These are listed in the file "Requirements" in the docs directory. It is /usr/share/doc/fwbuilder/Requirements.
See gtk-- home page at http://gtkmm.sourceforge.net/ and follow link "Download" or directly in http://www.hvrlab.org/pub/gtkmm/
Please file a bug on Sourceforge. Provide information we might need to fix the problem (in the form of the output of the following commands):
cat /etc/issue rpm -qa | grep gnome rpm -qa | grep gtk rpm -qa | grep libxml rpm -qa | grep libsigc++ ls -la /usr/share/fwbuilder ls -la /usr/share/pixmaps/fwbuilder ldd /usr/bin/fwbuilder ldd /usr/bin/fwb_ipfilter ldd /usr/bin/fwb_iptables
Also send us core file and .xml file with your objects. If program crashes but does not generate core file (it shows "crash" dialog instead), run it as follows:
fwbuilder --disable-crash-dialog
It will dump core then.
Did you install package with corresponding compiler ? We ship compilers in a separate RPMs named like this: fwbuilder-ipchains-0.8.7-2-rh7.i386.rpm
Check if compiler dumped core. If you can't find it, you may try to run compiler manually, providing the following command line parameters:
$ fwb_ipchains -f path_to_objects.xml_file firewall_object_nameAll policy compilers have the same command line format.
We can not guarantee that Firewall Builder would work flawlessly on Debian or Mandrake or SuSe since we do not have access to these distributions for testing.
Sometimes we recieve packages built for these distributions by volunteers. In this case we post these packages in "Contribs" area on the project's page on Sourceforge. We do not verify or even try these packages and completely rely on people who submit them. We usually post information about authors, so if you have questions you can contact them directly.
We welcome help from anyone who can test Firewall Builder on these distributions and provide feedback
This is how it works now. Interactive Druid does not check for rules in existing policy and simply adds new ones. If you run Druid twice and ask it to generate the same set of rules, you'll get the same rules many times in your policy. This will be improved in subsequent releases.
Your host may or may not have its IP address assigned via PPPoE or DHCP.
Here is what you do if address is static:
See what Druid have created for you. You can edit and add rules now.
If address is dynamic:
Note also that there are now two places to look for policy: the "main" policy, this is what you saw in the old version, and policy attached to firewall interface. To see this one, open firewall object, go to tab "Interfaces" and highlight interface. For example, this is where you find your loopback rules and anti-spoofing rules.
As of version 0.9.3 we support iptables and are working on ipfilter policy compiler. We dropped support for ipchains as obsolete technology and because lack of time
RedHat Linux comes with syslog preconfigured to write all log messages with level "info" and higher to /var/log/messages, while iptables script generated by Firewall Builder by default logs everything as "debug". You need either to edit /etc/syslog.conf to make all "debug" messages to be logged, or change log level to "info" in iptables tab in firewall dialog
You can use our script logwatcher.pl available in Contrib area. It reads log file /var/log/messages and shows only the following fields from each log line:
Note though that this script drops some data logged by iptables to improve readability. You may miss some important information because of this, so in case of real problem always look in the original log!
( The following recomendations assume you are using iptables )
There are two possibilities here, depending on what IP address you want to use to access your server - that of your firewall or separate one. If you use the same address your firewall has, you can arrange access to your internal server from outside, and provide your internal users with access to the Internet using only one address. This scheme may become a limitation though if you have multiple servers inside your network which need to be accessed from outside. In the latter case you may want to use different port numbers or different addresses for access to different internal servers.
This is easy. Just add rule to the "NAT":
| Orig. Src | Orig. Dst | Orig. Srv | Transl. Src | Transl. Dst | Transl. Srv |
|---|---|---|---|---|---|
| Any | firewall | any | Original | Server | Original |
where "firewall" is the object for your firewall and "Server" is the object for your server behind the firewall.
this is it, Firewall Builder will generate iptables code for DNAT translation using firewall's IP address.
Create a rule in "NAT" in a similar way:
| Orig. Src | Orig. Dst | Orig. Srv | Transl. Src | Transl. Dst | Transl. Srv |
|---|---|---|---|---|---|
| Any | Server-NAT | any | Original | Server | Original |
where "Server-NAT" is special object with address of the translation you want to create, and "Server" is an object for your server behind the firewall.
In addition to the firewall rule, you need to set up static ARP entry and add routing. Asuming external translated address of the server is NN.NN.NN.NN, external firewall's interface is eth1 and its internal interface is eth0, the following commands would do the trick:
# arp -Ds NN.NN.NN.NN eth1 pub # route add NN.NN.NN.NN dev eth0
The first command adds static "published" ARP entry,
while the second command routes it through internal interface
As of version 0.9.3 iptables compiler can add these two commands to the generated firewall script if checkbox "Create ARP entries for DNAT translations" is checked in "iptables" tab in firewall object's dialog