RedHat 7.x, 8.0, 9.0, Mandrake     | yes                    |
   |          | 9.1, SuSe 8.1, 8.2                 |                        |
   |----------+------------------------------------+------------------------|
   | Solaris  | 8                                  | no                     |
   |----------+------------------------------------+------------------------|
   | FreeBSD  | 4.7 , 4.8                          | ports are available    |
   |----------+------------------------------------+------------------------|
   | OpenBSD  | 3.2                                |                        |
   |----------+------------------------------------+------------------------|
   | Mac OS X | 10.2.3 and newer                   | .info files for fink   |
   |          |                                    | packages are available |
   +------------------------------------------------------------------------+

   1.3. What are the system requirements for Firewall Builder ?

   These are listed in the file "Build" in the docs directory. It is
   fwbuilder/doc/Build if you unpack source tarball, or can be found online:
   http://www.fwbuilder.org/archives/cat_installation.html

   1.4. Where can I download source code and binary packages from?

   Binary packages and source code for the current release can be downloaded
   from the "Downloads" page on the project's web site
   http://www.fwbuilder.org/ or from SourceForge.

   1.5. Where can I download the latest source code and nightly builds from?

   Binary packages and source code for the very latest code can be
   downloaded from the "CVS" section of our SourceForge site. Nightly builds
   and experimental packages are available on our ftp site
   ftp://downloads.fwbuilder.org/pub/fwbuilder/. Nightly builds include the
   latest bug fixes and are a great way to test and see what is going to be
   included in the next release. At the same time, nightly builds are the
   cutting edge of the project and may break. Be sure to make a backup copy
   of your data before you use one! We usually put the latest copy of the
   ChangeLog file in the same directory; remember to always check it before
   you download.

   1.6. Where do I get GTK-- packages for RedHat ?

   The authors of GTK-- recommend using the binary packages built by Ximian
   (see the gtk-- home page at http://gtkmm.sourceforge.net/ and follow the
   "Download" link). These packages are available for RedHat 7.3; you should
   be able to find them on Ximian's FTP site
   ftp://ftp.ximian.com/put/ximian-gnome

   The simplest and most reliable way to obtain the correct versions of these
   RPMs for RedHat 8.0 and 9.0 is to download them from
   http://freshrpms.net/. Direct links to these RPMs for RedHat 8.0 and 9.0
   are available from the "Downloads" page of our web site (look for
   "Downloads" in the main menu at http://www.fwbuilder.org/, then scroll
   down to the section titled "gtkmm and sigc++ packages for RedHat 8.0 and
   9.0 (links to freshrpms.net)").

   You can also try the packages libgtkmm1.2-1.2.9-3mdk.i586.rpm and
   libsigc++1.0-1.0.4-5mdk.i586.rpm that are part of Mandrake 9.0 and use
   them on RedHat 8.0. Note that these packages are built with gcc 3.2 and
   will NOT work on older RedHat distributions (RedHat 7.x). Use them only on
   RedHat 8.0 and later.

   See also the answer to the next question, 1.7.

   1.7. How do I compile GTK-- library on RedHat 8.0 and 9.0 ?

   Our user Toby Johnson published a mini-HOWTO with instructions on how to
   compile these libraries on RedHat 8.0:

     First, read the "Red Hat 8.0" section under
     http://www.fwbuilder.org/pages/Documents/Build.html. But instead of
     looking for libgtkmm and libsigc++ on rpmfind, download these two files:
     gtkmm-1.2.9-1.ximian.1.src.rpm and libsigc++-1.0.4-1.ximian.4.src.rpm

     (Never mind the "redhat-73-i386"; since they're source RPMs, it won't
     matter.)

     Now, enter the following to build the binary libsigc++ package and
     install it. If your SRPM root is different from "/usr/src/redhat", make
     the appropriate changes.

 
     rpm -ivh libsigc++-1.0.4-1.ximian.4.src.rpm
     rpm -ivh gtkmm-1.2.9-1.ximian.1.src.rpm
     cd /usr/src/redhat/SPECS
     rpmbuild -bb libsigc++.spec
     rpm -ivh ../RPMS/i386/libsigc++-1.0.4-1.ximian.4.i386.rpm
     rpm -ivh ../RPMS/i386/libsigc++-devel-1.0.4-1.ximian.4.i386.rpm


     Building the gtkmm package is a little trickier since there's a bug in
     one of the files that gcc 3.2 dies on. First, create a file named
     "/usr/src/redhat/SOURCES/gtkmm-1.2.9-editable.patch" with the following
     contents:

     --- ./src/editable.gen_h 2001-11-01 12:19:56.000000000 -0500
     +++ ./src/editable.gen_h.new 2002-11-01 10:49:55.000000000 -0500
     @@ -147,7 +147,7 @@
     namespace Gtk
     {

     - string Editable::get_chars (int start_pos = 0, int end_pos = - 1) const
     + string Editable::get_chars (int start_pos, int end_pos) const
     {
     gchar *chars = gtk_editable_get_chars (GTK_EDITABLE (gtkobj ()), start_pos, end_pos);
     string ret_val = chars;
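
   Review bot: The change itself is sound: C++ allows default arguments only
   on a declaration, and repeating "= 0" and "= - 1" on the out-of-line
   definition of Editable::get_chars is exactly what a stricter compiler such
   as gcc 3.2 rejects; the declaration in the header keeps the defaults, so
   callers are unaffected. Before applying it, check two things: the context
   lines of the hunk have lost their leading space character in this copy of
   the page, so "patch -p0" will reject it as shown (take the text from the
   original HOWTO or restore the leading spaces), and the "@@ -147,7 +147,7
   @@" offsets and the "./src/editable.gen_h" path must match the gtkmm-1.2.9
   source that rpmbuild unpacks, which the "%patch1 -p0" line in the spec
   relies on.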

     

     Now, modify "/usr/src/redhat/SPECS/gtkmm.spec" to include the patch.
     Find the line that begins with "Source0:" and add the following directly
     below it:

     Patch1: gtkmm-1.2.9-editable.patch

     Then find the section labeled "%prep". Add the following line after the
     "esac" line of the "case" statement (it will be the last line in the
     %prep section):

 %patch1 -p0 -b .editable

     Save the spec file, then continue with the following to build and
     install gtkmm:

     cd /usr/src/redhat/SPECS
     rpmbuild -bb gtkmm.spec
     rpm -ivh ../RPMS/i386/gtkmm-1.2.9-1.ximian.1.i386.rpm
     rpm -ivh ../RPMS/i386/gtkmm-devel-1.2.9-1.ximian.1.i386.rpm


       Note: rpmbuild is part of the package "rpm-build"

     Now you're ready to install the fwbuilder 1.0.7 RPMs!

   1.8. I want to use binary package. What do I need to download and install?

   We distribute binary packages for some Linux distributions. You need to
   download and install the following (the actual package names vary with
   the naming convention of the given distribution):

     * The API: libfwbuilder

     * GUI: fwbuilder

     * Policy compiler for your firewall:

          * For iptables you need fwbuilder-ipt

          * For ipfilter you need fwbuilder-ipf

          * For OpenBSD pf you need fwbuilder-pf

          * For Cisco PIX you need fwbuilder-pix

   As policy compilers for other firewall platforms become available, they
   will appear in the download area.

   For example, for RedHat 7.3 you would need the following packages:

     * libfwbuilder-0.10.10-1.rh7.i386.rpm

     * fwbuilder-1.0.6-1.rh7.i386.rpm

     * fwbuilder-ipt-1.0.6-1.rh7.i386.rpm

   This set of packages gives you the library, the GUI and the policy
   compiler for iptables.

   You may also want to check what is available under "Contrib" in the
   download area. There are useful install, boot-time startup and other
   scripts contributed by users and beta-testers. Binary packages for Debian
   and SuSe are also available in "Contrib" area.

   1.9. Is there an automated way to install all dependencies?

   The answer depends on the OS and distribution.

   Mandrake Linux

           One of our users suggested the following procedure, which works
           on Mandrake Linux:

              * Copy or download the fwbuilder RPMs to a directory on the
                target machine.

              * Start the rpm source manager (from the Mandrake Control
                Center), add a new local source pointing to the directory
                where you just put the RPMs, then save and quit.

              * Open rpmdrake (again from the Mandrake Control Center) to
                install new software. Search for fwbuilder and select the
                three RPMs you want to install; rpmdrake resolves all
                dependencies.

              * Start the install.

   FreeBSD

           On FreeBSD you need to install ports libfwbuilder and fwbuilder.
           Just update your ports tree, then descend into the directory
           /usr/ports/security/fwbuilder and type "make install". This should
           install both libfwbuilder and fwbuilder, as well as all missing
           dependencies.

           To install the nightly build, download the files
           libfwbuilder-port.tar and fwbuilder-port.tar from the nightly
           builds ftp site and unpack them in the directories
           /usr/ports/security/libfwbuilder and /usr/ports/security/fwbuilder.
           Then download the source code (files libfwbuilder-1.0.0.tar.gz and
           fwbuilder-1.0.10.tar.gz) from the same site and put them in the
           /usr/ports/distfiles directory. Now go to
           /usr/ports/security/fwbuilder and type "make install"; it should
           install both libfwbuilder and fwbuilder, as well as any missing
           packages they depend on.

   OpenBSD

           Firewall Builder is available as a port for OpenBSD. However,
           until it is a part of the standard ports tree, the port needs to
           be installed manually.

           First, install gdk-pixbuf port (with or without GNOME). The rest
           of the prerequisite ports will be installed automatically as
           needed.

           Download port files libfwbuilder-openbsd-port.tar and
           fwbuilder-openbsd-port.tar and unpack them in directories
           /usr/ports/security/libfwbuilder and
           /usr/ports/security/fwbuilder.

           Enter directory /usr/ports/security/fwbuilder and type "make
           install". This should install API library libfwbuilder, the GUI
           and all policy compilers.

   Mac OS X

           On Mac OS X you need to install Firewall Builder as a fink
           package. Download files libfwbuilder.info and fwbuilder.info from
           the "Downloads" page on our web site and put them in the directory
           /sw/fink/dists/local/main/finkinfo/ on your Macintosh. If you are
           trying to install the nightly build, then you also need to
           download source code archive (files libfwbuilder-1.0.0.tar.gz and
           fwbuilder-1.0.10.tar.gz ) from the same site and put them in the
           directory /sw/src. Then just type fink install fwbuilder. This
           should install both libfwbuilder and fwbuilder, as well as missing
           packages they need.

   1.10. Does Firewall Builder need GNOME?

   As of version 0.9.7 Firewall Builder no longer needs GNOME. All widgets
   that were part of the libgnomeui library have been rewritten, so Firewall
   Builder now uses only the gtk+ and gtk-- libraries. This should simplify
   porting to other OSes and makes it possible to use Firewall Builder on
   Linux systems running KDE.

   1.11. How do I build Firewall Builder from source?

   First of all, you need to obtain the source. One way is to download the
   source tarballs from our download page. You need two packages:
   libfwbuilder-N.N.N.tar.gz and fwbuilder-M.M.M.tar.gz, where N.N.N and
   M.M.M are the respective versions of the two packages.

   Or, if you want to try the code we are currently working on, you can do an
   anonymous CVS checkout from our site on SourceForge. Just open this URL:
   http://sourceforge.net/cvs/?group_id=5314 and follow the instructions. In
   this case make sure you get both the libfwbuilder and fwbuilder modules.

   In either case, once you have the source unpacked on your machine, check
   that all dependencies are satisfied and that all the libraries fwbuilder
   uses are installed. The list of libraries is here:
   http://www.fwbuilder.org/archives/cat_installation.html

   Now you can build. First go to the directory libfwbuilder and run the
   script ./autogen.sh. This script checks dependencies and customises our
   code for your system. It accepts the following parameters:


     * --prefix - specify directory prefix where you want libfwbuilder
       installed

     * --with-templatedir=DIR - specify directory for template files and DTD

     * --with-glib-prefix=PREFIX - specify prefix directory where glib is
       installed

     * --disable-glibtest - do not compile and run glib test program

     * --without-openssl - compile libfwbuilder without encryption support
       (certain functions won't work, such as support for fwbd daemon)

     * --with-openssl-prefix=PREFIX - specify prefix directory where openssl
       library is installed

     * --without-ucd-snmp - compile libfwbuilder without support for SNMP
       (certain functions won't work, such as network discovery)

   If the system you are using for the build has additional libraries
   installed in /usr/local/lib, then you either need to add this directory to
   your LD_LIBRARY_PATH environment variable or supply the path of each
   library as a parameter to autogen.sh. Unfortunately, at this time our
   script does not support specifying the installation path for all the
   libraries we use, so setting LD_LIBRARY_PATH is probably the safer way.

   If your system has all the libraries installed in the standard place, or
   has the dynamic linker configured so that it can find libraries wherever
   they are installed, then you do not need to worry about LD_LIBRARY_PATH.

   Once you are done with autogen.sh, run "make all" in the libfwbuilder
   directory and check that it does not end with an error. If it does, then
   either autogen.sh could not find some library, or there is something
   peculiar about your system that we do not support yet. Verify again that
   you have all the libraries needed (check with Build) and that autogen.sh
   worked fine. If nothing helps, report the problem to us.

   After "make all" has run to the end without errors, you need to install
   the library. By default it installs in /usr/local/lib, and the
   libfwbuilder-config script installs in /usr/local/bin. You need root
   privileges to install there, so become root and run "make install" in
   the libfwbuilder directory. If you do not wish to install in /usr/local,
   use the parameter --prefix=PREFIX when you run autogen.sh.

   Once libfwbuilder is installed, you can move on and compile fwbuilder. The
   procedure is the same: go to the directory fwbuilder, run "./autogen.sh",
   then "make all" and "make install".

   1.12. I am trying to compile Firewall Builder from source, but autogen.sh
   complains "libfwbuilder not installed"

   As of version 0.9.6 the code is split into three major parts: the API,
   the GUI and the policy compilers. You need to download, compile and
   install the API before the rest will compile. The API comes in a separate
   source archive called libfwbuilder-0.10.0.tar.gz. Compile and install it
   as usual with the "./autogen.sh; make; make install" procedure.

   1.13. I am trying to use the latest versions of libsigc++ and gtk/gtkmm
   libraries (libsigc++-1.2.3 and gtkmm-2.0.2 ) but script configure in
   fwbuilder does not recognize them

   gtk 2.0 and gtkmm 2.0 are different libraries with a different API;
   fwbuilder won't work with them. Please stick with the recommended
   versions of libsigc++ and gtk/gtkmm.

   1.14. I am trying to install fwbuilder RPM but I get an error "Failed
   dependencies: libgdkmm-1.2.so.1" and "Failed dependencies:
   libgtkmm-1.2.so.0". How do I fix this ?

   You need to install library gtkmm-1.2. See the list of prerequisite RPMs
   in the "Installation" guide here:
   http://www.fwbuilder.org/archives/cat_installation.html

   1.15. I am trying to install fwbuilder RPM but I get a bunch of errors
   "Failed dependencies: ...". What do I need to do ?

   You need to install prerequisite libraries. See the list of RPMs in the
   "Installation" guide here:
   http://www.fwbuilder.org/archives/cat_installation.html

     Note: Do not use options "--force" or "--nodeps" when you install
     fwbuilder RPMs. If rpm complains about unsatisfied dependencies, this
     means your system is missing some libraries, or wrong versions are
     installed. Forcing the package install won't fix that, most likely it
     will fail in one way or another.

  2. Running the program

   2.1. Now that I installed all the packages, how do I start the program?
   (yes, this is a frequently asked question)

   Just type "fwbuilder" at the command-line prompt (in an xterm or
   gnome-terminal).

   2.2. fwbuilder binary does not start. You get an error "Gtk-WARNING **:
   cannot open display:"

   The Firewall Builder GUI is an X application, that is, it needs an X
   server to display on the screen. The program determines how to connect to
   the X server from the environment variable DISPLAY; if you get this
   error, that variable is probably not set. The simplest way to avoid the
   problem is to start fwbuilder from a shell window in a Gnome or KDE
   session.

   2.3. fwbuilder binary does not start. You get an error "Gtk-WARNING **:
   cannot open display :0.0"

   See the previous question. In this case your environment variable
   DISPLAY is set, but fwbuilder cannot connect to the X server. In this
   situation no X application will run; check by trying to start "xclock".
   There are many possible reasons, such as the X server not running, an X
   authentication failure, or the DISPLAY variable being overwritten by a
   shell login script. This problem falls outside the scope of this
   document; please search the Internet for the answer. Here are a few URLs
   to make troubleshooting easier:

     * http://www.openssh.org/faq.html

     * http://en.tldp.org/HOWTO/XDMCP-HOWTO/ssh.html

     * http://en.tldp.org/LDP/intro-linux/html/sect_10_03.html

   2.4. fwbuilder binary does not start. You get an error "fwbuilder: error
   while loading shared libraries: libfwbuilder.so.0: cannot load shared
   object file: no such file or directory."

   The GUI binary (fwbuilder) cannot find the API library libfwbuilder. If
   you are using our binary packages, make sure you download and install the
   package called libfwbuilder. If you compiled from source, then you
   probably installed libfwbuilder with the default prefix /usr/local, so
   the library went to /usr/local/lib, and the dynamic linker (ld.so) does
   not search that directory unless it is told to.

   You have the following options:

     * set the environment variable LD_LIBRARY_PATH to /usr/local/lib and
       run fwbuilder from that environment (this affects only that shell
       session);

     * add /usr/local/lib to the file /etc/ld.so.conf and run ldconfig (as
       root) so that the linker rescans the dynamic libraries and adds them
       to its cache;

     * recompile libfwbuilder and fwbuilder with prefix /usr/; this installs
       libfwbuilder.so.0 in /usr/lib, where the dynamic linker finds it
       without any changes to environment variables or /etc/ld.so.conf. To
       change the prefix, run autogen.sh with the command line parameter
       "--prefix=/usr". Do this for both libfwbuilder and fwbuilder.

   2.5. fwbuilder binary does not start. You get an error " fwbuilder: error
   while loading shared libraries: fwbuilder: undefined symbol:
   connect__Q23Gtk9ProxyNodePQ23Gtk6ObjectPCcPFv_vPQ24SigC8SlotDatab"

   This error usually happens when an old version of the libgtkmm or
   libsigc++ library is used. Check whether you need to upgrade them; our
   Build document tells you which versions you need and where you can get
   them.

   Sometimes this error happens even after new RPMs have been installed. In
   this case you need to check which library gets picked up by fwbuilder when
   it starts. Sometimes an old version remains somewhere on the disk after an
   upgrade and ldd loads it instead of the newer one. Download the script
   "check_libs.sh" from the "Contribs" area on the Sourceforge site of
   Firewall Builder and run it like this:

             check_libs.sh /usr/bin/fwbuilder
          

   It lists all dynamic libraries used by the fwbuilder binary and the RPM
   each one belongs to. Look for libraries which are not part of any
   installed RPM; those cause the problem.

   2.6. fwbuilder binary does not start. You get an error "fwbuilder:
   relocation error: fwbuilder: undefined symbol: __tiQ23Gtk6Window"

   Most likely you are trying to run a fwbuilder binary built for RedHat 7.3
   or Mandrake 8.2 on a RedHat 8.0 or Mandrake 9.0 system. The latest
   versions of both RedHat and Mandrake are based on the new compiler gcc
   3.2, which uses a different name mangling algorithm for C++ code and
   therefore produces binaries which are incompatible with those compiled
   with older versions of gcc. You need to either recompile libfwbuilder and
   fwbuilder yourself, or use binaries compiled for RedHat 8.0 or Mandrake
   9.0.

   2.7. fwbuilder binary does not start. You get an error "fwbuilder:
   relocation error: /usr/lib/libgdkmm-1.2.so.1: undefined symbol: cerr"

   You are trying to run fwbuilder on RedHat 8.0 where you installed older
   versions of the libgtkmm and libsigc++ libraries. Or maybe you have
   upgraded your older RedHat 7.3 to 8.0 and still use the old libgtkmm and
   libsigc++ that were installed before the upgrade. The latest versions of
   both RedHat and Mandrake are based on the new compiler gcc 3.2, which uses
   a different name mangling algorithm for C++ code and therefore produces
   binaries which are incompatible with those compiled with older versions of
   gcc. RedHat does not include these two libraries in their distribution, so
   you need to add them yourself. Question "Q: 1.6." explains where you can
   get binary packages from or how you can compile them yourself.

   2.8. When I run fwbuilder I get the following message: "Could not locate
   any modules for target firewall plattforms. You won't be able to compile
   firewall policy".

   You need to install a package that provides support for your firewall
   platform.

     * For iptables you need fwbuilder-ipt

     * For ipfilter you need fwbuilder-ipf

     * For OpenBSD pf you need fwbuilder-pf

     * For Cisco PIX you need fwbuilder-pix

   2.9. fwbuilder or one of the policy compilers crashes. What should I do?

   Please file a bug on Sourceforge. Provide the information we might need to
   fix the problem:

     * which version of fwbuilder you run, and whether you installed prebuilt
       binary packages or compiled it yourself;

     * Provide the output of the following commands:

                 cat /etc/issue

                 rpm -qa | grep gtk
                 rpm -qa | grep libxml
                 rpm -qa | grep libxslt
                 rpm -qa | grep libsigc++

                 ldd /usr/bin/fwbuilder
                 ldd /usr/bin/fwb_ipf
                 ldd /usr/bin/fwb_iptables
              

     * Download the script "check_libs.sh" from the Contrib area on our
       Sourceforge page and run it as follows:

                 check_libs.sh fwbuilder
              

       Include its output in your bug report.

   Also send us the core file and the .xml file with your objects.

   2.10. Firewall policy does not compile. I get error "Exec error
   (fwb_iptables) No such file or directory."

   You need to install the corresponding policy compiler. Our prebuilt
   compilers come in separate RPMs named like this:
   fwbuilder-iptables-1.0.1-1rh7.i386.rpm

   2.11. I get "I/O Error" while compiling policy. There is no other
   indication of error though.

   Did you install the package with the corresponding compiler? Our prebuilt
   compilers come in separate RPMs named like this:
   fwbuilder-iptables-1.0.1-1rh7.i386.rpm

   Check whether the compiler dumped core. If you can't find it, you may try
   to run the compiler manually, providing the following command line
   parameters:

             $ fwb_iptables  -f path_to_objects.xml   firewall_object_name
          

   All policy compilers have the same command line format.

   2.12. fwbuilder crashes on my Debian or SuSe system. What do I do?

   We cannot guarantee that Firewall Builder works flawlessly on Debian or
   SuSe since we do not have access to these distributions for testing.

   Sometimes we receive packages built for these distributions by volunteers.
   In this case we post these packages in the "Contribs" area on the
   project's page on Sourceforge. We do not verify or even try these packages
   and completely rely on the people who submit them. We usually post
   information about the authors, so if you have questions you can contact
   them directly.

   We welcome help from anyone who can test Firewall Builder on these
   distributions and provide feedback.

   2.13. A data file created in an older version of fwbuilder cannot be
   loaded in the latest one

   Sometimes this happens when you skip several versions while upgrading the
   program. There used to be a bug in the upgrade procedure somewhere around
   version 1.0.4 which broke automatic upgrades from versions before 1.0.4 to
   versions after it. If this happens to you, upgrade your data file using
   the script fwb-upgrade.sh, which you can find in the Contrib/Scripts area
   on our SourceForge site.

  3. Building firewall policy

   3.1. When I create a new firewall object, it does not let me choose the
   firewall platform or host OS in the tab 'General'.

   As of version 1.0.4, code and GUI dialogs supporting the target firewall
   platform and host OS are not included in the GUI but come in additional
   packages. If your firewall is iptables, you need to install the package
   fwbuilder-ipt. If it is ipfilter, you need the package fwbuilder-ipf. For
   OpenBSD PF you need fwbuilder-pf.

   3.2. Do I need to add rules for "ACK" packets?

   Firewall Builder uses the "stateful inspection" feature of the underlying
   firewall platform. In the case of iptables it loads the module
   ip_conntrack, which tracks connections opened through the firewall and by
   the firewall itself. Since this module "remembers" each connection, there
   is no need for additional rules for "ACK" or "reply" packets. In fact,
   this module does a lot more than keep track of open TCP sessions: it does
   a similar thing for other protocols as well, where possible. Firewall
   Builder also loads some other modules to keep track of complex protocols,
   e.g. it loads the module ip_nat_ftp to support FTP.

   3.3. Druid seems to multiply rules in the policy

   This is how it works now. The interactive Druid does not check for rules
   in the existing policy and simply adds new ones. If you run the Druid
   twice and ask it to generate the same set of rules, you'll get the same
   rules many times in your policy. This will be improved in subsequent
   releases.

   3.4. I use iptables (or other) to protect local host. How do I use
   Firewall Builder to build policy?

   Your host may or may not have its IP address assigned dynamically via
   PPPoE or DHCP.

     * If address is static:

          * create firewall object, enter its IP address

          * create interface for it in "Interfaces" tab, mark it as
            "external"

          * add loopback interface named "lo", address 127.0.0.1/255.0.0.0

          * call Druid, choose "Firewall protects local host" and then pick
            rules you want.

       See what the Druid has created for you. You can edit and add rules now.

     * If address is dynamic:

          * create firewall object, mark its address as "dynamic"

          * create interface for it in "Interfaces" tab, mark it as
            "external" and "dynamic"

          * add loopback interface named "lo", address 127.0.0.1/255.0.0.0

          * call Druid, choose "Firewall protects local host" and then pick
            rules you want.

   3.5. How can I configure NAT to provide access from the Internet to my
   server behind the firewall ?

   This question is covered in great detail in the Firewall Builder Users
   Guide http://www.fwbuilder.org/UsersGuide.pdf and in the online tutorial
   "Firewall Builder Cookbook" http://www.fwbuilder.org/archives/cat_cookb.html.

   3.6. I see the firewall object has multiple policies associated with it.
   How do these policies relate to each other and in what order does the
   policy compiler scan them to generate firewall code?

   Each firewall has a Global Policy, a policy associated with each interface
   and a NAT policy.

   Global Policy rules apply to packets crossing the firewall, regardless of
   the interface they ingress and egress through. In the case of iptables
   this is equivalent to writing a rule without an "-i interface" or "-o
   interface" clause. A rule like this matches packets using only their
   addresses and protocol information. Interface policy rules, on the other
   hand, always get "-i interface" or "-o interface", depending on their
   direction setting.

     Note: One common misconception is that interface rules somehow control
     access to that interface. This is not the case.

   Since Interface Policy rules are associated with a certain network
   interface of the firewall and support direction, they provide a mechanism
   for dealing with situations where knowing both interface and direction is
   necessary, for example setting up anti-spoofing rules. Since situations
   like this are rare, we recommend placing most of the firewall rules in the
   Global Policy and only those rules which cannot be implemented in any
   other way into the Interface Policy.

   There are firewalls which require that all rules are always associated
   with interfaces. Even in this case you can place policy rules in the
   Global Policy because our compiler can deduce the correct interface the
   rule should be associated with.

   When the policy compiler generates code for the target platform, it first
   scans the NAT rules, then the Interface Policies, then the Global Policy.
   This determines the order in which lines of the target code are generated.

   3.7. What does the option "Assume firewall is part of any" do?

   The option "Assume firewall is part of any" is needed for those firewalls
   where rules that control access to the firewall machine and rules that
   control access to machines behind the firewall use different syntax or
   different commands. Currently two platforms require and use this option:
   iptables and Cisco PIX.

   In iptables, rules controlling access to the firewall should go into the
   INPUT chain (and rules controlling packets originating on the firewall
   should go into the OUTPUT chain), while rules that control traffic going
   through the firewall go into the FORWARD chain. Generally, a rule may
   yield code for either chain depending on the addresses used in SRC and
   DST. If the address used in DST matches one of the addresses of the
   firewall, then the code goes into the INPUT chain. There are two ways to
   interpret "any" though. We can say that "any" means anything, including
   the firewall. In this case the rule should put code into both the INPUT
   and FORWARD chains. If we do not assume that the firewall is part of any,
   then the generated code goes only into the FORWARD chain.

   The algorithms used by the policy compiler are the same regardless of the
   network configuration, so this logic applies when the firewall protects a
   local host, too.
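   The chain selection just described, as an added example written for this
   FAQ (not Firewall Builder's own compiler code): a simplified model that
   decides which iptables chains a rule yields code for from its SRC and DST
   elements and the "Assume firewall is part of any" option. The firewall
   addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed example: addresses of the firewall's own interfaces.
FIREWALL_ADDRS = frozenset(ip_address(a) for a in ("192.0.2.1", "198.51.100.1"))


def _matches_firewall(element, fw_addrs, assume_fw_is_any):
    """True if a rule element (a CIDR string or "any") can match the firewall itself."""
    if element == "any":
        return assume_fw_is_any
    net = ip_network(element, strict=False)
    return any(addr in net for addr in fw_addrs)


def _matches_other_hosts(element, fw_addrs):
    """True if the element can match at least one host that is not the firewall."""
    if element == "any":
        return True
    net = ip_network(element, strict=False)
    fw_inside = sum(1 for addr in fw_addrs if addr in net)
    return net.num_addresses > fw_inside


def chains_for_rule(src, dst, assume_fw_is_any, fw_addrs=FIREWALL_ADDRS):
    """Return the sorted list of iptables chains a rule with SRC=src and
    DST=dst yields code for, following the logic of Q 3.7:
      - DST matches the firewall            -> INPUT
      - SRC matches the firewall            -> OUTPUT
      - both sides can match other hosts    -> FORWARD
    "any" counts as matching the firewall only when assume_fw_is_any is set.
    This is a simplified model, not fwbuilder's actual algorithm."""
    chains = set()
    if _matches_firewall(dst, fw_addrs, assume_fw_is_any):
        chains.add("INPUT")
    if _matches_firewall(src, fw_addrs, assume_fw_is_any):
        chains.add("OUTPUT")
    if _matches_other_hosts(src, fw_addrs) and _matches_other_hosts(dst, fw_addrs):
        chains.add("FORWARD")
    return sorted(chains)


if __name__ == "__main__":
    for option in (True, False):
        print("assume firewall is part of any =", option)
        for src, dst in (("any", "any"), ("any", "192.0.2.1/32"),
                         ("192.0.2.0/24", "any"), ("10.0.0.0/8", "203.0.113.0/24")):
            print(f"  SRC={src:14} DST={dst:16} -> {chains_for_rule(src, dst, option)}")
```

   Note that a SRC network which merely contains a firewall address (the
   192.0.2.0/24 case) yields both OUTPUT and FORWARD code, independent of
   the option.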

   3.8. My firewall has 3 network cards - internal (eth0), DMZ (eth1) and
   external (eth2). I want to perform NAT when accessing the DMZ from the
   *internal* network but the ipt-compiler insists on specifying '-o eth2' in
   the iptables command. Why does it do that? How can I persuade it to
   specify '-o eth1'?

   Mark the DMZ interface as external.

   3.9. Unnumbered interfaces - what do we need them for ?

   We need them to be able to assign rules to an interface but skip it in
   src or dst when the firewall object is used in the src/dst rule elements.
   This may be useful in configurations with VPN (imagine an unnumbered VPN
   interface through which packets exit the tunnel).

   3.10. I do not have time to get into all the details; how can I get
   started and configure my firewall as quickly as possible?

   Here is a quick step by step procedure. Please note that this works only
   for simple network configurations!

    1. create Network object for your internal network

    2. create a Firewall object for your firewall. Do not forget to choose
       firewall platform in the "General" tab of the dialog.

    3. Add interfaces to the firewall (open firewall object, then use main
       menu "Insert / Interface"). Add address to each interface (open
       interface object, then use main menu "Insert / Address"). Do not
       forget to add loopback interface as well (name 'lo', address
       127.0.0.1).

    4. Mark interface that connects you to the Internet as "External".

    5. Use main menu "Rules / Help me build firewall policy" and choose
       network topology that describes your network. Generate rules and see
       what you've got.

   3.11. Why don't you set default policy in chains to ACCEPT so that access
   to the firewall won't be blocked as soon as firewall script issues
   "iptables -F" to clean up chains? This disconnects my ssh session...

   I won't do this because I believe that currently the script does "The
   Right Thing". Here is why:

   The script sets the default policy in all chains to "DROP" before it
   clears all the rules. This is necessary because the firewall and possibly
   the machines behind it become wide open as soon as the script clears the
   policy. The script needs to wipe out old rules before it installs new
   ones, so setting the default policy to DROP is the only way to ensure
   there is no time window during which the firewall does not offer any
   protection. One may argue that this window is really short, because the
   script immediately loads new rules, but this is not always so. What if
   some rule contained an error and did not load? What if the script was
   interrupted and did not activate a whole bunch of rules? In the end, it is
   always better to block access and thus prevent potential security
   problems, even if this comes at the price of some inconvenience.

   3.12. What is "rule shading"? ( "shadowing" )

   Shadowing happens when a rule is a superset of a subsequent rule, so that
   any packet potentially matched by the subsequent rule has already been
   matched by the prior rule.
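   A shadowing check in the sense of this answer, as an added example (not
   Firewall Builder's own code): a rule covers a later one when its source,
   destination, protocol and port range are each supersets, and a covered
   rule never matches anything. The rule model and the sample policy are
   constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """A simplified policy rule: CIDR strings or "any" for src/dst, a
    protocol, an inclusive destination port range (meaningful for tcp/udp)
    and an action. Constructed for this example."""
    src: str
    dst: str
    proto: str = "any"            # "any", "tcp", "udp" or "icmp"
    dport: tuple = (0, 65535)
    action: str = "deny"


def _net(element):
    return ip_network("0.0.0.0/0" if element == "any" else element, strict=False)


def _covers_addr(a, b):
    """True if every address matched by element b is also matched by a."""
    return _net(b).subnet_of(_net(a))


def covers(a, b):
    """True if rule a matches every packet rule b matches (a is a superset of b)."""
    if not (_covers_addr(a.src, b.src) and _covers_addr(a.dst, b.dst)):
        return False
    if a.proto == "any":          # any protocol, any port
        return True
    if a.proto != b.proto:
        return False
    if a.proto == "icmp":         # port range is not meaningful for ICMP
        return True
    return a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]


def find_shadowed(rules):
    """Return (shadowing_index, shadowed_index) pairs: for each rule, the first
    earlier rule that covers it. A shadowed rule never matches anything, so
    if its action differs from the shadowing rule's, the policy does not do
    what its author intended."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((i, j))
                break
    return found


# Constructed sample policy; rules 1 and 5 are shadowed.
SAMPLE_RULES = [
    Rule("10.0.0.0/8", "192.0.2.10/32", "tcp", (1, 1024), "accept"),    # 0
    Rule("10.1.0.0/16", "192.0.2.10/32", "tcp", (22, 22), "deny"),      # 1: shadowed by 0
    Rule("any", "192.0.2.10/32", "tcp", (80, 80), "accept"),            # 2
    Rule("10.2.0.0/16", "192.0.2.10/32", "udp", (53, 53), "accept"),    # 3
    Rule("192.168.1.0/24", "any", "any", action="accept"),              # 4
    Rule("192.168.1.5/32", "203.0.113.0/24", "udp", (53, 53), "deny"),  # 5: shadowed by 4
]

if __name__ == "__main__":
    for i, j in find_shadowed(SAMPLE_RULES):
        print(f"rule {j} is shadowed by rule {i}: "
              f"{SAMPLE_RULES[i].action} hides {SAMPLE_RULES[j].action}")
```

   Rule 1 is the interesting case: the "deny" for port 22 from 10.1.0.0/16
   is silently overridden by the earlier broad "accept", which is exactly
   the kind of mistake this check is meant to surface.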

   3.13. Policy compiler stops processing rules with error message "Cannot
   create virtual address NN.NN.NN.NN"

   This happens when you are using the option "Create virtual addresses for
   NAT rules". The problem is that the policy compiler needs to be able to
   determine the interface of the firewall to assign the virtual address to.
   In order to do that it scans all interfaces trying to find the subnet the
   requested NAT address is on. Sometimes the firewall's interface has an
   address which belongs to a different network than the NAT address
   specified in the rule; in this case the compiler cannot identify an
   interface and aborts.

   The NAT rule can still be built without the "-i" or "-o" option, but
   automatic assignment of the virtual address is impossible. You need to
   turn off the option "Create virtual addresses for NAT rules" in the tab
   "Firewall" of the firewall dialog and configure this address manually.

  4. Installing policy on the firewall

   4.1. The XML file I save, is it transformed into iptables script and sent
   to the firewall automatically when I click on "Compile"? Or do I have to
   restart something to see the changes applied?

   "Compile" only calls the compiler, which produces a file named after the
   firewall object, with the ".fw" extension. This file contains a firewall
   script which needs to be activated. There are two ways to activate it: 1)
   you can simply copy it to the firewall machine and then run it by hand;
   2) you can use a shell script to copy this file to where it should be and
   then run it. If you put the full directory path and file name of this
   script in the "Policy Install Script" field in the "Compile/Install" tab
   of the firewall object's dialog, then the menu item "Rules/Install" will
   be activated. Using this menu item causes the GUI to call the script,
   which is supposed to copy the generated firewall script to the firewall
   machine and run it there. Usually such a script uses SSH to securely
   access the firewall machine. Several contributed install scripts are
   available in the "Contrib" area on Sourceforge and the script
   'fwb_install' is included in the package. The installation and activation
   procedure is different on different OS, so please use these scripts with
   caution.

   The script fwb_install that is part of the package is intended for Linux
   and iptables, although it can be easily modified to support ipfilter and pf.
   It has been contributed to the project by David Gullasch ( <xonox@web.de>
   , <gullasch@secunet.de> ), please contact him if you have problems or
   questions.

   You do not need to reboot your firewall to activate the new policy. The
   iptables script generated by Firewall Builder has code to do a "clean up"
   job by removing all previous iptables settings before it loads the new
   ones.

   4.2. I have ipchains installed on my RedHat 7.1 system. How do I switch to
   iptables and start using firewall script generated by Firewall Builder?

   You do not need to uninstall ipchains, but you need to deactivate it.

   As root, run the following command:

             # chkconfig --level 2345 ipchains off
          

   If you do not want to reboot at this point, run the following to stop
   ipchains and remove it from memory:

             # /etc/rc.d/init.d/ipchains stop
             # rmmod ipchains
          

   Now simply run the iptables script created by fwbuilder to activate your
   firewall. This immediately activates your new firewall policy; you can
   always check whether your new rules are loaded using the command
   "iptables -L -n".

   There is still the problem of activating the policy at boot time.
   Different OS deal with it using different scripts that get installed in
   the directory /etc/rc.d/init.d (scripts in this directory are called in
   sequence when the machine boots). RedHat's standard iptables setup depends
   on their scripts iptables-save and iptables-restore. If you wish to stick
   with RedHat's standard scripts, simply run these commands:

             # /etc/rc.d/init.d/iptables save
             # chkconfig --level 2345 iptables on
          

   This saves your configuration to RedHat's standard file
   /etc/sysconfig/iptables in iptables-save format (which is different!) and
   then reloads it every time you reboot your firewall.

   If you do not want to use their scripts, you can use script
   "firewall-initscript" available in the "Downloads" area on our web site.
   This script comes with a README file which describes its usage.

  5. Running firewall script

   5.1. Do I need to compile iptables into the kernel?

   Iptables can be compiled either into the kernel or as modules; it does
   not really matter. If some of the modules are missing, then the respective
   feature won't work and you will get an error trying to load the generated
   script. For example, if you compile everything into the kernel and leave
   the ipt_LOG module out, then logging will stop working and you will get
   errors trying to load rules with logging turned on. Look into the iptables
   HOWTO and Tutorial for more details as this problem is not really specific
   to Firewall Builder.

   Here is an (incomplete) list of modules taken from my firewall:

     * ipt_limit

     * ipt_REJECT

     * ipt_multiport

     * ipt_MASQUERADE

     * ipt_REDIRECT

     * ipt_state

     * ipt_LOG

     * iptable_drop

     * iptable_filter

     * iptable_nat

     * ip_conntrack

     * ip_nat_ftp

     * ip_tables

     * ip_conntrack_ftp

   RedHat Linux comes with all iptables code compiled as modules.

   5.2. I get some error when I run the generated script; how can I figure
   out which rule causes this error?

   You can turn debugging on (look for a checkbox in the tab "Firewall" in
   the firewall dialog). This simply generates the firewall script with the
   shell option "-x" so it prints all commands while executing. This way you
   can see which command causes the error and trace it back to the policy
   rule.

   5.3. (Linux / iptables only) I've generated script for iptables firewall
   using Firewall Builder, but when I run it I get an error "ip: command not
   found". What is this command for and what package should I install?

   This tool is part of the package 'iproute'; we use it to manage virtual IP
   addresses needed for some NAT rules.

   5.4. I get the following error when I run generated script for iptables
   firewall: "iptables v1.2.8: can't initialize iptables table 'drop': Table
   does not exits (do you need to insmod?) Perhaps iptables or your kernel
   needs to be upgraded."

   You get this error because you used the option "Log all dropped packets"
   (there is a checkbox in the 'Firewall' tab). This option requires the
   "dropped" patch from patch-o-matic. You either need to turn this option
   off, or apply the corresponding patch and recompile both the kernel
   modules and the command-line utilities for iptables.

   5.5. You are trying to execute an iptables script generated by fwbuilder
   but get an error message "Interface eth0 does not exist" or similar.

   There are several conditions that may cause this error.

   The script generated by fwbuilder uses the tool /sbin/ip to verify the
   configuration of the firewall interfaces and make sure that the interfaces
   of the real firewall machine correspond to the interface objects created
   in the GUI. You may get this error if the tool /sbin/ip is not installed
   on your system. All modern Linux distributions come with the package
   iproute2 which includes /sbin/ip; check that iproute2 is installed and
   /sbin/ip exists.

   Another case when you may encounter this error is when the firewall
   script is executed prematurely during the boot sequence and the interface
   really does not exist at that time. For example, the interface ppp0 is
   created only when the system is configured for PPP and the daemon pppd is
   running. If the firewall script is activated before the daemon starts
   during the boot sequence, the interface ppp0 is not there yet, which leads
   to this error. Make sure you start the firewall script after all
   interfaces have been initialized.

   5.6. Does script generated by Firewall Builder configure interfaces of the
   firewall ?

   iptables:

   Policy compiler for iptables generates a shell script that configures
   interfaces of the firewall using information entered in the GUI, adds
   virtual addresses if needed and activates firewall policy. Script checks
   pre-existing configuration of the interfaces and does not make any changes
   if all addresses are already configured. This means it won't break
   anything if you use standard configuration tools provided by your OS and
   then run this script.

   ipfilter:

   The policy compiler for ipfilter generates three files: "firewall.fw",
   "firewall-ipf.conf" and "firewall-nat.conf" (where 'firewall' is the name
   of the firewall object). The first file, "firewall.fw", is a shell script
   that configures interfaces and loads the firewall policy from the other
   two files using /sbin/ipf and /sbin/ipnat. So, if you use this
   autogenerated shell script, then the answer is yes, interfaces will be
   configured. If you don't use this script and rely on the standard scripts
   provided by FreeBSD, then the answer is no.

   pf:

   Just like in the case of ipfilter, the policy compiler for pf creates an
   initialization script in the file "firewall.fw" and a configuration file
   "firewall.conf". If you use the generated script "firewall.fw", then it
   will configure the interfaces of the firewall and load the policy. If you
   do not use it and simply copy the "firewall.conf" file and rename it to
   "/etc/pf.conf", then you need to do all configuration using the standard
   scripts available in OpenBSD (/etc/rc.conf).

  6. Logging

   6.1. I do not see log records in /var/log/messages, what's wrong?

   RedHat Linux comes with syslog preconfigured to write all log messages
   with level "info" and higher to /var/log/messages, while the iptables
   script generated by Firewall Builder by default logs everything as
   "debug". You need either to edit /etc/syslog.conf so that all "debug"
   messages are logged, or change the log level to "info" in the iptables
   tab of the firewall dialog.

   6.2. I've got logging working, but I think it sends too much information
   to the log so I can not really find what I am interested in. Is there a
   way to make it more readable?

   You can use our script logwatcher.pl, available in the Contrib area. It
   reads the log file /var/log/messages and shows only the following fields
   from each log line:

     * Date and time

     * rule number (assuming you use default setting for the rule prefix
       which looks like this: "RULE %N -- %A")

     * rule action (Deny/Reject/Accept)

     * interface

     * protocol

     * source address and source port

     * destination address and destination port

     * ICMP type and code for ICMP packets

   Note though that this script drops some of the data logged by iptables to
   improve readability. You may miss some important information because of
   this, so in case of a real problem always look in the original log!

   Another, more elaborate version of the same script is logwatcher2.pl. It
   is also available in Contrib area.
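   A parser for the fields listed above, as an added example written for this
   FAQ (it is not logwatcher.pl or any other Contrib script): it relies on
   the default "RULE %N -- %A" prefix, ignores syslog lines that do not carry
   it, and, like the script, drops everything else iptables logged. The
   sample log lines are constructed.

```python
import re

# Constructed sample lines in the format produced by the iptables LOG target
# with the default fwbuilder prefix "RULE %N -- %A"; the third line is an
# unrelated syslog record that must be ignored.
SAMPLE_LOG = [
    "Nov 25 08:39:48 fw kernel: RULE 3 -- DENY IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=45678 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 25 08:40:02 fw kernel: RULE 5 -- ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.5 "
    "DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=4321 SEQ=1",
    "Nov 25 08:40:10 fw sshd[812]: Accepted publickey for admin from 10.1.1.5",
]

_HEADER = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"RULE (?P<rule>\d+) -- (?P<action>\w+) (?P<rest>.*)$"
)


def parse_log_line(line):
    """Extract the fields logwatcher.pl shows (Q 6.2) from one syslog line.
    Returns None for lines without the "RULE %N -- %A" prefix."""
    m = _HEADER.match(line)
    if m is None:
        return None
    # Flag tokens like DF or SYN carry no "="; they are dropped together with
    # MAC=, LEN=, TTL= and the other fields we are not interested in.
    kv = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return {
        "date": m.group("date"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "proto": kv.get("PROTO", ""),
        "src": kv.get("SRC", ""),
        "dst": kv.get("DST", ""),
        "sport": int(kv["SPT"]) if "SPT" in kv else None,
        "dport": int(kv["DPT"]) if "DPT" in kv else None,
        "icmp_type": int(kv["TYPE"]) if "TYPE" in kv else None,
        "icmp_code": int(kv["CODE"]) if "CODE" in kv else None,
    }


def format_record(rec):
    """One readable line per record: date, rule number, action, interface,
    protocol, addresses and ports (or ICMP type/code)."""
    iface = rec["in"] or rec["out"]
    if rec["proto"] == "ICMP":
        detail = f"{rec['src']} -> {rec['dst']} type={rec['icmp_type']} code={rec['icmp_code']}"
    else:
        detail = f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
    return f"{rec['date']} rule {rec['rule']} {rec['action']} {iface} {rec['proto']} {detail}"


def summarize(lines):
    """Parse every line, skipping records that did not come from iptables."""
    return [format_record(r) for r in map(parse_log_line, lines) if r is not None]


if __name__ == "__main__":
    for out in summarize(SAMPLE_LOG):
        print(out)
```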

   6.3. How can I get a list of connections opened through the firewall at
   any given moment of time ?

   You can use our script connwatcher.pl available in Contrib area. It prints
   the contents of the connections table every second, sort of like top shows
   processes active in the system.

   6.4. How can I make particular rule send special text to the log when
   packet hits it?

   You can use the rule options dialog and add a unique log prefix for this
   rule. Open the rule options dialog by right-clicking on the rule element
   in the "Options" column. This way you can make rules generate special
   lines in the log, which you can later process with an automated script,
   or simply use while troubleshooting your policy.

  7. GUI

   7.1. GUI keeps asking me a question whether I want to save data in the
   dialog when I switch from one object to another. This is annoying, how can
   I get rid of it?

   Open Options dialog (under menu "Edit"), choose in the tree
   "GUI"->"Behavior" and check checkbox "Automatically save data in dialogs
   while switching between objects".
