Dwall is an all-purpose firewall tool that generates an iptables firewall
out of a simple configuration. It contains about 80 predefined services
and comes with a simple 3-zone firewall example.
In essence, the sysadmin only needs to define the different zones and
what traffic is allowed from one zone to another (if any).
I finally released Dwall.
If you want to contribute services/protocols, documentation or enhancements,
please send them to me!
The basic functionality is in place; look at the TODO to see what is still missing.
I consider this implementation a working reference implementation. I'm sure it would
be best to rewrite it in some other language, and that it can be improved a lot
without making it more complex to configure.
Dwall has currently the following features:
- Rule-sets are split up into chains (i.e. one chain per pair of zones)
- Allows human-readable firewall rules and gives a good overview
- Name aliases for hosts or groups of hosts (uses /etc/hosts)
- Can do MAC address based filtering (uses /etc/ethers)
- Includes more than 80 predefined services
- Automatic logging of dropped connections
- Automatic backups of older rulesets
- Easy to go back in time and look at changes
- Designed so it can be used for setups where different sysadmins make changes
- Generated firewall code is documented, which makes debugging easy
- Can be used for host security and complex network security
I'd like to implement the following items:
- Port knocking (open/close ports based on network traffic)
- Improve the requirements checking before running
- Improve the handling of dynamic interfaces
- Integrate /etc/networks and route into the whole picture
- Generate variables for broadcast addresses (for services)
- Create framework for NAT/port-forwarding (without pre.sh or post.sh)
- Create framework for packet-mangling
- Allow Dwall to work with different subnets as zones
- Add dar-test and dar-debug tools for remote testing and debugging
- Add dar-log tool for processing the dwall logfile using the dwall config info
- Add logwatch config for /var/log/dwall
This is a simple setup for a firewall with 2 interfaces. With 2 interfaces you have 3 zones, namely
internet, local and self (self being the firewall itself).
With 3 zones there are 6 possible traffic flows:
- From local to internet (chain local-internet)
- From local to firewall (chain local-self)
- From internet to local (chain internet-local)
- From internet to firewall (chain internet-self)
- From firewall to internet (chain self-internet)
- From firewall to local (chain self-local)
If a chain does not exist, no traffic is allowed in that direction. The following simple example
will only allow traffic from the local network to the internet and to the firewall itself.
zone.conf
#zonename interface
#"""""""" """""""""
internet eth0
local eth1
alias.conf
#hostname ip-address
#"""""""" """"""""""
firewall 10.0.0.1
fileserver 10.0.0.10
desktop 10.0.0.15
#zonename network
#"""""""" """""""
internet 0/0
local fileserver,desktop
#local 10.0.0.0/24
chains/local-internet.chain
#action service from to options
#"""""" """"""" """" "" """""""
allow dns,ntp desktop,fileserver all
allow ftp,http,https desktop all
allow msn,icq desktop all
chains/local-self.chain
#action service from to options
#"""""" """"""" """" "" """""""
allow ping,ssh desktop all
allow ssh desktop all -p 2022
scripts/post.sh
### Enable masquerading
echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
[root@firewall ~]# dwall
Dwall v0.5.1, running on firewall by dag
5 aliases, 0 mac addresses, 3 zones, 83 services and 2 chains loaded.
Do you want to run the new Dwall rule set ? (N/y) y
Archiving old rule set to backup/dwall.20040314-193336
Running /etc/dwall/firewall, please stand by.
Done.
[root@firewall ~]#
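As an added illustration (not Dwall's own code), here is a small Python generator for the configuration format shown above: it parses the two-column zone.conf and alias.conf files plus the chain files, and emits one iptables chain per zone pair, with a LOG and DROP tail per chain and a DROP policy for directions that have no chain file. The service table, the reading of the "-p 2022" option as a port override, and the exact rule layout are assumptions made for this example.

```python
ZONES = "internet eth0\nlocal eth1"                         # constructed zone.conf
ALIASES = "firewall 10.0.0.1\nfileserver 10.0.0.10\ndesktop 10.0.0.15"  # constructed alias.conf
CHAINS = {                                                   # constructed chain files
    "local-internet": "allow dns,ntp desktop,fileserver all\nallow http,https desktop all",
    "local-self": "allow ping,ssh desktop all\nallow ssh desktop all -p 2022",
}
# Assumed subset of the service table; the real Dwall ships its own definitions
SERVICES = {"dns": [("udp", 53), ("tcp", 53)], "ntp": [("udp", 123)],
            "http": [("tcp", 80)], "https": [("tcp", 443)],
            "ssh": [("tcp", 22)], "ping": [("icmp", "echo-request")]}

def parse_table(text):
    """Two-column 'name value' files such as zone.conf and alias.conf; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            table[fields[0]] = fields[1]
    return table

def generate(zones, aliases, chains):
    """One iptables chain per zone pair; directions without a chain file stay at policy DROP."""
    out = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP"]
    for name, body in chains.items():
        src_zone, dst_zone = name.split("-")
        hook = "INPUT" if dst_zone == "self" else "FORWARD"   # '-self' chains guard the box
        link = f"-i {zones[src_zone]}" + ("" if dst_zone == "self" else f" -o {zones[dst_zone]}")
        out += [f"iptables -N {name}", f"iptables -A {hook} {link} -j {name}"]
        for line in body.splitlines():
            fields = line.split("#", 1)[0].split()
            if len(fields) < 4:
                continue
            action, services, srcs, dsts, *opts = fields
            target = "ACCEPT" if action == "allow" else "DROP"
            port = opts[opts.index("-p") + 1] if "-p" in opts else None  # assumed: -p overrides port
            dst = "" if dsts == "all" else f" -d {aliases.get(dsts, dsts)}"
            for svc in services.split(","):
                for proto, svc_port in SERVICES[svc]:
                    p = port or svc_port
                    m = f"-p icmp --icmp-type {p}" if proto == "icmp" else f"-p {proto} --dport {p}"
                    for src in srcs.split(","):
                        out.append(f"iptables -A {name} -s {aliases.get(src, src)}{dst} {m} -j {target}")
        # Automatic logging of dropped connections: log, then drop, whatever fell through
        out += [f'iptables -A {name} -j LOG --log-prefix "{name}: "', f"iptables -A {name} -j DROP"]
    return out

if __name__ == "__main__":
    print("\n".join(generate(parse_table(ZONES), parse_table(ALIASES), CHAINS)))
```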
You can download Dwall from: