man fwb_install (Commands) - Firewall policy installation and activation script

NAME

fwb_install - Firewall policy installation and activation script

SYNOPSIS

fwb_install [-d wdir] -f data_file.xml object_name

DESCRIPTION

fwb_install is the firewall policy installation and activation script for Firewall Builder (see fwbuilder(1)). It transfers compiled rulesets to a firewall via ssh and activates them there. Optionally it also transfers a backup copy of the .xml source file.

The data file and the name of the firewall object must be specified on the command line. All other command line parameters are optional.

The firewall rules should allow ssh traffic to the firewall, or you will lock yourself out.

INSTALLATION

You should have ssh and sshd installed and configured properly.

Make a public/private keypair using the ssh-keygen tool; the public key goes into ~$REMOTEUSER/.ssh/ on the firewall, and $SSHIDENTITY locally points to the private key. Protect your key with a good passphrase!

Tell fwbuilder to use the script: enter /home/vadim/Projects/fwb/fwbuilder/../usr//bin/fwb_install (the full path and name of this script) in the "install script" entry field of the firewall object dialog.

To customize the script you can adjust the following variables inside it:

REMOTEDIR
Specifies where the firewall script or configuration file will be placed on the firewall (default: "/etc/firewall")
REMOTEUSER
Specifies the user on the firewall allowed to set up the firewall rulesets (default: "root")
DOXMLBACKUP
Specifies whether a backup copy of the .xml file is stored on the firewall (default: "YES")
SSHIDENTITY
Location of the private ssh key (default: "${HOME}/.ssh/id_dsa")

OPTIONS

-f FILE
Specify the name of the data file to be processed.
-d wdir
Specify the working directory. Policy compilers create firewall configurations and/or scripts in this directory. If this parameter is missing, the script looks in the current working directory.

CAVEATS

The firewall rules should allow ssh traffic to the firewall, or you will lock yourself out.

The script uses the address of the firewall's interface that is marked as "management". The script aborts if there is no management interface.

There is still a dependency on the current DTD structure in that the script assumes all firewalls are always located in the tree branch "Firewalls". This may change in the future; the script will need to be updated then.

This script has been developed and tested for iptables firewalls on Linux systems. To the best of my knowledge, nobody has used this script for any other firewall type or OS; however, it should work for any firewall running on a Unix box where the firewall configuration is represented in the form of a shell script. One example is ipfw used on FreeBSD or Mac OS X.
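As an added illustration (not the fwb_install script itself, and not Firewall Builder project code), the following POSIX sh sketch wires together the variables listed under INSTALLATION, the -d/-f options above and the lock-out caveat: it parses the command line, prints the scp/ssh commands that would transfer and activate the policy, and refuses to activate a compiled script that contains no rule accepting inbound ssh. Three simplifications are assumptions made for the example: the management address is passed as an argument instead of being read from the .xml, the compiled script is assumed to be named object_name.fw in the working directory, and the tcp/22 check is a grep heuristic over the generated iptables lines.

```sh
#!/bin/sh
# Added example, not the fwb_install script itself: a minimal POSIX sh sketch of the
# install flow this man page describes. Variable names (REMOTEDIR, REMOTEUSER,
# DOXMLBACKUP, SSHIDENTITY) and the "[-d wdir] -f data_file.xml object_name" syntax
# follow the man page; everything else is an assumption made for illustration.

REMOTEDIR="${REMOTEDIR:-/etc/firewall}"
REMOTEUSER="${REMOTEUSER:-root}"
DOXMLBACKUP="${DOXMLBACKUP:-YES}"
SSHIDENTITY="${SSHIDENTITY:-${HOME}/.ssh/id_dsa}"
DRY_RUN="${DRY_RUN:-yes}"   # "yes": print the commands instead of running ssh/scp

# Parse "[-d wdir] -f data_file.xml object_name" into WDIR, DATAFILE and FWOBJ.
# Returns non-zero when the mandatory data file or object name is missing.
parse_args() {
    WDIR="."; DATAFILE=""; FWOBJ=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -d) [ $# -ge 2 ] || return 1; WDIR="$2"; shift 2 ;;
            -f) [ $# -ge 2 ] || return 1; DATAFILE="$2"; shift 2 ;;
            -*) echo "unknown option: $1" >&2; return 1 ;;
            *)  FWOBJ="$1"; shift ;;
        esac
    done
    [ -n "$DATAFILE" ] && [ -n "$FWOBJ" ]
}

# Guard for the lock-out caveat: a compiled iptables script should contain at least
# one rule that ACCEPTs inbound tcp/22. Heuristic grep; assumed rule layout:
#   $IPTABLES -A INPUT -p tcp [-m tcp] --dport 22 -j ACCEPT
allows_ssh() {
    grep -Eq -- '-p tcp .*--dport 22 .*-j ACCEPT' "$1"
}

# Print, one per line, the scp/ssh commands that transfer and activate the policy.
# $1 is the firewall's management address (the real script reads it from the .xml;
# here it is passed in). The compiled script is assumed to be WDIR/FWOBJ.fw.
plan_install() {
    addr="$1"
    script="$WDIR/$FWOBJ.fw"
    echo "scp -i $SSHIDENTITY $script $REMOTEUSER@$addr:$REMOTEDIR/"
    if [ "$DOXMLBACKUP" = "YES" ]; then
        echo "scp -i $SSHIDENTITY $DATAFILE $REMOTEUSER@$addr:$REMOTEDIR/"
    fi
    echo "ssh -i $SSHIDENTITY $REMOTEUSER@$addr 'chmod 700 $REMOTEDIR/$FWOBJ.fw && $REMOTEDIR/$FWOBJ.fw'"
}

# Driver: install_policy <management-address> [-d wdir] -f data_file.xml object_name
install_policy() {
    addr="$1"; shift
    parse_args "$@" || { echo "usage: install_policy addr [-d wdir] -f data_file.xml object_name" >&2; return 2; }
    script="$WDIR/$FWOBJ.fw"
    [ -r "$script" ] || { echo "compiled script not found: $script" >&2; return 3; }
    if ! allows_ssh "$script"; then
        echo "refusing to install $script: no rule accepting tcp/22, you would lock yourself out" >&2
        return 4
    fi
    plan_install "$addr" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "yes" ]; then
            echo "DRY RUN: $cmd"
        else
            eval "$cmd" || exit 1   # stop at the first failed transfer/activation step
        fi
    done
}
```

With DRY_RUN left at its default of "yes", `install_policy 192.0.2.1 -d ./build -f policy.xml fw1` only prints the three commands it would run, which is a convenient way to check REMOTEDIR, REMOTEUSER and the identity file before the first real installation; the tcp/22 guard is a pre-flight check on the generated script, and setting DRY_RUN=no performs the transfer and activation.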

URL

Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/

BUGS

Please report bugs using the bug tracking system on SourceForge:

http://sourceforge.net/tracker/?group_id=5314&atid=105314

AUTHOR

David Gullasch <xonox@web.de>, <gullasch@secunet.de>. Changes and corrections by Vadim Kurland <vadim@fwbuilder.org>.

DISCLAIMER

(K) 2001 by David Gullasch <xonox@web.de>, <gullasch@secunet.de> All rights reversed. Copy what you like, but give credit and include this note. Don't blame me when this script does not do what you want it to - there is no bug-free software.

SEE ALSO