Free php firewall software for linux

PCX Firewall is an IPTables firewalling solution that uses Perl to generate static shell scripts based upon the users configuration settings.
This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
Enhancements:
- All known bugs have been fixed. Support has been added for Debian Sarge and Red Hat FC[1-3] as "official" distributions to work with when generating init scripts. The ability has been added to just install the generated firewall script into /etc/init.d or /etc/pcx-firewall without starting it.

Simple Firewall is a easy tool for administration users and access control. This tool is made for Linux. Using iptables for packet filtering Write in perl Save rules with xml. That can be run in bash shell and web interface via webmin.
Enhancements:
- Perform reconfigure squid conf for all linux distros
- Fix script init for all linux distros
- Add new menu vpn
- Implemet and integrated PPTP VPN Software
- Modified install script

IPv6 FireWall script is a firewall based on ip6tables.

firewall6.sh 122 lines

#!/bin/bash

# Basic IPv6 FireWall script by Dennis Kruyt (dennis@klingon.nl)
#
# Sun Jan 5 18:26:28 2003 - DK

#debug
#set -x

cd /opt/scripts/firewall

source ./config6
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11

# change to script directory
cd ${SCRIPTSDIR}

SCRIPT=${SCRIPTSDIR}/firewall6.sh

case "$1" in
flush)
echo -e "Starting Firewall:"
${IPTABLE6} -F >> /dev/null 2>&1
${IPTABLE6} -X >> /dev/null 2>&1
echo -e "Setting defaults op ACCEPT!"
echo -e "ALERT: no firewall rules active"
#
${IPTABLE6} -P INPUT ACCEPT
${IPTABLE6} -P OUTPUT ACCEPT
${IPTABLE6} -P FORWARD ACCEPT
;;
start|reload)
echo -n "Starting Firewall: "
# paging!
#

# create a backup
TIME=`date +%s`
tar -czf /opt/backups/firewall/firewall.${TIME}.tar.gz /opt/scripts/firewall

# sending mail
mail email@address.com -s "Firewall - (re)started" < $0

# wait
sleep 1

# kerneloptions
echo -n "Loading Kernel options.."
./kernel_options6.sh

echo -n "Flushing and deleting all chains.."
${IPTABLE6} -F >> /dev/null 2>&1
${IPTABLE6} -X >> /dev/null 2>&1

# default policy
echo -n "Setting default policy DROP.."
${IPTABLE6} -P INPUT DROP
${IPTABLE6} -P OUTPUT DROP
${IPTABLE6} -P FORWARD DROP

# ?????????????
#${IPTABLE} -F -t mangle
#${IPTABLE} -t mangle -X

echo -e "Loading chains.."
# create chain blacklist
${IPTABLE6} --new blacklist
#And drop the evil ones
for i in $BLACKLIST6;do
${IPTABLE6} -A blacklist --src $i -j DROP
done

#icmp chain
${IPTABLE6} --new icmprules
${IPTABLE6} -A icmprules -p icmpv6 -j ACCEPT

# create out chain
${IPTABLE6} --new out
#localhost to localhost
${IPTABLE6} -A out --src $LOCALHOST6 --dst $LOCALHOST6 -j ACCEPT
# for now accept all outgoing IPv6 traffic
${IPTABLE6} -A out --src $SIXXS --dst $ANY6 -j ACCEPT

# create in chain
${IPTABLE6} --new in
#localhost to localhost
${IPTABLE6} -A in --src $LOCALHOST6 --dst $LOCALHOST6 -j ACCEPT
# for now accept all incomming IPv6 traffic
${IPTABLE6} -A in --dst $SIXXS --src $ANY6 -j ACCEPT

#All that are in trusted may ssh
for i in $THRUSTED6;do
${IPTABLE6} -A in -p tcp --dst $SIXXS --dport 22 --src $i -j ACCEPT
done

# jump to all ipv6 chains
${IPTABLE6} -A INPUT -j blacklist
${IPTABLE6} -A OUTPUT -j blacklist
${IPTABLE6} -A FORWARD -j blacklist

