Introduction to OpenFWTK
OpenFWTK is the Open FireWall ToolKit, a tool that lets you build a decent "industrial-grade" firewall from open source (and, optionally, other) software components.
The name is inherited from its ancestor, FWTK, a DARPA-sponsored project by Trusted Information Systems. OpenFWTK is the "new FWTK" under a less restrictive (3-clause BSD) license, and it supports the original FWTK API in case you still have compatible code around. As relatively few people are familiar with FWTK nowadays (it was once the de facto standard for building homebrew firewalls), we provide a brief introduction here.
What is OpenFWTK, then?
Let's start by explaining what it is NOT. There is a quite common preconception about what an "opensource firewall" is: a fancy web frontend for manipulating packet filter rules, or a Linux or BSD distribution that packages some "firewall-related" software together and provides common administration features through a more or less unified GUI. OpenFWTK is neither. It is not a packet filter frontend; it does not even include a packet filter. It has no GUI, nor does it include any OS distribution or third-party software packages.
It is an application proxy framework.
Unlike the overhyped (thanks, Checkpoint marketing BS) "deep packet inspection", an application proxy does not deal with IP packets at all. It implements the application protocol just as client and server software do, and relays only what it has parsed and accepted. The difference is that it is designed to be secure: the code base is kept as small as possible, and additional controls are enforced at the protocol level. So a "proxy firewall" is by design not vulnerable to the common IP-layer "evasion" techniques (fragmentation and overlapping-segment tricks never reach it, because it only ever sees the byte stream reassembled by the host's TCP/IP stack), and it is capable of preventing exploitation of UNKNOWN vulnerabilities whenever the exploit depends on "protocol abuse": oversized arguments, commands the proxy does not implement, data where the protocol allows none. Not all of them, but even some is better than nothing. The flip side is that the proxy terminates every connection itself and is thus exposed to every client, which is exactly why its code base has to stay small.
How does it look?
There is a policy file, called "netperm-table", describing the network permission policy. It is quite similar to the firewall rulesets you know, just dealing with higher layers. For instance, a rule set permitting FTP to the outside, logging all file transfers (RETR and STOR) and performing antivirus inspection of the transferred content via ICAP may look like:
ftp-gw: permit-host 192.168.1.* -log { retr stor }
ftp-gw: permit-content-type * -filter icap://avserver.local/vscan
For HTTP, rules are likely to be much more complex, but still comprehensible.
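As an added illustration (this is not OpenFWTK code, and it does not describe how OpenFWTK itself parses netperm-table), here is a small Python model of what an FTP proxy does with the two rules above: it parses the ruleset, matches the client address against permit-host, logs the verbs listed under -log, refuses any control-channel line that breaks the FTP command grammar or uses a verb the proxy does not implement (the "protocol abuse" controls described earlier), and reports which ICAP service a transfer of a given content type must be scanned by. The rule grammar, the set of accepted verbs, the 512-byte line cap and the sample session are all assumptions made for the example.

```python
"""Toy netperm-table interpreter for an FTP application proxy (illustrative only)."""
import fnmatch
import ipaddress
import shlex

# Constructed ruleset: the two netperm-table lines quoted on this page.
NETPERM_TABLE = """
ftp-gw: permit-host 192.168.1.* -log { retr stor }
ftp-gw: permit-content-type * -filter icap://avserver.local/vscan
"""

# FTP verbs this toy proxy is willing to relay (an assumed RFC 959 subset).
# Anything else is refused by the proxy and never reaches the real server.
ALLOWED_VERBS = {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "PORT",
                 "LIST", "NLST", "RETR", "STOR", "QUIT"}
MAX_LINE = 512  # assumed hard cap on one control-channel line, CRLF included


def parse_netperm(text, proxy="ftp-gw"):
    """Parse '<proxy>: <keyword> <value> [-opt arg | -opt { a b ... }] ...' lines.

    Grammar inferred from the page's two example lines; not OpenFWTK's parser.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name.strip() != proxy:
            continue
        tokens = shlex.split(rest)
        if len(tokens) < 2:
            raise ValueError(f"bad rule: {line}")
        rule = {"keyword": tokens[0], "value": tokens[1], "options": {}}
        i = 2
        while i < len(tokens):
            opt = tokens[i]
            if not opt.startswith("-"):
                raise ValueError(f"expected -option, got {opt!r} in: {line}")
            i += 1
            if i < len(tokens) and tokens[i] == "{":
                j = tokens.index("}", i)          # ValueError if unbalanced
                args, i = tokens[i + 1:j], j + 1
            elif i < len(tokens):
                args, i = [tokens[i]], i + 1
            else:
                args = []
            rule["options"][opt[1:]] = args
        rules.append(rule)
    return rules


class FtpPolicy:
    """Applies parsed permit-host / permit-content-type rules to one client."""

    def __init__(self, rules):
        self.host_rules = [r for r in rules if r["keyword"] == "permit-host"]
        self.content_rules = [r for r in rules if r["keyword"] == "permit-content-type"]

    def host_rule_for(self, client_ip):
        ipaddress.ip_address(client_ip)  # reject garbage before any pattern matching
        for r in self.host_rules:
            if fnmatch.fnmatchcase(client_ip, r["value"]):
                return r
        return None

    def filter_url_for(self, content_type):
        """ICAP service a transfer of this content type must be scanned by, or None."""
        for r in self.content_rules:
            if fnmatch.fnmatchcase(content_type, r["value"]):
                args = r["options"].get("filter")
                return args[0] if args else None
        return None

    def check_command(self, client_ip, raw_line):
        """Return ('permit'|'deny', log message or None) for one control-channel line."""
        rule = self.host_rule_for(client_ip)
        if rule is None:  # unauthorised hosts get none of their input parsed at all
            return "deny", f"no permit-host rule for {client_ip}"
        # Protocol-level controls: enforce the command grammar before relaying.
        if len(raw_line) > MAX_LINE or not raw_line.endswith("\r\n"):
            return "deny", "malformed command line"
        body = raw_line[:-2]
        if not body.isascii() or not body.isprintable():
            return "deny", "non-printable characters in command"
        verb, _, arg = body.partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED_VERBS:
            return "deny", f"verb {verb} not implemented by proxy"
        logged = {v.upper() for v in rule["options"].get("log", [])}
        return "permit", (f"{client_ip} {verb} {arg}" if verb in logged else None)


# Constructed sample session: (client address, raw line as received).
SAMPLE_SESSION = [
    ("192.168.1.7", "USER anonymous\r\n"),
    ("192.168.1.7", "RETR report.pdf\r\n"),
    ("192.168.1.7", "SITE EXEC /bin/sh\r\n"),       # verb the proxy does not implement
    ("192.168.1.7", "RETR " + "A" * 600 + "\r\n"),  # oversize line, buffer-abuse shape
    ("10.0.0.3", "USER bob\r\n"),                    # no permit-host rule matches
]


def run_session(policy, session):
    return [policy.check_command(ip, line) for ip, line in session]


if __name__ == "__main__":
    policy = FtpPolicy(parse_netperm(NETPERM_TABLE))
    for (ip, line), (verdict, msg) in zip(SAMPLE_SESSION, run_session(policy, SAMPLE_SESSION)):
        print(f"{ip:12} {line.rstrip()[:24]!r:28} -> {verdict:6} {msg or ''}")
    print("application/pdf transfers go through:", policy.filter_url_for("application/pdf"))
```

Note the ordering in check_command: the client is matched against permit-host before a single byte of its command is parsed, so hosts the policy does not know get no parser exposure at all; only authorised clients reach the grammar checks, and only grammatically valid commands with implemented verbs are relayed. Wildcard host matching is done textually here, as the rule syntax on the page suggests; a production proxy would want proper address-range matching instead.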
What do you need besides OpenFWTK to build a complete firewall system?
Several things, depending on your needs. You definitely need a Unix system of your favorite flavor (Linux, Solaris, *BSD, HP-UX and Interix are supported directly) and a packet filter (yes, it is still needed: the proxies handle the protocols you choose to pass, and the packet filter confines traffic to the proxies and drops everything else). Then there are several optional components: you would probably like to add an antivirus (clamav is a free one, or use any other that can talk Milter or ICAP) and an IDS (snort will fit). A proxy log analyzer for the W3C log format (calamaris is ok, but you may prefer awstats or webalizer) is handy as well. For a larger installation it is advisable to have some kind of security information management system; OSSIM is a good choice. Shake, not stir.
Why bother? I can buy a firewall box all dancing and singing dirt cheap!
Because it is the only way to get a firewall you can really control and understand. Commercial brands are full of black magic: "just do this and it will work" (and you have probably just lost control of your network, allowing something unknown to pass in and out, since what exactly the box does at the lower level is not really documented).
Enjoy!
OpenFWTK team