PCX Firewall Toolkit

Version 2.x

Note: As of 2.11, you must install PCXFirewall Rules 1.1+ to have the Rules module or any other Rules modules available.

Note: As of 04/12/2004, we are no longer building rpms, but are instead building debs.

This is a complete rewrite and implementation change. We now provide an OO Perl API (toolkit) for working with the Filter, NAT and Mangle tables in the iptables system. All you have to do is modify the module to specify what you want to happen when starting or stopping the firewall. I am not doing any behind-the-scenes setup as in version 1.x. You have complete control over what happens, when it happens, etc. You can even use Perl loops, etc. to help build your ruleset.

All standard parameters (as defined in the iptables manpage) are supported. All targets (ACCEPT, DROP, RETURN, etc.) are provided as methods to call. I have created methods for creating, flushing, deleting and jumping to user-defined chains. The creation of a rule does some validation (so as not to allow obviously wrong combinations such as specifying f and ! f, syn and ! syn, etc.).

The 2.x series will be the framework for future "Firewall solutions" we develop.

To see what methods are available look at the man pages.

A quick overview of how to use the toolkit for PCX Firewall 2.11+.

PCX Firewall 2.11+ only generates a single shell script file, firewall, which can be a standalone shell script or an init.d startup script.

PCX Firewall 2.17 has introduced a new module, Network, that associates a network/host entry you define with a shell variable of the form NETWORK_index, where index is an integer >= 0. You can now use "\$NETWORK_index" when specifying the source and destination values to the Filter, NAT and Mangle module methods; as long as you registered the network/host entry with the Network module, your shell script will be easier to understand.

The Interfaces module now allows you to specify an alias for each interface you define. When a rule is being generated in the Filter, NAT or Mangle modules, they look up the interface specified and use the alias value to generate an INT_alias shell variable, which is output in the rule. This makes substitution on the resulting shell script easier: if you just need to change an IP address or interface name globally, you can edit the variable instead of regenerating the rules.

You can now generate an init style shell script (chkconfig capable) or continue generating a shell script that is suitable to be called from the iptables.pcx init script. Currently RedHat versions 7.0-7.3, 8.0 and 9 are supported. 8.0 and 9 are not yet tested though. Debian woody(stable), testing and unstable are also supported. Run generator -h to get a list of all possible arguments and what they are used for.

The generated firewall script now supports status, panic and clear actions internally. Use panic if you need to stop all traffic in, out and through your firewall. Use clear if you want to get rid of firewall rules but still allow your machine to work. Traffic will not flow through the box though.
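The following is an added, hand-written illustration of the script style described above (the INT_ext and NETWORK_0 variable names and the sample rules are assumed; this is not generator output). The ipt wrapper lets you preview the iptables commands with DRYRUN=1 before running the script for real, and the clear and panic actions follow the semantics given above: clear keeps the host usable but forwards nothing, panic stops all traffic.

```shell
#!/bin/sh
# Illustrative firewall script in the style PCX Firewall generates (assumed
# variable names, not real generator output). Edit the variables below to
# change an address or interface globally without touching the rules.
INT_ext="eth0"              # alias 'ext' registered with the Interfaces module
NETWORK_0="192.168.1.0/24"  # entry 0 registered with the Network module
DRYRUN=${DRYRUN:-0}

# Print the command instead of running it when DRYRUN=1.
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# start: default-deny inbound, allow replies and SSH from the registered LAN.
fw_start() {
    ipt -P INPUT DROP
    ipt -A INPUT -i "$INT_ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$INT_ext" -s "$NETWORK_0" -p tcp --dport 22 -j ACCEPT
}

# clear: remove the rules but keep the machine usable; nothing is forwarded.
fw_clear() {
    ipt -F
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
}

# panic: stop all traffic in, out and through the box.
fw_panic() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

# status: show the live rule set with counters.
fw_status() { ipt -L -n -v; }

case "${1:-}" in
    start)  fw_start ;;
    clear)  fw_clear ;;
    panic)  fw_panic ;;
    status) fw_status ;;
    *) echo "usage: $0 {start|clear|panic|status}" ;;
esac
```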

The install script, for helping to install a generated firewall script, now requires you to specify the source directory. Run install -h to get a list of all possible arguments and what they are used for.