Pyroman

A flexible and fast firewall tool

The good:

The bad:

To tease you a little more into testing, here's an example host configuration ("dmz" is an interface alias for the interface the web server is connected to; "INT", "DMZ" and "ANY" are aliases for the clients on those interfaces):

"""
A really simple webserver configuration.
These examples are just boring... ;-)
But without NAT they would be even more boring. ;-)
"""
# web server
add_host(
        name="web",
        ip="10.100.1.2",
        iface="dmz"
)
# offering, well, web service.
allow(
        client="ANY DMZ INT",
        server="web",
        service="www ssh ping"
)
# internal hosts may access FTP, too
allow(
        client="INT",
        server="web",
        service="ftp"
)
# setup NAT
add_nat(
        client="ANY INT",
        server="web",
        ip="12.34.56.80"
)
(Yes, this is a Python script. No, you probably won't care to write your configuration in a programming language, will you?)

So one of the things that make pyroman very cool is this:

Saving old firewall...
**********************************************************************
Beginning firewall initialization...
**********************************************************************
An error occurred. Starting firewall restoration.
Firewall initialization failed. Rollback complete.
Firewall commit failed: Invalid ICMP type `12345', caused by rules/80_workstations.py:16
Yes: it restores the previous firewall, and gives me a file name and line number as well as a useful error message!
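To show how a configuration-as-script tool can attribute errors to a file:line and roll back safely, here is an added, self-contained illustration of that commit-with-rollback pattern. It is not pyroman's own code: the Firewall class, its allow() statement and the in-memory "active" ruleset standing in for iptables-save/iptables-restore are all constructed for this example.

```python
import inspect


class CommitError(Exception):
    """Validation failure; the message names the configuration statement at fault."""


class Firewall:
    """Collects statements from a configuration script and commits them atomically."""

    def __init__(self):
        self.active = []    # constructed stand-in for the ruleset iptables currently holds
        self.pending = []   # (client, server, proto, value, "file:line") from the configuration

    def allow(self, client, server, proto, value):
        """Configuration statement: permit proto (tcp/udp port or icmp type) client->server."""
        frame = inspect.stack()[1]   # the frame that wrote this statement, i.e. the config file
        origin = f"{frame.filename}:{frame.lineno}"
        self.pending.append((client, server, proto, value, origin))

    @staticmethod
    def _render(client, server, proto, value, origin):
        """Turn one statement into an iptables rule, rejecting impossible values."""
        if proto == "icmp":
            if not 0 <= value <= 255:
                raise CommitError(f"Invalid ICMP type `{value}', caused by {origin}")
            selector = f"-p icmp --icmp-type {value}"
        elif proto in ("tcp", "udp"):
            if not 1 <= value <= 65535:
                raise CommitError(f"Invalid {proto} port `{value}', caused by {origin}")
            selector = f"-p {proto} --dport {value}"
        else:
            raise CommitError(f"Unknown protocol `{proto}', caused by {origin}")
        return f"-A FORWARD -s {client} -d {server} {selector} -j ACCEPT"

    def commit(self):
        """Activate pending statements; on any error restore the previous ruleset."""
        saved = list(self.active)            # "Saving old firewall..."
        try:
            for stmt in self.pending:
                self.active.append(self._render(*stmt))
        except CommitError as err:
            self.active = saved              # rollback to the saved ruleset
            self.pending = []
            raise CommitError(f"Firewall commit failed: {err}. Rollback complete.") from err
        self.pending = []
        return list(self.active)
```

A real tool would validate every statement before touching the kernel and would run iptables-restore on the saved dump; the in-memory list here keeps the example runnable offline.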

Alioth Project page with file releases

Subversion repository including a configuration sample

For more information, please contact Erich Schubert (Homepage, Blog).