myfw is a firewall builder based on iptables snippets (modules). It helps you build your iptables firewall.
A configuration is a list of "modules", which contain iptables rules. These modules can contain Perl code, to make writing rules easier (think foreach @ntp_servers). They can also contain raw iptables commands for a quick and easy start. Configs can be pre-defined, which is useful if you have multiple machines that need the same firewall rules.
myfw also generates ipac-ng rules, according to the iptables chains inserted.
These modules can contain Perl code, so that you can write:
foreach $ntp (@ntp_servers) { iptables -A OUTPUT -d $ntp -j ACCEPT }
They can also contain raw iptables commands:
iptables -A OUTPUT -d 1.2.3.4 -j ACCEPT
The ipac rule file is /usr/local/etc/fw/ipac.out
You can write your own module list in a file named config.whatever. The modules listed in this file will be executed.
Download myfw-xxx.tgz and extract it in /usr/local/etc so that you have:
/usr/local/etc/fw/base
/usr/local/etc/fw/modules/
Requirements: perl
Optional: apt-get install libnet-netmask-perl
To start: ./base
To stop: ./base stop
-a : accept as the default rule instead of drop. Useful for debugging in case the execution is half borked.
-d : show unprocessed commands (with variable names) (good for debugging)
-e : show iptables commands
-c : yet another debug option: show what is evaluated
-l : debug the parser
-v : debug level
-f : don't touch forwarding (/proc/sys/net/ipv4/ip_forward) in case of firewall failure
-o : no cmd-owner
-s <config-file> : use this special config file
-i : no ipac at all (old behaviour: no domain ipac, good for slow machines, shorter startup time; -i should not use ipac at all, or another option should be added)
-r : yet another debug option
-t : use iptables-restore mode (does not work on woody: --sport invalid ..??)
-n : no execute, just try the script
-p : print config
-m <perl-script> : execute the Perl script after the definitions
-m modules/<module> : load only that module. Convenient for punching holes in the firewall (should warn if the module is not listed in the config)
-h : help
A "deprecated module" feature is implemented: a line starting with #deprecated in the module file will print a warning. The whole line is printed, so you can add an explanation after it (e.g. "use <...> instead").
Install at boot:
ln -s /usr/local/etc/fw/base /etc/rcS.d/S42fw, or create /etc/rcS.d/S42fw containing "/usr/local/etc/fw/base -t" and chmod 755 /etc/rcS.d/S42fw
# OLACCEPT : log, accept, overflow log, reject, drop
# OACCEPT : accept, overflow log, reject, drop
In definitions:
Standard definitions:
$hostname, $hostname_ssh_port, $domain (hostname and domain are found with hostname -f)
In case the IP is dynamic, write: $hostname_ip="dynamic";
May also be defined here: $hostname2 (alias on eth0), $hostname_vpn_port, $lan_hosts_for_hostname
Example:
My hostname is albert,
so I can define $albert:
$albert="192.168.6.2";
If DHCP:
$albert_ip="dynamic";
If I have a second IP on eth0:
$albert2="192.168.2.2";
If I want my_lan_hosts to be defined:
$lan_hosts_for_albert="192.168.6.0/24";
iptables file: /usr/local/etc/fw/iptables.out
ipac-ng file (to be included in ipac.conf: rules file = /usr/local/etc/fw/ipac.out): /usr/local/etc/fw/ipac.out
Debug ipac-ng files:
ipac with iptables chains instead of ipac rules: /usr/local/etc/fw/ipacchains.out
ipac with iptables chains in comments: /usr/local/etc/fw/ipacd.out
ipac with the full-length name of the ipac rule: /usr/local/etc/fw/ipacnames.out
ipac add-on for munin: /usr/local/etc/fw/ipacm.out
real ipac file: /usr/local/etc/fw/ipac.out
With myfw, you can do anything you want.
However, the modules already written are designed for
eth0 as the primary interface and eth1 as the LAN (as opposed to internet) interface.
Add an option to not use ipac at all (ipac is slow when using a lot of rules (7k)).
Add an option to send raw commands, without modules, e.g.: ./base -r "natch - paris (ssh,ping)"
1.5 : release focused on speed improvements
Added the -m option (load only one module, with definitions);
poking holes in the firewall is the typical use of -m.
Added the -t option (load rules using iptables-restore),
which reduces the loading time by a factor of 4 to 20.
On my box, with 3400 rules: from 1 min 50 s to 3 s.
wc -l iptables.out : 3400
./base 21.82s user 46.07s system 61% cpu 1:50.51 total
./base -t 0.98s user 0.37s system 46% cpu 2.920 total
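Why -t is so much faster: iptables-restore reads the whole rule set from one file and commits it atomically, instead of forking one iptables process per rule. The following is an added example of mine, not myfw's own code: it converts a flat list of iptables commands in the shape of iptables.out into iptables-restore input (with the default policy selectable, as with -a); the sample commands, including the OLACCEPT chain body, are constructed for illustration.

```python
import shlex
# Built-in chains per table (mangle/raw omitted); a restore file declares each.
BUILTIN = {"filter": ("INPUT", "FORWARD", "OUTPUT"),
           "nat": ("PREROUTING", "INPUT", "OUTPUT", "POSTROUTING")}

def _quote(arg):
    # iptables-restore only understands double-quoted arguments.
    return '"%s"' % arg.replace('"', '\\"') if (" " in arg or not arg) else arg

def to_restore_format(commands, default_policy="DROP"):
    """Turn `iptables ...` lines (the shape of myfw's iptables.out) into
    iptables-restore input; filter chains default to default_policy."""
    tables = {}
    for line in commands:
        argv = shlex.split(line)
        if not argv or argv[0].startswith("#"):
            continue                                  # blank or comment line
        if argv[0] != "iptables":
            raise ValueError("not an iptables command: " + line)
        args, table = argv[1:], "filter"
        if "-t" in args:                              # table goes in the *header
            i = args.index("-t")
            table, args = args[i + 1], args[:i] + args[i + 2:]
        if table not in BUILTIN or len(args) < 2:
            raise ValueError("unsupported command: " + line)
        t = tables.setdefault(table, {"chains": [], "policy": {}, "rules": []})
        if args[0] == "-N":                           # user chain, no policy
            t["chains"].append(args[1])
        elif args[0] == "-P":                         # built-in chain policy
            t["policy"][args[1]] = args[2]
        elif args[0] in ("-A", "-I"):
            t["rules"].append(" ".join(_quote(a) for a in args))
        else:
            raise ValueError("unsupported operation: " + line)
    out = []
    for table, t in ((k, tables[k]) for k in BUILTIN if k in tables):
        out.append("*" + table)
        for chain in BUILTIN[table]:                  # kernel default is ACCEPT
            fallback = default_policy if table == "filter" else "ACCEPT"
            out.append(":%s %s [0:0]" % (chain, t["policy"].get(chain, fallback)))
        out.extend(":%s - [0:0]" % c for c in t["chains"])
        out.extend(t["rules"] + ["COMMIT"])
    return "\n".join(out) + "\n"
# Constructed sample in the shape of iptables.out (not real myfw output).
SAMPLE = """iptables -P INPUT DROP
iptables -N OLACCEPT
iptables -A OLACCEPT -m limit --limit 5/min -j LOG --log-prefix "fw accept: "
iptables -A OLACCEPT -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.6.0/24 -p udp --dport 123 -j OLACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE""".splitlines()
```

Feed the result to `iptables-restore` (or write it to a file first) to load all rules in one commit.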
1.2 : first public release
I created myfw because I was missing a tool which would allow me to do anything with iptables, yet with the possibility to easily write efficient iptables rules.
Shorewall was the closest I could try; I tried it, and for what I wanted to do, it limited me (see the OLACCEPT target).
(Shorewall itself is good, but it is more high-level than myfw.)
links to myfw :