I'm very new to ROS, and I'd probably like to maintain and generate all my iptables rules via something like FWBuilder.
Is there some way to bring in those rules (via bash script) into ROS?
TIA
-Greg
Re: IPTables bash script
Hi!I'm very new to ROS, and I'd probably like to maintain and generate all my iptables rules via something like FWBuilder.
Is there some way to bring in those rules (via bash script) into ROS?
TIA
-Greg
Is it FWBuilder compatible with Mikrotik devices?
Thanks
Re: IPTables bash script
In short, no.
While it's less than the best solution, I suspect, I've created a excel spreadsheet that will generate all my rules.
[At least filter and dst-nat rules.]
Not every option is there, but the most common used fields: src-addr, dst-addr etc.
Essentially each column allows me to specify things like input/output/forward Type:[tcp/udp/icmp] - then I have a hokey formula that strings everything together into the ROS script code to use in a SSH session to "paste" it in. [So shoot me, it was the best I could come up with at the time, and try as I might, I've not been bright enough to come up with something better...]
I'd much prefer to use FWBuilder, but this is the best I've come up with.
One other upside is that if I use it for all the rules, they're "documented" and portable to another firewall if needed. [Say a hot-swap replacement.]
I can also use those rules for a template for another installation.
So, all-in-all it works reasonably well, and it's better than just cranking out ROS script code to put them in, or using winbox/webfig.
-Greg
While it's less than the best solution, I suspect, I've created a excel spreadsheet that will generate all my rules.
[At least filter and dst-nat rules.]
Not every option is there, but the most common used fields: src-addr, dst-addr etc.
Essentially each column allows me to specify things like input/output/forward Type:[tcp/udp/icmp] - then I have a hokey formula that strings everything together into the ROS script code to use in a SSH session to "paste" it in. [So shoot me, it was the best I could come up with at the time, and try as I might, I've not been bright enough to come up with something better...]
I'd much prefer to use FWBuilder, but this is the best I've come up with.
One other upside is that if I use it for all the rules, they're "documented" and portable to another firewall if needed. [Say a hot-swap replacement.]
I can also use those rules for a template for another installation.
So, all-in-all it works reasonably well, and it's better than just cranking out ROS script code to put them in, or using winbox/webfig.
-Greg
Re: IPTables bash script
Hello!
I know, that this thread is quite old, but i am searching for a similar solution.
FWBuilder is great to maintain firewall-rules.
Mikrotik offers great hardware.
It would be perfect, if both solutions could be combined. FWBuilder is open-source, now.
Would anybody be interested in developing a fwbuilder-plugin for mikrotik-ROS? I would support that!
Best wishes,
Stril
I know, that this thread is quite old, but i am searching for a similar solution.
FWBuilder is great to maintain firewall-rules.
Mikrotik offers great hardware.
It would be perfect, if both solutions could be combined. FWBuilder is open-source, now.
Would anybody be interested in developing a fwbuilder-plugin for mikrotik-ROS? I would support that!
Best wishes,
Stril
Re: IPTables bash script
Hi!
I just want to reactivate that threat.
How do you config large firewall-rulesets?
I think, the concept of fwbuilder is great with its way to work with "objects".
Regards,
Stril
I just want to reactivate that threat.
How do you config large firewall-rulesets?
I think, the concept of fwbuilder is great with its way to work with "objects".
Regards,
Stril
Re: IPTables bash script
i think is up to FWBuilder developers but what is the real advantage of this?
Re: IPTables bash script
Hi!
The real advantage is to be able to easily maintain rulesets with objects for many firewalls.
My example:
I have 50 branch-offices and I have to setup an additional Active Directory Domain Controller.
In FWBuilder, I just need to add the DC to the group of "Domain Controllers" and the full set of firewall rules will be updated on ALL the firewalls of the branch Offices.
Second Example:
I have 50 branch-offices and I have to change the IP of an Active Directory Domain Controller.
In FWBuilder, I change the IP of one object and the config will be written to all the firewalls.
If I want to do this with mikrotik, I need to use Address-Lists for every rule and need to write scripts to update all the address-lists, if an ip changes and a script that can add rules and address-lists to all the firewalls.
Regards,
Stril
The real advantage is to be able to easily maintain rulesets with objects for many firewalls.
My example:
I have 50 branch-offices and I have to setup an additional Active Directory Domain Controller.
In FWBuilder, I just need to add the DC to the group of "Domain Controllers" and the full set of firewall rules will be updated on ALL the firewalls of the branch Offices.
Second Example:
I have 50 branch-offices and I have to change the IP of an Active Directory Domain Controller.
In FWBuilder, I change the IP of one object and the config will be written to all the firewalls.
If I want to do this with mikrotik, I need to use Address-Lists for every rule and need to write scripts to update all the address-lists, if an ip changes and a script that can add rules and address-lists to all the firewalls.
Regards,
Stril