There is a special type of interface child object, called the Attached Network object, that represents the networks that are directly attached to the interface. Figure 5.35 shows an example firewall configuration for a firewall with two network interfaces.
In the example configuration one of the interfaces, eth0, has one IP address and the other interface, eth1, has two IP addresses as shown in Table 5.2.
Table 5.2. Attached Networks
To create an object that matches the attached networks, select an interface, right-click on the interface and select New Attached Network from the context menu as shown in Figure 5.36.
This will create a new child object under the eth1 interface object called linux-1:eth1:attached.
If you open the object for editing as shown in Figure 5.38 you will see the list of all networks that are currently attached to the eth1 interface. If you add or delete IP addresses from the interface the Attached Network object will be automatically updated.
The Attached Network object can then be used in rules just like any other Network object. Figure 5.39 shows an example of using the Attached Network object from the eth1 interface in a NAT policy rule.
Compiling this rule for an iptables firewall results in the output shown below.
echo "Rule 0 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j SNAT --to-source 192.0.2.1
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j SNAT --to-source 192.0.2.1
You can also use the Attached Network object with interfaces that are configured as "Address is assigned dynamically". In this case the script generated by Firewall Builder determines the attached network from the IP address that is assigned to the interface at the time the script is run.
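The following POSIX shell script is an added example, not Firewall Builder's own generated code. It shows the expansion the two preceding paragraphs describe: for the page's eth1, which carries two IPv4 addresses, it derives the attached networks from the address/prefix pairs and emits the same "Rule 0 (NAT)" iptables lines shown above, and for the dynamic-address case it reads the interface's addresses in ip(8) output format at run time. The ip(8) output embedded below is constructed so the script runs offline; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Firewall Builder's generated script): derive the
# networks attached to an interface from its IPv4 addresses and emit the
# SNAT rules shown for "Rule 0 (NAT)". On a live host the sample text is
# replaced by the output of: ip -o -4 addr show dev "$ifname"

# Constructed sample of `ip -o -4 addr show dev eth1` for the page's eth1,
# which has one address in each of its two attached networks.
SAMPLE_IP_OUTPUT='2: eth1    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1\       valid_lft forever preferred_lft forever
2: eth1    inet 172.16.0.1/24 brd 172.16.0.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Turn an address/prefix pair such as 10.10.10.1/24 into its network,
# 10.10.10.0/24. Integer arithmetic only, so plain POSIX sh suffices.
cidr_to_network() {
    addr_str=${1%/*}
    plen=${1#*/}
    IFS=. read -r o1 o2 o3 o4 <<EOF
$addr_str
EOF
    addr=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Read one-line-per-address ip(8) output on stdin and print one attached
# network per line. Only "inet" (IPv4) entries are used; duplicates are
# removed in case several addresses fall in the same subnet.
attached_networks() {
    while read -r _idx _name fam cidr _rest; do
        if [ "$fam" = inet ]; then
            cidr_to_network "$cidr"
        fi
    done | sort -u
}

# Read attached networks on stdin and emit the "Rule 0 (NAT)" lines:
# source-NAT traffic from each network leaving via $1 to the address $2.
emit_snat_rules() {
    out_if=$1
    snat_to=$2
    printf 'echo "Rule 0 (NAT)"\n#\n'
    while read -r net; do
        printf '$IPTABLES -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
            "$out_if" "$net" "$snat_to"
    done
}

# Stand-alone run: expand eth1's attached networks into the NAT rules.
printf '%s\n' "$SAMPLE_IP_OUTPUT" | attached_networks | emit_snat_rules eth0 192.0.2.1
```

Because the network list is computed when the script runs rather than when it is compiled, the same rules are produced whether the addresses were typed into the interface object or handed out by DHCP; that is the behaviour the dynamic-address setting relies on.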
The Attached Network object on Cisco ASA/PIX firewalls works the same way as it does for iptables firewalls where the Attached Network object will be expanded to include all networks that are associated with the IP address(es) assigned to the interface.
On PF firewalls the Attached Network object translates into the "<interface>:network" configuration parameter. For example, if you create an Attached Network object on interface em0 and use it in a rule, the generated configuration refers to em0:network instead of listing the networks explicitly.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.