JWall 1.0 HOWTO
Zachary Link, <zack AT the DASH links DOT net>
Revision: 0.1.0
Date: 2003/08/15
This document describes how to use JWall to create and deploy
application configuration scripts to remote security-related devices.
1. Introduction
This document is meant to cover the usage of JWall for firewall
management. The scope is limited to the actual features and
functionality of JWall itself, and assumes the reader has some knowledge
of firewalls and security in general.
2. Where is the official web site?
jwall.sf.net
Is there a mailing list?
There are a few mailing lists, each with a different purpose.
Support:
lists.sourceforge.net/lists/listinfo/jwall-support
Announcements:
lists.sourceforge.net/lists/listinfo/jwall-milestones
Development: (for contributors)
lists.sourceforge.net/lists/listinfo/jwall-dev
3. What does JWall do?
JWall is a desktop application that allows a user to create and manage
linux-based firewalls. JWall is written in Java so it can run on
most common platforms. The remote firewalls currently require only
Linux with IPTables installed and SSH running. No Java or anything
graphical runs on the firewalls themselves. Future improvements
will allow JWall to manage other types of firewalls, as well as other
security-related applications, such as FreeSWAN, Snort and possibly
others.
JWall is designed to handle environments with a single firewall and few
rules, all the way to a large environment with many firewalls and
complex rulebases. Either one should be able to be deployed and
managed easily and securely, with a minimum of effort.
JWall represents all rulebases (or policies as we'll call them) as one
or more simple tables, populated with graphical objects representing
various objects on your network. For example a web server would be
defined as a Host, and there are also Firewall, Network, and Group
objects available. JWall can then generate the scripts necessary
to configure iptables on your remote firewalls, and securely transfer
those scripts and execute them on the firewall. JWall can also
allow you to monitor multiple firewalls easily from one client console.
4. Using JWall
4.1 Overview
a) Create objects in object tree (left panel)
b) Create a ManagedFirewall object (required)
c) Add and/or edit firewall rules
d) Add and/or edit NAT rules
e) Install Policy
4.2 Creating Objects
There are a few major categories of objects you can create, some with
sub-categories.
NetworkObjects represent networked objects with IP addresses. The
sub-classes include Host (single IP), Network (contiguous range of IPs),
VPN Peer (not supported in version 1.0), ManagedFirewall (a firewall to
be managed by JWall), and Group (any combination of the above objects).
Rate objects represent a defined number of packets over time (per
iptables).
Service objects represent a certain type of IP connection; in the case of
TCP or UDP that includes source and destination ports, and for ICMP that
includes ICMP type and code.
To create an object, right-click on the folder in the tree in the left
panel of JWall and click ADD.
Define your object in the resulting dialog box and click OK.
Common services come pre-defined, but you will need to define hosts,
networks, and at least one ManagedFirewall (required to generate scripts
and install policies).
4.3 Creating Firewall Rules
Click Edit -> Add Rule, to add a new blank rule to your current
active policy. Some cells can be edited by right-clicking the cell
and choosing Edit Cell. Rates and Actions are just drop down
boxes, Log is just a checkbox, and comments can be entered by clicking
on the comment cell and typing.
The firewall will look for packets matching the source, destination,
service and rate of the packet. If it gets a match, it will do the
action chosen in the Action column. Accept means the packet will
be forwarded as necessary, Drop means the packet will not be allowed to
pass, and Deny means the packet will not be allowed to pass, but a
message will be sent back to the source, notifying it that the packet
was not allowed. In addition, the match will also be logged if the
logged box is checked. If the packet is not matched, the firewall
will consult the next rule down the list. By default, at the end
of every rule list, JWall configures the firewall to drop anything that
doesn't match.
JWall tries to account for statefulness, meaning that responses
from a TCP connection are automatically allowed to return, without you
needing to specify a rule for that. For UDP, a rule is opened for
return packets also, even though UDP is stateless. For ICMP, rules
need to be created in both directions.
4.4 Creating NAT Rules
Creating NAT rules is similar to creating firewall rules, but click on
the NAT tab in the main window first.
In NAT rules though, the firewall will look for matches in the Original
columns (Source, Destination and Service), and if it gets a match, will
change the IPs to the corresponding Translated column entry.
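The following script is an added example and not JWall's own generator: it shows what the iptables commands behind the rule tables of sections 4.3 and 4.4 look like, with the Action column mapped to ACCEPT/DROP/REJECT, the Log checkbox mapped to a LOG rule, automatic return rules for TCP and UDP but not ICMP, a default drop for anything unmatched, and NAT rules that rewrite the Original columns to the Translated ones. The function names, rule argument format and sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not JWall's own script generator: emits the iptables
# commands a JWall-style policy would produce. Rule format, function names
# and the sample addresses below are assumptions made for illustration.

# Map the JWall Action column to an iptables target.
action_target() {
    case "$1" in
        Accept) echo ACCEPT ;;
        Drop)   echo DROP ;;
        Deny)   echo REJECT ;;   # Deny notifies the sender, Drop stays silent
        *)      echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Match clause for a Service object: tcp/udp use a destination port,
# icmp uses an ICMP type (or type/code).
service_match() {
    case "$1" in
        tcp|udp) echo "-p $1 --dport $2" ;;
        icmp)    echo "-p icmp --icmp-type $2" ;;
        *)       echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

# One firewall rule: fw_rule SRC DST PROTO SERVICE ACTION LOG(yes|no).
# Rules are appended in order, so the first match wins, as in the table.
fw_rule() {
    src=$1; dst=$2; proto=$3; svc=$4; action=$5; log=$6
    target=$(action_target "$action") || return 1
    match=$(service_match "$proto" "$svc") || return 1
    if [ "$log" = yes ]; then
        echo "iptables -A FORWARD -s $src -d $dst $match -j LOG --log-prefix \"jwall: \""
    fi
    echo "iptables -A FORWARD -s $src -d $dst $match -j $target"
    # Return traffic: opened automatically for TCP (non-SYN only) and UDP;
    # ICMP gets no automatic reverse rule, it must be written in both directions.
    if [ "$action" = Accept ]; then
        case "$proto" in
            tcp) echo "iptables -A FORWARD -s $dst -d $src -p tcp --sport $svc ! --syn -j ACCEPT" ;;
            udp) echo "iptables -A FORWARD -s $dst -d $src -p udp --sport $svc -j ACCEPT" ;;
        esac
    fi
}

# One NAT rule: nat_rule ORIG_SRC ORIG_DST PROTO SERVICE TRANS_SRC TRANS_DST.
# A "-" in a Translated column leaves that address unchanged.
nat_rule() {
    osrc=$1; odst=$2; proto=$3; svc=$4; tsrc=$5; tdst=$6
    match=$(service_match "$proto" "$svc") || return 1
    if [ "$tdst" != - ]; then
        echo "iptables -t nat -A PREROUTING -s $osrc -d $odst $match -j DNAT --to-destination $tdst"
        odst=$tdst   # POSTROUTING sees the already-rewritten destination
    fi
    if [ "$tsrc" != - ]; then
        echo "iptables -t nat -A POSTROUTING -s $osrc -d $odst $match -j SNAT --to-source $tsrc"
    fi
}

# Script preamble: flush, then default-drop so anything unmatched is dropped.
policy_header() {
    cat <<'EOF'
#!/bin/sh
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed sample policy: a web server 10.0.0.5 behind the firewall,
# a management host 192.0.2.10, and a public address 198.51.100.1.
sample_policy() {
    policy_header
    # Management SSH to the firewall itself, placed first so the default
    # DROP above cannot cut off the sshd that policy installs rely on.
    echo "iptables -A INPUT -s 192.0.2.10 -p tcp --dport 22 -j ACCEPT"
    fw_rule 0.0.0.0/0  10.0.0.5    tcp  80 Accept no
    fw_rule 192.0.2.10 10.0.0.5    icmp 8  Accept no
    fw_rule 10.0.0.5   192.0.2.10  icmp 0  Accept no
    fw_rule 0.0.0.0/0  10.0.0.0/24 tcp  23 Deny   yes
    nat_rule 0.0.0.0/0 198.51.100.1 tcp 80 - 10.0.0.5
}

sample_policy
```

Running the script prints the generated policy rather than applying it, so it can be reviewed before anything reaches a firewall. Note that the ICMP echo-request rule gets no automatic reverse rule, which is why the echo-reply rule in the opposite direction is written out explicitly, exactly as section 4.3 requires.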
4.5 Saving Policy
Use File -> Save or File -> Save As to save your policy.
This creates a local copy of your policy (XML format) for later
use. This should be done before trying to install your policy.
4.6 Installing Policy
Use Policy -> Install to install your policy. A list of all
your defined ManagedFirewalls will be presented, and you can choose one
or more to install to. This will create a local copy of your
iptables script, copy it to the remote firewall (using scp or sftp, so
sshd will need to be running on the remote firewall), chmod it if
required and execute it to make it active immediately.
Alternatively, you can use Policy -> Generate Scripts to create a
local copy of your iptables scripts, and then copy and execute manually.
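As an added example (not part of JWall), the following shell function does by hand what Policy -> Install does for a script produced by Policy -> Generate Scripts: copy the script to the firewall over SSH, make it executable and run it. It adds one check a practitioner would want before pushing a default-drop policy to a box that is only reachable over sshd: the script must keep an ACCEPT for TCP port 22 from the management host. The remote user, remote path, and the exact grep patterns are assumptions.

```shell
#!/bin/sh
# Added example, not JWall's own installer: manual equivalent of
# Policy -> Install. Remote user (root), remote path and the check
# patterns are assumptions for illustration.

# Return 0 if the script is safe to install from management host $2:
# either it does not default-drop INPUT, or it keeps ssh (tcp/22) from
# the management host allowed. Installing without this is how a
# default-drop policy locks the administrator out of the firewall.
check_script() {
    script=$1; mgmt=$2
    grep -q 'iptables -P INPUT DROP' "$script" || return 0
    grep -q -- "-s $mgmt .*--dport 22 -j ACCEPT" "$script"
}

# Copy the generated script to the firewall, chmod it and execute it,
# exactly the sequence section 4.6 describes for Policy -> Install.
install_policy() {
    script=$1; fw=$2; mgmt=$3
    if ! check_script "$script" "$mgmt"; then
        echo "refusing to install: $script has no ssh allow rule for $mgmt" >&2
        return 1
    fi
    scp "$script" "root@$fw:/tmp/jwall-policy.sh" || return 1
    ssh "root@$fw" 'chmod 700 /tmp/jwall-policy.sh && /tmp/jwall-policy.sh'
}

# Usage (assumed host names):
#   install_policy ./fw1-policy.sh fw1.example.net 192.0.2.10
```

The check is deliberately conservative: a script that does not set a DROP policy on INPUT passes unchecked, while one that does must name the management host explicitly. A false refusal costs a second look at the script; a false pass costs a trip to the console.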
5. Getting support
Commercial support can be purchased. Please email Zachary Link
(zack <at> the <dash> links <dot> net) if interested.
Non-commercial support can be had by joining the jwall
support list.
6. Contributors/Contributing
JWall contributors
- Zachary Link <zack/AT/the-links.net>
- Dirk Dittert <dittert/AT/despammed.com>
- Seth Bareiss <seth/AT/fureai-ch.ne.jp>
- Carlos "Bill" Nilton <bill/AT/uniq2001.com.br>
- Eckard Buchner <ebuchner/AT/web.de>
- Phillip J Link <pjlink/AT/acm.org>
- Thomas Greisinger <madcow/AT/dmx.de>
If you are interested in contributing to JWall, we need developers,
testers, translators, security engineers and money. Please contact
Zachary Link (zack <at> the <dash> links <dot> net) if
interested.