PCX Firewall / News: Recent posts

PCXFirewall Frontend 1.7, PCXFirewall Toolkit 2.24 and PCXFirewall Rules 2.6 are all available for immediate consumption.

The biggest changes are that all known bugs have been fixed and the debian installation process is now smoother and should not prevent the rules packages from being installed if the user selected no to the "are you backed up?" question.

Debian Sarge and RedHat FC[1-3] are now "officially" supported as distros you can specify when creating init scripts.... read more

PCXFirewall Frontend 1.6, Rules 2.5 and Toolkit 2.23 are now available for download.

The major changes are the conversion of disabled -> active in the rules xml config files. The frontend now uses checkboxes instead of select boxes for boolean values. Data loss is prevented via the onbeforeunload event (as long as you have IE 4+, Mozilla 1.7+, Firefox 1.0+). The paths have been changed from pcx_firewall to pcx-firewall and automatic data conversion has been implemented.... read more

PCXFirewall Frontend 1.5 is now available which fixes the sudo support (activating a script now works) and adds the ability to import new services from the template config file.

PCXFirewall Frontend 1.4 is now available which fixes the issues with creating/editing Paths and not specifying the Path, interface(s) and/or service(s). This would cause JavaScript errors or the backend to blowup. The latter would lose all the changes you had made. :(

Sudo support is now attempted to be setup by the debian package (non-demo only).

The edit screens now try to detect when you have made changes and warn you when you are about to do something that would lose those changes.

When deleting a Network, Zone or Service entry, you are now prompted to delete any paths that are using them, thus making it easier to purge entries from the config file without having to manually track them down.

There is a new sample config file (dynamic-template.xml) which is a very simplistic case. The external interface is using DHCP and the only traffic accepted from the Internet is ssh. The intranet can go anywhere on the Internet. This is a good starting place to build a more complicated scenario from.

PCXFirewall Frontend 1.2 fixes the DNAT interface selection when editing a path and the action is DNAT.

Upon editing an existing path with the action = DNAT, the correct interface is now re-selected and when changing the action to be DNAT, the dnat interfaces update correctly.

A bug that prevented paths from being deleted when editing a ServiceGroup has been fixed. This is due to the way JavaScript delete's array entries. :(

Upgrade to 1.1 to be able to have the full use of the frontend.

Finally, the first usable frontend for the PCXFirewall toolkit and VeryTight2 Rule module is now available!

New versions of the PCXFirewall Toolkit and Rules modules were also released to support the Frontend.

You can get Debian packages from http://www.pcxperience.org/index.html#debian-apt

You can try out a demo of the frontend by going to http://pcxfirewall.sf.net/frontends/demo.html

Feeback and bug reports are requested. :)

Checkout the guis cvs module. I started the cgi directory to be a simple cgi web interface for the VeryTight2 Rules module. You will also need to get the latest firewall_2x module from cvs as the generator script is being updated to support the features the web interface requires.

You can't edit configs yet, but you can Create one, Delete, Clone and Generate. The Generate interface still has some work to be done, but it is usefull as it currently stands.... read more

External dynamic firewall rules support added!

The start/restart commands now also run the dynamic method which checks for the existance of /etc/pcx_firewall/dynamic_rules.sh and runs it if it exists and is executable.

This script can contain firewall rules that reference dynamic dns host names that you want to refresh every X minutes to make sure that they are always valid. You can do this from cron via
*/10 * * * * /sbin/service firewall dynamic
to refresh the dynamic firewall rules every 10 minutes.... read more

PCXFirewall 2.20 changes the way the shell script is now generated. Instead of writing to the file as we are processing the rules, we instead write to a string and only create the file if everything succeeded.

This allows for modifying already generated output after the fact. Using this capability, I have modified the chkconfig start value to be dynamic based upon the presence of dynamic interfaces or not. This allows the firewall developer to let ipsec, etc. get configured before running the firewall script itself, thus making sure all dynamic interfaces have an IP address (other than dialup interfaces).

The generated shell scrip should now be almost 100% stand-alone capable. IE, you should be able to do almost all changes needed to it to quickly change IP addresses, etc. for your firewall scenario.

This release modified the IP and Broadcast Address lookup code to call shell functions which can handle either the ifconfig or ip commands.

The ip command now handles properly aliased interfaces. eg. eth1:0, eth1:2, etc.

The bug in the checkForModule() shell function that was causing it to output can not find file when insmod was being called has been fixed. The quick solution is to just add .o after $1 on the insmod line. No other changes were made in this release.

