Firewall Wizards mailing list archives
[ANNOUNCE] Fwctl 0.20 - High Level Configuration Tool For ipchains
From: "Francis J. Lacoste" <francis.lacoste () iNsu COM>
Date: Mon, 20 Sep 1999 18:30:34 -0400
Hi all,

I'm posting this here because I know that there are a couple of users of ipchains on this list. I'm interested in feedback about this tool. All comments are welcome.

Fwctl 0.20 - High level configuration tool for ipchains
----- ---- ------------------------------------------

Fwctl is a configuration program for the Linux kernel 2.2 packet filters (ipchains). Its main objective is to make it easier to configure tight rules for the packet filters without getting bogged down in the lowest levels of ipchains. It tries to abstract the rules related to a particular service so that the administrator can concentrate on the security policy and not on the low-level details. (Although understanding the low-level details is necessary to understand the interactions between different protocols.)

The idea is to be able to say something like

    accept http -src INTERNET -dst 204.103.100.53

rather than

    ipchains -P input DENY
    ipchains -P forward DENY
    ipchains -P output DENY
    ipchains -A input -p tcp -s 0.0.0.0 -i wan0 -d 204.103.100.53 80 -j ACCEPT
    ipchains -A forward -p tcp -s 0.0.0.0 -i eth0 -d 204.103.100.53 80 -j ACCEPT
    ipchains -A output -p tcp -s 0.0.0.0 -i eth0 -d 204.103.100.53 80 -j ACCEPT
    ipchains -A input -p tcp -s 204.103.100.53 80 -d 0.0.0.0 ! -y -i eth0 -j ACCEPT
    ipchains -A forward -p tcp -s 204.103.100.53 80 -d 0.0.0.0 ! -y -i wan0 -j ACCEPT
    ipchains -A output -p tcp -s 204.103.100.53 80 -d 0.0.0.0 ! -y -i wan0 -j ACCEPT
    ipchains -A input -l -j DENY
    ipchains -A forward -l -j DENY
    ipchains -A output -l -j DENY

The advantages should be obvious, but in the end the idea is to have a configuration file that is self-documenting with regard to the site security policy. (Well, the part that is related to packet filters.) It also supports masquerading and accounting.

Fwctl is distributed under the GPL or Artistic license and is available from

    http://indev.insu.com/Fwctl/

Fwctl is not a panacea. It doesn't replace a sound security policy. It doesn't support stateful filtering (since ipchains doesn't support it). It doesn't replace host security. It doesn't bring world peace and it doesn't prevent you from shooting yourself in the foot. If you decide to add to your configuration

    accept ftp -src INTERNET -dst INT_NET

don't be surprised if you find out that suddenly you can be TCP portscanned on unprivileged ports from the Internet.

Fwctl has been extensively tested but may still contain bugs. I welcome any feedback on how to improve it.

Thanks

--
Francis J. Lacoste
iNsu Innovations Inc.
Vice-Président développement
Tél.: (514) 336-5544
francis.lacoste () iNsu COM
Fax.: (514) 336-8128
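The expansion the post describes, from an "accept SERVICE -src ZONE -dst ZONE" line to the six ipchains ACCEPT rules plus the default-deny policy and logged catch-all, written out as an added shell example. This is not Fwctl's own code and does not show how Fwctl actually expands services; it prints the ipchains commands instead of running them so the result can be reviewed first. The interface names (wan0 facing the Internet, eth0 inside), the address assigned to INT_NET, and the way ftp is expanded (control channel plus a passive-mode data rule) are assumptions made for the example. The passive-mode rule is included because it is the kind of rule that produces the portscan exposure the post warns about: with -src INTERNET it accepts new connections from anywhere to every unprivileged port on the destination.

```shell
#!/bin/sh
# Added example, not Fwctl code: turn a high-level accept line into the
# ipchains commands shown in the post. Commands are printed, not executed.
# Assumptions (constructed for this example): wan0 faces the Internet,
# eth0 is the inside interface, INT_NET is 192.168.1.0/24.

WAN_IF=wan0
LAN_IF=eth0

# Symbolic zone -> address. 0.0.0.0/0 is the explicit "any" form.
zone_addr() {
    case "$1" in
        INTERNET) echo 0.0.0.0/0 ;;
        INT_NET)  echo 192.168.1.0/24 ;;   # assumed internal network
        *)        echo "$1" ;;             # a literal host or network
    esac
}

# Symbolic zone -> interface the zone's traffic arrives on.
zone_if() {
    case "$1" in
        INTERNET) echo "$WAN_IF" ;;
        *)        echo "$LAN_IF" ;;
    esac
}

# Default-deny policies and the final logged catch-all, as in the post.
policy_header() {
    for chain in input forward output; do echo "ipchains -P $chain DENY"; done
}
deny_tail() {
    for chain in input forward output; do echo "ipchains -A $chain -l -j DENY"; done
}

# tcp_flow SRC_ADDR SRC_IF DST_ADDR DST_IF DPORT [SPORT]
# Request direction (new connections allowed) through input/forward/output,
# then the reply direction with "! -y" so only non-SYN packets pass back.
# Interfaces follow the post: input sees the sender's side, forward and
# output see the receiver's side.
tcp_flow() {
    fs=$1 fsi=$2 fd=$3 fdi=$4 fp=$5 fsp=${6:-}
    for chain in input forward output; do
        if [ "$chain" = input ]; then rif=$fsi; else rif=$fdi; fi
        echo "ipchains -A $chain -p tcp -s $fs${fsp:+ $fsp} -i $rif -d $fd $fp -j ACCEPT"
    done
    for chain in input forward output; do
        if [ "$chain" = input ]; then rif=$fdi; else rif=$fsi; fi
        echo "ipchains -A $chain -p tcp -s $fd $fp -d $fs${fsp:+ $fsp} ! -y -i $rif -j ACCEPT"
    done
}

# accept SERVICE -src ZONE -dst ZONE
accept() {
    svc=$1; shift
    src=""; dst=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -src) src=$2; shift 2 ;;
            -dst) dst=$2; shift 2 ;;
            *) echo "accept: unknown option $1" >&2; return 1 ;;
        esac
    done
    sa=$(zone_addr "$src"); si=$(zone_if "$src")
    da=$(zone_addr "$dst"); di=$(zone_if "$dst")
    case "$svc" in
        http) tcp_flow "$sa" "$si" "$da" "$di" 80 ;;
        ftp)
            tcp_flow "$sa" "$si" "$da" "$di" 21            # control channel
            # Assumed passive-mode data rule: the client opens a NEW
            # connection to an unprivileged server port. With -src INTERNET
            # this admits SYNs from anywhere to ports 1024 and up, which is
            # exactly what makes the destination portscannable.
            tcp_flow "$sa" "$si" "$da" "$di" 1024:65535 ;;
        *) echo "accept: unknown service $svc" >&2; return 1 ;;
    esac
}

# Review helper: ACCEPT rules on the input chain, arriving on the Internet
# interface, that admit new connections (no "! -y"). Every line listed is
# something the Internet can open a TCP connection to.
exposed_from_internet() {
    grep -- "-A input" | grep -- "-i $WAN_IF" | grep -- "-j ACCEPT" | grep -v -- '! -y'
}

# Full rule set for the post's http example.
http_ruleset() {
    policy_header
    accept http -src INTERNET -dst 204.103.100.53
    deny_tail
}
```

Running `http_ruleset` reproduces the twelve-line list from the post (with 0.0.0.0/0 spelled out), and `accept ftp -src INTERNET -dst INT_NET | exposed_from_internet` shows the single rule responsible for the unprivileged-port exposure, which is the check worth doing on any generated rule set before loading it.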