Fwctl 0.28
Fwctl 0.28 Ranking & Summary
File size: 0.078 MB
Platform: Any Platform
License: Perl Artistic License
Price:
Downloads: 897
Date added: 2007-05-11
Publisher: Francis J. Lacoste
Fwctl 0.28 description
Fwctl is a Perl module to configure the Linux kernel packet filtering firewall.
SYNOPSIS
use Fwctl;
my $fwctl = new Fwctl( %opts );
$fwctl->dump_acct;
$fwctl->reset_fw;
$fwctl->configure;
Fwctl is a module to configure the Linux kernel packet filtering firewall using a higher level abstraction than rules on the input, output and forward chains. It supports masquerading and accounting as well.
Why Fwctl? Well, say you are the kind of paranoid firewall administrator who likes his firewall rules tight. Very tight. Say the kind that likes to distinguish between a SYN and an ACK packet when accepting a TCP connection (anybody configuring packet filters should care about that last point), or likes to specify the interface name on each rule. (Whether this is really needed, or whether such a stance is relevant, is not the point.) How would such an administrator proceed? First of all, you deny everything on all interfaces and on all chains (input, forward and output) and turn on logging. Now, starting from this configuration (which is the state Fwctl puts the firewall in on initialization), say you want to enable ping from the internal network to the internal IP. What rules do you need? You need a rule on the input chain to accept the echo-request packet and a rule on the output chain to accept the echo-reply packet. Right? Well, what about the loopback? Surely, when we say from the local net to the local IP, this implies local IP to local IP? Then you add a rule to the output chain for the loopback interface, and a rule on the input chain for the loopback interface. And we haven't even started forwarding yet! Add masquerading to the lot, and multi-connection protocols like FTP, and you have something unmanageable. So you start accepting things you shouldn't in order to get your job done, and in the end your filters look like Emmental.
Fwctl handles all the complexity of this, so that when you say
accept ftp -src FTP_PROXY -dst INTERNET -noport
you don't accept too much of what you didn't intend. (Well, you just opened arbitrary TCP connections to unprivileged ports on the Internet from your proxy server, but that's because of the FTP protocol, not because you're cheating on the firewall rules.)
Fwctl works with entities known as services. A service can be ftp, netbios, ping or anything else. The service abstraction handles all the communication necessary for that application (the UDP and TCP communication in DNS, or the control, data and passive connections for FTP).
Additionally, to handle all the special cases with the ANY specification, when the src or dst implies a local IP, or masquerading, in short, for Fwctl to be able to deduce the interfaces implicated by the src and dst portions of a rule, you need to provide it with your network topology. Fwctl must guess from your topology the routing decision that will be made in the kernel. In the best of worlds, Fwctl would contain the same routing algorithm as the kernel. Well, it doesn't, so if you are using fancy routing features, Fwctl won't work. In fact, it can only handle something equivalent to simple static routing. You have been warned.
So in short, to configure your packet filters with Fwctl you need to:
Define your network topology using the interfaces file.
(Optional) Define meaningful aliases for the hosts and networks which are part of your configuration.
Implement your security policy using high level abstract rules in the rules file.
Finally, Fwctl is extensible. You can easily add service modules using the Fwctl::RuleSet module, which contains all the primitives you need to handle the special cases involved in input, forward and output chain selection.