Who is PacketFlow intended for?
PacketFlow is intended mainly for people who
already understand firewalls, and simply need a tool
to help maintain those rules. When using this tool,
your focus shifts from writing rules towards
implementing the policies that you need.
This doesn't mean that you shouldn't take a look at
the samples and give this tool a try. There are
samples provided that illustrate some common
configurations.
What language is PacketFlow written in?
PacketFlow is written in Python. A previous
incarnation was written in Java, but after I had
proved the concept I wanted it to be written
in a lighter weight language that would be more
appropriate to install on a firewall.
What do I need to run PacketFlow?
All you need is Python and the Python interface to
libxml2. These are available in RedHat 8.0 and
Debian testing. The APT repository provided on the
download page also includes a back-port of libxml2
and libxml2-python from testing to stable (woody).
Why don't you have a (GTK|Qt|Swing) GUI?
A previous incarnation did use a GUI, but I found it
actually made maintaining firewalls more difficult.
I would need to make a quick change, but I didn't
want to open the GUI, make the changes, save the
rule set, and then transfer it to the firewall.
Also, I didn't always have the application
conveniently available. For this reason, I've
moved to a command line utility that uses an XML
configuration file. This is intended to be installed
directly on the firewall. If you are going to be
making changes to the configuration of the firewall,
what better place to keep the configuration and the
application itself?
Why would I want to use wildcard interfaces?
Wildcard interfaces are for scenarios where a
service should be exposed on all interfaces.
For example, if you have a public mail server, you
could define rules for it using a wildcard access
list rather than putting the same rules in several
other access lists.
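As an added illustration of the wildcard idea (this is example code, not PacketFlow's own code or XML schema; the element names, the "*" wildcard marker and the iptables output format are assumptions made for this example): a small Python script that expands one wildcard access list across every declared interface, rejects an access list that names an undeclared interface, and collapses a rule that is both explicit and wildcard-derived.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration for this example only. The element
# and attribute names are assumptions for illustration, not PacketFlow's
# real XML format. The mail service (tcp/25) is declared once for "*";
# eth0 additionally allows ssh and repeats the mail rule explicitly.
SAMPLE_CONFIG = """
<firewall>
  <interface name="eth0"/>
  <interface name="eth1"/>
  <interface name="eth2"/>
  <accesslist interface="*">
    <allow proto="tcp" port="25"/>
  </accesslist>
  <accesslist interface="eth0">
    <allow proto="tcp" port="22"/>
    <allow proto="tcp" port="25"/>
  </accesslist>
</firewall>
"""

def expand_rules(xml_text):
    """Return sorted (interface, proto, port) tuples.

    Rules in an access list whose interface is "*" are copied to every
    declared interface, so a service exposed everywhere is written once.
    An access list naming an undeclared interface is an error, and a
    rule that is both explicit and wildcard-derived appears only once.
    """
    root = ET.fromstring(xml_text)
    interfaces = [i.get("name") for i in root.findall("interface")]
    rules, seen = [], set()
    for acl in root.findall("accesslist"):
        iface = acl.get("interface")
        if iface != "*" and iface not in interfaces:
            raise ValueError("access list for undeclared interface %r" % iface)
        targets = interfaces if iface == "*" else [iface]
        for allow in acl.findall("allow"):
            for target in targets:
                rule = (target, allow.get("proto"), int(allow.get("port")))
                if rule not in seen:       # drop explicit/wildcard duplicates
                    seen.add(rule)
                    rules.append(rule)
    return sorted(rules)

def render_iptables(rules):
    """Render each rule as an iptables INPUT ACCEPT line (assumed target)."""
    return ["iptables -A INPUT -i %s -p %s --dport %d -j ACCEPT" % r for r in rules]
```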
What doesn't PacketFlow do?
PacketFlow currently does not support generating
rules for NAT. In my experience, NAT rules are much
easier to write by hand than filtering rules. I am
still hoping at some point to provide a simple way
to generate NAT rules as well.