HowTo: Creating Firewall and Cluster Objects In Firewall Builder

Here I present an abbreviated explanation of the process of creating firewall and cluster objects. More detailed step-by-step guides are available in sections “Firewall Object” and “Cluster Object” of the Firewall Builder Users Guide.

As usual, to create a firewall object I use main menu “Object/New object” which opens a menu of object types:

Figure 4. Creating first member firewall object

Figure 4. Creating first member firewall object

After I choose the type “Firewall”, a wizard used to create new firewall object opens:

Figure 5. Choosing the name, platform and host OS for the firewall object

Figure 5. Choosing the name, platform and host OS for the firewall object

To make things simpler, I am going to use preconfigured template object “web server” that comes with the package. This object represents a machine with one interface “eth0” and comes with some basic firewall policy that can be useful as a starting point for the firewall configuration for a web server.

Figure 6. Choosing template firewall object

Figure 6. Choosing template firewall object

Template firewall object has IP address that does not match address chosen for this example. The next page of the wizard allows me to change the address and add two more:

Figure 7. Changing ip address of the firewall object

Figure 7. Changing ip address of the firewall object

Once I am done changing ip addresses and click “Finish”, the new firewall object is created and is added to the library of objects that was opened at the moment. In this example this library is called “Cookbook2”. I “floated” the object tree panel to make the screenshot more compact. You can see the new firewall object in the tree, its interfaces and ip addresses, as well as preconfigured policy rule set on screenshot Figure 8:

Figure 8. Firewall object created from the template

Figure 8. Firewall object created from the template

The member firewall object’s interface “eth0” has only one IP address which is its own, in our example Virtual addresses managed by heartbeat will be added to the cluster object later.

Next, I create the second member firewall linux-test-2 with its own ip address:

Figure 9. Two member firewall objects

Figure 9. Two member firewall objects

Because our firewall objects represent web servers which should never have to forward packets, we should turn ip forwarding off. To do this, double click the firewall object in the tree to open it in the editor, then click “Host OS settings” button and turn IP forwarding off as shown in Figure 10. Turning ip forwarding off in this dialog has several consequences: generated firewall script will actually turn it off on the server and Firewall Builder policy compiler will not generate any rules in the FORWARD chain.

Figure 10. Turn off ip forwarding

Figure 10. Turn off ip forwarding

Now that I have both firewall objects, I can create cluster object that will represent my HA pair. To do this, I select both firewall objects in the tree by clicking on them while holding Ctrl key, then click right mouse button to open context menu and choose item “New cluster from selected firewalls”:

Figure 11. Create cluster object from two member firewalls

Figure 11. Create cluster object from two member firewalls

This opens a wizard that will walk you through the process of creating new cluster object. The wizard was opened using “New cluster from selected firewalls” menu, because of that there are only two firewall objects in the list. If I used main menu “Object/New Object” and then “New Cluster”, I would see all firewalls defined in my data file in the list which can be quite long.

Figure 12. Choosing the name for the new cluster object

Figure 12. Choosing the name for the new cluster object


A word about “Master” column. Not all failover protocols require one of the member firewalls to be designated as “master”. Most protocols used on Linux don’t, so you can disregard this setting on the first page of the wizard. It is needed for other platforms, such as PIX. In this sense setting “master” on the first page of the wizard is not optimal. We will rectify this in the future versions of Firewall Builder.

Figure 13. Choosing interfaces of the member firewalls

Figure 13. Choosing interfaces of the member firewalls

This page of the wizard allows me to establish correspondence between interfaces of the member firewalls create cluster interface objects that will represent them. Cluster interface object should have the same name as corresponding member firewall interfaces. The program tries to guess what interfaces of the member firewalls can be used for the cluster and in a simple configuration like the one I am working with, guesses right.

On the next page of the wizard I can choose failover protocol used by the cluster on each interface (in principle, I can run different protocols on different interfaces) and virtual IP addresses.

Figure 14. Choosing IP addresses for the interfaces of the cluster

Figure 14. Choosing IP addresses for the interfaces of the cluster

Next page of the wizard is particularly interesting. Here I can choose which member firewall policy to use for the cluster. This feature is designed mostly for those who convert from the old manually maintained configuration of redundant firewalls to the new cluster object and want to reuse policy rules that used to belong to one of the member firewalls.

Figure 15. Cluster will inherit rules of one of the member firewalls

Figure 15. Cluster will inherit rules of one of the member firewalls

When new cluster object inherits policy and other rule sets of one of the members, the program copies rules from the designated member to the cluster, then it creates copies of all member firewalls, clears their rule sets and sets the cluster up to use these copies as members. It keeps old member firewall objects in the file, but they are marked as inactive and renamed. These objects are kept as a backup in case you may want to check their configuration or copy rules. New cluster object is shown in Figure 16:

Figure 16. New cluster object

Figure 16. New cluster object

Each cluster interface has child “Failover group” object with the name “firewall:eth0:members” or similar. This is where you configure associated member firewall interfaces. Double click this object in the tree and then click “Manage Members” button in the dialog. Select interfaces of the member firewalls in the panel on the left hand side and click arrow button to add them to the list on the right. When you create cluster object using the wizard, the Failover Group objects are created automatically.

Figure 17. Failover group object

Figure 17. Failover group object

Failover Group object not only ties interfaces of the member firewalls together, it is also the place where you configure failover protocol and its parameters. I am using heartbeat in this example and failover group object “web_server_cluster:eth0:members” is configured with this protocol as shown in Figure 17. To configure parameters of the protocol, click “Edit protocol parameters” button. This opens dialog Figure 18:

Figure 18. Parameters of heartbeat protocol

Figure 18. Parameters of heartbeat protocol

These parameters are used to generate policy rules that permit packets of the protocol.

About the author: This article seires is contributed by Vadim Kurland {vadim at fwbuilder DOT org}, the main author of Firewall Builder.

🐧 Please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
0 comments… add one

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @