A long time ago in a distant galaxy I wrote a few firewall rules for iptables. At the time, they were more than sufficient to protect my lonely router from the filthy internet. My network gradually grew over the course of many years, and since that time these firewall rules have been mangled, munged, and otherwise become unparseable to all but the most adept Linux operating system. Over the past two weeks, I set forth on a journey to take what was a lagoon full of random packet filtering rules and organize them in such a way that they actually made sense to a human. About a week ago, I decided to update the firewall rules on all my Ubuntu machines. Historically, I just took what I used on the original firewall and applied a version of those rules to my other machines. It's kind of like taking bad DNA and having babies: you may not end up with a good final product. In fact, I had so many duplicate rules, and so many rules that didn't maintain state, that I'm surprised packets could actually find their way through the firewall chains.
I wanted a GUI that produced nice, clean firewall rules that I could understand after they were generated and perhaps tweak if need be. There are a variety of applications that provide support for creating and managing firewall rules. However, after evaluating a few of them, one application rose to the surface: Firewall Builder.
According to the Firewall Builder website:
'Firewall Builder is a multi-platform firewall configuration and management tool. It consists of a GUI and a set of policy compilers for various firewall platforms. Firewall Builder uses an object-oriented approach; it helps the administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations. Firewall Builder currently supports iptables, ipfilter, OpenBSD PF and Cisco PIX.'
After about an hour of being confused out of my mind, things started to snap into place and I began to understand how this fine application worked. But could it really generate rules the way I would expect? Only time would tell. I started out with my internal servers and created new firewall rulesets. It worked like a charm, so I decided to tackle the challenge of re-inventing the rules for my router/firewall, which has four interfaces. Once I understood how to DNAT and SNAT, everything else was a piece of cake. FWBuilder then compiled my desires into a single file that contained all my firewall rules, iptables in my case.
The resulting set of rules is clean, even to a human. Here's an example of one of the rules I created to prevent spoofed RFC1918 packets from entering my network.
Not bad, eh? While I could probably talk for a few hours on why this tool has been so helpful for me, I wouldn't want to ruin all the fun. If you are at all interested in finding a better way than a text editor to manage your firewall rules, make sure you give Firewall Builder a try.
Very nice!! I shall take a deeper look when I get a few minutes :-) Till then I shall stay with my little dinky firewall made by DD-WRT, plus I'm not hosting anymore! :0 DD-WRT has some nice features and it allows you to run Linux in no memory at all, plus it's extremely stable!!
Check it out.
http://www.dd-wrt.com/dd-wrtv2/index.php