Firewall Builder/zh cn

From DD-WRT Wiki

Jump to: navigation, search

Firewall Builder 是一个运行在PC上的第三方商业防火墙GUI,可以通过ssh远程管理路由器上的iptables规则。

可以从: 获得 Firewall Builder (fwbuilder) .

Prequisites: 需要开启 DD-WRT 的sshd.


[edit] 配置

  1. After starting the fwbuilder software, first you need to create the firewall object. That's done by right click to firewalls -> create new firewall. Now you are prompted for the name (Give it some like DD-WRT for example). The firewall-software in your case is "iptables" and the operating system is "Linksys/Sveasoft". Check the box to use a preconfigured firewall.
  2. Now you are presented with the different templates. Choose "linksys firewall". Now create your firewall.
  3. Now you'll be presented with your firewall. You need to make some adjutsments. First change the version in the Firewall box (the version field is directly under the platform field) to "1.2.9 or later" and commit your changes.
  4. (If you need to use PPPoE to connect to the internet) Now you see your firewall object on the left side under the folder firewalls. Expand it. There should be one interface, called "outside (dyn ext)". Double Click this interface and change the name from "vlan1" to "ppp0". Firewall Builder will prompt you, that it can do some changes for you automatically. Confirm this dialogue with yes.
  5. Now you are almost done. In the big field you see the rules of your firewall. In my opinion, the first one can't work (or better - this rule will break your DHCP for the first configuration.) So delete rule number 0. (Just do a right click on the 0 and choose "delete rule".)
  6. The next step is to tell Firewall Builder where to find the ssh tools. Just go to edit->configuration and choose the tab "SSH". On Windows I use pscp.exe and plink.exe as recommended. You can download them free of charge on the net. [1]
  7. Now you are ready to install your first iptables firewall with Firewall Builder. Press the icon with the computer and the two arrows. This will prompt you, where to save the fwbuilder file on your computer for later configuration. Just choose a name. The next step is compiling your firewall rules. And then hit install. Firewall Builder needs the connection details now. The username is "root" and you need to enter your password here. If you confirm this page, you'll see a dialogue about installing the firewall. That's all.

There are some points, you should take care of: - The basic ruleset is not secure because it allows any connection to extern. It needs to be configured to your needs. - NEVER FORGET TO ALLOW SSH ACCESS IN A RULE TO YOUR FIREWALL. OTHERWISE YOU ARE OUTSIDE OF YOUR WALL (THAT'S REALLY SECURE, ISN'T IT?). If that happens, follow some descriptions how to recover from a bad firmware flash. (My recommendation: press reset and hold while you power on, reset at least for 30 seconds and power off. Try if you can to ping your router while it's booting. If not, Good Luck!)

[edit] Firewall Builder

Use of FWBuilder 2.0.10-1 with DD-WRT V23 + JFFS2

Sure you also can use it without jffs2, but then you are somewhat limited with the size of the firewall you can build.

How to: Flash the Linksys device with dd-wrt v23 final (Go to Administration -> Firmware Upgrade). If you not have done until now, go to Administration -> Management and enable JFFS2 and Clean JFFS2 JFFS2. Then go to Administration -> Services and enable SSHD. Now start Putty.exe or any other SSH-program and login (username: root + your password). Now do:

cd /jffs

mkdir firewall

Let the SSH console open.

Now start fwbuilder.exe. Choose "Create new project file". Right click on "Firewalls" and choose "New Firewall". Enter the name of the new opject below: something like "my firewall". Choose firewall software is running "iptables". Choose OS the new firewall runs on: "Linksys/Sveasoft". Check "Use preconfigured tamplate firewall objects". Choose template "linksys firewall" and press Finish.

Double Click on my firewall and cange Version to "1.2.9 or later". Now change Host OS to "Linux 2.4/2.6". (Do not use Linksys/Sveasoft here, because you don't want to store the data in the NVRAM now, but in the jffs file system)

Choose "Firewall Settings" and choose tab compiler. Fill in the field Output file name: "firewall.fw". Choose tab installer and put in the field "Directory on the firewall where script should be installed" "/jffs/firewall/". Press OK to close the dialog. Now select from the menu Edit -> Preferences tab SSH. Enter the path for pscp.exe and plink.exe. Expand the tree under my firewall and double click on "outside (dyn ext)" and change the Name to "ppp0" if you use PPPoE to connect to the internet. Confirm the following dialog with "Yes". Now build your firewall rules.

After building your rules, choose Rules -> Install. On request choose "compile" and than "install". In the following dialog enter username "root" and your password.

In the SSH console enter:

nvram set rc_firewall=/jffs/firewall/firewall.fw

nvram commit

chmod 775 /jffs/firewall/firewall.fw

If you want to know about the free space on your jffs partition enter "df" in the SSH console.

That's all.

Comment: If you have started the PPTP Server, you must not check Load Modules (Double Click on Firewall, choose Firewall settings, choose tab script options and remove the tick on Load Modules). Otherwise the script exits with an error (+ /sbin/modeprobe ip_conntrack_pptp modeprobe: could not parse modules.dep) and doesn't load the firewall policies. If someone knows how to correct this behaviour, please post.

[edit] DD-WRT V24 和 iptables-save

Added by --Ptruman 14:49, 2 June 2008 (CEST)

fwbuilder works with files created using iptables-save - which is NOT part of DD-WRT. 如果你下载了包含 iptables-save 和 iptables-restore的 ipkg iptables-utils , 会发现不能用, 出现类似如下错误信息 :

/jffs # iptables-save 
# Generated by iptables-save v1.3.3 on Wed May 14 09:04:13 2008 
:PREROUTING ACCEPT [1791:460202] 
:OUTPUT ACCEPT [103:16861] 
Can't find library for match `tcp' 
-A PREROUTING -d -p tcp /jffs/etc/iptables # 

尽管, V24 of DD-WRT '已经 修改支持了 iptables - 尽管 iptables-save 命令现在仍不能用 - 尽管你 可以使它正常工作:)

说明 :

  1. 开启 Journalling Flash File System
  2. 运行如下命令
ln -s /usr/sbin/iptables /jffs/bin/iptables-save
iptables-save > /tmp/iptables.txt

You should now have a file called iptables.txt containing your firewall rules, which can you then use with fwbuilder :)

[edit] 扩展链接