-----------------------------------------------------------------------
PFconf V 0.8.1 (2004-11-19)
2002-2004 by Volker Tanger
-----------------------------------------------------------------------

PFconf (Packet Filter CONFig tool) is a very simple script collection to
ease working with "naked" packet filters, especially the Linux IPTABLES
netfilter facility.

Most ACLs (packet filters) don't work with "group" objects, where one can
list tables of IP addresses and networks to which a single rule is
applied. OpenBSD's "PF" is the notable exception to this rule. So if you
have three mail servers and 5 protocols (smtp, pop3, pop3s, imap, imaps)
you will need to write 15 rules instead of one - and must not forget a
single permutation. With PFconf you only need one rule - and the script
will take care of the necessary permutations.

These scripts are designed to be fairly simple, leave room for comments
(who ordered that, why is this rule here, etc.) - and the usual quartet:
small, efficient, portable and easy to use.

NAT handling and management scripts (when is a rule due for
re-evaluation) will come soon. Target conversion for Cisco ACLs as well
as for OpenBSD's PF will probably follow not far behind...

Requirements:
 * Unix shell (tested with BASH)
 * standard Unix text tools (fgrep, cut, head, ...)
 * packet filter supported by the scripts (currently only Linux' IPTABLES)

KNOWN ISSUES:
 * A misspelled target within a group will simply be missing, without an
   error message
 * missing documentation

FEATURE WISH LIST / ROADMAP:
 * NAT handling
 * Abstract targets (accept/reject/drop)
 * Management tools
 * more target scripts

Updates will be available at http://www.wyae.de/software/pfconf/
Please check there for updates prior to submitting patches!

There is a user/developer mailing list available.
To subscribe, send a mail with "subscribe fwtools" as subject to
minimalist@wyae.de

For bug reports and suggestions, or if you just want to talk to me,
please contact me at volker.tanger@wyae.de

-----------------------------------------------------------------------
Setup
-----------------------------------------------------------------------

Please see "example.sh" - more docs later.
Running the script produces a "FILENAME.iptables.sh" script.

PFconf (Packet Filter CONFig tool)
Copyright (C) 2002-2004 Volker Tanger

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
http://www.gnu.org/copyleft/gpl.html

------------------------------------------------------------------------
HISTORY
------------------------------------------------------------------------

November 2004 v0.8.1 * Volker Tanger
  - added the previously missed statefulness (i.e. the
    "related,established ACCEPT" rules)
  - added "phoning home" to demo script
  - allow firewall to go out to anywhere

November 2004 v0.8.0 * Volker Tanger
  - initial publication

-----------------------------------------------------------------------
Shortcut: Distributable under GPL
-----------------------------------------------------------------------

Copyright (C) 2003-2004 Volker Tanger

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or see their
website http://www.gnu.org/copyleft/gpl.html
-----------------------------------------------------------------------
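The group expansion the introduction describes (three mail servers times five protocols yielding 15 iptables rules from one group rule), as an added illustration that is not PFconf's own code: a POSIX shell function expands a host group and a port group into the full set of permutations, carries the per-rule comment along, and refuses an empty group instead of silently dropping it (the behaviour listed under KNOWN ISSUES). The addresses, ports, group names and ticket reference are constructed sample values.

```sh
#!/bin/sh
# Added example, not part of PFconf: expand a host group and a port group
# into one iptables rule per (host, port) pair, carrying a comment along so
# the "who ordered that / why is this rule here" trail survives.
# All addresses, ports and group names below are constructed sample values.

# Host group: three hypothetical mail servers (RFC 5737 documentation range).
MAILSERVERS="192.0.2.10 192.0.2.11 192.0.2.12"
# Port group: the five protocols named in the README (smtp pop3 pop3s imap imaps).
MAILPORTS="25 110 995 143 993"

# expand_rules CHAIN HOSTGROUP PORTGROUP COMMENT
# Prints one rule per host/port permutation. An empty group (the usual
# result of a misspelled group variable) is reported on stderr instead of
# silently producing no rules, which is the README's first KNOWN ISSUE.
expand_rules() {
    chain="$1"; hosts="$2"; ports="$3"; comment="$4"
    if [ -z "$hosts" ] || [ -z "$ports" ]; then
        echo "expand_rules: empty group for chain $chain ($comment)" >&2
        return 1
    fi
    for host in $hosts; do          # word splitting on purpose: groups are
        for port in $ports; do      # space-separated lists
            printf 'iptables -A %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT # %s\n' \
                "$chain" "$host" "$port" "$comment"
        done
    done
}

# count_rules CHAIN HOSTGROUP PORTGROUP: how many rules the expansion yields
count_rules() {
    expand_rules "$1" "$2" "$3" "count" | wc -l | tr -d ' '
}

# generate_script: emit a FILENAME.iptables.sh-style script on stdout,
# including the stateful "related,established" rule that v0.8.1 added.
generate_script() {
    echo '#!/bin/sh'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    expand_rules FORWARD "$MAILSERVERS" "$MAILPORTS" "mail cluster, ticket TICKET-PLACEHOLDER"
}

generate_script
```

Redirect the output to a file to obtain the generated firewall script; the rule comments end up as shell comments, so they survive into the file that is actually executed.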