${IPTABLE6} -A INPUT -j icmprules
${IPTABLE6} -A OUTPUT -j icmprules

${IPTABLE6} -A INPUT -j in
${IPTABLE6} -A OUTPUT -j out

;;
show)
echo -e "Rules in the firewall: ${CHAIN} n"
${IPTABLE6} -L -n
;;
*)
echo -e "Usage: ${SCRIPT} {flush|start|reload|show} n"
exit 1
;;
esac
exit 0

config6 12 lines

export IPTABLE6=/sbin/ip6tables

export SCRIPTSDIR=/opt/scripts/firewall

export EXT="eth0" # device
export SIXXS="3ffe:8114:1000::50f/127" # extern

export ANY6="::/0"
export LOCALHOST6="::1/128"

export THRUSTED6=""

export BLACKLIST6="3ffe:8114:2fff:1391::1"

kernel_options6.sh 7 lines

#!/bin/bash


# forwarding on
#echo "1" > /proc/sys/net/ipv6 blablabla

# Set some other IPv6 proc settings
#echo "1" > /proc/sys/net/ipv6 blablabla

NATting SOHO firewall is a firewall script for iptables.

# Model NATting SOHO firewall for SP article
# by Jay Beale (jay@bastille-linux.org)
#
# Warning: youre going to have to hack this for your own purposes.
#

# Assumptions:
# your internal network is 192.168.1.0/24 on eth1
# your internet IP is 10.0.0.1 on eth0
# your internal network IP on eth1 is 192.168.1.1
#
# Additonally:
# you have another internal network, a DMZ: 192.168.2.0/24 on eth2

$INTERNAL_IP = 192.168.1.1
$INTERNAL_NET = 192.168.1.0/24

$INTERNET = 10.0.0.1

$DMZ = 192.168.2.0/24

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Set default policies for packets going through this firewall box

iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP

# Set default policies for packet entering this box

iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW

# Kill spoofed packets

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP

# Note:There are more "reserved" networks, but these are the classical ones.

# Block outgoing network filesharing protocols that arent designed
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

###
# Transparently proxy all web-surfing through Squid box

$SQUID = 192.168.1.2:8080
$SQUIDSSL = 192.168.1.2:443
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL

# Transparently forward all outgoing mail to a relay host

$SMTP = 192.168.1.3
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP

# Transparently redirect web connections from outside to the DMZ web
# server

$DMZ_WEB = 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.1 -dport 80 -j DNAT --to $DMZ_WEB

# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET


# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

Linux Firewall is a robust, well-designed firewall for Linux 2.4 based on netfilter/iptables. The Projectfiles.com Linux Firewall is the swiss army knife of Linux firewall software. Based on the netfilter-iptables tools, the firewall is a single shell executable written in bash with configuration options and basic documentation included in the same file. It is designed for use with all types of systems: workstations, routers, and servers, and includes advanced features for expert users and Internet Service Providers.

Here are some installation tips:

1. Download the latest rc.firewall [wget http://projectfiles.com/firewall/rc.firewall]
2. Edit the options at the beginning of the file with your favorite text editor. The script comes pre-configured to deny all incoming connections. This is suitable for a typical workstation installation. Refer to the configuration page for in depth explanation of available options.
3. Make the script executable [chmod +x ./rc.firewall]
4. Become root [su]
5. Run the script [./rc.firewall]
6. After you verify that the firewall runs without errors, you may want it to be run automatically on boot. To accomplish this, move the script to the appropriate startup script directory for your distribution [/etc/rc.d/ for Slackware, /etc/init.d/ for Gentoo] and add the following lines in your startup scripts at some point after your ethernet interfaces are configured [for example /etc/rc.d/rc.local for Slackware, and /etc/conf.d/local.start for Gentoo].

