This MiniHOWTO describes my own experience configuring an administrator workstation (and a firewall) to deploy a ``Firewall Builder'' generated policy to a remote FreeBSD-and-ipfilter-based firewall using SSH.
To follow this HOWTO you need an SSH client installed on your workstation
(the computer on which you run fwbuilder).
Your SSH client has to provide an 'ssh' command for a remote shell
and an 'scp' command for secure file transfer.
It has to support public key authentication, as fwbuilder will not ask you for a password for the SSH connection.
I'm using the OpenSSH 3.5 client, and the scripts provided with this HOWTO depend on the OpenSSH
'ssh' and 'scp' command line format. They may or may not be compatible with other
SSH clients.
Ok. You have an SSH client. Do you have a private/public key pair for authentication? If you do not know, you probably do not have one.
This key pair can be generated with the following command (OpenSSH syntax):
ssh-keygen -t dsa -N "" -f $HOME/.ssh/id_dsa
This command will create a DSA key pair with an empty passphrase
and save the keys in the default location. Run ssh-keygen as the user you use to run fwbuilder.
Do not use the 'root' user for this purpose!
The public key will be in the '$HOME/.ssh/id_dsa.pub' file.
Remember this; we will need it shortly.
The deploy-to-remote script is provided with this HOWTO as the file 'deploy-ipf-remote.sh'.
Place it somewhere and set the ``Policy install script'' parameter
on the ``Compile/Install'' tab of the firewall properties in fwbuilder.
Enter the username you would like to use to connect to the firewall in the ``Command line parameters for this script'' parameter on the same tab. Leave this parameter empty if you would like to use the current user name.
The 'deploy-ipf-remote.sh' script performs the following tasks:
1. Connects to the firewall as the user you provide and creates a subdirectory in this user's home directory.
The directory name is produced by the 'date +%Y%m%d-%H%M%S' command.
2. Copies the firewall definition XML file to the firewall as the 'policy.xml' file
in the subdirectory created in the previous step.
Copies the '.fw' script to the 'script.fw' file, the 'Firewall-ipf.conf' file
to the 'ipf.rules' file and the 'Firewall-nat.conf' file to the 'ipnat.rules' file
in the same subdirectory.
3. Calls the '/usr/local/bin/sudo /usr/local/sbin/deploy-ipf-freebsd.pl' command on the firewall.
See below for the '/usr/local/bin/sudo' installation and configuration.
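The three steps above, written out as a shell script. This is an added example, not the HOWTO's own 'deploy-ipf-remote.sh' (which is not reproduced on this page). The argument list (user or empty string, firewall name, path to the policy XML, directory holding the generated files), the naming of the generated files as '<firewall>.fw', '<firewall>-ipf.conf' and '<firewall>-nat.conf', and the mode 700 on the remote directory are my assumptions; the firewall name doubles as the SSH hostname, as the HOWTO requires.

```sh
#!/bin/sh
# Remote-deploy step as a shell sketch (added example; not the HOWTO's own
# deploy-ipf-remote.sh). Assumed invocation, since the argument list fwbuilder
# passes to the install script is not described on the page:
#   deploy-ipf-remote.sh <user-or-empty> <firewall-name> <policy.xml> <output-dir>
# where <output-dir> holds <firewall-name>.fw, <firewall-name>-ipf.conf and
# <firewall-name>-nat.conf (file naming is an assumption from the HOWTO's text).
set -eu

SSH="${SSH:-ssh}"
SCP="${SCP:-scp}"
REMOTE_INSTALL="/usr/local/bin/sudo /usr/local/sbin/deploy-ipf-freebsd.pl"

# Per-deployment subdirectory name, exactly as the HOWTO specifies.
remote_dir_name() {
    date +%Y%m%d-%H%M%S
}

# user@host for ssh/scp; an empty user means "use the current local user name".
ssh_target() {
    if [ -n "$1" ]; then printf '%s@%s\n' "$1" "$2"; else printf '%s\n' "$2"; fi
}

# Fixed name each generated file gets on the firewall.
remote_file_name() {
    case "$1" in
        *.xml)      echo policy.xml ;;
        *.fw)       echo script.fw ;;
        *-ipf.conf) echo ipf.rules ;;
        *-nat.conf) echo ipnat.rules ;;
        *)          echo "unexpected file $1" >&2; return 1 ;;
    esac
}

deploy_remote() {
    user="$1"; fw="$2"; xml="$3"; outdir="$4"
    target=$(ssh_target "$user" "$fw")      # firewall object name doubles as hostname
    dir=$(remote_dir_name)
    # 1. create the subdirectory in the remote user's home (ssh starts there);
    #    mode 700 is my addition so other local users cannot read the policy
    "$SSH" "$target" "mkdir -m 700 '$dir'"
    # 2. upload the four files under their fixed names; abort on a missing one
    for f in "$xml" "$outdir/$fw.fw" "$outdir/$fw-ipf.conf" "$outdir/$fw-nat.conf"; do
        if [ ! -f "$f" ]; then echo "missing $f" >&2; return 1; fi
        "$SCP" -q "$f" "$target:$dir/$(remote_file_name "$f")"
    done
    # 3. run the root-side installer via sudo from inside that directory;
    #    the sudoers entry permits only this one command
    "$SSH" "$target" "cd '$dir' && $REMOTE_INSTALL"
}

if [ $# -ge 4 ]; then deploy_remote "$1" "$2" "$3" "$4"; fi
```

Because the 'ssh' and 'scp' binaries are taken from the SSH and SCP variables, the functions can be exercised against stubs before the script is pointed at a real firewall.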
1. The name of the firewall in the policy is used as the hostname for the SSH connection by the remote-policy-install script, so use a real hostname as the firewall name.
2. Do not forget to allow SSH access from your workstation to the firewall. Otherwise you will lose control of the firewall after the policy is installed.
The firewall has to be accessible from the administrator workstation by SSH, and public key (RSA or DSA) authentication has to be enabled. I do not have much to say here, because these requirements are satisfied by a default FreeBSD installation.
Create group 'fwadmin'
pw groupadd fwadmin
Create (if it does not already exist) an account for firewall administration, for example 'fwadmin'.
pw useradd fwadmin -g nobody -c "&-at-`hostname`" -d /home/fwadmin -s /bin/sh
mkdir -p /home/fwadmin/.ssh
chown -R fwadmin:wheel /home/fwadmin/
chmod -R 700 /home/fwadmin/.ssh
Add the firewall administrator to the 'fwadmin' group
pw groupmod fwadmin -m fwadmin
Take the public (not private!) key you generated in the ``Public key'' step and put it
in the file 'authorized_keys' in the '.ssh' subdirectory of your user's home directory.
Make your user the owner of this file.
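A root-side helper for that step, run on the firewall after the public key has been copied over. This is an added example and not part of the HOWTO: it appends the key only once, rejects anything that is not a single OpenSSH 'ssh-dss' or 'ssh-rsa' public key line, and forces the ownership and permissions sshd expects, since a group- or world-writable 'authorized_keys' silently disables public key login. The function name and arguments are mine.

```sh
#!/bin/sh
# Added example (not from the HOWTO): install one OpenSSH public key into a
# user's authorized_keys on the firewall. Run as root.
set -eu

# install_authorized_key <pubkey-file> <home-dir> <owner>
install_authorized_key() {
    pub="$1"; home="$2"; owner="$3"
    keyfile="$home/.ssh/authorized_keys"
    # accept exactly one key line of the two types the HOWTO mentions
    key=$(head -n 1 "$pub")
    case "$key" in
        ssh-dss\ *|ssh-rsa\ *) ;;
        *) echo "$pub: not an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    touch "$keyfile"
    # append only if this exact key is not present yet, so re-runs are harmless
    if ! grep -qxF "$key" "$keyfile"; then
        printf '%s\n' "$key" >> "$keyfile"
    fi
    # the user must own the file; sshd ignores it if others can write to it
    chown -R "$owner" "$home/.ssh"
    chmod 700 "$home/.ssh"
    chmod 600 "$keyfile"
}

# Number of non-empty lines in a user's authorized_keys.
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}
```

For the account created above: `install_authorized_key /tmp/id_dsa.pub /home/fwadmin fwadmin`, then run the SSH check that follows.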
Check the SSH configuration with the following command:
ssh YourUserHere@YourFirewallHere 'printf "User: `id`\n\tHost: `hostname`\n\tDirectory: `pwd`\n"'
Note: do not forget to do this test. It also updates the ``known_hosts'' file, which has to happen before the scripts can connect.
You should see something like
User: YourUserInfoHere
Host: YourFirewallHere
Directory: HomeDirOfYourUserHere
If not, something is wrong.
The local deploy script is provided with this HOWTO as the file 'deploy-ipf-freebsd.pl'.
Place this file in the '/usr/local/sbin' directory and make it not writable by anyone
and executable by everyone.
chmod 555 /usr/local/sbin/deploy-ipf-freebsd.pl
The '/usr/local/sbin/deploy-ipf-freebsd.pl' script performs the following tasks:
1. Obtains the 'ipfilter_program', 'ipfilter_rules', 'ipnat_program' and
'ipnat_rules' variables from the system configuration file '/etc/rc.conf'
(or '/etc/defaults/rc.conf').
2. Parses the 'script.fw' file provided by the user to extract all 'sysctl'
and 'add_addr' commands.
3. Adjusts all 'sysctl' parameters that 'script.fw' requests to be adjusted
and that '/usr/local/sbin/deploy-ipf-freebsd.pl' allows to be adjusted.
4. Brings all requested IP aliases up.
5. Reloads the ipfilter and ipnat policy from the user-provided files.
6. Copies the user-provided files to the proper place so they are loaded during system startup.
'/usr/local/sbin/deploy-ipf-freebsd.pl' does not run any user-provided scripts or commands.
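The same six tasks as a shell sketch, to make the last point concrete: the script runs as root through sudo, so it must never execute the uploaded 'script.fw'; it only reads 'sysctl' and 'add_addr' lines out of it and re-issues them itself with arguments that passed a shape check. This is an added example, not the HOWTO's Perl 'deploy-ipf-freebsd.pl' (which is not reproduced here). The sysctl allowlist, the 'add_addr <address> <masklen> <interface>' argument order, and the 'ipf -Fa' / 'ipnat -CF' reload flags are my assumptions about the generated script, not taken from the page.

```sh
#!/bin/sh
# Root-side install step as a shell sketch (added example; the HOWTO's own
# deploy-ipf-freebsd.pl is Perl and is not reproduced here). It never runs
# script.fw: it extracts 'sysctl' and 'add_addr' lines and re-issues them with
# validated arguments. The allowlist and the add_addr argument order are
# assumptions, not taken from the HOWTO.
set -eu

RUN="${RUN:-}"                                   # RUN=echo prints commands instead of running them
RC_DEFAULTS="${RC_DEFAULTS:-/etc/defaults/rc.conf}"
RC_CONF="${RC_CONF:-/etc/rc.conf}"

# Value of a variable from rc.conf-style files; later files override earlier ones.
rc_conf_value() {
    name="$1"; shift
    value=""
    for f in "$@"; do
        if [ -r "$f" ]; then
            v=$(sed -n "s/^[[:space:]]*${name}=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" "$f" | tail -n 1)
            if [ -n "$v" ]; then value="$v"; fi
        fi
    done
    printf '%s\n' "$value"
}

# 'sysctl [-w] name=value' lines from script.fw, reduced to name=value.
extract_sysctls() {
    sed -n 's/^[[:space:]]*sysctl[[:space:]]\{1,\}\(-w[[:space:]]\{1,\}\)\{0,1\}\([a-z0-9_.]\{1,\}=[-A-Za-z0-9_.]\{1,\}\).*/\2/p' "$1"
}

# Only these may be changed by an uploaded policy (constructed allowlist).
sysctl_allowed() {
    case "$1" in
        net.inet.ip.forwarding|net.inet6.ip6.forwarding|net.inet.ip.redirect|\
        net.inet.ip.sourceroute|net.inet.ip.accept_sourceroute|\
        net.inet.tcp.blackhole|net.inet.udp.blackhole) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per requested sysctl: "apply name=value" or "refuse name=value".
plan_sysctls() {
    extract_sysctls "$1" | while IFS= read -r kv; do
        if sysctl_allowed "${kv%%=*}"; then echo "apply $kv"; else echo "refuse $kv"; fi
    done
}

apply_sysctls() {
    plan_sysctls "$1" | while read -r action kv; do
        case "$action" in
            apply)  $RUN sysctl "$kv" ;;
            refuse) echo "script.fw requested $kv: not in allowlist, skipped" >&2 ;;
        esac
    done
}

# 'add_addr <addr> <masklen> <iface>' lines whose three tokens have the expected
# shape and nothing follows them; any extra text on the line disqualifies it.
extract_add_addrs() {
    sed -n 's/^[[:space:]]*add_addr[[:space:]]\{1,\}\([0-9.]\{7,15\}\)[[:space:]]\{1,\}\([0-9]\{1,2\}\)[[:space:]]\{1,\}\([a-z][a-z0-9]*\)[[:space:]]*$/\1 \2 \3/p' "$1"
}

apply_add_addrs() {
    extract_add_addrs "$1" | while read -r addr masklen iface; do
        $RUN ifconfig "$iface" inet "$addr/$masklen" alias
    done
}

# Reload ipf/ipnat from the uploaded files with the binaries named in rc.conf,
# then install the files where the rc scripts read them at boot.
reload_and_install() {
    dir="$1"
    ipf_prog=$(rc_conf_value ipfilter_program "$RC_DEFAULTS" "$RC_CONF")
    ipf_rules=$(rc_conf_value ipfilter_rules "$RC_DEFAULTS" "$RC_CONF")
    ipnat_prog=$(rc_conf_value ipnat_program "$RC_DEFAULTS" "$RC_CONF")
    ipnat_rules=$(rc_conf_value ipnat_rules "$RC_DEFAULTS" "$RC_CONF")
    $RUN "${ipf_prog:-/sbin/ipf}" -Fa -f "$dir/ipf.rules"
    $RUN "${ipnat_prog:-/sbin/ipnat}" -CF -f "$dir/ipnat.rules"
    $RUN install -m 644 "$dir/ipf.rules" "${ipf_rules:-/etc/ipf.rules}"
    $RUN install -m 644 "$dir/ipnat.rules" "${ipnat_rules:-/etc/ipnat.rules}"
}

main() {
    dir="$1"
    for f in script.fw ipf.rules ipnat.rules; do
        if [ ! -f "$dir/$f" ]; then echo "missing $dir/$f" >&2; return 1; fi
    done
    apply_sysctls "$dir/script.fw"
    apply_add_addrs "$dir/script.fw"
    reload_and_install "$dir"
}

if [ $# -ge 1 ]; then main "$1"; fi
```

Run with `RUN=echo` against an uploaded directory first to see which settings the policy would change and which the allowlist refuses, before letting it touch the live rule set.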
To run '/usr/local/sbin/deploy-ipf-freebsd.pl' you will need the following software installed:
A Perl interpreter, v. 5.004 or higher.
Perl modules: 'Tie::IxHash', 'Config::ReadAndCheck', 'UniLog',
'Net::Ifconfig::Wrapper', 'File::Copy' (standard), 'POSIX' (standard).
Non-standard modules can be obtained from CPAN (http://search.cpan.org).
Do you have the 'sudo' utility installed? If not, install it from packages or ports.
Run the '/usr/local/sbin/visudo' command and add the following lines to the 'sudoers' file:
#
Host_Alias FIREWALLS = <YourHostNameHere>
Defaults:%fwadmin !lecture
#
%fwadmin FIREWALLS = NOPASSWD: /usr/local/sbin/deploy-ipf-freebsd.pl
#
These lines allow members of the 'fwadmin' group to run the command '/usr/local/sbin/deploy-ipf-freebsd.pl'
as user 'root' without entering a password.
Configuration is finished. You can try to deploy the policy using the ``Install'' option
in the ``Rules'' fwbuilder menu.
I suggest you test deployment with a simple ``allow all from any to any'' policy first. Just in case...
deploy-ipf-freebsd.pl - install policy locally
deploy-ipf-remote.sh - copy policy to remote system and call local install script on it
Adapt this HOWTO and the related scripts
for the PuTTY SSH client when fwbuilder for Win32 is released.
Adapt this HOWTO and the related scripts
for the other types of firewalls supported by fwbuilder.
Daniel Podolsky, <tpaba@cpan.org>