


            Firewall Builder Frequently Asked Questions


1. What are the system requirements for Firewall Builder?

These are listed in the file "Requirements" in the docs directory. It
is /usr/share/doc/fwbuilder/Requirements.


2. Where do I get GTK-- packages for RedHat 7.0 and 7.1?

See the gtk-- home page at http://gtkmm.sourceforge.net/ and follow the
"Download" link, or download directly from
http://www.hvrlab.org/pub/gtkmm/



3. fwbuilder or one of the policy compilers crashes. What do I do?

Please file a bug on Sourceforge. Provide information we might need to
fix the problem (in the form of the output of the following commands):

cat /etc/issue

rpm -qa | grep gnome
rpm -qa | grep gtk
rpm -qa | grep libxml
rpm -qa | grep libsigc++

ls -la /usr/share/fwbuilder
ls -la /usr/share/pixmaps/fwbuilder

ldd /usr/bin/fwbuilder
ldd /usr/bin/fwb_ipfilter
ldd /usr/bin/fwb_iptables

Also send us the core file and the .xml file with your objects. If the
program crashes but does not generate a core file (it shows a "crash"
dialog instead), run it as follows:

fwbuilder --disable-crash-dialog

It will dump core then.


4. I get "I/O Error" while compiling policy. There is no other
   indication of error though.

Did you install the package with the corresponding compiler? We ship
compilers in separate RPMs named like this:
fwbuilder-ipchains-0.8.7-2-rh7.i386.rpm

Check whether the compiler dumped core. If you can't find a core file,
you may try to run the compiler manually, providing the following
command line parameters:

$ fwb_ipchains -f path_to_objects.xml_file  firewall_object_name

All policy compilers have the same command line format.



5. fwbuilder crashes on my Debian or Mandrake or SuSE system. What do
I do?

We cannot guarantee that Firewall Builder will work flawlessly on
Debian or Mandrake or SuSE since we do not have access to these
distributions for testing. This is also the reason we do not provide
Debian and SuSE packages. The program should compile from sources
though, so you may want to try that.

We welcome help from anyone who can test Firewall Builder on these
distributions and provide feedback.


6. Druid seems to multiply rules in the policy

This is how it works now. The interactive Druid does not check for
rules in the existing policy and simply adds new ones. If you run Druid
twice and ask it to generate the same set of rules, you'll get the same
rules many times in your policy. This will be improved in subsequent
releases.


7. ipchains compiler ignores "direction" parameter and produces lousy code

Yes, the compiler for ipchains ignores direction, at least in its
current implementation. It needs to be rewritten to support it, but I
was busy getting iptables and ipfilter to work and could not spend much
time getting ipchains to work "right". Given all the limitations of
the ipchains engine, I am not even sure we should support it at all.

Anyway, the compiler already makes an effort to create rules in such a
way that a connection is allowed to be established in one direction. It
creates two special chains for that: tcpsync and tcpdata. The compiler
already uses the "-y" flag to send all packets with the SYN flag set to
the tcpsync chain. This way we can control the direction in which a TCP
session gets established.
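
The SYN split described above can be modelled in a few lines. This is
an added illustration, not output of fwb_ipchains and not code from the
project: the chain names come from the answer above, while the contents
of each chain, the addresses and the function names are assumptions.

```python
# Toy model of SYN-based direction control in a stateless packet filter.
# Chain names tcpsync/tcpdata are from the FAQ; the rules inside them and
# all addresses are assumptions made for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")  # constructed "protected" network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN", "ACK"})

def is_syn(pkt):
    """ipchains -y semantics: SYN set, ACK and FIN cleared."""
    return "SYN" in pkt.flags and not ({"ACK", "FIN"} & pkt.flags)

def tcpsync(pkt):
    # Assumed rule: only inside hosts may open sessions to the outside.
    return ip_address(pkt.src) in INSIDE and ip_address(pkt.dst) not in INSIDE

def tcpdata(pkt):
    # Assumed rule: non-SYN traffic crossing the firewall passes both ways.
    # No connection state is kept, so only addresses are examined here.
    return (ip_address(pkt.src) in INSIDE) != (ip_address(pkt.dst) in INSIDE)

def filter_packet(pkt):
    """Return (chain, verdict) the way the -y dispatch would route pkt."""
    chain = "tcpsync" if is_syn(pkt) else "tcpdata"
    allowed = tcpsync(pkt) if chain == "tcpsync" else tcpdata(pkt)
    return chain, "ACCEPT" if allowed else "DENY"

def demo():
    """Run a constructed handshake plus one inbound connection attempt."""
    host, server = "192.0.2.10", "198.51.100.5"  # constructed addresses
    packets = [
        Packet(host, server, frozenset({"SYN"})),         # outbound open
        Packet(server, host, frozenset({"SYN", "ACK"})),  # reply: not -y
        Packet(host, server, frozenset({"ACK"})),         # handshake done
        Packet(server, host, frozenset({"SYN"})),         # inbound open
    ]
    return [filter_packet(p) for p in packets]

if __name__ == "__main__":
    for result in demo():
        print(*result)
```

Only the initial SYN is checked for direction; the SYN+ACK reply carries
ACK, so it does not match "-y" and is handled by tcpdata.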

In general, the whole idea is that the user should not have to worry
about direction and interfaces when a policy is being designed. These
technical details should be hidden because the compiler would take care
of them. Unfortunately, it is not always possible to hide them
completely and that is why they are still in the GUI, but I would like
to find an elegant way to get rid of both direction and interface in
the GUI to avoid confusion.

*** Please note though that ipchains is not supported as of version 0.9.0








