Pyroman 0.3 review

by rbytes.net on


License: MIT/X Consortium License
File size: 0K
Developer: Erich Schubert

Pyroman is a flexible and fast firewall tool.

Here are some key features of "Pyroman":

The good:

Really fast compared to sh+awk-based solutions, because the whole ruleset is loaded in one go with iptables-restore
Rollback to the previous firewall on error, to minimize the risk of applying a broken ruleset
Detailed error reporting to help with configuration
Easy syntax to add hosts and NATs
Designed for complex networks
Written in easy-to-read Python code
Extensively documented (Python docstrings)
You can add custom iptables rules when needed
Lots of verification checks done before execution
Designed to use the same configuration files on multiple hosts (e.g. failover firewalls, or the destination host itself); it detects whether you are talking about a local or a remote host

The bad:

Not designed for single-host workstation setups
Doesn't completely hide iptables complexity from the admin (good or bad?)
Only iptables: no TC/shaping, IPsec, proxy ARP setup, VPN or ifconfig (I use other tools for that, e.g. heartbeat)

To tease you a little more into testing, here's an example host configuration. ("dmz" is an interface alias for the interface the web server is connected to; "INT", "DMZ" and "ANY" are likewise aliases for the clients on those interfaces.)

A really simple webserver configuration.
These examples are just boring...
But without NAT they would be even more boring.

# web server: a host named "web" on the dmz interface
add_host(
    name="web",
    ip="10.100.1.2",
    iface="dmz"
)
# offering, well, web service (plus ssh and ping) to everybody
allow(
    client="ANY DMZ INT",
    server="web",
    service="www ssh ping"
)
# internal hosts may access FTP, too
allow(
    client="INT",
    server="web",
    service="ftp"
)
# setup NAT: publish the web host under the public address 12.34.56.80
add_nat(
    client="ANY INT",
    server="web",
    ip="12.34.56.80"
)

(Yes, this is a Python script. No, you probably won't care to write your configuration in a programming language, will you?)
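The features listed above (verification before execution, one-shot loading via iptables-restore, rollback to the previous firewall on error) and the configuration just shown can be tied together in a few dozen lines. The following is an added example written for this review, not Pyroman's own code: it mimics the add_host/allow/add_nat calls with invented internals, compiles them to iptables-restore text, refuses to render anything that does not verify, and wraps the load so that a rejected ruleset puts the old one back. The interface map (dmz=eth1, int=eth2, ext=eth0), the service table and the class names are all assumptions.

```python
"""Added example (not Pyroman's code): host/service description -> verified
iptables-restore ruleset -> atomic load with rollback on failure."""
import ipaddress
import subprocess

# Constructed service table: service name -> (protocol, destination port).
SERVICES = {"www": ("tcp", 80), "ssh": ("tcp", 22), "ftp": ("tcp", 21), "ping": ("icmp", None)}


class ConfigError(Exception):
    """Raised by the verification pass, i.e. before any rule is loaded."""


class Firewall:
    def __init__(self, interfaces):
        self.ifaces = dict(interfaces)  # alias -> kernel interface (assumed map)
        self.hosts = {}    # name -> (ip, interface alias)
        self.allows = []   # (client token, server name, service name)
        self.nats = []     # (client token, server name, public ip)

    def add_host(self, name, ip, iface):
        if name in self.hosts:
            raise ConfigError(f"host {name!r} defined twice")
        if iface not in self.ifaces:
            raise ConfigError(f"host {name!r}: unknown interface alias {iface!r}")
        self.hosts[name] = (str(ipaddress.ip_address(ip)), iface)  # rejects bad IPs

    def allow(self, client, server, service):
        for c in client.split():
            for s in service.split():
                self.allows.append((c, server, s))

    def add_nat(self, client, server, ip):
        for c in client.split():
            self.nats.append((c, server, str(ipaddress.ip_address(ip))))

    def verify(self):
        """Every client, server and service reference must resolve."""
        for c, server, svc in self.allows:
            self._client_match(c)
            self._server(server)
            if svc not in SERVICES:
                raise ConfigError(f"allow {c}->{server}: unknown service {svc!r}")
        for c, server, _ in self.nats:
            self._client_match(c)
            self._server(server)

    def _client_match(self, token):
        """ANY = no restriction; upper-case alias = input interface; else a host."""
        if token == "ANY":
            return ""
        if token.isupper() and token.lower() in self.ifaces:
            return f"-i {self.ifaces[token.lower()]} "
        if token in self.hosts:
            return f"-s {self.hosts[token][0]} "
        raise ConfigError(f"unknown client {token!r} (not ANY, an interface alias or a host)")

    def _server(self, name):
        if name not in self.hosts:
            raise ConfigError(f"unknown server host {name!r}")
        ip, alias = self.hosts[name]
        return ip, self.ifaces[alias]

    def render(self):
        """iptables-restore text: default-deny FORWARD, stateful return traffic,
        one ACCEPT per (client, server, service), one DNAT per published address."""
        self.verify()
        out = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
               "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for c, server, svc in self.allows:
            ip, oif = self._server(server)
            proto, port = SERVICES[svc]
            match = f"-p {proto} --dport {port}" if port else "-p icmp --icmp-type echo-request"
            out.append(f"-A FORWARD {self._client_match(c)}-o {oif} -d {ip} {match} -j ACCEPT")
        out.append("COMMIT")
        out += ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
        for c, server, pub in self.nats:
            ip, _ = self._server(server)
            out.append(f"-A PREROUTING {self._client_match(c)}-d {pub} -j DNAT --to-destination {ip}")
        out.append("COMMIT")
        return "\n".join(out) + "\n"


def load_with_rollback(ruleset, save, restore):
    """save() returns the current rules (iptables-save text); restore(text) feeds
    text to iptables-restore and returns (returncode, stderr). Both are injected
    so the rollback logic can be exercised without root or iptables."""
    snapshot = save()
    rc, err = restore(ruleset)
    if rc == 0:
        return "loaded"
    rb_rc, rb_err = restore(snapshot)
    if rb_rc != 0:
        raise RuntimeError(f"new ruleset rejected ({err.strip()}); rollback ALSO failed ({rb_err.strip()})")
    raise RuntimeError(f"new ruleset rejected, previous firewall restored: {err.strip()}")


def iptables_save():
    return subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout


def iptables_restore(text):
    r = subprocess.run(["iptables-restore"], input=text, capture_output=True, text=True)
    return r.returncode, r.stderr


def example_firewall():
    """The web server configuration from the review; interface map is assumed."""
    fw = Firewall({"dmz": "eth1", "int": "eth2", "ext": "eth0"})
    fw.add_host(name="web", ip="10.100.1.2", iface="dmz")
    fw.allow(client="ANY DMZ INT", server="web", service="www ssh ping")
    fw.allow(client="INT", server="web", service="ftp")
    fw.add_nat(client="ANY INT", server="web", ip="12.34.56.80")
    return fw


if __name__ == "__main__":
    print(example_firewall().render())
    # As root, to load for real: load_with_rollback(rules, iptables_save, iptables_restore)
```

Two practical notes. iptables-restore commits each table at its own COMMIT line, so a syntax error in the nat section can leave the filter table already replaced; that is why the snapshot from iptables-save is taken before the load rather than trusting the load to be all-or-nothing, and why a pre-check with iptables-restore --test is worth adding in front of it. The toy also stops where the review says Pyroman does: it only emits iptables rules (no INPUT rules for the firewall host itself, no outbound SNAT, no shaping or IPsec).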

What's New in This Release:
iptables and kernel version checks (required for the BitTorrent filter in the new extended examples), plus some minor code cleanups and refactoring.
