fwb_install(1)
NAME
fwb_install - Firewall policy installation and activation script
SYNOPSIS
fwb_install [-d wdir] -f data_file.xml object_name
DESCRIPTION
fwb_install is the firewall policy installation and activation script for
Firewall Builder (see fwbuilder(1)). This script transfers compiled
rulesets via ssh to a firewall and activates them. Optionally it also transfers a backup of the .xml source file.
The data file and the name of the firewall object must be specified on
the command line. Other command line parameters are optional.
The firewall rules should allow ssh traffic to the firewall, or you
will lock yourself out.
INSTALLATION
You should have ssh and sshd installed and configured properly.
Make a public/private keypair using the ssh-keygen tool; the public key
goes into ~$REMOTEUSER/.ssh/ on the firewall, and $SSHIDENTITY locally
points to the private key. Protect your key with a good passphrase!
Tell fwbuilder to use the script: enter
/home/vadim/Projects/fwb/fwbuilder/../usr//bin/fwb_install (the full path
and name of this script) in the "install script" entry field of the
firewall object dialog.
To customize the script you can adjust the following variables inside
it:
- REMOTEDIR
- Specifies where the firewall script or configuration file will be placed on the firewall (default: "/etc/firewall")
- REMOTEUSER
- Specifies the user on the firewall allowed to set up the firewall rulesets (default: "root")
- DOXMLBACKUP
- Specifies whether we want to store a backup copy of the .xml on the firewall (default: "YES")
- SSHIDENTITY
- Location of the private ssh key (default: "${HOME}/.ssh/id_dsa")
OPTIONS
- -f FILE
- Specify the name of the data file to be processed.
- -d wdir
- Specify the working directory. Policy compilers create firewall configurations and/or scripts in this directory. If this parameter is missing, the script looks in the current working directory.
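The transfer and activation sequence the variables and options above control, as an added dry-run illustration; this is not the fwbuilder project's own fwb_install script. It assumes the compiled ruleset lives at WDIR/OBJECT.fw and that plain scp/ssh invocations are used for the copy and activation steps.

```shell
#!/bin/sh
# Added illustration of the steps fwb_install performs; not the project's
# own script. The variables follow the man page, while the file layout
# (compiled script at WDIR/OBJECT.fw) and the exact scp/ssh command forms
# are assumptions made for this example.
REMOTEDIR="${REMOTEDIR:-/etc/firewall}"
REMOTEUSER="${REMOTEUSER:-root}"
DOXMLBACKUP="${DOXMLBACKUP:-YES}"
SSHIDENTITY="${SSHIDENTITY:-${HOME}/.ssh/id_dsa}"

# fwb_plan WDIR DATAFILE OBJECT MGMT_ADDR
# Prints, one per line, the commands an installation run would execute
# against the firewall's management address, without running any of them.
# Returns 1 if the compiled script is missing from WDIR, so a caller can
# refuse to proceed rather than push a non-existent configuration.
fwb_plan() {
    wdir=$1; datafile=$2; obj=$3; mgmt=$4
    script="$wdir/$obj.fw"
    if [ ! -f "$script" ]; then
        echo "fwb_plan: compiled script $script not found" >&2
        return 1
    fi
    if [ ! -f "$SSHIDENTITY" ]; then
        echo "fwb_plan: warning: private key $SSHIDENTITY not found" >&2
    fi
    # 1. copy the compiled ruleset into REMOTEDIR on the firewall
    echo "scp -i $SSHIDENTITY $script $REMOTEUSER@$mgmt:$REMOTEDIR/$obj.fw"
    # 2. optionally keep a backup of the .xml source next to it
    if [ "$DOXMLBACKUP" = "YES" ]; then
        echo "scp -i $SSHIDENTITY $datafile $REMOTEUSER@$mgmt:$REMOTEDIR/$(basename "$datafile")"
    fi
    # 3. activate: run the ruleset script on the firewall over ssh
    echo "ssh -i $SSHIDENTITY $REMOTEUSER@$mgmt sh $REMOTEDIR/$obj.fw"
}

# Dry-run usage: fwb_plan /tmp/work /tmp/work/policy.xml fw1 192.0.2.1
```

Because the ssh activation step runs the new ruleset on the firewall itself, the printed plan is a convenient place to confirm that the ruleset still permits ssh to the management address before anything is executed.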
CAVEATS
The firewall rules should allow ssh traffic to the firewall, or you
will lock yourself out.
The script uses the address of the firewall's interface that is marked as
"management". The script aborts if there is no management interface.
There is still a dependency on the current DTD structure in that the
script assumes that all firewalls are always located in the tree branch
"Firewalls". This may change in the future; the script will need to be
updated then.
This script has been developed and tested for iptables firewalls on Linux systems. To the best of my knowledge, nobody has used this script for any other firewall type or OS; however, it should work for any firewall running on a Unix box where the firewall configuration is represented in the form of a shell script. One example is ipfw as used on FreeBSD or Mac OS X.
URL
The Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/
BUGS
Please report bugs using the bug tracking system on SourceForge:
http://sourceforge.net/tracker/?group_id=5314&atid=105314
AUTHOR
David Gullasch <xonox@web.de>, <gullasch@secunet.de> Changes and corrections by Vadim Kurland <vadim@fwbuilder.org>
DISCLAIMER
(K) 2001 by David Gullasch <xonox@web.de>, <gullasch@secunet.de> All
rights reversed. Copy what you like, but give credit and include this
note. Don't blame me when this script does not do what you want it to; there is no bug-free software.