Firewall Builder Publisher's description

Firewall Builder is a multi-platform firewall configuration and management system.

Thousands of users around the globe rely on Firewall Builder to help simplify their firewall management. Here are just a few of the reasons new users are joining the Firewall Builder community every day.

Easy-to-Use GUI
Instead of dealing with cryptic command lines, Firewall Builder provides an easy-to-use interface that lets users drag and drop objects to create even the most complex firewall rules.

Supported Firewalls
From a single management application Firewall Builder supports a wide range of firewalls including Linux iptables, BSD pf, Cisco router access lists, Cisco ASA/PIX, Cisco FWSM and many more.

Object Model
Firewall Builder stores all user defined objects, like IP networks and server addresses, in a central database. Once an object is created it can be used in rules on multiple firewalls including different types of firewalls.

Device Management
Firewalls are more than just rules. Firewall Builder can also manage other critical device configurations like network interfaces and static routes.

Supported Platforms
Firewall Builder supports GUI based firewall policy configuration and management on Linux iptables, Cisco router ACL, Cisco ASA/PIX, OpenBSD pf, FreeBSD ipfw and ipfilter and HP ProCurve ACL.

Object Models
The Firewall Builder GUI is based on the concept of user defined objects. Users can create objects, such as an E-mail server, that can be used by multiple firewalls in their rules. And the search function makes it easy to find everywhere an object is being used.

Support for meta objects allows users to define a group object and use that group object in a rule. Groups can contain multiple types of child objects. For example, a group could include a mix of networks, hosts and address ranges. When Firewall Builder generates the rules for a target device that doesn't support group elements in its command syntax Firewall Builder will automatically create individual rules to match all the child objects in the group.

Rules Validation
Using powerful inspection logic Firewall Builder analyzes configured firewall policies to identify:
* Rules that aren't supported by a particular target platform
* Invalid rules that might be the result of user error, such as NAT'ing UDP into TCP
* Rule shadowing, where traffic never reaches a rule because an earlier rule matches the traffic first

Rules Compiler
The built-in rules compiler generates platform specific firewall rules. The compiler understands the differences between device types and software versions ensuring that it will generate the right rules for each type of target device.

Individual rules can be compiled in the GUI to the target platform command syntax at any time giving the user instant visibility to the specific commands that would be deployed to the firewall.

Integrated Installer
Firewall Builder uses SSH and SCP to securely deploy your firewall configurations to the target devices. To help avoid situations where a firewall change accidentally blocks access to the device Firewall Builder includes functions to automatically revert a device firewall configuration to the previous version.

Advanced Feature Configuration Support
In addition to the features shown above Firewall Builder includes support for configuring advanced features including:

* Cluster support for Cisco ASA/PIX, Linux iptables and OpenBSD pf firewalls
* Dynamic live rule updates on Linux iptables (via ipset module) and OpenBSD pf
* Run time options to have rule objects, like interfaces, determined on firewall startup
* Predefined templates, including firewall rules, for common deployment scenarios
* Device configuration of interface IP addresses, static routes, VLAN and bridge interfaces
* Configuration versioning control using RCS
* User defined pre and post firewall startup scripts

What's New in This Release:

GUI Updates:

