Linux Firewalls with FWconf

This page is also available in German.

Introduction

FWconf is a frontend for Netfilter/IPtables. It offers an easy to understand and intuitive configuration language for a packet filter under Linux.

Key features include

FWconf is written in Perl. It acts as a filter: it reads configuration statements in the FWconf language, parses them, and converts them into a shell script of “iptables” commands. The result can safely be piped into /bin/sh: if a parse error occurs, diagnostics are written to standard error and no output is generated, so a broken configuration never produces a half-loaded ruleset.

Invocation:

./fwconf.pl Config_File [ Config_File ... ]

Example:

./fwconf.pl myfirewall.defs myfirewall.conf  | /bin/bash

It is possible to split the configuration into several files. This has the same effect as concatenating them before piping the result through fwconf.pl.

Configuration Syntax

There are five possible types of commands: group definitions, service definitions, filter rules, NAT rules, and iptables commands.

Besides commands, a configuration file may contain empty lines or comments beginning with the ‘#’ character.

Group definitions

Group definitions have the form

group  Group_Name Interface|Address [ Interface|Address ... ]

Examples:

group  INT       eth1 192.168.2.0/24                       #  Internal network
group  EXT       ppp+                                      #  Internet connection
group  RFC1918   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16   #  All RFC 1918 private address ranges

The Group_Name can be any string of letters, digits, and the underscore (_) symbol. The first character must be a letter.

Interface and Address are interface names and address ranges in the forms understood by the -i, -o, -s, and -d options of iptables.

Note that the + character can be appended to an interface name to denote all interfaces of a specific type (e.g. ppp+ denotes ppp0, ppp1, etc.), or to denote alias interfaces (e.g. eth0+ denotes eth0, eth0:0, eth0:1, etc.).

Service definitions

Service definitions have the form

service  Service_Name  Port/tcp | Port/udp | Code/icmp | Protocol/prot [...]

Examples:

service  Ping         echo-request/icmp
service  Traceroute   33435:33524/udp
service  IPSEC        500/udp 50/prot 51/prot
service  TCPALL       1:65535/tcp
service  DNS          53/udp 53/tcp

A service definition contains one or more ports/services.

As Port, either port numbers or service names (as listed in /etc/services) can be used. Similarly, Protocol can be any protocol number or name from /etc/protocols. For the ICMP Code, see the output of ‘iptables -p icmp -h’ for the list of valid names (iptables calls them ICMP types).

Filter rules

A filter rule is a statement of the form

accept|drop|reject[+log|+nolog]  Source_group|ALL|Local->Dest_group|ALL|Local
          Service | Port/tcp | Port/udp | Code/icmp | Protocol/prot [...]

Examples:

accept         Intern->Extern    80/tcp 443/tcp
drop+nolog     ALL->Local        ALL
reject         World->Local      auth/tcp
accept         Local->Web        Ping Traceroute TCPALL DNS

Each rule starts with a target specifier. accept lets the connection or packet pass through; drop discards the packet silently; and reject tells the firewall to answer the packet with a corresponding error message (a TCP RST for the TCP protocol, an ICMP destination unreachable message otherwise).

The target may optionally be followed by +log or +nolog, which tells the firewall whether or not to write a syslog entry for the connection. The default is to log.

Then follows the specification of the source and destination for which the rule applies, written as Source->Destination. Both must be groups as defined above, or one of two special groups: ALL matches any source or destination, and Local is an alias for the local machine (it matches any IP address of the local machine).

The last part of the rule is a list of services, separated by spaces. Each entry can be a service name as defined above, a port number or name followed by /tcp or /udp, a protocol followed by /prot, or an ICMP code followed by /icmp, as described above. The special keyword ALL matches any service.

When the firewall is active, the rules are evaluated from top to bottom for each packet traversing the firewall. The packet is matched against the source, destination, and service specification of each rule. As soon as a rule matches, its target is carried out and processing stops for that packet.

The firewall is stateful. Only packets which do not belong to an already existing connection (as tracked by Netfilter’s conntrack module) are matched against the ruleset. Any packet belonging to a known connection is accepted without further notice. Note that this means that only the first packet of each connection is logged, and that a newly added drop or reject rule does not cut off connections which conntrack already knows (their entries would have to be flushed from the conntrack table first).

NAT rules

FWconf also allows use of the network address translation (NAT) features of Netfilter. The syntax of a NAT rule is as follows:

snat|dnat|redirect[+log|+nolog]  Source_group|ALL|Local->Dest_group|ALL|Local=>Target_spec
                                 Service | Port/tcp | Port/udp | Code/icmp | Protocol/prot [...]
masq[+log|+nolog]  Source_group|ALL|Local->Dest_group|ALL|Local
                   Service | Port/tcp | Port/udp | Code/icmp | Protocol/prot [...]

Examples:

dnat      Extern->MyIP=>192.168.0.2    80/tcp 443/tcp
snat      Intern->Extern=>1.2.3.4      ALL
masq      LAN->DSL                     ALL
redirect  Workstations->ALL=>3128      Web

A NAT rule can be source NAT (where the source address is rewritten, after all routing and filtering are done), destination NAT (where the destination address is rewritten, before any routing and filter rules are applied), or a redirect to another port of the local machine (often used for transparent proxying). masq is a special case of source NAT where no explicit IP address needs to be specified; the address of the outgoing interface is used.

The source and destination specification are written analogous to the filter rules. The target specification (IP address or port number) is written after the =>, where needed. Also, the service specification is done in the same way as above.

A NAT rule does not filter packets. It only specifies how a packet is rewritten if it is let through, so a NAT rule only takes effect when a corresponding accept rule permits the connection. Keep the order of operations in mind when writing that accept rule: destination NAT happens before filtering, so the accept rule belonging to a dnat must match the translated destination (the internal host), whereas source NAT happens after filtering, so the accept rule belonging to an snat or masq still sees the original internal source address.

Note also that Netfilter’s nat table only has the chains PREROUTING, POSTROUTING and OUTPUT. Therefore a Local on the right-hand side of a NAT rule (i.e. as the target specification) almost never makes sense!
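To make the translation described in the filter rules and NAT rules sections concrete, here is a small Python translator for a subset of the FWconf language. It is an added example written for this page, not fwconf.pl itself, and the commands it prints are my reading of the semantics described above; the script fwconf.pl actually emits will differ in detail. It assumes that a group is a union (one iptables rule per group element), that Local is expressed by choosing the INPUT or OUTPUT chain rather than by address, and that ESTABLISHED/RELATED traffic is accepted ahead of the ruleset. The sample configuration embedded in it is constructed, with 203.0.113.5 standing in for a public address.

```python
"""Toy translator from a subset of the FWconf language into iptables commands.
Added illustration for this page, NOT fwconf.pl (its real output differs). Assumed:
a group is a union, Local is expressed by chain choice, conntrack'ed traffic is accepted first."""
import ipaddress

SAMPLE_CONFIG = """\
# constructed sample configuration; 203.0.113.5 stands in for a public address
group    INT      192.168.2.0/24     # internal LAN, address form
group    EXT      ppp+               # Internet uplink, interface form
group    MYIP     203.0.113.5        # our public address
service  DNS      53/udp 53/tcp
service  Ping     echo-request/icmp
accept+nolog   INT->Local        DNS Ping
accept         INT->EXT          80/tcp 443/tcp DNS
reject         EXT->Local        auth/tcp
drop+nolog     ALL->Local        ALL
dnat           EXT->MYIP=>192.168.2.10   80/tcp
masq           INT->EXT          ALL
"""
TARGET = {"accept": "ACCEPT", "drop": "DROP", "reject": "REJECT",
          "snat": "SNAT --to-source", "dnat": "DNAT --to-destination",
          "redirect": "REDIRECT --to-ports", "masq": "MASQUERADE"}
NAT_CHAIN = {"snat": "POSTROUTING", "masq": "POSTROUTING",
             "dnat": "PREROUTING", "redirect": "PREROUTING"}
# iptables only accepts -i in the first set of chains and -o in the second.
IN_OK, OUT_OK = {"INPUT", "FORWARD", "PREROUTING"}, {"OUTPUT", "FORWARD", "POSTROUTING"}

def service_matches(token, services):
    """Expand one service token into '-p ...' match strings."""
    if token == "ALL":
        return [""]
    if token in services:                        # named service: recurse
        return [m for t in services[token] for m in service_matches(t, services)]
    spec, _, proto = token.rpartition("/")
    if proto == "prot":                          # raw IP protocol (e.g. 50 = ESP)
        return [f"-p {spec}"]
    option = {"tcp": "--dport", "udp": "--dport", "icmp": "--icmp-type"}.get(proto)
    if option is None:
        raise ValueError(f"unknown service {token!r}")
    return [f"-p {proto} {option} {spec}"]

def endpoint_matches(name, groups, chain, side):
    """Expand a 'src' or 'dst' group into interface/address match strings."""
    if name in ("ALL", "Local"):                 # nothing to match on
        return [""]
    addr_opt, if_opt, legal = ("-s", "-i", IN_OK) if side == "src" else ("-d", "-o", OUT_OK)
    out = []
    for element in groups[name]:
        try:
            ipaddress.ip_network(element, strict=False)
            out.append(f"{addr_opt} {element}")
        except ValueError:                       # not an address: an interface name
            if chain not in legal:               # e.g. -i in POSTROUTING
                raise ValueError(f"{if_opt} {element} is not legal in {chain}") from None
            out.append(f"{if_opt} {element}")
    return out

def rule_commands(words, groups, services):
    """Translate one filter or NAT rule into a list of iptables commands."""
    verb, _, flag = words[0].partition("+")
    endpoints, _, nat_target = words[1].partition("=>")
    src, _, dst = endpoints.partition("->")
    chain = NAT_CHAIN.get(verb)                  # None for a filter verb
    if chain:
        head = ["iptables", "-t", "nat", "-A", chain]
    else:                                        # filter chain follows from Local
        chain = "OUTPUT" if src == "Local" else "INPUT" if dst == "Local" else "FORWARD"
        head = ["iptables", "-A", chain, "-m", "conntrack", "--ctstate", "NEW"]
    out = []
    for s in endpoint_matches(src, groups, chain, "src"):
        for d in endpoint_matches(dst, groups, chain, "dst"):
            for m in (x for svc in words[2:] for x in service_matches(svc, services)):
                base = " ".join(head + [p for p in (s, d, m) if p])
                if flag != "nolog":              # logging is the default
                    out.append(f'{base} -j LOG --log-prefix "fw-{verb}: "')
                target = TARGET[verb] + (" " + nat_target if nat_target else "")
                if verb == "reject" and "-p tcp" in m:
                    target += " --reject-with tcp-reset"   # RST for TCP, ICMP otherwise
                out.append(f"{base} -j {target}")
    return out

def translate(config):                           # whole configuration -> shell commands
    groups, services = {}, {}
    commands = [f"iptables -A {c} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
                for c in ("INPUT", "OUTPUT", "FORWARD")]   # known connections skip the rules
    lines = (raw.split("#", 1)[0].split() for raw in config.splitlines())
    for words in filter(None, lines):            # comments stripped, blank lines skipped
        if words[0] == "group":
            groups[words[1]] = words[2:]
        elif words[0] == "service":
            services[words[1]] = words[2:]
        elif words[0].partition("+")[0] in TARGET:
            commands.extend(rule_commands(words, groups, services))
        else:                                    # raw iptables line, passed through unchecked
            commands.append(" ".join(words))
    return commands

if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_CONFIG)))   # pipe into /bin/sh as root
```

Running the script prints 21 commands for the sample: three conntrack rules, then one rule per group element and service (with a preceding LOG rule unless +nolog was given), and the two nat-table rules. Note how the reject rule on auth/tcp gets --reject-with tcp-reset, how the dnat lands in PREROUTING with -i ppp+ while the masq lands in POSTROUTING with -o ppp+, and how an interface match in a chain that cannot use it (for example an snat whose source group is an interface) is refused as a parse error rather than emitted as a command that iptables would reject at load time.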

IPtables commands

FWconf is a powerful firewall configuration language. However, there are some situations where a desired rule cannot be expressed with the language. In this case any valid iptables command may be written on a line of its own between FWconf rules.

Note that no syntactic processing is done on such lines. It is therefore not guaranteed that a script generated by FWconf contains only valid iptables commands: a mistake in a pass-through line is only detected when the generated script is executed.

Examples

There is a commented example available in my wiki (currently only in German language).

TODOs

FWconf is not perfect! It tries to simplify a firewall configuration file as much as possible while preserving the power and flexibility of Netfilter/Iptables. However, there are several areas where FWconf could be improved.

Also, this documentation can be improved.

Download

fwconf.pl (Version 1.02)