Pyroman IPv6 support
I’ve added IPv6 support to my firewall tool Pyroman, and uploaded a package to experimental. But of course you can just check out the source code from Subversion and call it as bin/pyroman without installation.
Pyroman will try to produce a consistent set of rules for IPv4 and IPv6. Originally it was designed for complex firewalls with multiple interfaces, various rules and NAT. I have so far only tested this version on my single-host setup at home, in particular NAT might break.
Pyroman has extensive debug functions. You can try --print-verbose to see why it produced which rules. By invoking pyroman safe you will tell it to revert any changes unless you type OK at the prompt.
And if it fails to compute firewall rules, or there is some iptables error, it will also restore the previous state.
So you have plenty of options to give it a try without risking a mess. Just start with configuring it to the point where you like the --print output. Then give the safe mode a try next.
Check the Pyroman homepage for the features. There is more. Pyroman is a lot faster than most other firewall tools, because it does not perform hundreds of iptables invocations but uses iptables-restore to bulk load them. This is the fastest way to bring the firewall from one configured state into another.
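To show the two ideas above in working code (one rule description rendered into matching IPv4 and IPv6 rulesets, then loaded in a single iptables-restore call with a revert-unless-confirmed step), here is an added example. It is not Pyroman's code and does not use Pyroman's configuration format; the POLICY dict, the example address ranges and the injectable `run` parameter are all assumptions made for this illustration.

```python
"""Render one host policy into iptables-restore and ip6tables-restore text,
and apply it atomically with a rollback unless the operator confirms.
Constructed example; not Pyroman's own code or configuration format."""
import subprocess
from ipaddress import ip_network

# Constructed policy: SSH only from a management network (both families),
# HTTP/HTTPS from anywhere, everything else dropped. Addresses are
# documentation ranges, not real hosts.
POLICY = {
    "interfaces": ["eth0"],
    "services": [
        {"name": "ssh",   "port": 22,  "proto": "tcp",
         "from": ["192.0.2.0/24", "2001:db8:1::/48"]},
        {"name": "http",  "port": 80,  "proto": "tcp", "from": ["0.0.0.0/0", "::/0"]},
        {"name": "https", "port": 443, "proto": "tcp", "from": ["0.0.0.0/0", "::/0"]},
    ],
}


def _sources_for(family, sources):
    """Keep only the source networks that belong to the given family (4 or 6)."""
    return [n for n in (ip_network(s) for s in sources) if n.version == family]


def build_ruleset(policy, family):
    """Return iptables-restore text for one address family.

    The same policy drives both families, so the rule sets stay consistent;
    only the family-specific parts (ICMP vs ICMPv6, which source networks
    apply) differ.
    """
    assert family in (4, 6)
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    if family == 6:
        # Neighbour discovery rides on ICMPv6; dropping it breaks IPv6 entirely.
        lines.append("-A INPUT -p ipv6-icmp -j ACCEPT")
    else:
        lines.append("-A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
    for svc in policy["services"]:
        for net in _sources_for(family, svc["from"]):
            for iface in policy["interfaces"]:
                lines.append(f"-A INPUT -i {iface} -s {net} -p {svc['proto']} "
                             f"--dport {svc['port']} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def apply_safely(policy, confirm, family, run=subprocess.run):
    """Load the ruleset with one *-restore call; restore the saved state on
    error or unless confirm() returns True. `run` is injectable so the
    control flow can be exercised without root or a kernel."""
    save, restore = (("iptables-save", "iptables-restore") if family == 4
                     else ("ip6tables-save", "ip6tables-restore"))
    previous = run([save], capture_output=True, text=True, check=True).stdout
    try:
        run([restore], input=build_ruleset(policy, family), text=True, check=True)
    except subprocess.CalledProcessError:
        run([restore], input=previous, text=True, check=True)
        return "error"
    if confirm():
        return "kept"
    run([restore], input=previous, text=True, check=True)
    return "reverted"


if __name__ == "__main__":
    # Stand-alone use: print both rulesets for inspection (the "--print" step).
    print(build_ruleset(POLICY, 4))
    print(build_ruleset(POLICY, 6))
```

Running it as root with `apply_safely(POLICY, lambda: input("OK? ") == "OK", 4)` gives the safe-mode behaviour described above: the old state is captured first, the new rules land in one atomic restore, and anything other than a confirmation puts the old state back.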
For the 0.6 version of pyroman I plan to offer precomputing the firewall rules, and use a single iptables-restore call at bootup to set up your firewall, with dependency tracking to see if the precomputed file is still up to date.