Pyroman 0.4.6

A flexible and fast firewall tool
Pyroman is a flexible and fast firewall tool: hosts, services and NAT mappings are declared in a short Python script, which Pyroman checks and compiles into a complete ruleset that is loaded in one go with iptables-restore.

Here are some key features of "Pyroman":

The good:

· Really fast compared to sh+awk based solutions, because the complete ruleset is loaded in one go with iptables-restore
· Rolls back to the previous firewall on error, to minimize the risk of applying a broken configuration
· Detailed error reporting to help with configuration
· Easy syntax for adding hosts and NATs
· Designed for complex networks
· Written in easy-to-read Python code
· Extensively documented (Python docstrings)
· Custom iptables rules can be added when needed
· Lots of verification checks are done before anything is executed
· Designed to use the same configuration files on multiple hosts (e.g. failover firewalls, or the destination host itself); it detects whether you are talking about a local or a remote host
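The first two points above describe one pattern: build the complete ruleset up front, hand it to iptables-restore so the kernel swaps each table in a single commit, and fall back to a saved copy if the load fails. The following is an added example of that pattern, written for this page and not taken from Pyroman. The `run` parameter is an assumption that lets the logic be exercised without root or iptables; `--test` is iptables-restore's own dry-run flag.

```python
# Added example, not Pyroman's code: load a complete ruleset atomically with
# iptables-restore and put the previous ruleset back if the load fails.
import subprocess
from dataclasses import dataclass


@dataclass
class Result:
    returncode: int
    stdout: str
    stderr: str


def run_command(cmd, stdin_text=""):
    """Run cmd with stdin_text on standard input; never raises on non-zero exit."""
    p = subprocess.run(cmd, input=stdin_text, text=True, capture_output=True)
    return Result(p.returncode, p.stdout, p.stderr)


def apply_with_rollback(new_ruleset, run=run_command):
    """Return "applied" on success.

    On any failure the previously active ruleset is restored and a RuntimeError
    carrying iptables' own message is raised, so the caller sees exactly which
    line was rejected.  `run` is injectable (assumption) so the sequencing can be
    tested without touching a real kernel.
    """
    snap = run(["iptables-save"])
    if snap.returncode != 0:
        raise RuntimeError("cannot snapshot current firewall: " + snap.stderr.strip())
    previous = snap.stdout

    # Dry run: --test parses and builds the ruleset without committing it.
    dry = run(["iptables-restore", "--test"], new_ruleset)
    if dry.returncode != 0:
        raise RuntimeError("ruleset rejected, nothing changed: " + dry.stderr.strip())

    load = run(["iptables-restore"], new_ruleset)
    if load.returncode == 0:
        return "applied"

    # The load failed part-way; put the snapshot back before reporting.
    back = run(["iptables-restore"], previous)
    if back.returncode != 0:
        raise RuntimeError("load failed and rollback failed: " + back.stderr.strip())
    raise RuntimeError("load failed, previous firewall restored: " + load.stderr.strip())
```

Note what the dry run does and does not catch: `--test` rejects syntax errors and unknown chains or targets before anything changes, but a rule that is well-formed and merely wrong (one that drops the SSH session you are administering from, say) loads fine, and the rollback here only fires on a failed load. That class of mistake has to be caught by verification of the configuration before it ever reaches iptables-restore.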

The bad:

· Not designed for single-host workstation setups
· Doesn't completely hide iptables complexity from the admin (good or bad?)
· Only iptables: no TC/shaping, no IPsec, proxy ARP setup, VPN or ifconfig (I use other tools for that, e.g. heartbeat)

To tease you a little more into testing, here is an example host configuration. In it, "dmz" is an interface alias (the interface the web server is connected to), while "INT", "DMZ" and "ANY" stand for the clients reached through these interfaces.

# A really simple webserver configuration.
# These examples are just boring...
# But without NAT they would be even more boring.

# web server
add_host(
    name="web",
    ip="10.100.1.2",
    iface="dmz"
)
# offering, well, web service.
allow(
    client="ANY DMZ INT",
    server="web",
    service="www ssh ping"
)
# internal hosts may access FTP, too
allow(
    client="INT",
    server="web",
    service="ftp"
)
# set up NAT
add_nat(
    client="ANY INT",
    server="web",
    ip="12.34.56.80"
)


(Yes, this is a python script. No, you probably won't care to write your configuration in a programming language, will you?)
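To show what such a script is turned into, here is an added example written for this page; it is not Pyroman's code and Pyroman's own API and checks differ. It is a toy that accepts the same add_host/allow/add_nat calls as the configuration above, verifies every declaration, and only then emits text for iptables-restore. The add_interface calls, the interface names, the networks and the SERVICES table are assumptions. It also carries the "same configuration on multiple hosts" idea from the feature list: if the server's address is among the local addresses passed in, its rules land in INPUT instead of FORWARD.

```python
# Added illustration, not Pyroman's code: compile host/service declarations into
# an iptables-restore ruleset, refusing to emit anything if verification fails.
import ipaddress

# Assumed service table (name -> protocol, destination port); it only covers the
# names used in the example configuration.
SERVICES = {"www": ("tcp", 80), "ssh": ("tcp", 22), "ftp": ("tcp", 21), "ping": ("icmp", None)}


class ConfigError(Exception):
    """Any declaration that fails verification; raised before anything is emitted."""


class Firewall:
    def __init__(self, local_ips=()):
        # Addresses bound on the machine this runs on.  A server that is local gets
        # INPUT rules; every other server gets FORWARD rules (same config, any host).
        self.local_ips = {ipaddress.ip_address(i) for i in local_ips}
        self.ifaces = {}     # "dmz" -> kernel interface name
        self.classes = {}    # "DMZ" -> (network, kernel interface name)
        self.hosts = {}      # "web" -> (address, kernel interface name)
        self.allows, self.nats = [], []

    def add_interface(self, alias, iface, net):
        # Lower-case alias names the interface, upper-case the clients behind it.
        self.ifaces[alias] = iface
        self.classes[alias.upper()] = (ipaddress.ip_network(net), iface)

    def add_host(self, name, ip, iface):
        addr = ipaddress.ip_address(ip)
        if name in self.hosts:
            raise ConfigError(f"host {name!r} defined twice")
        if iface not in self.ifaces:
            raise ConfigError(f"host {name!r}: unknown interface alias {iface!r}")
        net = self.classes[iface.upper()][0]
        if addr not in net:
            raise ConfigError(f"host {name!r}: {addr} is not inside {net} on {iface!r}")
        self.hosts[name] = (addr, self.ifaces[iface])

    def allow(self, client, server, service):
        self.allows.append((client.split(), server, service.split()))

    def add_nat(self, client, server, ip):
        self.nats.append((client.split(), server, ipaddress.ip_address(ip)))

    def _src(self, token):
        """'-s ... -i ...' match for a client token; ANY matches everything."""
        if token == "ANY":
            return ""
        if token in self.hosts:
            addr, iface = self.hosts[token]
            return f"-s {addr} -i {iface} "
        net, iface = self.classes[token]
        return f"-s {net} -i {iface} "

    def _verify(self):
        """All checks live here, so a bad config yields a message, not half a ruleset."""
        for kind, entries in (("allow", self.allows), ("nat", self.nats)):
            for n, (clients, server, extra) in enumerate(entries, 1):
                if server not in self.hosts:
                    raise ConfigError(f"{kind} #{n}: unknown server {server!r}")
                for c in clients:
                    if c != "ANY" and c not in self.hosts and c not in self.classes:
                        raise ConfigError(f"{kind} #{n}: unknown client {c!r}")
                if kind == "allow":
                    for s in extra:
                        if s not in SERVICES:
                            raise ConfigError(f"allow #{n}: unknown service {s!r}")

    def compile(self):
        """Verify, then emit the whole ruleset in iptables-restore format."""
        self._verify()
        out = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
               "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
               "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for clients, server, services in self.allows:
            addr, iface = self.hosts[server]
            if addr in self.local_ips:
                chain, dst = "INPUT", f"-d {addr}"
            else:
                chain, dst = "FORWARD", f"-d {addr} -o {iface}"
            for c in clients:
                for s in services:
                    proto, port = SERVICES[s]
                    match = "-p icmp --icmp-type echo-request" if proto == "icmp" else f"-p {proto} --dport {port}"
                    out.append(f"-A {chain} {self._src(c)}{dst} {match} -j ACCEPT")
        out += ["COMMIT", "*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
                ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
        for clients, server, public in self.nats:
            addr, _ = self.hosts[server]
            for c in clients:   # inbound: public address -> real server address
                out.append(f"-A PREROUTING {self._src(c)}-d {public} -j DNAT --to-destination {addr}")
            # outbound: the server's own traffic leaves with the public address
            out.append(f"-A POSTROUTING -s {addr} -j SNAT --to-source {public}")
        out.append("COMMIT")
        return "\n".join(out) + "\n"


def build_example(local_ips=()):
    """The listing's host configuration; the two add_interface calls are assumed."""
    fw = Firewall(local_ips)
    fw.add_interface("int", "eth1", "10.0.0.0/16")
    fw.add_interface("dmz", "eth2", "10.100.1.0/24")
    fw.add_host(name="web", ip="10.100.1.2", iface="dmz")
    fw.allow(client="ANY DMZ INT", server="web", service="www ssh ping")
    fw.allow(client="INT", server="web", service="ftp")
    fw.add_nat(client="ANY INT", server="web", ip="12.34.56.80")
    return fw.compile()
```

build_example() returns the ruleset for a firewall in front of the web server; build_example(local_ips=["10.100.1.2"]) returns the INPUT-chain version for the web server itself, from the identical declarations. Every declaration is checked before a single line is emitted, so a typo in a client or service name yields a message naming the offending rule rather than a partially loaded firewall.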

last updated on: March 10th, 2011, 8:02 GMT
price: FREE!
developed by: Erich Schubert
homepage: pyroman.alioth.debian.org
license type: MIT/X Consortium License
category: ROOT \ System \ Networking

What's New in This Release:
  • This release cleans up rule name handling for INPUT/OUTPUT/FORWARD and ACCEPT/DROP/REJECT rules (it was a bit messy before).
  • It will now default to the kernel names, which are overridden in the base examples provided to make use of connection tracking, etc.