7. Remote Management

This chapter is useful only if you have made a distributed installation and created the SSH channels that will enable isba to launch remote commands on target hosts.

You will be able to do the following things from your management station:


Specifying targets
The Target menu
Updating a ruleset
Inspecting a target
Watching a target
Watching all targets

  • upload the ipfilter configuration files to target hosts
  • reload target host kernel rules with optional automatic ruleset rollback
  • manually rollback kernel rules to previous ruleset
  • download the target's current ipfilter configuration files
  • download the target's current kernel rules
  • see a target's state table in real time
  • follow a target's ipfilter logfile in real time (vlog)
  • open a secure terminal on a target (xterm through SSH)
All remote operations are run through a secure SSH channel.  
Specifying target hosts

To be able to perform the various remote management tasks, isba needs to know certain information on each target host a ruleset is made for:

  1. the target hostname or IP address
  2. the SSH user on this target
  3. should this user run sudo for launching ipf commands ?
  4. the ipfilter configuration directory on this target (e.g. /etc/opt/ipf)
  5. the ipfilter filtering rules filename on this target (e.g. ipf.conf)
  6. the ipfilter translating rules filename on this target (e.g. ipnat.conf)

This information is placed in the 'Ruleset targets' table in the Properties tab. Each ruleset has its own target definitions. For example:

Specifying target hosts

Specifying target hosts

A few remarks about the columns of this table:

Column 1: in the event that the target has several interfaces, you must place here the IP address that may be reached from the management station. If you put a hostname instead of an IP address, isba tries to resolve the name to an IP address first using the internal objects. It then looks in /etc/hosts if not found. In both cases the same remark applies: the resolved IP address must be reachable from the management station.

Column 2: this is the user that isba uses to run commands on the target host through SSH ("ssh user@target command"). It can either be root or an unpriviledged user, or it can be left empty: in this case, remote SSH commands are run under the user isba runs as.

Column 3: if the SSH user is set to root, the 'use sudo' flag is probably useless (uncheck it).

Columns 4, 5, 6: if you kept the default locations for ipfilter configuration files when you compiled ipfilter, you can quickly set the columns 4, 5 and 6 by using the default paths menu and selecting the OS of the target. For example, if your target runs Solaris, the default configuration directory and filenames are /etc/opt/ipf, ipf.conf and ipnat.conf.

The Target menu

Remote management features are found in the Target menu. The latter allows you to get or to send information from/to one of the ruleset targets (or even any other host). You can:

  • see the ipf.conf/ipnat.conf files of a remote target
  • see the current kernel rules of a remote target
  • see the ipfilter logs in real time
  • see the state table in real time
  • revert to previous ruleset
  • cancel a ruleset autorollback countdown
  • immediately change the kernel rules to a "pass all" firewall
  • immediately change the kernel rules to a "block all" firewall

The target menu

If your ruleset has more than one target, one of them is called the Default Target. This is only a speed-up mechanism: all remote management features can be applied to any of the ruleset targets or to the current default target. Default target
However, when you compile one rule to stdout isba compiles it "for the default target". That is to say, if your rule is a conditional rule, or if it has conditional objects, then the ipfilter rules generated may depend on the current default target. Or no rule may even be generated.  

You can change the default target either from the Target menu, or from the 'Default target: xxxx' popup menu just above the rules. This menu appears only if your ruleset has more than one target. For example:


Changing the default target

From the Target menu, you can also perform remote management tasks on machines other than the targets of your current ruleset. You select Target > [any remote mgt task] > other target ..., and a window pops up for you to specify the other-target information isba needs (name, IP address, SSH user, sudo flag, ipfilter config files).

Once these parameters are entered, isba remembers them (in your Preferences file) so that you may access them quickly: if you right-click the 'Target name' entry, you find here a menu with all machines you have already defined.

As you have already entered the above information for the targets of your rulesets, you don't have to enter it again: it show up automatically in the popup menu.

Other target ...




Remote managing other targets than your ruleset ones

Updating a target's ruleset

We describe here the actions that may change the kernel ruleset on a target host.

The first action is the compilation-and-installation of an isba ruleset on a target. You do this from the Compile menu (see Installing on target).

Installing a ruleset
From the compile'n'install popup you can optionally set a countdown timer so that N seconds after the current ruleset is installed, the target will automatically rollback to the previous one, unless you cancel the countdown in the meantime (see Ruleset auto-rollback). You cancel a running countdown with the "Cancel auto-rollback" menu entry in the target menu. Cancelling a running auto-rollback countdown
Each time you install a ruleset on a target, the previous files are renamed to ipf.prev and ipnat.prev. Thanks to these backup files, you can manually rollback to the previous ruleset with the "Rollback ruleset now" entry. Manual ruleset rollback

Alternately, if the ruleset you just installed on your target behaves badly, you can instantly change it to a "pass all" or a "block all" ruleset ("Emergency pass all" and "Emergency block all" features). A popup window lets you confirm or cancel the operation.

Imagine you install a ruleset on a non-firewall machine (e.g. a server in a DMZ, that must be protected from its neighbours), and you realize it cuts an important data flow (e.g. it stops a running backup) ... "Emergency pass all" is your friend.

Or, you install a ruleset on a firewall, you're being probed and you realize you left a hole as big as a house ... "Emergency block all" is a fast means of filling the breach.

"Emergency block all" removes the ipf and ipnat rules and also cuts all current connections (it flushes the state table).

The "Emergency block all" ruleset is in fact a "block all but SSH from the management station": packets with source or destination port 22 between target and the management host are let through. So you can go on managing it.

Emergency pass all
Emergency block all
Inspecting a target's configuration
Through the Target menu you can:  
  • download the current ipfilter configuration files (ipf.conf and ipnat.conf)
  • download the current kernel ipf and ipnat rules
Show ipf/ipnat rules
Show kernel rules
In both cases the rules are displayed in a separate window, from where they can be copied and pasted.  
Watching a target's state
Through the Target menu you can:  
  • see the target host state table evolution in real time (ipfstat -t)
  • see the target host ipfilter logs in real time (vlog)
Show State table
Show Ipf logs
In both cases data are displayed in an xterm window. If the state table window disappears immediately, it may be because you haven't compiled ipfilter with ncurses (-DSTATE_TOP).  
Watching all targets' logs
If your management station receives your targets' ipfilter logs (see logs centralization setup), you can watch the logs of all your targets in a single window (vlog). Log lines of all machines are chronologically sorted. Watching all targets' logs
To open the centralized logs window, select: Target > Show Ipf logs > local host.  

Isba User's Guide - last modified on 09-Jan-2002 22:10 MET - Copyright (c) 2001