I’ve added IPv6 support to my firewall tool Pyroman and uploaded a package to experimental. But of course you can just check out the source code from Subversion and call it as bin/pyroman without installation.

Pyroman will try to produce a consistent set of rules for IPv4 and IPv6. Originally it was designed for complex firewalls with multiple interfaces, various rules and NAT. I have so far only tested this version on my single-host setup at home; in particular, NAT might break.

Pyroman has extensive debug functions. You can try --print-verbose to see why it produced which rules. By invoking pyroman safe, you tell it to revert any changes unless you type OK at the prompt.

And if it fails to compute firewall rules, or there is some iptables error, it will also restore the previous state.

So you have plenty of options to give it a try without risking a mess. Just start with configuring it to the point where you like the --print output. Then give the safe mode a try next.

Check the Pyroman homepage for the features. There is more. Pyroman is a lot faster than most other firewall tools, because it does not perform hundreds of iptables invocations but uses iptables-restore to bulk load them. This is the fastest way to bring the firewall from one configured state into another. For the 0.6 version of pyroman I plan to offer precomputing the firewall rules and using a single iptables-restore call at bootup to set up your firewall, with dependency tracking to see if the precomputed file is still up to date.
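To illustrate both ideas from this post, one rule spec rendered for IPv4 and IPv6 and bulk-loaded via iptables-restore, plus a safe mode that rolls back unless the change is confirmed, here is an added example. It is not Pyroman's own code; the port list is a constructed sample, and the save/restore commands and the confirmation callback are parameters so the logic can be exercised without touching a live firewall.

```python
"""Added example (not Pyroman's code): render one rule spec for both address
families in iptables-restore format, and apply it with a revert-unless-OK step."""
import subprocess

# Constructed sample policy: TCP services reachable on both IPv4 and IPv6.
ALLOWED_TCP_PORTS = [22, 80, 443]

def build_restore_input(family, tcp_ports=ALLOWED_TCP_PORTS):
    """Return iptables-restore text for 'inet' (IPv4) or 'inet6' (IPv6).
    Same spec for both families; only the ICMP protocol name differs, and on
    IPv6 ICMP must stay open or neighbour discovery (and thus connectivity) breaks."""
    if family not in ("inet", "inet6"):
        raise ValueError(f"unknown family: {family}")
    icmp = "icmpv6" if family == "inet6" else "icmp"
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -p {icmp} -j ACCEPT",
    ]
    lines += [f"-A INPUT -p tcp --dport {p} -m conntrack --ctstate NEW -j ACCEPT"
              for p in tcp_ports]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

def safe_apply(new_rules, save_cmd, restore_cmd, confirm):
    """Load new_rules in one restore_cmd call (e.g. ["iptables-restore"]), then
    roll back to the state captured by save_cmd (e.g. ["iptables-save"]) unless
    confirm() returns True, e.g. after the operator typed OK before a timeout.
    A failing restore also triggers the rollback. Returns True if kept."""
    backup = subprocess.run(save_cmd, check=True, capture_output=True, text=True).stdout
    try:
        subprocess.run(restore_cmd, input=new_rules, check=True, text=True)
        if confirm():
            return True
    except subprocess.CalledProcessError:
        pass
    # Either the load failed or nobody confirmed: reload the previous state.
    subprocess.run(restore_cmd, input=backup, check=True, text=True)
    return False
```

Run for real as root with save_cmd=["iptables-save"], restore_cmd=["iptables-restore"] (and the ip6tables pair for the "inet6" output), and a confirm that prompts with a timeout.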