Problem solve Get help with specific problems with your technologies, process and projects.

Firewall resources to the rescue!

Firewall resources to the rescue! Gary Smith talks about IPFilter, Firewall Builder, Isba and SANS security policies.

It's been a quiet day at Solaris Security Central until your boss walks in and says, "Corporate is coming down...

on us for not having a firewall between the research department and the rest of the network. There's no money in budget for hardware or software, and we need it done by next Friday."

You hang your head in disgust as he walks out and you wonder if it's too late to get started on a career as a long haul trucker. As your chin rests on your chest, you notice a Sparc 20 you had forgotten about lurking underneath your desk. Your hardware problems are solved, but what about firewall software?You have no money to spend.

IPFilter to the rescue! IPFilter by Darren Reed is a software package for Solaris and other operating systems that can be used to provide firewall and Network Address Translation (NAT) services as a loadable kernel module. With IPFilter, you can block/pass/reject packets across multiple interfaces, perform forward and reverse NAT, send back an ICMP error and/TCP reset for denied packets, keep packet state information for TCP, UDP and ICMP packet flows, and even use redirection to setup transparent proxy connections.

But writing up the ruleset is a real drag with nothing more than the editor-of-your-choice as your primary tool. Firewall Builder and Isba to the rescue! These two programs are the Superman and Batman of ruleset building applications. Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms including IPFilter. In Firewall Builder, the user creates a firewall policy as a set of rules; each rule consists of abst/pract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols). Firewall Builder helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. Firewall Builder is the work of Vadim Kurland and Vadim Zaliva.

Isba is a firewall ruleset builder by Pierre Berthomier. Isba is a free graphical tool designed to edit IPFilter rulesets and remotely manage IPFilter firewalled hosts in a production environment. Isba displays rules in typed columns (action, options, interface, source host or net, etc). Hosts, nets, services and interfaces are objects that can be given names. Objects can be organized in groups which can be used in a rule, to write, in a single line, what will be compiled into many IPFilter rules. Both programs promote the readibilty, maintainability, and flexibility of firewall rulesets.

Okay, so now where do you get started on a policy for the firewall?SANS to the rescue! The SANS Institute has created the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you might need for rapid development and implementation of information security policies. And now the best part: there's no charge for this! You don't need lots of money to put in an effective firewall and policy. All you need are the right resources.

Check out IPFilter at, Firewall Builder at, isba at, and the sample security policies from SANS at There's no need to consider so drastic a career change with tools like these at hand.

This was last published in April 2002

Dig Deeper on Network device security: Appliances, firewalls and switches

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.