FWBuilder - alternatives

Discussion in 'Networking' started by Stril, May 2, 2018.

  1. Stril

    Stril Member

    Hi!

    I have been using fwbuilder for years and am very happy with it, but the software is not developed anymore. So, I need to look for alternatives.

    fwbuilder was/is a great software to:
    - configure many different firewalls
    - with shared objects
    - possibility to use DNS-names
    - no vendor-lock-in


    At the moment, I am maintaining about 10 Linux firewalls, some of them HA systems with hundreds of rules. The great thing for me is that fwbuilder lets me manage the rules hardware-independently. If a system changes its IP, I can simply change the referenced object.


    Do you know any good alternative for this?


    I tried different products, but there was never a vendor-independent approach to managing the objects.

    What do you use?

    Regards
    Stril
     
    #1
  2. Azhrarn

    Azhrarn New Member

    Old thread, but I am interested in this answer as well. Did you ever find something??
     
    #2
  3. vudu

    vudu New Member

    fwbuilder/fwbuilder

    Looks to still be maintained.

    I use pfSense. Create an alias and change the relevant IP. Can use DNS.
     
    #3
  4. Stril

    Stril Member

    Hi!

    I did not find any alternative... fwbuilder is still maintained, but not very active (IMHO).

    Still hope to find a good alternative....
     
    #4
  5. Ethan Waldo

    Ethan Waldo New Member

    Many years ago, probably a decade, I was looking closely at Untangle www.untangle.com. They touted the open source model and I considered contributing to their apps, but was leery of their license agreement which gave them ownership of all contributed work that they would then license back free to the author. It looks like they're still around and still have Firewall NG free. You might give it a shot and hope the policy management is one of the free apps.
     
    #5
  6. gaidin123

    gaidin123 New Member

    Capirca is open source and actively developed and compiles simple text policies into dozens of firewall vendor formats including iptables, ipset, nftables, and speedway (iptables-save/restore format) and a bunch of commercial vendors such as Cisco, Juniper, PA. See the quick start guide for a simple walkthrough but you basically write a policy file that starts with a header specifying what firewall output formats you want then the terms you want like:

    header {
      comment:: "Example header for juniper and iptables filter."
      target:: juniper edge-filter
      target:: speedway INPUT
      target:: iptables INPUT
      target:: cisco edge-filter
    }

    term allow-inbound-ssh {
      destination-address:: MY_SERVERS
      protocol:: tcp
      destination-port:: SSH
      action:: accept
    }

    "MY_SERVERS" and "SSH" in this example are references to definitions and services files respectively but imagine something like,
    MY_SERVERS = 192.168.5.0/24
                 10.5.1.1/32
                 CLOUD_SERVERS          # Definitions can be nested
                 2606:4700:4700::1111   # Example Cloudflare IPv6 DNS server to show v4/v6 works fine

    while the services could be:
    SSH = 22/tcp
    DNS = 53/tcp 53/udp # Example multi-protocol service
    INT_MGMT = 22/tcp 443/tcp 5900-5910/tcp # Ranges of ports may be used

    This is powerful in that this lets you maintain network security policies independent of vendor, and lets you maintain human understandable sets of IPs and ports as lists of servers and services. Once you've set up definitions and services it's trivial to write new policies. The policies themselves can even include sets of other policies so that you can re-use common rules across many policies (e.g. blocking spoofs, remote management permits, permit basics like DHCP, NTP, DNS, explicit deny all at the end, etc.).
     
    #6
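
The nested object definitions described in post #6 can be flattened before rules are generated, so you can review exactly which networks a name such as MY_SERVERS covers. The following is an added example, not part of the thread and not Capirca's own parser: a simplified reader for that definitions layout that also rejects undefined names, circular references and CIDRs with host bits set. The value given to CLOUD_SERVERS is constructed, since the post does not define it.

```python
import ipaddress
import re

# Constructed sample in the definitions layout shown in post #6.
# CLOUD_SERVERS is not defined in the thread; its value here is made up.
SAMPLE_NETWORKS = """
MY_SERVERS = 192.168.5.0/24
             10.5.1.1/32
             CLOUD_SERVERS          # Definitions can be nested
             2606:4700:4700::1111   # v4 and v6 can be mixed
CLOUD_SERVERS = 203.0.113.0/28      # constructed (TEST-NET-3)
"""

# Object names are upper-case tokens; anything else is treated as an address.
TOKEN_NAME = re.compile(r"^[A-Z][A-Z0-9_-]*$")


def parse_definitions(text):
    """Return {name: [tokens]}; lines without '=' continue the previous name."""
    defs, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if "=" in line:
            current, line = (part.strip() for part in line.split("=", 1))
            defs.setdefault(current, [])
        elif current is None:
            raise ValueError(f"value before any definition: {raw!r}")
        defs[current].extend(line.split())
    return defs


def expand(name, defs, _stack=()):
    """Flatten a name to sorted networks, rejecting loops and unknown names."""
    if name in _stack:
        raise ValueError("circular definition: " + " -> ".join(_stack + (name,)))
    if name not in defs:
        raise KeyError(f"undefined object: {name}")
    nets = set()
    for tok in defs[name]:
        if TOKEN_NAME.match(tok):
            nets.update(expand(tok, defs, _stack + (name,)))
        else:
            # strict=True refuses entries like 10.5.1.1/24 (host bits set)
            nets.add(ipaddress.ip_network(tok, strict=True))
    return sorted(nets, key=lambda n: (n.version, n))
```

Calling `expand("MY_SERVERS", parse_definitions(SAMPLE_NETWORKS))` returns the four networks the name resolves to, IPv4 first, which can be diffed between revisions of the definitions file to see what a change to a shared object actually opens up.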
  7. Stril

    Stril Member

    Hi!

    Capirca looks great, but it does just lack a GUI. fwbuilder was so great because it's easy to get an overview and to work with queues...
    I will give Capirca a try!

    Thank you!
     
    #7