JWall 1.0 HOWTO

Zachary Link,  <zack AT the DASH links DOT net>

Revision: 0.1.0
Date: 2003/08/15

This document describes how to use JWall to create and deploy application configuration scripts to remote security-related devices.

1. Introduction

2. Where is the official Web Site? Is there a Mailing List?

3. What does JWall do?

4. Using JWall

5. Getting support

6. Contributors/Contributing

1.  Introduction

This document is meant to cover the usage of JWall for firewall management.  The scope is limited to the actual features and functionality of JWall itself, and assumes the reader has some knowledge of firewalls and security in general. 

2.  Where is the official web site?


Is there a mailing list?

There are a few mailing lists, each with a different purpose.



Development: (for contributors)

3.  What does JWall do?

JWall is a desktop application that allows a user to create and manage Linux-based firewalls.  JWall is written in Java so it can run on most common platforms.  The remote firewalls themselves currently require only Linux with iptables installed and an SSH server running; no Java or anything graphical runs on the firewalls.  Future improvements will allow JWall to manage other types of firewalls, as well as other security-related applications, such as FreeSWAN, Snort and possibly others.

JWall is designed to handle anything from a single firewall with a few rules to a large environment with many firewalls and complex rulebases.  Either should be deployable and manageable easily and securely, with a minimum of effort.

JWall represents each rulebase (or policy, as we'll call it) as one or more simple tables, populated with graphical objects representing the various objects on your network.  For example, a web server would be defined as a Host; Firewall, Network and Group objects are also available.  JWall can then generate the scripts necessary to configure iptables on your remote firewalls, transfer those scripts securely, and execute them on the firewall.  JWall also lets you monitor multiple firewalls from one client console.

4.  Using JWall

4.1  Overview

a) Create objects in object tree (left panel)
b) Create a ManagedFirewall object (required)
c) Add and/or edit firewall rules
d) Add and/or edit NAT rules
e) Install Policy

4.2  Creating Objects

There are a few major categories of objects you can create, some with sub-categories.

The first category is objects that represent networked devices with IP addresses.  The sub-classes include Host (single IP), Network (contiguous range of IPs), VPN Peer (not supported in version 1.0), ManagedFirewall (a firewall to be managed by JWall), and Group (any combination of the above objects).

Rate objects represent a defined number of packets over time (counted the way iptables counts them, e.g. packets per second or per minute).

Service objects represent a certain type of IP connection: for TCP or UDP that includes source and destination ports, and for ICMP that includes the ICMP type and code.

To create an object, right-click on the folder in the tree in the left panel of JWall and click ADD.  Define your object in the resulting dialog box and click OK.

Common services come pre-defined, but you will need to define hosts, networks, and at least one ManagedFirewall (required to generate scripts and install policies).

4.3  Creating Firewall Rules

Click Edit -> Add Rule to add a new blank rule to your current active policy.  Some cells are edited by right-clicking the cell and choosing Edit Cell.  Rate and Action are drop-down boxes, Log is a checkbox, and a comment is entered by clicking on the comment cell and typing.

For each rule, in order, the firewall checks whether the packet matches the rule's Source, Destination, Service and Rate.  If it matches, the action in the Action column is applied.  Accept means the packet is allowed through (forwarded if necessary), Drop means the packet is silently discarded, and Deny means the packet is discarded but a message is sent back to the source notifying it that the packet was not allowed (in iptables terms, REJECT rather than DROP).  In addition, the match is logged if the Log box is checked.  If the packet does not match, the firewall consults the next rule down the list.  By default, at the end of every rule list, JWall configures the firewall to drop anything that matched no rule, so traffic you have not explicitly allowed is blocked.

JWall tries to account for statefulness: replies belonging to a TCP connection that a rule allowed are automatically permitted to return, without you needing a rule in the other direction.  For UDP, a return rule is opened as well, even though UDP itself is connectionless.  For ICMP, rules need to be created in both directions.

4.4  Creating NAT Rules

Creating NAT rules is similar to creating firewall rules, but click on the NAT tab in the main window first.

In a NAT rule the firewall looks for matches in the Original columns (Source, Destination and Service), and if it gets a match, rewrites the addresses to the corresponding entries in the Translated columns.
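Both tables map onto iptables fairly directly.  The script below is an added example for this HOWTO, not JWall's own generator or any code from the project: it turns a JWall-style firewall rule table (Source, Destination, Service, Rate, Action, Log) and NAT table (Original Source, Destination and Service; Translated Source and Destination) into the kind of iptables script that Policy -> Generate Scripts produces for you.  The column layout, the choice of the FORWARD chain, the use of connection tracking for TCP and UDP replies, and the sample tables are all assumptions made for the example, not a description of what JWall 1.0 actually emits.

```shell
#!/bin/sh
# Added example, not JWall's generator: turn a JWall-style rule table and
# NAT table into an iptables script.  The column layout, the FORWARD chain,
# connection tracking for TCP/UDP replies and the sample tables are all
# assumptions made for this illustration.
#
# Firewall rule columns:  SRC DST PROTO PORT RATE ACTION LOG
#   SRC/DST  host or CIDR network, or "any";  PROTO tcp, udp or icmp
#   PORT     destination port (for icmp: the ICMP type)
#   RATE     iptables limit such as 5/minute, or "-" for none
#   ACTION   Accept, Drop or Deny;  LOG yes or no
# NAT rule columns:  OSRC ODST PROTO PORT TSRC TDST  ("-" = unchanged)

# JWall action -> iptables target.  Deny is REJECT: the packet is discarded
# and an ICMP error goes back to the sender; Drop discards silently.
action_target() {
    case "$1" in
        Accept) echo ACCEPT ;;
        Drop)   echo DROP ;;
        Deny)   echo REJECT ;;
        *)      echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Match expression for one rule: rule_match SRC DST PROTO PORT RATE
rule_match() {
    m=""
    [ "$1" != any ] && m="$m -s $1"
    [ "$2" != any ] && m="$m -d $2"
    m="$m -p $3"
    case "$3" in
        tcp|udp) m="$m --dport $4" ;;
        icmp)    m="$m --icmp-type $4" ;;
    esac
    [ "$5" != - ] && m="$m -m limit --limit $5"
    echo "${m# }"
}

# Firewall rules from stdin, in table order.  LOG does not stop rule
# processing, so a logged rule becomes a LOG rule followed by its action.
filter_rules() {
    while read src dst proto port rate action log; do
        case "$src" in ''|'#'*) continue ;; esac
        target=$(action_target "$action") || return 1
        match=$(rule_match "$src" "$dst" "$proto" "$port" "$rate")
        if [ "$log" = yes ]; then
            echo "\$IPT -A FORWARD $match -j LOG --log-prefix \"jwall-$action: \""
        fi
        echo "\$IPT -A FORWARD $match -j $target"
    done
}

# NAT rules from stdin: a translated destination is DNAT in PREROUTING,
# a translated source is SNAT in POSTROUTING (one translation per row).
nat_rules() {
    while read osrc odst proto port tsrc tdst; do
        case "$osrc" in ''|'#'*) continue ;; esac
        match=$(rule_match "$osrc" "$odst" "$proto" "$port" -)
        if [ "$tdst" != - ]; then
            echo "\$IPT -t nat -A PREROUTING $match -j DNAT --to-destination $tdst"
        elif [ "$tsrc" != - ]; then
            echo "\$IPT -t nat -A POSTROUTING $match -j SNAT --to-source $tsrc"
        fi
    done
}

# Whole script: fail-closed policy, flush, replies for TCP and UDP (ICMP
# needs explicit rules both ways), NAT, the rules, then the catch-all drop
# that JWall appends to every rule list.
gen_policy() {   # gen_policy "$filter_table" "$nat_table"
    cat <<'EOF'
#!/bin/sh
IPT=${IPT:-iptables}
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    printf '%s\n' "$2" | nat_rules || return 1
    printf '%s\n' "$1" | filter_rules || return 1
    echo '$IPT -A FORWARD -j DROP'
}

# Constructed sample tables (not from the JWall documentation).
SAMPLE_FILTER='
# SRC          DST            PROTO PORT RATE      ACTION LOG
10.0.0.0/24    192.168.1.10   tcp   80   -         Accept no
any            192.168.1.10   tcp   22   5/minute  Deny   yes
any            192.168.1.0/24 icmp  8    -         Drop   no
'
SAMPLE_NAT='
# OSRC         ODST           PROTO PORT TSRC         TDST
any            203.0.113.5    tcp   80   -            192.168.1.10
10.0.0.0/24    any            tcp   443  203.0.113.5  -
'

gen_policy "$SAMPLE_FILTER" "$SAMPLE_NAT"
```

Running it prints the iptables script for the sample tables; redirect that to a file and run the file on a Linux host with iptables to apply it.  Three points worth noticing in the output: Deny becomes REJECT, a checked Log box becomes a separate LOG rule placed just before the action because LOG never terminates rule processing, and the final unconditional DROP is what the "drop anything that doesn't match" default above amounts to.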

4.5  Saving Policy

Use File -> Save or File -> Save As to save your policy.  This creates a local copy of your policy (XML format) for later use.  Do this before trying to install your policy.

4.6  Installing Policy

Use Policy -> Install to install your policy.  A list of all your defined ManagedFirewalls will be presented, and you can choose one or more to install to.  This will create a local copy of your iptables script, copy it to the remote firewall (using scp or sftp, so sshd must be running on the remote firewall), chmod it if required, and execute it so the new policy is active immediately.  Because the generated script ends in a default drop, check before installing that the policy still permits SSH from the JWall workstation to each ManagedFirewall, or the install can cut off the management connection.

Alternatively, you can use Policy -> Generate Scripts to create a local copy of your iptables scripts, and then copy and execute manually.
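The manual route can be scripted, and doing so is a chance to add a safeguard the install step does not have.  The following is an added example, not part of JWall: it copies a generated script to a ManagedFirewall over scp and runs it over ssh, as Policy -> Install does, but first saves the live ruleset with iptables-save and starts a detached timer on the firewall that restores it with iptables-restore unless you confirm the new policy in time.  A policy that blocks SSH therefore undoes itself.  The remote paths, the root login, the 120-second timeout and the host name fw1 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of JWall: push a generated iptables script to a
# ManagedFirewall the way Policy -> Install does (copy, chmod, execute),
# but with a rollback timer on the firewall so a policy that blocks the
# management SSH session undoes itself.  Paths, the root login and the
# timeout are assumptions made for this example.

REMOTE_SCRIPT=/var/tmp/jwall-policy.sh       # where the script is copied to
REMOTE_SAVE=/var/tmp/jwall-previous.rules    # iptables-save of the old rules
REMOTE_PID=/var/tmp/jwall-rollback.pid       # pid of the rollback timer
ROLLBACK_SECS=${ROLLBACK_SECS:-120}
SSH=${SSH:-ssh}                              # set SSH=echo SCP=echo to dry-run
SCP=${SCP:-scp}

# Command executed on the firewall: save the live ruleset, start a detached
# timer that restores it, then run the new policy.  The timer's stdio is
# detached so the ssh session returns without waiting for it.
remote_apply_cmd() {
    printf '%s ' \
        "iptables-save > $REMOTE_SAVE && chmod 700 $REMOTE_SCRIPT || exit 1;" \
        "(sleep $ROLLBACK_SECS && iptables-restore < $REMOTE_SAVE)" \
        "</dev/null >/dev/null 2>&1 & echo \$! > $REMOTE_PID;" \
        "sh $REMOTE_SCRIPT"
}

# install_policy <firewall> <local script>: copy the script and apply it.
install_policy() {
    "$SCP" "$2" "root@$1:$REMOTE_SCRIPT" || return 1
    "$SSH" "root@$1" "$(remote_apply_cmd)"
}

# confirm_policy <firewall>: once you have verified the firewall is still
# reachable, cancel the timer; otherwise the old ruleset comes back on its own.
confirm_policy() {
    "$SSH" "root@$1" "kill \$(cat $REMOTE_PID) && rm -f $REMOTE_PID"
}

# Stand-alone use:  sh install.sh fw1 ./policy.sh   then   confirm_policy fw1
if [ $# -eq 2 ]; then
    install_policy "$1" "$2"
fi
```

The order inside the remote command matters: the save and chmod run first and abort the install if either fails, only the sleep-and-restore subshell is put in the background, and the new policy runs last.  If you lose the session, wait out the timeout and the previous rules return; if you can still log in, run the confirm step to keep the new policy.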

5.  Getting support

Commercial support can be purchased.  Please email Zachary Link (zack <at> the <dash> links <dot> net) if interested.

Non-commercial support can be had by joining the jwall support list.

6.  Contributors/Contributing

JWall contributors

If you are interested in contributing to JWall, we need developers, testers, translators, security engineers and money.  Please contact Zachary Link (zack <at> the <dash> links <dot> net) if interested.