Wouter Verhelst wonders

why you would use a firewall config tool (apart from a GUI) instead of writing iptables rules directly.

While I do just use a couple of iptables statements in a shell script here on my laptop, this is not manageable for larger networks IMHO. In fact, I wrote my Pyroman firewall admin tool for the very reason that it replaced an existing iptables script which was a pain to maintain. I’m talking 300-400 lines here. Four networks, two failover firewalls, a dozen servers in the DMZ network, some of which have extra access rights into the internal network (such as accessing the LDAP directory).

And no full-time admin to take care of them.

So I needed a firewall script that everybody can edit and that won’t fail miserably when they make a mistake. A script with extensive error checking and that prevents people from locking themselves out. With an easy syntax.

The first approach was in Perl, and already worked quite well. The rewrite then was in Python, and the users (read: fellow volunteer “admins”, who don’t know the firewall by heart as I do) liked it a lot. They now could add new hosts and services without depending on me to update the firewall.

This is a configuration file they’ll immediately understand:

# add the web server
add_host(
        name="web",
        ip="10.100.1.2",
        iface="dmz"
)
# offering, well, web service.
allow(
        server="web",
        client="ANY DMZ INT",
        service="www ssh ping"
)

In contrast to any pure iptables script.
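To show what such a tool does with those two calls, here is an added example (not Pyroman's own code; the service and zone tables are constructed, and a host named fw stands in for the firewall itself): every name is validated before anything is expanded to iptables commands, and generation is refused outright when the result would leave no ssh path to the firewall.

```python
import ipaddress
# Constructed vocabulary for this example; Pyroman's own service and zone tables differ.
SERVICES = {"www": ("tcp", 80), "ssh": ("tcp", 22), "ping": ("icmp", "echo-request")}
ZONES = {"DMZ": "dmz", "INT": "int", "EXT": "ext"}   # zone keyword -> interface name
HOSTS, ALLOWS = {}, []   # name -> (ip, iface); list of (server, clients, services)

class ConfigError(Exception):
    """A mistake that must abort generation before a single rule reaches the kernel."""

def add_host(name, ip, iface):
    if name in HOSTS:
        raise ConfigError(f"host {name!r} defined twice")
    if iface not in ZONES.values():
        raise ConfigError(f"unknown interface {iface!r} for host {name!r}")
    HOSTS[name] = (str(ipaddress.ip_address(ip)), iface)   # ValueError on a bad address

def allow(server, client, service):
    """Validate every token up front: a typo fails here, not on the live firewall."""
    if server not in HOSTS:
        raise ConfigError(f"allow() references undefined server {server!r}")
    clients, services = client.split(), service.split()
    for c in clients:
        if c != "ANY" and c not in ZONES and c not in HOSTS:
            raise ConfigError(f"unknown client {c!r}")
    for s in services:
        if s not in SERVICES:
            raise ConfigError(f"unknown service {s!r}")
    ALLOWS.append((server, clients, services))

def generate(fw_host="fw"):
    """Expand allow() entries into iptables commands; refuse to lock the admins out."""
    if not any(s == fw_host and "ssh" in svcs for s, _, svcs in ALLOWS):
        raise ConfigError(f"no rule allows ssh to {fw_host!r}: this config would lock you out")
    rules = []
    for server, clients, services in ALLOWS:
        dst_ip, dst_if = HOSTS[server]
        chain = "INPUT" if server == fw_host else "FORWARD"   # to the box itself vs. through it
        for c in clients:
            parts = ["iptables", "-A", chain]
            if c in ZONES:
                parts += ["-i", ZONES[c]]      # any host arriving on that interface
            elif c != "ANY":
                parts += ["-s", HOSTS[c][0]]   # one named host
            if chain == "FORWARD":
                parts += ["-o", dst_if]
            parts += ["-d", dst_ip]
            for proto, port in (SERVICES[s] for s in services):
                match = f"-p icmp --icmp-type {port}" if proto == "icmp" else f"-p {proto} --dport {port}"
                rules.append(" ".join(parts + [match, "-j", "ACCEPT"]))
    return rules
```

The config from above expands to nine FORWARD rules for the web host; a typo such as service="wwww" or a forgotten fw ssh rule stops generation with a ConfigError instead of a half-loaded ruleset.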

It also helps to require them to commit their changes to a SVN repository (for getting the changes synched to the failover firewall) - that way you have version control and undo.