Firewall Wizards mailing list archives

[ANNOUNCE] Fwctl 0.20 - High Level Configuration Tool For ipchains


From: "Francis J. Lacoste" <francis.lacoste () iNsu COM>
Date: Mon, 20 Sep 1999 18:30:34 -0400

Hi all,

I'm posting this here because I know that there are a couple of
users of ipchains on this list. I'm interested in feedback
about this tool. All comments are welcome.

Fwctl 0.20 - High level configuration tool for ipchains
----- ----   ------------------------------------------

Fwctl is a configuration program for the Linux kernel 2.2
packet filters (ipchains). Its main objective is to make it
easier to configure tight rules for the packet filters
without bogging down in the lowest levels of ipchains.

It tries to abstract the rules related to a particular
service so that the administrator can concentrate on the
security policy and not the low level details. (Although
understanding the low level details is necessary to understand
the interactions between different protocols.)

The idea is to be able to say something like

accept http -src INTERNET -dst 204.103.100.53

rather than

ipchains -P input   DENY
ipchains -P forward DENY
ipchains -P output  DENY
# client -> server direction (0.0.0.0/0 = any source; a bare 0.0.0.0 would match only that host)
ipchains -A input   -p tcp -s 0.0.0.0/0 -i wan0 -d 204.103.100.53 80 -j ACCEPT
ipchains -A forward -p tcp -s 0.0.0.0/0 -i eth0 -d 204.103.100.53 80 -j ACCEPT
ipchains -A output  -p tcp -s 0.0.0.0/0 -i eth0 -d 204.103.100.53 80 -j ACCEPT
# server -> client replies: non-SYN segments only (! -y)
ipchains -A input   -p tcp -s 204.103.100.53 80 -d 0.0.0.0/0 ! -y -i eth0 -j ACCEPT
ipchains -A forward -p tcp -s 204.103.100.53 80 -d 0.0.0.0/0 ! -y -i wan0 -j ACCEPT
ipchains -A output  -p tcp -s 204.103.100.53 80 -d 0.0.0.0/0 ! -y -i wan0 -j ACCEPT
ipchains -A input   -l -j DENY
ipchains -A forward -l -j DENY
ipchains -A output  -l -j DENY

The advantages should be obvious but in the end, the idea is to have
a configuration file that is self documenting with regard to the site
security policy. (Well, the part that is related to packet filters.)

It also supports masquerading and accounting.

Fwctl is distributed under the GPL or Artistic license and is available
from 

http://indev.insu.com/Fwctl/

Fwctl is not a panacea. It doesn't replace a sound security policy. It
doesn't support stateful filtering (since ipchains doesn't support it).
It doesn't replace host security. It doesn't bring world peace and it
doesn't prevent you from shooting yourself in the foot. If you decide
to add to your configuration

accept ftp -src INTERNET -dst INT_NET

don't be surprised if you find out that suddenly you can be TCP
portscanned on unprivileged ports from the Internet.

Fwctl has been extensively tested but may still contain bugs. I
welcome any feedback on how to improve it.

Thanks

-- 
Francis J. Lacoste                   iNsu Innovations Inc.      
Vice-President, Development          Tel.: (514) 336-5544
francis.lacoste () iNsu COM           Fax.: (514) 336-8128
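As an added sketch (not Fwctl's own code), the Python below reproduces the expansion the post shows: one high-level `accept` rule becomes three request-direction ACCEPTs, three non-SYN reply ACCEPTs, default DENY policies and trailing logged DENYs. The zone table, the INT_NET address and the service table are constructed for the example; the ftp entry is my assumption of what allowing passive-mode data connections opens up, which is the unprivileged-port exposure the post warns about.

```python
"""Toy expander for Fwctl-style rules (an added sketch, not Fwctl's own code).
Reproduces the expansion shown in the post: per service port, three ACCEPTs
for the client->server direction, three non-SYN ("! -y") reply ACCEPTs,
bracketed by DENY policies and trailing logged DENYs."""

# Constructed zone table: name -> (address spec, interface); INT_NET is made up.
ZONES = {
    "INTERNET": ("0.0.0.0/0", "wan0"),
    "INT_NET": ("192.168.1.0/24", "eth0"),
    "204.103.100.53": ("204.103.100.53", "eth0"),
}

# Constructed service table (assumed, not Fwctl's). "ftp" models allowing
# passive-mode data connections, i.e. the whole unprivileged port range.
SERVICES = {
    "http": [("tcp", "80")],
    "ftp": [("tcp", "21"), ("tcp", "1024:65535")],
}

CHAINS = ("input", "forward", "output")

def expand(rule):
    """Expand 'accept <svc> -src A -dst B' into a list of ipchains commands."""
    p = rule.split()
    if len(p) != 6 or p[0] != "accept" or p[2] != "-src" or p[4] != "-dst":
        raise ValueError("unsupported rule: " + rule)
    src, src_if = ZONES[p[3]]
    dst, dst_if = ZONES[p[5]]
    out = []
    for proto, port in SERVICES[p[1]]:
        # Request direction: in on the source interface, out on the destination's.
        for chain, ifc in zip(CHAINS, (src_if, dst_if, dst_if)):
            out.append(f"ipchains -A {chain} -p {proto} -s {src} -i {ifc} "
                       f"-d {dst} {port} -j ACCEPT")
        # Reply direction: non-SYN only, so the server cannot open new connections.
        for chain, ifc in zip(CHAINS, (dst_if, src_if, src_if)):
            out.append(f"ipchains -A {chain} -p {proto} -s {dst} {port} "
                       f"-d {src} ! -y -i {ifc} -j ACCEPT")
    return out

def exposed_ports(rule):
    """Destination port specs the rule opens to new connections from -src."""
    return [port for _, port in SERVICES[rule.split()[1]]]

def ruleset(rules):
    """Full script: default DENY, the expanded rules, then logged DENYs."""
    body = [line for r in rules for line in expand(r)]
    return ([f"ipchains -P {c} DENY" for c in CHAINS] + body
            + [f"ipchains -A {c} -l -j DENY" for c in CHAINS])
```

`exposed_ports("accept ftp -src INTERNET -dst INT_NET")` makes the post's caveat concrete: the rule opens the whole unprivileged range to new connections from the Internet.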