PCX Firewall / News: Recent posts

PCXFirewall Rules 1.3 now available!

Version 1.3 of the Firewall Rules package provides the ability to:

1) Disable TOS mangling so that QoS and Traffic Shaping can work correctly.
2) You can now do DNAT, REDIRECT and REJECT in the firewallTo<zone> tags. Not everything is implemented in the kernel though. :(
3) Generate Text, HTML or XML versions of the Perl Data structure since the data is now stored in ConfigData.pm.
4) The groundwork is now in place for the VeryTight Web Frontend due to the ConfigData.pm module being created.

Posted by James A. Pattie 2002-01-17

PCXFireWall Rules 1.2 released

This release fixes some functionality bugs (not handling eth0:0 style interfaces) and provides a means to allow traffic to come in an interface but be destined for an IP address of the firewall that is in a different zone (internal to external IP) so that you can dnat the traffic, etc.

See the VeryTight XML Config file documentation for more details.

Added support for more network interface types. If anyone has a complete list, I would appreciate a link. This only has to do with the parser since I am trying to eliminate people giving obviously invalid data to iptables, etc.

Posted by James A. Pattie 2002-01-07

PCXFirewall 2.11 and PCXFirewall Rules 1.1 Released!

The PCX Firewall is a perl script that generates a customized shell script to start, stop and restart the IPTables based firewall. You can build a MULTI-homed system or a Standalone system. DNAT, SNAT, Redirection, Blocking, etc. are all supported.

The latest versions now install into the Perl tree and have an install script for tarball installations that does all the work for you. Files are now put in the same locations as the rpm install would do....

Posted by James A. Pattie 2002-01-03

New Rules modules package

PCXFirewall 2.10 is now out. It fixes some minor issues in regards to reject support, adds support for matching the broadcast address of registered interfaces and provides support for an external Rules Package.

PCXFirewall Rules 1.0 is the start of the external Rules Package. It contains VeryTight.pm (which was VeryTightStatic.pm in PCXFirewall 2.9) and the support modules needed. It uses an XML config file to specify the interfaces, networks/hosts to work with and the desired traffic to allow to/through the firewall. See the web page for more details....

Posted by James A. Pattie 2001-12-14

v2.9 - New Rules Template and other fixes!

PCXFirewall 2.9 greatly improves the ability to generate an IPTables firewall that does exactly what you want. The ability to interweave Mangle, Nat and Filter chains so that DNS related rules can be entered before the rest of the rules is now implemented.

A complete Rules Template is now included called VeryTightStatic which is a highly customizable firewall solution providing VPN support (IPSEC) from the ground up. See the man page for details on using it.

Posted by James A. Pattie 2001-11-16

2.8 provides generic /proc support and has rc.d script

Version 2.8 now provides a Proc module which provides access to the /proc/sys/net/ipv4 and /proc/sys/net/ipv4/conf directories and all files under them. You can control which modules they apply to and when they should be updated (before rules or after rules are run).

A modified iptables rc.d/init.d script from RedHat's 7.2 distro is included that calls the startfw and stopfw scripts.

More validation of gathered info is now done in the startfw and stopfw scripts so that you won't get a broken setup by accident.

Posted by James A. Pattie 2001-11-08

2.7 released and code in CVS

2.7 just has some documentation related structuring cleanups and the code is now in the SF CVS server.

The only enhancement is the ability of the install script to name the startfw, stopfw and restartfw scripts after the name of the rules module they were generated from. This will allow you to have multiple rule sets configured/installed and be able to select which one you want to run. The naming format is script-rules_file. Ex: 'install -s test -t' would generate stopfw-test, startfw-test and restartfw-test in /etc/pcx_firewall.

Posted by James A. Pattie 2001-10-03

2.6 fixes file permission issue

Version 2.6 fixes the file permissions on the generated scripts so that you can execute them again. The install script now also supports -h and -v options (help and verbosity).

The Rules.pm file was updated so that you can now more easily support accepting DHCP requests from your ISP but only from them. Other minor tweaks and cleanups were made.

Posted by James A. Pattie 2001-09-08

2.5 - Fixed reject method behaviour

You can now reject on all protocols instead of just icmp and tcp. Pointed out to me by Arne Bernin.

Posted by James A. Pattie 2001-07-14

Version 2.4 - better install support

In version 2.4 the generated files are now put in a directory named after the rules file being used (output if using Rules.pm). This is to make generating the scripts for multiple machines much easier. :)

The install script has been updated accordingly to support pulling the files from the different directories. It now uses getopts to look for -r or -s options to allow you to override the root path or the source directory....

Posted by James A. Pattie 2001-07-14

New Version - 2.3

You now have more control over limits, what interfaces protections are applied to, and you can now create your own locations for interfaces to be grouped under. See the changelog for version 2.3 in the files section for more details.

Posted by James A. Pattie 2001-06-16

2.2 Released

Version 2.2 now provides you with the ability to make a Rules file for each server you are interested in or to just have your rules not be moved to Rules.pm.rpmsave whenever you do a rpm upgrade! You just have to use the Template.pm file provided to create your "Rules" file in the PCXFireWall directory and then put your rules in it. Complete notes/directions are in the README and toolkit_howto.html files.

Posted by James A. Pattie 2001-04-27

2.1 Released

Some enhancements and minor bugfixes were made.
Updated the Rules to cover more cases and provide a more complete starting point for most users. Made the definition of internal and external interfaces use Perl variables so you only have to modify a couple of lines at the top of startingRules and all rules will be updated. You still have to tweak some of the NAT related rules and decide if you want to disable any of the pre-defined rules.

Posted by James A. Pattie 2001-04-23

PCX Firewall Toolkit released (v 2.0)

The PCX Firewall has been completely revamped and is now a toolkit providing a perl API to the iptables command. Each iptables table is now represented by a perl module. The current modules are Filter, NAT and Mangle.

You now have complete control over what is generated, so if you don't like how something is being done, you can tweak it to your heart's content. Since we are generating the rules from a perl API, you can use perl loops, etc. to help create your ruleset....

Posted by James A. Pattie 2001-04-19

Status Update

I've started initial Design work for Version 2.0 of the Firewalling generation/configuration files. The Idea I'm working with is that you should now be able to support multiple external interfaces (IP Aliases come to mind) and that there should be a config file per "Table" that defines all rules to create.

Ex: NATRules would have all entries that define DNAT, SNAT and REDIRECT entries. The user can specify the Chain to work with (POSTROUTING, PREROUTING, OUTPUT), etc. NATPolicy would define the default Policy for the NAT Table....

Posted by James A. Pattie 2001-04-01

Version 1.5 released - minor rule cleanups

Version 1.5 doesn't fix any bugs, per se, just makes working with blocked_ports a little easier and more configurable. You can specify a source port and destination to match on. You can also specify if the traffic should be logged before dropping it. A new configuration file has been added which allows you to specify traffic to block but not log. Good for traffic coming from an internal server which might be filling your logs with reject notices. (NFS comes to mind!)...

Posted by James A. Pattie 2001-03-20

Version 1.4 released - Recommended you upgrade to it!

Version 1.4 is now available. It fixes some minor issues related to the PREROUTING chain (ICMP and DNS). If you set allowAllICMP = 1, then this allows you to actually ping yourself.

Note: If you are trying to figure out how to allow everybody in the world to access a port except for a certain network/IP, use s => ! Network or IP. This will block just the specified network or IP address and allow everybody else in.

Posted by James A. Pattie 2001-03-13
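The "allow everybody except one network" note above, and the log-before-drop option from the 1.5 release notes, as an added example in the spirit of the toolkit (Perl emitting an iptables shell script). This is not PCX Firewall's own code or API: the function name allow_port_except, the interface name and the 192.0.2.0/24 network are assumptions, and the rules use the current iptables negation syntax (! -s) rather than the older -s ! form.

```perl
#!/usr/bin/perl
# Hypothetical generator, not the PCX Firewall API: emit iptables commands
# that open a TCP port to everyone except one network, using a negated source.
use strict;
use warnings;

# Constructed sample values for the example.
my $iface    = 'eth0';          # external interface (assumed name)
my $port     = 80;              # service to expose
my $excluded = '192.0.2.0/24';  # documentation range standing in for the blocked network

# Returns the list of iptables command lines for one "allow all but" rule set.
sub allow_port_except {
    my ($if, $dport, $net) = @_;
    my @cmds;
    # The negated source admits traffic from anywhere except $net. With a
    # default-deny policy this single rule is enough; the LOG and DROP that
    # follow are optional and make the blocked attempts visible in the log.
    push @cmds, "iptables -A INPUT -i $if -p tcp --dport $dport ! -s $net -j ACCEPT";
    push @cmds, "iptables -A INPUT -i $if -p tcp --dport $dport -s $net -j LOG --log-prefix \"blocked port $dport: \"";
    push @cmds, "iptables -A INPUT -i $if -p tcp --dport $dport -s $net -j DROP";
    return @cmds;
}

# Write the generated shell script to stdout, the way a startfw script is built.
print "#!/bin/sh\n";
print "$_\n" for allow_port_except($iface, $port, $excluded);
```

Redirect the output to a file and review it before running it; the ACCEPT line must precede any broader DROP for the same port, since iptables matches in order.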

1.3 released - fixes allowed ports not working!

Allowed ports may not have worked if you specified blockAllInternalTraffic = 1 and were trying to only open a port on either the internal or external interface. If you were opening it for all interfaces, you shouldn't have noticed anything. (not tested actually, but looking at the code should have worked.)

Posted by James A. Pattie 2001-03-10

Version 1.2 released - fixes some ICMP issues

Version 1.2 is now available. It allows you to enable/disable forwarding of ICMP when you are disabling all forwarded traffic. You can optionally log ICMP packets if you are denying them.

Posted by James A. Pattie 2001-03-09

Version 1.1 Released

Version 1.1 of the PCX Firewall scripts is released to the public. This is the first really usable version which supports being able to completely block all incoming/outgoing traffic except for what is opened up by the configuration files.

I would appreciate any feedback on the implementation, design, etc.

Posted by James A. Pattie 2001-02-20