pyroman - a firewall configuration utility
- pyroman
- [ -hvnspP ] [ -r RULESDIR ] [ -t
SECONDS ]
[ --help ] [ --version ] [ --safe ] [ --no-act ]
[ --print ] [ --print-verbose ] [
--rules=RULESDIR ]
[ --timeout=SECONDS ] [ safe ]
pyroman is a firewall configuration utility.
It will compile a set of configuration files to iptables
statements to setup IP packet filtering for you.
While it is not necessary for operating and using Pyroman, you
should have understood how IP, TCP, UDP, ICMP and the other commonly used
Internet protocols work and interact. You should also have understood the
basics of iptables in order to make use of the full functionality.
pyroman does not try to hide all the iptables complexity
from you, but tries to provide you with a convenient way of managing a
complex networks firewall. For this it offers a compact syntax to add new
firewall rules, while still exposing access to add arbitrary iptables
rules.
- -r
RULESDIR,--rules=RULES
- Load the rules from directory RULESDIR instead of the default
directory (usually /etc/pyroman )
- -t
SECONDS,--timeout=SECONDS
- Wait SECONDS seconds after applying the changes for the user to
type OK to confirm he can still access the firewall. This implies
--safe but allows you to use a different timeout.
- -h, --help
- Print a summary of the command line options and exit.
- -V, --version
- Print the version number of pyroman and exit.
- -s, --safe,
safe
- When the firewall was committed, wait 30 seconds for the user to type
OK to confirm, that he can still access the firewall (i.e. the
network connection wasn't blocked by the firewall). Otherwise, the
firewall changes will be undone, and the firewall will be restored to the
previous state. Use the --timeout=SECONDS option to change
the timeout.
- -n, --no-act
- Don't actually run iptables. This can be used to check if pyroman
accepts the configuration files.
- -p, --print
- Instead of running iptables, output the generated rules.
- -P,
--print-verbose
- Instead of running iptables, output the generated rules. Each statement
will have one comment line explaining how this rules was generated. This
will usually include the filename and line number, and is useful for
debugging.
Configuration of pyroman consists of a number of files in the
directory /etc/pyroman. These files are in python syntax, although
you do not need to be a python programmer to use these rules. There is only
a small number of statements you need to know:
- add_host
- Define a new host or network
- add_interface
- Define a new interface (group)
- add_service
- Add a new service alias (note that you can always use e.g. www/tcp to
reference the www tcp service as defined in /etc/services)
- add_nat
- Define a new NAT (Network Address Translation) rule
- allow
- Allow a service, client, server combination
- reject
- Reject access for this service, client, server combination
- drop
- Drop packets for this service, client, server combination
- add_rule
- Add a rule for this service, client, server and target combination
- iptables
- Add an arbitrary iptables statement to be executed at beginning
- iptables_end
- Add an arbitrary iptables statement to be executed at the end
- Detailed parameters
for these functions can be looked up by caling
-
cd /usr/share/pyroman
pydoc ./commands.py
None known as of pyroman-0.4 release
pyroman was written by Erich Schubert
<erich@debian.org>