As mentioned earlier, I’ve uploaded a new Pyroman release to Debian. I’ve also updated the download at the download page on alioth for the non-Debian users.

There is just one single user-visible change (under the hood I switched some Python API so you need python 2.4+ now, which was available in sarge already):

This version has a new command line option, “--verification-cmd”. This can be used to point to a script file to verify network connectivity. For example, you could try to send a ping to the next router, or you could ssh to another host, have it ssh back and touch a flag file in /tmp to signal success.

Similar to the --safe option, it is meant as a safety feature to avoid locking yourself out of your system. But while --safe needs to be used interactively, this new command could be used when automatically activating new firewall rules, e.g. triggered by cfengine or some other configuration management. If the verification command does not succeed, the firewall rules will automatically be rolled back to the previous state.
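A verification script of the kind --verification-cmd could point at, combining the two checks mentioned above (ping the next-hop router, then wait for a flag file touched by a host that sshes back). This is an added example, not a script shipped with pyroman; the VERIFY_GATEWAY, VERIFY_PEER, VERIFY_FLAG, VERIFY_TIMEOUT and VERIFY_RUN variables are names invented for it.

```shell
#!/bin/sh
# Example verification script for pyroman's --verification-cmd (added example,
# not part of pyroman). Exit 0 means "connectivity verified, keep the new
# rules"; any non-zero exit tells pyroman to roll back to the previous rules.
# The VERIFY_* variables are assumptions of this example, not pyroman options.

FLAG_FILE="${VERIFY_FLAG:-/tmp/pyroman-verify.flag}"
TIMEOUT="${VERIFY_TIMEOUT:-10}"

# Print the next-hop router of the default route, or the $VERIFY_GATEWAY override.
default_gateway() {
    if [ -n "${VERIFY_GATEWAY:-}" ]; then
        printf '%s\n' "$VERIFY_GATEWAY"
        return 0
    fi
    ip -4 route show default 2>/dev/null | awk '/^default/ { print $3; exit }'
}

# Return 0 if the router answers a single ping within 2 seconds.
ping_gateway() {
    gw="$(default_gateway)"
    [ -n "$gw" ] || return 1
    ping -c 1 -W 2 "$gw" >/dev/null 2>&1
}

# Poll for the flag file ($1) for up to $2 seconds; return 0 once it appears.
wait_for_flag() {
    flag="$1"; limit="$2"; waited=0
    while [ "$waited" -lt "$limit" ]; do
        [ -e "$flag" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Full check as pyroman would run it: 0 = keep the rules, 1 = roll back.
verify_main() {
    rm -f "$FLAG_FILE"
    ping_gateway || { echo "verification: router unreachable" >&2; return 1; }
    # Ask the peer to ssh back into this host and touch the flag file.
    ssh -o BatchMode=yes -o ConnectTimeout=5 "${VERIFY_PEER:?set VERIFY_PEER}" \
        "ssh -o BatchMode=yes $(hostname) touch '$FLAG_FILE'" >/dev/null 2>&1 &
    wait_for_flag "$FLAG_FILE" "$TIMEOUT" || { echo "verification: no callback" >&2; return 1; }
    echo "verification: ok"
}

# Run the checks only when invoked as the verification command, not when sourced.
if [ "${VERIFY_RUN:-}" = 1 ]; then
    verify_main
    exit $?
fi
```

Invoke it as VERIFY_RUN=1 VERIFY_PEER=otherhost with the peer holding a key that lets it ssh back non-interactively; the script's exit status is what pyroman acts on.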

Note that I didn’t get around to adding IPv6 support yet. It would definitely be desirable to add ip6tables support, but I currently do not have any experience with IPv6, so I’m not sure I’d know how to do things right. Of course I’d welcome any patches.

(In case you haven’t read about pyroman yet - it’s yet another tool to configure iptables firewalls. It puts a thin abstraction layer on top of iptables, but the main benefit is that it uses “iptables-restore” to quickly mass-set all the firewall rules - other tools tend to invoke several hundred iptables processes to achieve the same - and if any error occurs it will both give you a clear indication of which rule caused the error and roll back your firewall to the previous state.)