FWBuilder - alternatives


Stril

Member
Sep 26, 2017
Hi!

I have been using fwbuilder for years and am very happy with it, but the software is not developed anymore. So I need to look for alternatives.

fwbuilder was/is great software to:
- configure many different firewalls
- with shared objects
- possibility to use DNS-names
- no vendor-lock-in


At the moment I am maintaining about 10 Linux firewalls, some of them HA systems with hundreds of rules. The great thing for me is that fwbuilder lets me manage the rules independently of the hardware. If a system changes its IP, I can simply change the referenced object.


Do you know any good alternative for this?


I tried different products, but there was never a vendor-independent approach to managing the objects.

What do you use?

Regards
Stril
 

Azhrarn

New Member
Dec 8, 2018
Old thread, but I am interested in this answer as well. Did you ever find something?
 

Stril

Member
Sep 26, 2017
Hi!

I did not find any alternative... fwbuilder is still maintained, but not very actively (IMHO).

Still hope to find a good alternative....
 

Ethan Waldo

New Member
Dec 9, 2018
Many years ago, probably a decade, I was looking closely at Untangle www.untangle.com. They touted the open source model and I considered contributing to their apps, but was leery of their license agreement which gave them ownership of all contributed work that they would then license back free to the author. It looks like they're still around and still have Firewall NG free. You might give it a shot and hope the policy management is one of the free apps.
 

gaidin123

New Member
Dec 28, 2018
Capirca is open source and actively developed and compiles simple text policies into dozens of firewall vendor formats, including iptables, ipset, nftables and speedway (iptables-save/restore format), plus a bunch of commercial vendors such as Cisco, Juniper and PA. See the quick start guide for a simple walkthrough, but basically you write a policy file that starts with a header specifying what firewall output formats you want, followed by the terms you want, like:

header {
  comment:: "Example header for juniper and iptables filter."
  target:: juniper edge-filter
  target:: speedway INPUT
  target:: iptables INPUT
  target:: cisco edge-filter
}

term allow-inbound-ssh {
  destination-address:: MY_SERVERS
  protocol:: tcp
  destination-port:: SSH
  action:: accept
}

"MY_SERVERS" and "SSH" in this example are references to the definitions and services files respectively, but imagine something like:
MY_SERVERS = 192.168.5.0/24
             10.5.1.1/32
             CLOUD_SERVERS         # Definitions can be nested
             2606:4700:4700::1111  # Example cloudflare ipv6 DNS server to show v4/v6 works fine

while the services could be:
SSH = 22/tcp
DNS = 53/tcp 53/udp # Example multi-protocol service
INT_MGMT = 22/tcp 443/tcp 5900-5910/tcp # Ranges of ports may be used

This is powerful in that it lets you maintain network security policies independent of vendor, and lets you maintain human-understandable sets of IPs and ports as lists of servers and services. Once you've set up definitions and services it's trivial to write new policies. The policies themselves can even include sets of other policies, so that you can re-use common rules across many policies (e.g. blocking spoofs, remote management permits, permitting basics like DHCP, NTP, DNS, an explicit deny-all at the end, etc.).
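The object resolution the post above describes, as an added example that is not part of the post and is not Capirca's own code: a toy Python re-implementation of just enough of the .net/.svc definition syntax (NAME = tokens, indented continuation lines, '#' comments, nested names) to expand the MY_SERVERS/SSH term into iptables and ip6tables rules. The CLOUD_SERVERS block (a documentation range), the restriction to tcp/udp/sctp, the port-range bounds check and the cycle detection are this example's assumptions; real Capirca covers far more (address exclusions, many protocols, per-target quirks) and is what you would actually run.

```python
"""Toy resolver for Capirca-style object definitions (added example,
not capirca's own code). It re-implements just enough of the .net/.svc
syntax to show how one vendor-neutral term becomes concrete
iptables/ip6tables rules. All definitions below are constructed;
203.0.113.0/26 is a documentation range standing in for a cloud block.
"""
import ipaddress
import re

NET_DEFS = """
CLOUD_SERVERS = 203.0.113.0/26        # constructed stand-in for a cloud block
MY_SERVERS = 192.168.5.0/24
             10.5.1.1/32
             CLOUD_SERVERS            # definitions can be nested
             2606:4700:4700::1111     # bare IPv6 address is treated as /128
"""

SVC_DEFS = """
SSH = 22/tcp
DNS = 53/tcp 53/udp                   # multi-protocol service
INT_MGMT = 22/tcp 443/tcp 5900-5910/tcp   # port ranges are allowed
"""

# Assumption of this example: only port-bearing protocols are modelled.
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp|sctp)$")
ACTIONS = {"accept": "ACCEPT", "deny": "DROP", "reject": "REJECT"}


def parse_defs(text):
    """Parse 'NAME = tokens' plus indented continuation lines into a dict."""
    defs, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        if line[0].isspace():                   # continuation of previous name
            if current is None:
                raise ValueError(f"continuation before any definition: {raw!r}")
            defs[current].extend(line.split())
        else:
            name, sep, rest = line.partition("=")
            if not sep or not name.strip():
                raise ValueError(f"malformed definition: {raw!r}")
            current = name.strip()
            defs[current] = rest.split()
    return defs


def resolve_nets(name, defs, seen=()):
    """Expand a network name (nested names allowed) into ip_network objects."""
    if name in seen:
        raise ValueError("cyclic definition: " + " -> ".join(seen + (name,)))
    if name not in defs:
        raise KeyError(f"undefined network object {name!r}")
    nets = []
    for tok in defs[name]:
        if tok in defs:
            nets.extend(resolve_nets(tok, defs, seen + (name,)))
        else:
            # Anything that is not a defined name must parse as an address/prefix,
            # so a typo in a nested reference fails loudly instead of vanishing.
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def resolve_svcs(name, defs, seen=()):
    """Expand a service name into (proto, low_port, high_port) tuples."""
    if name in seen:
        raise ValueError("cyclic definition: " + " -> ".join(seen + (name,)))
    if name not in defs:
        raise KeyError(f"undefined service {name!r}")
    ports = []
    for tok in defs[name]:
        if tok in defs:
            ports.extend(resolve_svcs(tok, defs, seen + (name,)))
            continue
        m = PORT_RE.match(tok)
        if not m:
            raise ValueError(f"bad port spec {tok!r} in {name}")
        lo, hi = int(m[1]), int(m[2] or m[1])
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {tok!r}")
        ports.append((m[3], lo, hi))
    return ports


def compile_iptables(term, dst, svc, chain, action, net_defs, svc_defs):
    """Render one term as iptables/ip6tables commands, one per (service, network)."""
    rules = []
    for proto, lo, hi in resolve_svcs(svc, svc_defs):
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        for net in resolve_nets(dst, net_defs):
            # Address family decides which binary the rule belongs to.
            cmd = "iptables" if net.version == 4 else "ip6tables"
            rules.append(
                f"{cmd} -A {chain} -p {proto} -d {net.with_prefixlen} "
                f"--dport {dport} -m comment --comment {term} -j {ACTIONS[action]}"
            )
    return rules


if __name__ == "__main__":
    nets, svcs = parse_defs(NET_DEFS), parse_defs(SVC_DEFS)
    for rule in compile_iptables("allow-inbound-ssh", "MY_SERVERS", "SSH",
                                 "INPUT", "accept", nets, svcs):
        print(rule)
```

Running it prints four rules for the one term: three iptables rules for the IPv4 objects (including the nested CLOUD_SERVERS block) and one ip6tables rule for the IPv6 address, which is the point of keeping objects vendor- and family-neutral and letting the generator split them. Undefined or cyclic references raise instead of silently producing an empty match, and a port range with low greater than high is rejected; those are the checks worth keeping if you ever script around object files yourself.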
 

Stril

Member
Sep 26, 2017
Hi!

Capirca looks great, but it just lacks a GUI. fwbuilder was so great because it's easy to get an overview and to work with queues...
I will give Capirca a try!

Thank you!