· moved "batch install" button from the main installer wizard to the dialog where user enters their password. Now user can start in a non-batch install mode but continue in batch install mode at any time if all their firewalls authenticate with the same user name and password.
· see #2628 fixed crash that happened if user created new firewall object from a template and changed one of the ip addresses, while another firewall object created from the same template already existed in the tree.
· see #2635 Object type AttachedNetworks is not allowed in the "interface" rule element.
· The drop-down list of interfaces for the "route-through" rule option for PF and iptables should include not only cluster interfaces, but also interfaces of all members. This way, we can make compiler generate configuration "pass in quick on em0 route-to { ( em0 ) } ... " for a rule of a PF cluster. Here "em0" is an interface of a member, not the cluster.
· fixes #2642 "GUI crashes if user cancels newFirewall dialog".
· fixes #2641 "newFirewall dialog does not accept ipv6 addresses with long prefixes". The dialog did not allow ipv6 addresses of interfaces with netmask > 64 bit.
· fixes #2643 "GUI crashes when user cuts a rule, then right-mouse click in any rule element of another"
· added check to make sure user does not enter netmask with zeroes in the middle for the IPv4 network object. Netmasks like that are not supported by fwbuilder.
· fixes #2648 "right mouse click on firewall object in "Deleted objects" library causes GUI crash"
· fixes SF bug 3388055 Adding a "DNS Name" with a trailing space causes failure.
· fixes SF bug 3302121 "cosmetic mis-format in fwb Linux paths dialog"
· fixes SF bug 3247094 "Nomenclature of IP address edit dialog". Network ipv6 dialog says "Prefix length".
· see #2654 fixes GUI crash that occurred if user copied a rule from file A to file B, then closed file B, opened file C and tried to copy the same rule from A to C
· see #2655 Interface names are not allowed to have dash "-" even with interface verification off. We should allow "-" in the interface name for Cisco IOS
· see #2657 snmp network discovery crashed if option "Confine scan to network" was used.
· fixes #2658 "snmp network discovery creates duplicate address and network objects"
· enable fwbuilder to take advantage of GSSAPIAuthentication with openssh using suggestion by Matthias Witte witte@netzquadrat.de
· fixed a bug (no number): if the file name user entered in "Output file name" field in the "advanced settings" dialog of a firewall object ended with a white space, policy installer failed with an error "No such file or directory"
· fixed SF bug #3433587 "Manual edit of new service Destination Port END value fails". This bug made it impossible to edit the value of the end of the port range because as soon as the value became less than the value of the beginning of the range, the GUI would reset it to be equal to the value of the beginning of the range. This affected both TCP and UDP service object dialogs.
· fixes #2665 "Adding text to comment causes rule to go from 2 rows to 1 row". Under certain circumstances, editing rule comment caused the GUI to collapse corresponding row in the rule set view so that only the first object of each rule element that contained several objects was visible.
· fixes #2669 "Cant inspect custom Service object in Standard objects library".
· Changes in policy importer for all supported platforms

Changes that affect import of PIX configurations:

· changed token name from "ESP" to "ESP_WORD" to avoid conflict with macro "ESP" that happened during build on OpenSolaris
· see #2662 "Crash when compiling ASA rule with IP range". Need to split address range if it is used in "source" of a rule that controls telnet, ssh or http to the firewall itself and firewall's version is >= 8.3. Commands "ssh", "telnet" and "http" (those that control access on the corresponding protocols to the firewall itself) accept only ip address of a host or a network as their argument. They do not accept address range, named object or object group. This is so at least as of ASA 8.3. Since we expand address ranges only for versions = 1.4.4. The fix done for #3059893 was only in the policy compiler but needs to be done in both policy and nat compilers.

Changes in support for PF (FreeBSD, OpenBSD):

· see #2636 "carp : Incorrect output in rc.conf.local format". Should use create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid, pass and advskew parameters.
· see #2638 "When CARP password is empty the advskew value is not read". Should skip "pass " parameter of the ifconfig command that creates carp interface if user did not set up any password.
· fixed SF bug #3429377 "PF: IPv6 rules are not added in IPv4/IPv6 ruleset (anchor)". Compiler for PF did not include rules generated for IPv6 in generated PF anchor configuration files.
· fixed SF bug 3428992: "PF: rules order problem with IPv4 and IPv6". Compiler for PF should group ipv4 and ipv6 NAT rules together, before it generates ipv4 and ipv6 policy rules.
· Several fixes in the algorithms used to process rules when option "preserve group and addresses table object names" is in effect
· fixes #2674 NAT compiler for PF crashed when AttachedNetworks object was used in Translated Source of a NAT rule.

Changes in support for Cisco IOS ACL:

· fixes #2660 "compiler for IOSACL crashed when address range appears in a rule AND object-group option is turned ON"
· fixed SF bug 3435004: "Empty lines in comment result in "Incomplete Command" in IOS".

Changes in support for ipfw:

· fixed SF bug #3426843 "ipfw doesn't work for self-reference, in version".

Changes in support for Cisco ASA (PIX, FWSM):

· see #2656 "Generated Cisco ASA access-list has duplicate entry". Under certain circumstances policy compiler fwb_pix generated duplicate access-list lines.

Other changes:

· see #2646 and SF bug 3395658: Added few ipv4 and ipv6 network objects to the Standard objects library: TEST-NET-2, TEST-NET-3 (RFC 5735, RFC 5737), translated-ipv4, mapped-ipv4, Teredo, unique-local and few others.

System Requirements:

No special requirements.
Program Release Status: Minor Update
Program Install Support: Install and Uninstall
