PCX Firewall - News


PCXFirewall Frontend 1.7 Released! - Bug fixes and official support for Debian sarge and RedHat FC[1-3].  You can now install the generated firewall script into /etc/init.d or /etc/pcx-firewall without starting it.

PCXFirewall Rules 2.6 Released! - Bug fixes.

PCXFirewall Toolkit 2.24 Released! - Added support for Debian sarge and RedHat FC[1-3].


PCXFirewall Frontend 1.6 Released! - Massive improvements and bug fixes all over the place. This is a highly recommended upgrade and is mandatory if you want to use the new xml config file version 2.2. Your xml config file can now be backed up when saving, thus allowing you to go back in time via the Manage Backups interface.

PCXFirewall Rules 2.5 Released! - disabled is now active! Config file version is now 2.2.

PCXFirewall Toolkit 2.23 Released! - changed the paths from pcx_firewall to pcx-firewall and fixed some other minor bugs and issues. Added support for the new <dynamicInterfaces> tag.


Website updated! - Due to the project being mentioned by a Linux Security article, I've updated the website to make it more obvious what this project is about and how the different files relate to each other. Feedback is requested.


PCXFirewall Frontend 1.5 Released! - Fixed the sudo install code that was not installing the generated firewall script. Added Services Import functionality to pull in extra services definitions from the template.xml config file.


PCXFirewall Frontend 1.4 Released! - Fixed the edit Path screen to require interfaces and services when creating/editing a path. Added sudo setup code for non-demo debian packages.


PCXFirewall Frontend 1.3 Released! - Adds a new dynamic-template.xml Sample config file. You can now delete Paths that are referencing Networks, Services or Zones (interfaces) when trying to Delete a Network, Service or Zone entry. There are now checks in-place to try and prevent you from accidentally not saving changes you have made to a screen.


PCXFirewall Frontend 1.2 Released! - Fixes a DNAT issue.


PCXFirewall Frontend 1.1 Released! - Fixes the delete Path issue when editing a ServiceGroup.


PCXFirewall Frontend 1.0 Released! - The first usable version of the CGI Web Frontend for the VeryTight2 rule module is now available! It handles all the config options that the VeryTight2 Rule module supports and will let you edit multiple firewall configs from the comfort of your web browser. This requires the latest versions of the Firewall toolkit and Rules packages.

PCXFirewall 2.22 Released! - Added support for the cgi web frontend via a -D DestDir and -w command line arguments. Debian is now the default OS we are generating scripts for.

PCXFirewall Rules 2.4 Released! - Lots of changes. The major features are support for QUEUEing packets and support for bridges using the iptables bridge filtering kernel patch. New tags: <bridgeSupport> and <snortInlineSupport>. You can now also specify multiple services in a <service> tag, and the i and o attributes in a path can have multiple interfaces specified.


PCXFirewall 2.21 Released! - Added support for processing the /etc/pcx_firewall/ script as part of the start/restart events of the firewall script. This will allow the user to specify rules using dynamic dns hosts and then have a cronjob that refreshes them every X minutes by calling the firewall script with the command of 'dynamic'.

For example, the crontab entry */10 * * * * /sbin/service firewall dynamic will update the dynamic rules every 10 minutes.
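As an added illustration of the 'dynamic' command described above (example code written for this page, not PCX Firewall's own generated script), the following sketch resolves a list of dynamic DNS hostnames and rebuilds a dedicated chain from the results, which is what a cron job would call every X minutes. The names IPTABLES, DYNAMIC_CHAIN, DYNAMIC_HOSTS, resolveHost, isIPv4 and refreshDynamicRules, and the hostnames in DYNAMIC_HOSTS, are all constructed for the example.

```shell
#!/bin/sh
# Added example, not PCX Firewall's own code: a "dynamic" action that resolves
# dynamic DNS hostnames and rebuilds a dedicated chain with the results so that
# a cron job can refresh it. IPTABLES, DYNAMIC_CHAIN, DYNAMIC_HOSTS, resolveHost,
# isIPv4 and refreshDynamicRules are names chosen for this example.

IPTABLES=${IPTABLES:-/sbin/iptables}
DYNAMIC_CHAIN=${DYNAMIC_CHAIN:-pcx_dynamic}

# Constructed entries of the form hostname:protocol:port (example hostnames only).
DYNAMIC_HOSTS=${DYNAMIC_HOSTS:-"home.example.dyndns:tcp:22 office.example.dyndns:udp:500"}

# resolveHost NAME: print each IPv4 address NAME resolves to, one per line.
resolveHost() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# isIPv4 ADDR: a cheap shape check so nothing but digits and dots reaches iptables.
isIPv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    return 0
}

# refreshDynamicRules: flush the chain and add one ACCEPT per resolved address.
# A name that fails to resolve contributes no rule, so a DNS outage closes the
# hole rather than leaving a stale one open. Prints the number of rules added.
refreshDynamicRules() {
    added=0
    "$IPTABLES" -F "$DYNAMIC_CHAIN" || return 1
    for spec in $DYNAMIC_HOSTS; do
        host=${spec%%:*}
        rest=${spec#*:}
        proto=${rest%%:*}
        port=${rest#*:}
        for addr in $(resolveHost "$host"); do
            isIPv4 "$addr" || continue
            "$IPTABLES" -A "$DYNAMIC_CHAIN" -s "$addr" -p "$proto" --dport "$port" -j ACCEPT \
                && added=$((added + 1))
        done
    done
    echo "$added"
}

# Dispatch on the same command word the firewall script uses.
case "${1:-}" in
    dynamic) refreshDynamicRules ;;
esac
```

Two things to keep in mind with this pattern: between the flush and the re-add there is a brief window in which the chain is empty, and the rules are only as trustworthy as the DNS answers, so a hostname whose resolution an attacker can influence becomes an ACCEPT for whatever address they return. Running the refresh from a chain that only the dynamic rules live in, as above, at least keeps a bad refresh from touching the static rule set.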


PCXFirewall 2.20 Released! - The shell script is now only written to disk after successfully processing everything the Rules module was doing. This provides for some post processing capabilities such as determining that dynamic interfaces are being used and making the init script start value be higher so that it lets the network come up before starting the firewall.


PCXFirewall 2.19 Released! - Looking up IP and Broadcast Addresses is now done via shell functions getIPAddress and getBroadCastAddress. These functions can handle working with the ifconfig or ip command which is now specified once and then referenced throughout the rest of the script as needed. When looking up the IP Address or Broadcast Address, aliased interfaces are now properly handled when using the ip command.
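As an added example of the approach this release describes (written for this page, not the toolkit's own generated functions), the block below shows shell functions that look up an interface's IP and broadcast address from either ip or ifconfig output, with the tool chosen once and referenced everywhere else, and that handle an aliased interface such as eth0:0 correctly. The variable names IPTOOL, IPCMD and IFCONFIGCMD, the parse* helpers, and the two sample command outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not PCX Firewall's own code: getIPAddress/getBroadCastAddress
# style functions that work with either ip or ifconfig and cope with aliased
# interfaces such as eth0:0. IPTOOL, IPCMD, IFCONFIGCMD, parseIPAddress and
# parseBroadCastAddress are names chosen for this example.

# The tool is chosen once here and referenced by every lookup below.
IPTOOL=${IPTOOL:-ip}              # "ip" or "ifconfig"
IPCMD=${IPCMD:-/sbin/ip}
IFCONFIGCMD=${IFCONFIGCMD:-/sbin/ifconfig}

# parseIPAddress TOOL IFACE OUTPUT: print the IPv4 address of IFACE found in
# OUTPUT (the text of `ip addr show` or `ifconfig IFACE`). With ip, an alias
# like eth0:0 is a secondary address of eth0 whose label ends its inet line.
parseIPAddress() {
    tool=$1 iface=$2 output=$3
    case "$tool" in
        ip)
            printf '%s\n' "$output" | awk -v want="$iface" \
                '$1 == "inet" && $NF == want { sub(/\/.*/, "", $2); print $2; exit }'
            ;;
        ifconfig)
            printf '%s\n' "$output" | awk \
                '$1 == "inet" && $2 ~ /^addr:/ { sub(/^addr:/, "", $2); print $2; exit }'
            ;;
        *)
            echo "parseIPAddress: unknown tool '$tool'" >&2
            return 1
            ;;
    esac
}

# parseBroadCastAddress TOOL IFACE OUTPUT: same idea for the broadcast address.
parseBroadCastAddress() {
    tool=$1 iface=$2 output=$3
    case "$tool" in
        ip)
            printf '%s\n' "$output" | awk -v want="$iface" \
                '$1 == "inet" && $NF == want { for (i = 1; i <= NF; i++) if ($i == "brd") { print $(i + 1); exit } }'
            ;;
        ifconfig)
            printf '%s\n' "$output" | awk \
                '$1 == "inet" { for (i = 1; i <= NF; i++) if ($i ~ /^Bcast:/) { sub(/^Bcast:/, "", $i); print $i; exit } }'
            ;;
        *)
            echo "parseBroadCastAddress: unknown tool '$tool'" >&2
            return 1
            ;;
    esac
}

# getIPAddress IFACE / getBroadCastAddress IFACE: run the chosen tool. With ip
# the alias suffix is stripped, because `ip addr show eth0:0` is not a device;
# the label is matched in the output instead.
getIPAddress() {
    case "$IPTOOL" in
        ip)       parseIPAddress ip "$1" "$($IPCMD addr show "${1%%:*}")" ;;
        ifconfig) parseIPAddress ifconfig "$1" "$($IFCONFIGCMD "$1")" ;;
    esac
}
getBroadCastAddress() {
    case "$IPTOOL" in
        ip)       parseBroadCastAddress ip "$1" "$($IPCMD addr show "${1%%:*}")" ;;
        ifconfig) parseBroadCastAddress ifconfig "$1" "$($IFCONFIGCMD "$1")" ;;
    esac
}

# Constructed sample outputs (not captured from a real host) so the parsers
# can be exercised without network tools present.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
    inet 10.0.0.2/24 brd 10.0.0.255 scope global secondary eth0:0
    inet6 fe80::211:22ff:fe33:4455/64 scope link'
SAMPLE_IFCONFIG_OUTPUT='eth0:0    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

echo "eth0   via ip:       $(parseIPAddress ip eth0 "$SAMPLE_IP_OUTPUT") bcast $(parseBroadCastAddress ip eth0 "$SAMPLE_IP_OUTPUT")"
echo "eth0:0 via ip:       $(parseIPAddress ip eth0:0 "$SAMPLE_IP_OUTPUT") bcast $(parseBroadCastAddress ip eth0:0 "$SAMPLE_IP_OUTPUT")"
echo "eth0:0 via ifconfig: $(parseIPAddress ifconfig eth0:0 "$SAMPLE_IFCONFIG_OUTPUT") bcast $(parseBroadCastAddress ifconfig eth0:0 "$SAMPLE_IFCONFIG_OUTPUT")"
```

The parsing is split from the command invocation so that the lookup logic can be checked against saved output; in a generated firewall script only getIPAddress and getBroadCastAddress would be called, after IPTOOL has been set once at the top.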


PCXFirewall 2.18 Released! - Fixed the bug in the checkForModule() shell function that was causing insmod to complain about not finding the specified module. It needed .o tacked onto the end of the filename.


Website revamped! - The website is now split into News, Toolkit and Rules sections so as to make it easier to find info on just that part of the PCX Firewall software you are working with. Added links on the main page to those sections of the SourceForge project that you most likely need to get to quickly.

PCXFirewall 2.17 Released! - Added the Network module and updated how the Interfaces module works. Updated all generated code to use shell functions and shell variables to reduce hardcoding network interfaces, host info, etc. and to reduce the duplication of validation code in regards to loading of modules and setting /proc entries.

PCXFirewall Rules 2.3 Released! - Updated to take full advantage of the features that PCXFirewall 2.17 provides. Added the usage of icmp_echo_ignore_broadcasts so that the firewall won't respond to a broadcast ping, but you can still make it respond to a direct ping. This seems to be a generally good idea. It is disabled when you stop the firewall script so the box will resume responding to broadcast pings.


PCXFirewall Rules 2.2 Released! - Converted to XML config file format version 2.1.  Fixed the bug where multiple <info> entries in a dnat or redirect action would only use the last info's dport value instead of leaving it empty so that all of them are used.  Added proxy_arp support and new paths ipsecToIPSec, dmzToDMZ, dialinToDialin and externalToExternal.  VeryTight2 now has the NAT table default Policies set back to DROP, which required the return of explicit ACCEPT rules for PREROUTING, POSTROUTING and OUTPUT related rules.  The only real difference between VeryTight and VeryTight2 now is that VeryTight marks all rules and uses the mark for matching whereas VeryTight2 does not.  Added migration from version 2.0 to 2.1 of the xml config file format.


PCXFirewall 2.16 Released! - Fixes the bug where the Mangle table checks were not catching the stderr output, so the script always tried to work with the mangle table chains whether or not they existed.


PCXFirewall Rules 2.1 Released! - Fixed the bug where the ip value was not converted over when in a path. Also, the xml output code was not aware of the ip value (which was part of the problem). dnatPort and redirectPort can now take an empty value, like they should have all along. It is highly recommended you upgrade.


PCXFirewall 2.15 Released! - Added support for the new mangle table chains (POSTROUTING, FORWARD and INPUT). Cleaned up the iptables.pcx init script.

PCXFirewall Rules 2.0 Released! - Major update to the XML config format. Almost everything can now be disabled. See the VeryTight.html documentation for details. Added the <firewallToFirewall> path which will allow for correctly doing local NAT (but only if your kernel is patched with the newNAT and localNAT patches). There is a conversion script ( which will take your version 1.7 config file to the new version 2.0 format.


PCXFirewall Rules 1.9 Released! - Improved error messages when dealing with log comments. Updated the config version to 1.7 and added <validityChecks> to the <config> section. Updated VeryTight and VeryTight2 modules to limit the validity checks they do to what the user specified via the <validityChecks> tag.


PCXFirewall Rules 1.8 Released! - Fixed the bug where irc modules were being loaded, but only when ftp modules were loaded. Cleaned up the SSH rules in the sample xml config files. Modified the ConfigParser module to require the parameters in the parse method instead of in new(). This allows for better re-use of the module.


PCXFirewall 2.14 Released! - Added netfilter modules support module PCXFireWall::Modules.  This is used to output code to determine if a module needs to be insmod'ed.  Updated html versions of the man pages.

PCXFirewall Rules 1.7 Released! - Added support for the PCXFireWall::Modules module.  Cleaned up some NAT and FORWARD related issues when only the external zone was enabled (in VeryTight and VeryTight2 modules).
Updated the xml config version to 1.6 and now require module="VeryTight2" when using the VeryTight2 rule module.  Added config option to enable/disable ECN support in the startingRules method.  Added config section for specifying whether the kernel has iptables built as modules or not.  Also, provided means to specify whether the ftp and irc conntrack/nat modules are needed and if they need any special options.


PCXFirewall 2.13 Released! - Fixed an IPv6 issue and updated the iptables.pcx script.

PCXFirewall Rules 1.6 Released! - Updated VeryTight2 to have the NAT table be ACCEPT by default and only have the absolute minimum rules necessary in the NAT table. This should speed up the parsing of the firewall rules as filtering is now only being done in the FILTER table. ECN is now being disabled on start and then re-enabled on stop of the firewall rules.


PCXFirewall 2.12 Released! - Added QUEUE and TTL Targets and --ttl match.

PCXFirewall Rules 1.5 Released! - Added alias to interface definition.  This makes specifying the interface to work with in the paths much easier.  You use the alias rather than the actual interface, so that if your internal and external interfaces are swapped you don't have to go through every path and change eth0 to eth1, etc.  Started optimizing the generated rules.  Branched to which does not mark the incoming packets to determine where they came from, etc.  A complete rewrite of the chains being used is planned.


PCXFirewall Rules 1.4 Released! - Locally generated packets are no longer being marked as this causes IPSec packets (protocol 50/51) to be silently dropped as they attempt to leave the firewall.  If anyone is using FreeS/wan, etc., you should upgrade to this version!  Added the comment attribute to almost every tag available to allow you to define meanings to what you are configuring, etc.  This feature will be used extensively by the web front-end, when it is created.


PCXFirewall Rules 1.3 Released! - You can now disable the TOS mangling so QoS and Traffic Shaping will work.  You can now reject, dnat and redirect in firewallTo<zone> tags.  The perl data structure for the Config File is now stored in  This module provides validation and output code which will be used by the VeryTight Web Frontend.  You can output XML, text or HTML versions of the data structure that is stored in


PCXFirewall Rules 1.2 Released! - Added support for eth0:0 style interfaces.  icmp rate limiting is now implemented.  Added ability to turn off rate limiting of the defined rule types for debugging purposes, etc.  You can now specify the IP Address you want the zoneToFirewall paths to work with rather than the incoming interface's IP Address.  This allows internal machines to work with "external" machines the same way as someone coming from outside.  Think of the external IP as dnating all its traffic to a dmz machine or an internal machine.  If your internal machines go to access the external IP, the traffic is going to be dropped (currently) without using the hack I just implemented.
The ConfigParser module now provides getModuleName() and getModuleVersion() methods so that future programs (web frontend) can determine what config file they are working with in an easy manner.  Added the ability to specify the xml config file to work with as a string of xml data.


PCXFirewall 2.11 Released! - The core perl modules are now installed into the Perl tree. is now in the Rules Package.  Improved installation scripts now automate the install process for tarball users.   A single shell script is now created (firewall). You call it with the start, stop or restart argument that you want to happen.  Other than that nothing has changed.

PCXFirewall Rules 1.1 Released! - Migrated to using XML::LibXML instead of XML::XPath. and are now in the Perl tree.  Fixed a major bug where a path that was referencing a zone that was disabled would cause any other path nodes after it to be skipped that were related to it, even if they were valid.   Added support to limitFrom MAC addresses.


PCXFirewall Rules 1.0 Released! - VeryTightStatic -> VeryTight.  Uses an xml config file to specify the interfaces, networks and zones to work with and what traffic you want to allow to/through the firewall.  Requires PCXFirewall 2.10 to work.

PCXFirewall 2.10 Released! - Removed  Fixed reject-with being required in reject even though it is legal for it to be optional.  Added support for matching broadcast IP Address on a per interface basis using inInterfaceBroadcast and outInterfaceBroadcast.  Added support for specifying a config file to the Rules module being generated from.  This is currently only for VeryTight.


Mailing list available! - There is now a discussion mailing list available on SourceForge.  Go here to sign up.

PCXFirewall 2.9 Released! - Reorganized the output code to handle the race condition where the Filter chain, the NAT chain, etc. need to be done before DNS can work correctly.  You can now specify that rules are setup related (create, delete and flush chains, policy, jump, return - by default) or normal.  If I detect a DNS related rule then I force it to be setup specific, so that any DNS rules get processed before we encounter any rules that may have a fqdn to resolve.  Added a new Template Rules module called VeryTightStatic which represents a completely locked down firewall scenario where you punch holes through for very specific purposes.  It supports IPSEC connections (outside only) and you can specify what servers different protocols are allowed to connect to, etc.  Redirection to the firewall and DNat to internal servers is also supported.  See the man page for details on configuring it.


PCXFirewall 2.8 Released! - A generic /proc interface is now available to work with all entries under /proc/sys/net/ipv4.  You can now specify to use ip or ifconfig to determine what an IP Address is for a dynamic interface.  Improved error trapping in the shell scripts.  An rc.d/init.d script is now included called iptables.pcx which will run the startfw/stopfw scripts for you, etc.
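The generic /proc interface mentioned here, and the save-on-start, restore-on-stop handling of icmp_echo_ignore_broadcasts described for Rules 2.3 above, can be illustrated with the following added example (written for this page, not the toolkit's own generated code). It records each entry's original value before changing it so that stop can put the box back the way it was, and it refuses entry names that would escape /proc/sys/net/ipv4. PROC_ROOT, STATE_DIR, validProcEntry, setProcEntry, restoreProcEntry, PROC_SETTINGS, firewallStart and firewallStop are names chosen for the example; the entries listed in PROC_SETTINGS are real sysctl names under /proc/sys/net/ipv4.

```shell
#!/bin/sh
# Added example, not PCX Firewall's own code: a generic interface to
# /proc/sys/net/ipv4 that saves each entry's original value on start so that
# stop can restore it (the icmp_echo_ignore_broadcasts behaviour described on
# this page). PROC_ROOT, STATE_DIR, validProcEntry, setProcEntry,
# restoreProcEntry, PROC_SETTINGS, firewallStart and firewallStop are names
# chosen for this example.

PROC_ROOT=${PROC_ROOT:-/proc/sys/net/ipv4}
STATE_DIR=${STATE_DIR:-/var/run/pcx-firewall-proc}   # where original values are kept

# validProcEntry ENTRY: accept only relative names with no ".." components, so
# a bad config value cannot make the script write outside PROC_ROOT.
validProcEntry() {
    case "$1" in
        ""|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# setProcEntry ENTRY VALUE: save the current value (first time only), then write.
setProcEntry() {
    entry=$1 value=$2
    validProcEntry "$entry" || { echo "setProcEntry: refusing entry '$entry'" >&2; return 1; }
    file="$PROC_ROOT/$entry"
    [ -w "$file" ] || { echo "setProcEntry: $file is missing or not writable" >&2; return 1; }
    mkdir -p "$STATE_DIR/$(dirname "$entry")"
    [ -f "$STATE_DIR/$entry" ] || cat "$file" > "$STATE_DIR/$entry"
    echo "$value" > "$file"
}

# restoreProcEntry ENTRY: put back the saved value, if there is one, and forget it.
restoreProcEntry() {
    entry=$1
    validProcEntry "$entry" || return 1
    [ -f "$STATE_DIR/$entry" ] || return 0
    cat "$STATE_DIR/$entry" > "$PROC_ROOT/$entry"
    rm -f "$STATE_DIR/$entry"
}

# Entries a VeryTight-style start sets (entry=value); stop walks the same list.
# Ignoring broadcast pings, enabling reverse-path filtering and refusing
# source-routed packets are the anti-spoofing knobs the page talks about.
PROC_SETTINGS="icmp_echo_ignore_broadcasts=1 conf/all/rp_filter=1 conf/all/accept_source_route=0"

firewallStart() {
    for setting in $PROC_SETTINGS; do
        setProcEntry "${setting%%=*}" "${setting#*=}" || return 1
    done
}

firewallStop() {
    for setting in $PROC_SETTINGS; do
        restoreProcEntry "${setting%%=*}"
    done
}

case "${1:-}" in
    start) firewallStart ;;
    stop)  firewallStop ;;
esac
```

Keeping the saved values in a directory rather than in shell variables is what lets a separate invocation with the stop argument undo what start did, which is the behaviour the Rules 2.3 note describes for broadcast pings.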


PCXFirewall 2.7 Released! - The install script now supports naming the stopfw, startfw and restartfw scripts based upon the rules file that they were generated from.  This allows for multiple Rule Sets being installed on a box which will allow the administrator to select which rule set to run as needed.  This was done mainly for Redundant VPN support we are working on.


README file is now translated to Portuguese! - Go here to view the translated files.  This was done by Ricardo Castanho de O. Freitas.


PCXFirewall 2.6 Released! - Fixed the file permission of the created shell scripts.  Updated the install script and the files.


PCXFirewall 2.4 Released! - When files are generated they are now put in their own directory named after the rules file used (output for  This is to make supporting multiple machines much easier. :)  The install script has been updated accordingly to support pulling from the different directories.  See the toolkit documentation for more details.

PCXFirewall 2.5 Released! - Removed protocol check in reject method so that it is now valid to reject on any protocol.  See man page for iptables to determine valid reject-with values.  This was pointed out to me by Arne Bernin.  He is currently working on a web front-end which will use the PCX Firewall 2.x for the backend.


A Web Based Configuration application is being developed which will use the PCX Firewall Toolkit as the actual behind the scenes firewall script generator.  Look for this in the near future.


PCXFirewall 2.3 Released! - Changed the way limits are applied to Rules and LOG rules.  Made it possible to create your own locations to group interfaces by.  Any of the antiSpoofing, logMartians, icmpRedirects or sourceRouting methods can now have the interface specified to enable/disable, or all to apply to all interfaces.  (all is what it previously defaulted to.)

PCXFirewall 2.0 Released!

Complete rewrite, provides API to Filter, NAT and Mangle tables.
