PacketFlow Firewall Generator


  • Who is PacketFlow intended for?
    PacketFlow is intended mainly for people who already understand firewalls, and simply need a tool to help maintain those rules. When using this tool, your focus shifts from writing rules towards implementing the policies that you need.

    This doesn't mean that you shouldn't take a look at the samples and give this tool a try. There are samples provided that illustrate some common configurations.

  • What language is PacketFlow written in?
    PacketFlow is written in Python. A previous incarnation was written in Java, but after I had proved the concept I wanted it to be written in a lighter-weight language that would be more appropriate to install on a firewall.

  • What do I need to run PacketFlow?
    All you need is Python and the Python interface to libxml2. These are available in RedHat 8.0 and Debian testing. The APT repository provided on the download page also includes a back-port of libxml2 and libxml2-python from testing to stable (woody).

  • Why don't you have a (GTK|Qt|Swing) GUI?
    A previous incarnation did use a GUI, but I found it actually made maintaining firewalls more difficult. I would need to make a quick change, but I didn't want to open the GUI, make the changes, save the rule set, and then transfer it to the firewall. Also, I didn't always have the application conveniently available. For this reason, I've moved to a command line utility that uses an XML configuration file. This is intended to be installed directly on the firewall. If you are going to be making changes to the configuration of the firewall, what better place to keep the configuration and the application itself?

  • Why would I want to use wildcard interfaces?
    Wildcard interfaces are for scenarios where a service should be exposed on all interfaces. For example, if you have a public mail server, you could define rules for it using a wildcard access list rather than putting the same rules in several other access lists.
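    As an added illustration, not PacketFlow's own code or configuration format, the following Python sketch shows how a wildcard access list expands into one rule per declared interface, so the mail-server rules are written down once. The XML element names are a hypothetical schema, xml.etree stands in for libxml2, and the emitted iptables commands are only printed, never executed:

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration. The element names below are a
# hypothetical schema for illustration, not PacketFlow's real format.
SAMPLE_CONFIG = """
<firewall>
  <interface name="eth0"/>
  <interface name="eth1"/>
  <interface name="ppp0"/>
  <accesslist interface="*">
    <allow proto="tcp" port="25"/>
  </accesslist>
  <accesslist interface="eth1">
    <allow proto="tcp" port="22"/>
  </accesslist>
</firewall>
"""


def generate_rules(config_xml):
    """Expand access lists into iptables INPUT rule strings.

    An access list bound to interface "*" is a wildcard: its entries are
    emitted once for every declared interface, so a public service such as
    SMTP is defined once instead of being repeated in each interface's list.
    """
    root = ET.fromstring(config_xml)
    interfaces = [i.get("name") for i in root.findall("interface")]
    rules = []
    for acl in root.findall("accesslist"):
        bound = acl.get("interface")
        # Refuse a typo'd interface name rather than silently emitting a
        # rule that matches no traffic.
        if bound != "*" and bound not in interfaces:
            raise ValueError("access list bound to undeclared interface %r" % bound)
        targets = interfaces if bound == "*" else [bound]
        for iface in targets:
            for entry in acl.findall("allow"):
                rules.append(
                    "iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT"
                    % (iface, entry.get("proto"), entry.get("port"))
                )
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_CONFIG):
        print(rule)
```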

  • What doesn't PacketFlow do?
    PacketFlow currently does not support generating rules for NAT. In my experience, NAT rules are much easier to write by hand than filtering rules. I am still hoping at some point to provide a simple way to generate NAT rules as well.