Managing A Single Firewall Policy For Multiple Servers Using Firewall Builder
Author: Mike Horn <mike [at] netcitadel [dot] com>
Firewall Builder is a firewall configuration and management GUI that supports configuring a wide range of firewalls from a single application. Supported firewalls include Linux iptables, BSD pf, Cisco ASA/PIX, Cisco router access lists and many more. The complete list of supported platforms along with downloadable binary packages and soure code can be found at http://www.fwbuilder.org.
In this tutorial we are going to cover how to use Firewall Builder clusters to manage a single firewall policy that gets deployed on multiple servers. An example of where you could use this would be managing a shared firewall policy for a collection of web servers that are all providing the same service and should have the same rules.
Normally the cluster feature is used to create high availability firewall pairs, but in this case we are going to use it creatively to create a "master" firewall policy that gets deployed on multiple servers. This allows you to create a cluster object with a "master" firewall policy and then add servers as members to this cluster that will inherit the master firewall policy.
For this tutorial we are going to use the web farm example shown below. The example starts with two servers running Linux with iptables should have identical firewall polices. We'll cover creating the firewalls and cluster and assigning rules to it. At the end we'll walk through adding a 3rd server to the cluster.
While we are using a small number of servers for this example, the technique we are using can scale to manage a common firewall policy for hundreds or more servers.
On these servers we want to implement the following basic firewall rules.
- Allow system to commuicate to its own loopback interface
- Allow inbound HTTP and HTTPS from anywhere to the server
- Allow inbound SSH from a specific set of trusted subnets
- Allow outbound connectivity to port 8009 (jboss) to a group of application servers
This tutorial assumes knowledge of basic Firewall Builder concepts and common actions like creating firewall objects and rules. You can find more information about Firewall Builder commands on the Firewall Builder website http://www.fwbuilder.org.
Step 1 - Create firewall objects for your servers
To create a cluster we first need to create the firewall objects that will be members of the cluster. Each server is represented by a firewall object in Firewall Builder. Go through the New Firewall wizard and create a firewall called web-01 with two interfaces. The first interface is the Ethernet interface "eth0" that connects the server to the Internet and the second interface is the loopback interface "lo".
After you have created the firewall object it should look like this in the object tree:
By default Firewall Builder sets the firewall object to route (forward) IP packets. Since this is a server firewall we should disable IP forwarding on the host. Do this by double-clicking on the firewall object and then click on Host OS Settings in the Editor Panel at the bottom. Change the setting for IPv4 Packet Forwarding to Off.
To create a second firewall object for web-02 you can use the Duplicate feature in Firewall Builder.
- Right-click on web-01 firewall and select Duplicate -> place in library User
- Edit the name of the newly created firewall object to web-02
- Double-click on web-02's IP object under the eth0 interface and set the IP address to 192.0.2.12 / 24
Step 2 - Create a new cluster
To create a new cluster right-click on the Clusters folder in the object tree and select New Cluster. This will launch the New Cluster wizard. Name the cluster, for example web-servers, and select both web-01 and web-02 to be members of the cluster. Since we are not using failover it does not matter which firewall is set to Master.
Click Next >
Since both servers use eth0 as the outside interface leave the interface mapping as is. If you have servers with different interface names on your server, for example if one server uses eth0 and the other server uses eth1, you can set the mapping here.
Click Next >
To make the cluster interface easy to identify update the label associated with interfaces eth0 and lo. Since we are not running our servers as a high availability cluster with failover set the Failover protocol to None.
Make sure to update both the eth0 and lo interfaces.
Click Next >
We want to create new rules for our cluster, so set the source of the cluster rules to be "do not use any, i will create new policy and NAT rules".
Once you are done you should see a new cluster object in the tree that looks like this: