PacketFlow Firewall Generator is an XML-based firewall generator. It takes an XML configuration file that defines the firewall policy and generates a list of iptables commands to implement that policy. It is primarily intended for use on dedicated firewalls, but it can be used in other scenarios. It makes dealing with many interfaces easy.
PacketFlow works on the concept of interface "security levels." New connections are allowed to flow down hill from interfaces with a high security level to interfaces with a low security level. This approach tends to make rule sets much shorter, even with many interfaces.
Access lists allow you to override the default behavior of the security levels. Access lists are defined between interfaces. There is also support for incoming, outgoing, and wildcard access lists. Wildcard access lists allow you to easily allow new connections to a particular service from any interface. Access lists are applied only to "new" connections, and once a connection has been established, you no longer need to deal with it specifically.
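As an added illustration of the security-level model described above (this is not PacketFlow's own code, and it uses a plain Python dictionary in place of the XML configuration), the following generator emits the iptables FORWARD rules implied by a set of interface levels plus one wildcard access list. Interface names, levels and the access-list structure are constructed for the example.

```python
# Added example: a minimal rule generator built on the security-level idea.
# The configuration structure below is an assumption made for this example;
# it is not PacketFlow's XML format.
from itertools import permutations

# Constructed sample: outside (eth0), inside (eth1) and a DMZ (eth2).
INTERFACES = {"eth0": 0, "eth1": 100, "eth2": 50}

# Constructed access list: let any interface ("*") open the DMZ web server,
# even though outside -> DMZ goes "uphill" (level 0 -> level 50).
ACCESS_LISTS = [
    {"src": "*", "dst": "eth2", "proto": "tcp", "dport": 80},
]

def generate_rules(interfaces, access_lists):
    """Return the iptables FORWARD rules implied by the security levels.

    Order matters: established traffic first, then the explicit access
    lists, then the downhill default, and an implicit drop for the rest.
    """
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    # Access lists apply to NEW connections only; a wildcard source expands
    # to every interface other than the destination.
    for acl in access_lists:
        if acl["src"] == "*":
            srcs = [i for i in interfaces if i != acl["dst"]]
        else:
            srcs = [acl["src"]]
        for src in srcs:
            rules.append(
                f"iptables -A FORWARD -i {src} -o {acl['dst']} -p {acl['proto']} "
                f"--dport {acl['dport']} -m state --state NEW -j ACCEPT")
    # Default behaviour: new connections flow from a higher level to a lower one.
    for src, dst in permutations(interfaces, 2):
        if interfaces[src] > interfaces[dst]:
            rules.append(
                f"iptables -A FORWARD -i {src} -o {dst} -m state --state NEW -j ACCEPT")
    return rules

if __name__ == "__main__":
    # Print the rules rather than applying them, as the generator itself does.
    print("\n".join(generate_rules(INTERFACES, ACCESS_LISTS)))
```

Note that with three interfaces the downhill default needs only three rules, and adding a fourth interface adds rules without touching any existing ones.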
The first thing to do is evaluate what you need your firewall to do. This is probably the most important part. Once you know what you are trying to accomplish, study the samples in the samples directory of this distribution. There are many configurations for this software, and one is likely to give you a place to start.
Once you have a configuration, you need to generate the rules from it. This is done by running the packetflow program with the file name as its argument. For now, it sends the rules to STDOUT, so you probably want to redirect them into a file.
What's New in This Release:
· This version no longer uses the unclean match, because it isn't available in kernel 2.6.
· The Debian packages have been updated to work correctly with newer releases, and the version has been updated to 1.0.