8. Ruleset compilation/installation

The word compilation here means the generation of the two ipfilter configuration files, ipf.conf and ipnat.conf, from the isba ruleset and objects. Before the final compilation and installation of your ruleset on the target host(s), you have several ways of checking the ipfilter rules that will be generated, down to the granularity of a single isba rule. You can preview the compilation output of your ipf or nat ruleset and check it yourself, or let isba check it; in the latter case isba also has ipf and ipnat check the generated ipf.conf and ipnat.conf files. You can then save these files locally on the management machine (and install them yourself on the target host), or let isba upload them to the target host and, optionally, load them into the kernel. At this point you can arm a timer-controlled automatic ruleset rollback, in case the new ruleset is not ok and you can no longer reach your target. Finally, isba's ipfilter log viewer, vlog, gives you a means of debugging your ruleset.

Contents

Compiling one rule
Compiling to a window
Checking your ruleset
Compiling to local files
Installing on target
Ruleset auto-rollback
Debugging your ruleset

Compiling one rule to stdout
 
You want to see exactly which ipfilter rules will be generated from isba rule number N: right-click the rule number and choose 'compile to stdout'. In the window where you launched isba, you may see one ipfilter rule, several rules, or even no rule at all. The latter happens when the isba rule is disabled, or when it is a conditional rule that doesn't match the current default target.

Compiling one rule
Compiling a ruleset to a window
 
Before uploading a ruleset to the target host, you want to see which ipfilter rules will be generated: right-click the '#' box in the Ipf or Nat ruleset and choose 'compile to a window'. A window pops up containing the generated ipf or nat ruleset, so you can review the rules before they go anywhere. Do this before installing a ruleset on a production firewall.

Compiling to a window
Checking your ruleset
 
You want to check that your ruleset compiles correctly before installing it: choose 'Check ruleset' in the Compile menu. Isba compiles the ipfilter rules to temporary files and has ipf and ipnat check them. This only verifies that every object you use is defined and that the generated ipfilter rules are syntactically correct. It does no semantic checks such as detecting rule masking (a rule shadowed by an earlier rule, so that it never has any effect), so a ruleset that passes this check can still do something other than what you intended.

Checking your ruleset

In any case, whenever you compile your ruleset, isba checks it and warns you if there is a problem.
Compiling to local files
 
If you want to archive locally the ipfilter configuration files you send to targets, or if you want to upload these files yourself instead of having isba do it, click Compile > Compile to files... Isba simply compiles your ruleset and creates the ipfilter configuration files ipf.conf and ipnat.conf.

Compiling to local files

If your ruleset has several targets, you can still use this option to generate ipfilter configuration files for every target: when you specify the destination filenames, use the special keyword 'TARGET' somewhere in the path/names. This keyword is replaced by each target's hostname.

For example suppose your ruleset targets are foo and bar. You select 'Compile>Compile to files ...', you choose to 'Compile for all targets', and the filenames you give for the ipf.conf and the ipnat.conf are /home/ipf/TARGET.ipf and /home/ipf/TARGET.nat: then isba will generate the files /home/ipf/foo.ipf, /home/ipf/foo.nat, /home/ipf/bar.ipf and /home/ipf/bar.nat.

For example (I forgot to check the nickel checkbox ...):

Compiling to local files for several targets


Compiling to local files
 
Installing on target
 

Your ruleset is ready for installation on an ipfilter host: select 'Compile>Compile and install'. If it has several targets, choose which one(s) you want to install on. Isba will upload the ipf.conf and ipnat.conf files to your targets.

Check the "reload rules" button if you also want isba to reload rules in the targets' kernels.

Installing ruleset on target


Ruleset installation options

 
Ruleset auto-rollback
 
The Compile and Install popup has a checkbox labeled "automatic ruleset rollback" (see above). If you check it (and set the timeout value to its right), then just before reloading rules in the kernel, isba launches the timer-controlled ruleset rollback program ipf-rollback on the target(s).

Ruleset auto-rollback

This program waits for N seconds (you specify N in the popup above) and then reverts to the previous ruleset. More specifically, it replaces ipf.conf and ipnat.conf with the previous versions (ipf.prev and ipnat.prev) and reloads the rules in the kernel.

Thus, if your new ruleset misbehaves and locks you out of the target, you regain control after N seconds.

 

On the other hand, if you can still reach your target over SSH and your new ruleset is OK, cancel the automatic rollback (before the N seconds elapse!) by selecting "Target>Cancel auto rollback>[target-name]". If you forget, the previous ruleset comes back after N seconds.

Cancelling a running auto-rollback
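
The check, install and timed-rollback steps described in the three sections above, written out as a plain sh script that you could run on a target by hand. This is an added example, not isba's own ipf-rollback program or its install code: it assumes ipf.conf and ipnat.conf live under $IPF_DIR (default /etc), that the previous versions are kept as ipf.prev and ipnat.prev as the guide describes, and the standard ipf(8)/ipnat(8) flags (-n for a no-change parse, -Fa and -CF for flush-and-load). The variable names IPF_DIR, IPF_BIN, IPNAT_BIN, ROLLBACK_PID_FILE and all function names are mine; IPF_BIN/IPNAT_BIN can be pointed at "true" to exercise the logic without touching a kernel.

```shell
#!/bin/sh
# Added example: manual check / install / timed-rollback for ipfilter.
# Not isba's ipf-rollback; assumptions are listed in the lead-in above.

IPF_DIR="${IPF_DIR:-/etc}"
IPF_BIN="${IPF_BIN:-ipf}"
IPNAT_BIN="${IPNAT_BIN:-ipnat}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/var/run/ipf-rollback.pid}"

# Syntax-only check of two candidate files, the same kind of check the guide
# says isba runs: -n parses without changing the running kernel. A file that
# passes here can still be wrong (e.g. a rule masked by an earlier rule).
check_ruleset() {
    "$IPF_BIN" -n -f "$1" && "$IPNAT_BIN" -n -f "$2"
}

# Load the files currently in $IPF_DIR into the kernel.
# -Fa flushes all filter rules before loading; -CF clears NAT rules and mappings.
reload_rules() {
    "$IPF_BIN" -Fa -f "$IPF_DIR/ipf.conf" &&
    "$IPNAT_BIN" -CF -f "$IPF_DIR/ipnat.conf"
}

# Revert to the previous ruleset: restore the .prev copies and reload.
do_rollback() {
    cp "$IPF_DIR/ipf.prev" "$IPF_DIR/ipf.conf" &&
    cp "$IPF_DIR/ipnat.prev" "$IPF_DIR/ipnat.conf" &&
    rm -f "$ROLLBACK_PID_FILE" &&
    reload_rules
}

# Arm a background timer that rolls back after $1 seconds unless it is
# cancelled first. TERM to the timer process disarms it (and kills its sleep).
start_rollback() {
    (
        trap 'kill "$sleeper" 2>/dev/null || true; exit 0' TERM
        sleep "$1" & sleeper=$!
        wait "$sleeper"
        do_rollback
    ) &
    echo $! > "$ROLLBACK_PID_FILE"
}

# True while a timer is armed and its process is still alive.
rollback_pending() {
    [ -f "$ROLLBACK_PID_FILE" ] && kill -0 "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null
}

# Disarm the timer: the manual equivalent of "Target>Cancel auto rollback".
cancel_rollback() {
    rollback_pending || return 1
    kill "$(cat "$ROLLBACK_PID_FILE")" && rm -f "$ROLLBACK_PID_FILE"
}

# Full sequence, in the order the guide describes: check the candidate files,
# keep .prev copies, put the new files in place, arm the timer, then reload.
# Usage: install_ruleset NEW.ipf NEW.nat SECONDS
install_ruleset() {
    check_ruleset "$1" "$2" || { echo "ruleset rejected, nothing installed" >&2; return 1; }
    cp "$IPF_DIR/ipf.conf" "$IPF_DIR/ipf.prev"
    cp "$IPF_DIR/ipnat.conf" "$IPF_DIR/ipnat.prev"
    cp "$1" "$IPF_DIR/ipf.conf"
    cp "$2" "$IPF_DIR/ipnat.conf"
    start_rollback "$3"
    reload_rules
}

# Command-line front end; with no arguments the script only defines the functions.
case "${1:-}" in
    install)  install_ruleset "$2" "$3" "${4:-120}" ;;
    cancel)   cancel_rollback ;;
    rollback) do_rollback ;;
    *) : ;;
esac
```

Two points worth noting. The timer is armed before reload_rules runs, exactly so that a ruleset which cuts off your SSH session still gets undone; if you arm it afterwards, the reload that locks you out also prevents the timer from ever starting. And reload_rules uses the classic flush-then-load (-Fa), which leaves the kernel with no filter rules for a moment; if that window matters to you, ipf(8) can load into the inactive rule set and swap instead (ipf -I -Fa -f ipf.conf, then ipf -s), which makes the change atomic.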
Debugging your ruleset
 

Once your ruleset is installed, you can view the ipfilter logfile in real time with the "Target>Show Ipf log>[target-name]" menu entry. This opens an xterm and launches vlog on the target through SSH.

Watching target ipfilter logs

If you have set up ipfilter logging correctly on this target (ipmon -s or -Ds running, so that ipmon sends its log lines to syslog, facility local0 by default, and /etc/syslog.conf redirecting those ipfilter log lines to /var/log/ipflog), the ipfilter log lines appear in the vlog window in real time.

In the vlog window you will notice that some fields are missing. They are simply not displayed, to save screen space. You control which fields are displayed and which are hidden with the 'o' key.

 
Each log line has a field that tells which ipfilter rule (number and group) generated it. Vlog also shows the isba source rule number that generated the log line, so you can go straight to that rule and correct it if it is faulty.

Getting the isba source rule number from logs

Isba User's Guide - last modified on 09-Jan-2002 22:27 MET - Copyright (c) 2001