Slackware
if [ -x /etc/rc.d/rc.firewall ]; then
/etc/rc.d/rc.firewall
fi
Gentoo
if [ -x /etc/init.d/rc.firewall ]; then
/etc/init.d/rc.firewall
fi

See forum for alternate installation methods.
7. If you are using this firewall on a machine to which you do not have physical access, but can reboot remotely (for example a collocated server or a Linux router at a computer illiterate friends house), you might want to think about putting in a short delay between the time the machine boots and the initialization of the firewall. This would give you a chance to log in and disable the firewall [chmod -x] if something goes wrong. A good example might be if you have the script configured to allow you to connect from a specific remote IP address and your address changes. If you choose to implement this idea, it can be done with the following code in rc.local:

if [ -x /etc/rc.d/rc.firewall ]; then
sleep 30 && /etc/rc.d/rc.firewall | logger -t rc.firewall &
echo "Firewall init in 30 seconds. Check syslog for results."
fi

SINUS project is a application which assess the potential of security without obscurity.
The SINUS Firewall is a TCP/IP packet filter for the Linux operating system. It is distributed under the GNU General Public Licence and comes with complete source code, as the Linux operating system does.
The SINUS firewall is a free and easy way to protect your network from the malware of the Internet. It does not guarantee perfect security, however it comes with a wealth of features, including:
Filtering of all header fields in the IP, TCP, UDP, ICMP, IGMP packets.
Intelligent RIP and FTP support.
Easy to understand, text-based configuration.
Graphical management interface for configuration of several firewalls.
Dynamic rules, including counters and time-outs.
Extensive logging, alerting, and counter intelligence.
Prevention of packet and address spoofing - GNU GPL license.
To install the software, you need a Linux 2.0.x based system. We suggest you install a bare-bone system without X or any of the other nifty features which tend to have security holes. You should not install user accounts on the firewall system. Log-ins other than from the console should be forbidden (if you absolutely have to log in remotely, we strongly suggest you install a copy of ssh).
Although the software has been subject to thorough testing, and has been continuously running without crashes for over 12 months, we are confident someone will eventually unconver A BUG in the software. Therefore, it is version "0.1".
Please do not use this software as the sole means to protect your top secret data. This software is intended for:
People who want to study firewalls
People who dont trust their current firewall
People who currently dont have any protection at all (even if there are serious bugs, it cannot get worse, can it?)
Enhancements:
- NEW FEATURES
- user level authentification between firewall and management interface
- compiles and runs on libc6 (glibc2) systems.
- CHANGES
- management interface now written as Java application (JDK 1.1.6)
- detect land attack
- changed name from sf to sifi (SINUS firewall) due to change of maintainer (now Harald Weidner ).
- BUG FIXES
- TCP RST of established connections now pass through the firewall
- fixed a segfault bug in the passive FTP code

LutelWall (formerly known as Lutel Firewall) is high-level linux firewall configuration tool. It uses human-readable and easy to understand configuration to set up Netfilter in most secure way. Its flexibility allows firewall admins build from very simple, single-homed firewalls, to most complex ones - with multiple subnets, DMZs and traffic redirections. It can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone system. Configuration method of this firewall is made to be as simple as possible without loosing Netfilter flexibility and its security facilities.
Main features:
- flexible control over traffic using rule set
- user-defined protocols support
- support for any kind multiple external and internal interaces (and aliases)
- automated MASQUERADE / SNAT support
- easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
- rate limit extensions
- packet marking for 3rd party shapers
- TOS (Type of Service) traffic optimizer
- both passive and active FTP support
- DHCP support
- can work as "workstation" firewa
- stateful TCP connection tracking with restrictive TCP chain
- blocking all stealth mode scans (FIN, Xmas Tree, Null, Windows scan or ACK scan modes (nmap -sF -sX -sN -sW -sA)
- blocking IP protocol scans (nmap -sO)
- blocking UDP scans (nmap -sU)
- blocking identification via TCP/IP fingerprinting (nmap -O)
- anti-spoof protection, including protection for aliases
- anti-smurf protection
- TCP SYN Flood protection
- UDP / ICMP Flood protection
- IANA reserved addresses checking
- SYSCTL parameters set for increased strength
- logging stealth scans (FIN, Xmas Tree, Null), ACK scan modes (nmap -sF -sX -sN), IP protocol scans (nmap -sO), UDP scans (nmap -sU), nmap fingerprinting attempts.
- autodetect of connection type (static/dynamic, external/internal)
- auto update of firewall tool
- auto update IANA reserved list
- display firewall statistics in iptables native, csv or html format
- easy deployment on all distributions
Enhancements:
- fixed iptables version checking