In the WiFi setup I discussed in my previous post, I use DD-WRT as the OS of choice. With that choice, I was looking for a tool to help build iptables rules to make my life easier.
In my search for a tool I came across one by the name of fwbuilder, from fwbuilder.org. The latest version is 4.0.
The goal of fwbuilder is to let you manage your firewall rules faster through the use and reuse of objects and a nice GUI. I like this idea, as it greatly speeds up policy creation and gives you a visual interface for reviewing your policies.
Diving in was not very intuitive. You have to start by creating an Object File, and the program gives little indication of what that actually did. Next you have to add a new firewall object. This prompts you to select your firewall type and runs an “Interface Wizard” to configure your NICs and IPs. I selected iptables 1.3.x and DD-WRT (nvram), clicked the + sign to add each interface, gave them labels, and set the interface name and IP address.
Once that is done, you can start building your policies. This is where my first gripe comes in: a hard distinction is made between user objects and standard objects. Standard objects are predefined services, IPs, and networks. These do not appear to be user-modifiable and contain generic entries like this-net and test-net. Since you can’t modify or delete them, you have these generic objects just sitting in your tree. Why??? User objects are the objects you create: your firewall, interfaces, networks, hosts, custom services, etc. When building a policy you simply drag the objects from the tree over to the policy and you’re done. The rub is that most of the objects are user objects until you want to add a standard service. Then you have to switch from the user view to the standard view and scroll down and expand the tree until you find your object. And each rule is like that: back and forth between the user tree and the standard tree. A big, needless PITA.
So after you get your policies written, you click the compile button. This prompts you for a place to save your fancy new iptables rules. I opened this file up and it read like an init script: start, stop, and restart sections, lots of variables, loops, and checks. NOT what I expected. I was expecting plain iptables commands or an iptables-save/restore file.
When I selected DD-WRT (nvram) in the beginning, I assumed it would create an output that was appropriate for the situation. Perhaps that was my mistake or perhaps I pooched something along the way. I pasted the text into my DD-WRT firewall save box and restarted. Much to my dismay, it seemingly bricked my WRT54GL. After a few 30/30/30 resets and some power cycles it finally came up, but I was getting pretty upset at that point.
In conclusion, I wasn’t able to use fwbuilder for my project, due to the unexpected output and my unwillingness to spend more time trying to get it working. I like the idea, and I think it has great potential, but the execution is not what I think it should be.
Three things I think would go a long way:
1. Do away with the distinction between user and standard objects.
2. Have an option to output strict iptables commands and iptables-save/restore files.
3. Provide a wizard for starting a new project.
Wishlist for potential growth: add the ability to generate set commands for Vyatta.
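To make the output-format point concrete, here is an added example of my own, not fwbuilder’s code and not part of the original post. It takes the same object-and-rule idea (reusable network and service objects referenced by rules) and compiles them straight to iptables-restore format, the file layout that iptables-save writes and iptables-restore loads, instead of an init-style script. It also refuses to emit a policy containing a shadowed rule (a later rule whose match is identical to an earlier one and therefore never fires). The addresses, the interface name br0, and the object names are constructed sample values; only the FORWARD chain is compiled, and INPUT is left at ACCEPT so the example cannot lock you out of the router’s management interface.

```python
"""Constructed example: a minimal object-based firewall policy compiler.

Networks and services are reusable objects, rules reference them, and the
compiler emits iptables-restore format (what iptables-save writes) rather
than a shell/init script. Illustrative code, not fwbuilder's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ACTIONS = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Network:
    """Reusable address object; the CIDR is validated on creation."""
    name: str
    cidr: str

    def __post_init__(self):
        ip_network(self.cidr, strict=False)  # raises ValueError on garbage


@dataclass(frozen=True)
class Service:
    """Reusable service object: protocol plus destination port."""
    name: str
    proto: str
    port: int

    def __post_init__(self):
        if self.proto not in ("tcp", "udp") or not 0 < self.port < 65536:
            raise ValueError(f"bad service {self.name}")


@dataclass(frozen=True)
class Rule:
    """One FORWARD-chain rule; None means 'any' for that match field."""
    action: str
    src: Optional[Network] = None
    dst: Optional[Network] = None
    svc: Optional[Service] = None
    iface_in: Optional[str] = None

    def match_key(self):
        return (self.iface_in, self.src, self.dst, self.svc)


def rule_to_iptables(rule: Rule) -> str:
    """Render one Rule as a single iptables-restore line."""
    if rule.action not in ACTIONS:
        raise ValueError(f"unknown action {rule.action}")
    parts = ["-A", "FORWARD"]
    if rule.iface_in:
        parts += ["-i", rule.iface_in]
    if rule.src:
        parts += ["-s", rule.src.cidr]
    if rule.dst:
        parts += ["-d", rule.dst.cidr]
    if rule.svc:
        parts += ["-p", rule.svc.proto, "--dport", str(rule.svc.port)]
    # Carry the object names into the ruleset so a later audit can read them.
    label = " ".join(o.name for o in (rule.src, rule.dst, rule.svc) if o)
    parts += ["-m", "comment", "--comment", f'"{label or "any"}"']
    parts += ["-j", rule.action]
    return " ".join(parts)


def shadowed_rules(rules):
    """Indices of rules whose match duplicates an earlier rule's (never fire)."""
    seen, shadowed = set(), []
    for i, r in enumerate(rules):
        key = r.match_key()
        if key in seen:
            shadowed.append(i)
        seen.add(key)
    return shadowed


def compile_policy(rules) -> str:
    """Emit a complete *filter table in iptables-restore format.

    FORWARD defaults to DROP; replies to allowed flows are admitted by a
    state match (-m state, available on the iptables 1.3.x the post targets).
    INPUT is deliberately left ACCEPT here so management access survives.
    """
    bad = shadowed_rules(rules)
    if bad:
        raise ValueError(f"shadowed rules at indices {bad}")
    lines = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines += [rule_to_iptables(r) for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Constructed sample policy: the LAN may reach one DMZ web server, nothing else.
LAN = Network("lan", "192.168.1.0/24")
DMZ_WEB = Network("dmz-web", "10.0.0.10/32")
HTTP = Service("http", "tcp", 80)
SAMPLE_RULES = [
    Rule("ACCEPT", src=LAN, dst=DMZ_WEB, svc=HTTP, iface_in="br0"),
    Rule("DROP", src=LAN),  # explicit catch-all DROP, easier to audit than the policy default
]

if __name__ == "__main__":
    print(compile_policy(SAMPLE_RULES), end="")
```

The generated text is loaded with `iptables-restore < policy.rules` on a test box before it goes anywhere near a production router; the shadowed-rule check is the kind of pre-flight sanity test worth running on any generated ruleset before pasting it into a router’s firewall box.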