PCXFirewall 2.17 implements a lot of improvements and generally makes working with the generated shell script easier.

PCXFirewall Rules 2.3 has been updated in regards to the changes the PCXFirewall 2.17 mandates.

The Website has been revamped and should provide a cleaner interface to links, etc.

Version 2.2 of the PCXFireWall Rules package is now available!

It provides hopefully the last major config file change from xml format 2.0 to 2.1. ProxyArp is now supported, you specify the interface that needs to enable it at startup and disable it at stop.

New paths are defined: ipsecToIPSec, dmzToDMZ, dialinToDialin and externalToExternal. These provide for traffic to flow in and back out of that zones interfaces.... read more

The original developers of PCX Firewall have joined forces with the newly formed St. Louis Advanced Linux Users Group (StlAdvLUG) to develop a GUI front end to the PCX Firewall toolkit. StlAdvLUG was formed to help others participate more fully in open source projects. So when they were looking for a
project to contribute to, the fine folks at Xperience, Inc. volunteered their own open source firewall. This was a nice fit for the size and interests of the group. The fact that it is hosted on SourceForge was a big plus.... read more

PCXFirewall 2.16 fixes a bug where the Mangle table checks were not being done correctly, so it was always trying to work with the new mangle chains.

If you were using the ip="" feature in any of your paths, you need to upgrade as the convert.pl script did not preserve the ip argument.

Also, you can now specify an empty dnatPort/redirectPort value.

PCXFirewall 2.15 brings support for working with the new chains in the mangle table (POSTROUTING, INPUT, FORWARD), plus a cleaned up iptables.pcx init script.

PCXFirewall Rules 2.0 is a major upgrade of the XML config format which hopefully will make specifying your rules a little easier. A new pathway <firewallToFirewall> has been added which properly handles the localNAT capabilities of a kernel patched with the newNAT and localNAT patches.

This release basically improves some error messages when dealing with the <log comment=""> tag.

Also, the ability to specify what validity checks to run in the VeryTight and VeryTight2 modules was added via the <validityChecks> tag in the <config> section.
You can disable/enable checking:
unclean
tcpFlags

See the VeryTight.html documentation on the website for more details.

The irc modules were being loaded, but only when ftp was also being loaded.

Cleaned up the SSH rules definitions in the sample xml config files.

Updated the README file with better instructions on what to do to generate a firewall script in the 3 different scenarios possible.

Modified the ConfigParser module to require the parameters in the parse method rather than in new. This allows you to parse multiple xml documents without having to recreate the object each time.

PCXFireWall 2.14 now provides a module to keep track of what netfilter modules you want loaded when the firewall starts.

PCXFireWall Rules 1.7 has updated to take advantage of the new PCXFireWall::Modules module and has also implemented other code cleanups in regards to NAT and FORWARD generated rules when you only have the external zone defined. Other configuration options have been added, so check the VeryTight.html documentation on the web.

The PCX Firewall is a perl script that generates a customized shell script to start, stop and restart the IPTables based firewall. You can build a MULTI-homed system or a Standalone system. DNAT, SNAT, Redirection, Blocking, etc. are all supported.

PCXFirewall 2.13 fixes an issue when IPv6 is enabled in the system. Other minor cleanups and improvements with script startup display have been added.

PCXFirewall Rules 1.6 has added changes to VeryTight2 where the NAT table policy is now ACCEPT and only those rules absolutely needed in the NAT table are being generated. This should increase the speed of the firewall as there are less rules to process to accept/deny traffic.
ECN support is now disabled by default at start and then re-enabled at stop.... read more

PCXFirewall 2.12 provides the QUEUE target which rounds out the final builtin targets that iptables provides. The ttl match and TTL targets were also added.

PCXFirewall Rules 1.5 provides a rewrite of how interfaces are worked with. You now specify an alias in the interface definition and the value of the alias is what is used anywhere else that the interface name would have been used before. To quickly use the system, make the alias = name for each interface being used.... read more

The release of PCXFirewall Rules 1.4 fixes an issue where IPSec host-host or host-network scenarios would silently drop any outgoing ESP traffic (FreeS/wan is dropping it, not the firewall rules) as the packet was being marked. This version no longer marks locally generated traffic.

Also, a comment attribute is now available for almost every tag, thus allowing you to remind yourself of what you were trying to do in a given service, path, etc. This feature will be used by the web front-end when it is created.