Dwall is an all-purpose firewall tool that generates an iptables firewall
out of a simple configuration. It contains about 80 predefined services
and comes with a simple 3-zone firewall example.
In essence the sysadmin only needs to define the different zones and define what traffic is allowed from one zone to another (if any).
I finally released Dwall.
If you want to contribute services/protocols, documentation or enhancements,
please send them to me!
The basic functionality is in place; look at the TODO to see what is still missing. I consider this implementation a working reference implementation; I'm sure it would be best to rewrite it in some other language, and that it can be improved a lot without making it more complex to configure.
Dwall currently has the following features:
- Rule-sets are split up into chains (i.e. one chain per traffic flow between two zones)
- Human-readable firewall rules that give a good overview
- Name aliases for hosts or groups of hosts (uses /etc/hosts)
- MAC address based filtering (uses /etc/ethers)
- Includes more than 80 predefined services
- Automatic logging of dropped connections
- Automatic backups of older rulesets
- Easy to go back in time and look at changes
- Designed so it can be used for setups where different sysadmins make changes
- Generated firewall code is documented, easy debugging
- Can be used for host security and complex network security
- Port knocking (open/close ports based on network-traffic)

Still missing (see the TODO):
- Improve the requirements checking before running
- Improve the handling of dynamic interfaces
- Integrate /etc/networks and route into the whole picture
- Generate variables for broadcast addresses (for services)
- Create framework for NAT/port-forwarding (without pre.sh or post.sh)
- Create framework for packet-mangling
- Allow Dwall to work with different subnets as zones
- Add dar-test and dar-debug tools for remote testing and debugging
- Add dar-log tool for processing dwall logfile based on dwall config info
- Add logwatch config for /var/log/dwall
If you have 3 zones (the firewall itself counts as the zone "self"), you have six possible traffic flows, each with its own chain:
- From local to internet (chain local-internet)
- From local to firewall (chain local-self)
- From internet to local (chain internet-local)
- From internet to firewall (chain internet-self)
- From firewall to internet (chain self-internet)
- From firewall to local (chain self-local)
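How a zone layout like this maps onto iptables, as an added illustration in POSIX shell. This is not Dwall's own generator and Dwall's real output will differ; it only shows the mechanics the text describes: one chain per ordered zone pair, jump rules chosen by interface, allow rules expanded from a chain-file line, and a logged drop at the end of every chain. The ZONES, ALIASES and SERVICES tables are hypothetical stand-ins for zone.conf, alias.conf and Dwall's service definitions, filled with values from the example configuration further down; the ESTABLISHED,RELATED rule, the LOG prefix and the rate limit are my choices, not Dwall's. Commands are echoed, never executed, so it runs without root.

```shell
#!/bin/sh
# Added example, not Dwall code: turn a zone/chain description into
# iptables commands. Everything is echoed; pipe into sh to apply.

ZONES="internet:eth0 local:eth1"                                  # stand-in for zone.conf
ALIASES="firewall:10.0.0.1 fileserver:10.0.0.10 desktop:10.0.0.15" # stand-in for alias.conf
# Assumed service definitions (a tiny subset of Dwall's 80+): name:proto/port[,proto/port]
SERVICES="dns:udp/53,tcp/53 ntp:udp/123 ssh:tcp/22 ftp:tcp/21 http:tcp/80 https:tcp/443"

lookup() {   # lookup "$TABLE" key: print the value, fail if the key is unknown
    for _e in $1; do
        if [ "${_e%%:*}" = "$2" ]; then echo "${_e#*:}"; return 0; fi
    done
    return 1
}

addr() {     # alias name -> address; anything not in ALIASES is taken literally
    lookup "$ALIASES" "$1" || echo "$1"
}

# One filter chain per ordered zone pair (the firewall is the implicit zone
# "self"), entered from INPUT/OUTPUT/FORWARD by interface. Policy is DROP, and
# replies to allowed connections are accepted first so only new traffic
# needs an allow rule.
gen_skeleton() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    for s in $ZONES self:-; do
        sn=${s%%:*}; si=${s#*:}
        for d in $ZONES self:-; do
            dn=${d%%:*}; di=${d#*:}
            [ "$sn" = "$dn" ] && continue
            c="$sn-$dn"
            echo "iptables -N $c"
            if   [ "$sn" = self ]; then echo "iptables -A OUTPUT -o $di -j $c"
            elif [ "$dn" = self ]; then echo "iptables -A INPUT -i $si -j $c"
            else echo "iptables -A FORWARD -i $si -o $di -j $c"
            fi
            echo "iptables -A $c -m state --state ESTABLISHED,RELATED -j ACCEPT"
        done
    done
}

# Expand one chain-file line: gen_allow <chain> <services> <from> <to> [options]
# "all" means no address match; names are resolved through ALIASES; options
# are appended verbatim. Unknown services are skipped with a comment.
gen_allow() {
    chain=$1; svcs=$2; froms=$3; tos=$4; shift 4; opts=$*
    for svc in $(echo "$svcs" | tr ',' ' '); do
        def=$(lookup "$SERVICES" "$svc") || { echo "# $svc: no service definition, skipped"; continue; }
        for pp in $(echo "$def" | tr ',' ' '); do
            proto=${pp%%/*}; port=${pp#*/}
            for f in $(echo "$froms" | tr ',' ' '); do
                for t in $(echo "$tos" | tr ',' ' '); do
                    src=""; dst=""
                    [ "$f" != all ] && src="-s $(addr "$f") "
                    [ "$t" != all ] && dst="-d $(addr "$t") "
                    echo "iptables -A $chain ${src}${dst}-p $proto --dport $port -m state --state NEW${opts:+ $opts} -j ACCEPT"
                done
            done
        done
    done
}

# Close every chain: rate-limited LOG, then DROP, so traffic that matched
# no allow rule is recorded instead of disappearing silently.
gen_tails() {
    for s in $ZONES self:-; do
        sn=${s%%:*}
        for d in $ZONES self:-; do
            dn=${d%%:*}
            [ "$sn" = "$dn" ] && continue
            echo "iptables -A $sn-$dn -m limit --limit 5/min -j LOG --log-prefix \"$sn-$dn: \""
            echo "iptables -A $sn-$dn -j DROP"
        done
    done
}

main() {     # order matters: skeleton, allow rules, tails, then NAT (post.sh)
    gen_skeleton
    gen_allow local-internet dns,ntp desktop,fileserver all
    gen_allow local-internet ftp,http,https desktop all
    gen_allow local-self ping,ssh desktop all
    gen_tails
    echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
}

main
```

Run it as `sh zones.sh` to review the generated rules, or `sh zones.sh | sh` as root to apply them. Note that the tail rules must come after every allow rule in a chain, and the MASQUERADE rule lives in the nat table, which is why the real tool keeps it in post.sh.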
The configuration for this example looks as follows.

zone.conf:

    #zonename   interface
    #""""""""   """""""""
    internet    eth0
    local       eth1

alias.conf:

    #hostname   ip-address
    #""""""""   """"""""""
    firewall    10.0.0.1
    fileserver  10.0.0.10
    desktop     10.0.0.15

    #zonename   network
    #""""""""   """""""
    internet    0/0
    local       fileserver,desktop
    #local      10.0.0.0/24

chains/local-internet.chain:

    #action  service         from                to   options
    #""""""  """""""         """"                ""   """""""
    allow    dns,ntp         desktop,fileserver  all
    allow    ftp,http,https  desktop             all
    allow    msn,icq         desktop             all

chains/local-self.chain:

    #action  service   from     to   options
    #""""""  """""""   """"     ""   """""""
    allow    ping,ssh  desktop  all
    allow    ssh       desktop  all  -p 2022

scripts/post.sh:

    ### Enable masquerading
    echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"

Running dwall with this configuration:

    [root@firewall ~]# dwall
    Dwall v0.5.1, running on firewall by dag
    5 aliases, 0 mac addresses, 3 zones, 83 services and 2 chains loaded.

    Do you want to run the new Dwall rule set ? (N/y) y
    Archiving old rule set to backup/dwall.20040314-193336
    Running /etc/dwall/firewall, please stand by. Done.
    [root@firewall ~]#

You can download Dwall from: