{ "info": { "author": "Hans-Kristian Bakke", "author_email": "", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Topic :: System :: Networking :: Firewalls" ], "description": "Introduction\n============\n\nfwgen is a small framework to simplify the management of\nip(6)tables based firewalls, that also integrates ipset support and\nzones in a non-restrictive way. It is *not* an abstraction layer of the\niptables syntax, so you still need to understand how to write iptables\nrules and how packets are processed through the iptables chains. This is\nthe intended project scope to ensure all existing functionality is made\navailable. fwgen does however help you create an efficient ruleset with\nvery little effort.\n\nfwgen is mainly targeted towards network gateways and hosts which are\nconfigured via configuration management systems, often with multiple\ninterfaces and complex rulesets that very fast gets unmanagable or\ninefficient if not done right. It may not be worth the effort to install\nit if you just have a simple server where you want to allow a couple of\nincoming ports.\n\nIt has built-in mechanisms to make remote unattended deployment of linux\nfirewalls much more robust. If any kind of errors is encountered the ruleset\nis automatically rolled back to the previous running one.\nTo solve the other issue with remote deployment of firewalls, the one where\nyou deploy a valid ruleset, but you have managed to cut your own access,\nfwgen can run user defined checks that can automatically verify that the host\nis remotely accessible before storing the new ruleset. If the check command\nfails the ruleset will be rolled back.\n\nAdvantages of using fwgen:\n\n- Integrates iptables, ip6tables and ipsets in a common management framework\n- Uses a simple config file in YAML format for easy and readable configuration\n- Separation of duties between the loading of firewall rules at boot (restore files) and the rule generation (fwgen). No complex code are executed during boot/ifup.\n- Firewall operations are atomic. It either applies correctly or not, without flushing your existing ruleset, potentially leaving you temporarily exposed.\n- Automatic rollback to previous ruleset if something goes wrong\n- Supports check commands to automatically roll back ruleset if check fails\n- Combines IPv4 and IPv6 in a single non-duplicated config\n- Automatically archives rulesets which later can be easily diffed or restored\n\nRequirements\n============\n\n- Python 3 (only tested on 3.4 and later, but might work with earlier versions)\n- PyYAML\n- ipset\n\nInstallation\n============\n\n::\n\n # Debian / Ubuntu\n apt install ipset python3-yaml python3-pip -y\n pip3 install fwgen --upgrade\n\n::\n\n # CentOS 7\n rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm\n yum install -y python34-pip\n pip3 install fwgen --upgrade\n\nPyYAML is pulled in as a dependency automatically via pip, but you may get a compiler error if you do not have the correct dependencies installed. It will still work however, just not as fast. I recommend using the distro packaged version if you have it available. In Debian's case that is ``python3-yaml``.\n\nTo ensure persistence you must have something that loads the ruleset at boot. An example systemd service is included in `fwgen.service`_. As not all distros use systemd it is not enabled automatically, but a `helper script`_ is available to enable or update the service.\n\nInstalling from source\n======================\n\n::\n\n apt install python3-pip python3-venv\n git clone https://github.com/hkbakke/fwgen\n cd fwgen\n python3 -m venv venv\n . ./venv/bin/activate\n pip3 install wheel\n python3 setup.py clean --all bdist_wheel\n deactivate\n\n # On your target host\n apt install ipset python3-yaml python3-pip\n pip3 install dist/.whl --upgrade\n\nPrepare configuration file\n==========================\n\nBy default fwgen will give an error if the config file is missing. This is by design to prevent accidental application of the very restrictive default firewall settings, which basically only allows host internal traffic.\n\nTo create your initial config file you should run:\n\n::\n\n fwgen --create-config-dir\n\nUpdate the config with your ruleset. It is by default located in ``/etc/fwgen/config.yml``. Look at the `example configuration`_ for guidance. fwgen also has some built-in helper chains and defaults available for ease of use. See the `default configuration`_ for those.\n\nUsage\n=====\n\nTo generate the new ruleset:\n\n::\n\n fwgen apply\n\nTo skip confirmation:\n\n::\n\n fwgen apply --no-confirm\n\nIn addition to rules defined in the config file you can add/override rules from command line. Add ``--log-level debug`` to see the resulting complete config.\n\n::\n\n fwgen --config-json '{\"policy\": {\"filter\": {\"INPUT\": \"ACCEPT\"}}}' apply\n\nTo temporarily clear the running ruleset without overwriting the saved persistent ruleset:\n\n::\n\n fwgen apply --no-save --clear\n\nTo list archived rulesets:\n\n::\n\n fwgen show archive\n\nTo view changes between currently running and archived ruleset:\n\n::\n\n fwgen show archive \n\nYou can restore your saved or archived rulesets:\n\n::\n\n # Restores your currently saved ruleset\n fwgen apply --restore\n\n # Restores a ruleset from the archive\n fwgen apply --archive \n\n\nTo view the currently running configuration:\n\n::\n\n fwgen show running\n\nFor troubleshooting:\n\n::\n\n fwgen --log-level debug apply\n\nFor a complete list of the functionality, see:\n\n::\n\n fwgen --help\n\nfwgen check server setup\n========================\n\nIf you want to make use of the firewall check commands a script is included, `fwchk`_, intended to be hosted at the server performing the tests against your firewalls and called via SSH. As you do not want to allow remote firewalls to be able to execute arbitrary commands on the test server you should add some restrictions, and fwchk helps you enforcing those in a set of standardized checks.\n\nAdd a user for fwchk on the test server\n\n::\n\n adduser --system --group --shell /bin/bash fwchk\n\nPut fwchk somewhere logical for ease of use\n\n::\n\n cd /usr/local/bin\n wget -O fwchk https://raw.githubusercontent.com/hkbakke/fwgen/master/scripts/fwchk\n chmod +x fwchk\n\nAdd the ssh public key for the root user (normally found in ``/root/.ssh/id_rsa.pub``) from each of the fwgen firewalls requesting the checks to ``/home/fwchk/.ssh/authorized_keys`` on the test server. To restrict the key usage to running the fwchks only, a set of restrictions should be included. Example:\n\n::\n\n command=\"fwchk\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3Nza....\n\nExample fwgen config on the firewalls:\n\n::\n\n check_commands:\n # Available tests:\n #\n # tcp-test \n # Tests if a TCP port is open on the target\n #\n # ping-test \n # Tests if the target is reachable by ping\n #\n # default-tests \n # Test if TCP port 22 is open at the target and if it is reachable by ping\n #\n - ssh -o ConnectTimeout=2 fwtest@ default-tests \n - \n - \n\n.. _example configuration: https://gitlab.proikt.com/hk/fwgen/raw/master/fwgen/doc/examples/config.yml\n.. _default configuration: https://gitlab.proikt.com/hk/fwgen/raw/master/fwgen/etc/defaults.yml\n.. _fwgen.service: https://gitlab.proikt.com/hk/fwgen/raw/master/fwgen/doc/examples/fwgen.service\n.. _helper script: https://gitlab.proikt.com/hk/fwgen/raw/master/scripts/enable-systemd-service\n.. _fwchk: https://gitlab.proikt.com/hk/fwgen/raw/master/scripts/fwchk\n\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/hkbakke/fwgen", "keywords": "linux firewall iptables ip6tables ipset", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "fwgen", "package_url": "https://pypi.org/project/fwgen/", "platform": "", "project_url": "https://pypi.org/project/fwgen/", "project_urls": { "Homepage": "https://github.com/hkbakke/fwgen" }, "release_url": "https://pypi.org/project/fwgen/0.19.0/", "requires_dist": [ "pyyaml", "pylint ; extra == 'test'", "pytest ; extra == 'test'", "pytest-cov ; extra == 'test'" ], "requires_python": "", "summary": "A simple management framework for ip(6)tables based firewalls", "version": "0.19.0" }, "last_serial": 5965205, "releases": { "0.14.1": [ { "comment_text": "", "digests": { "md5": "ca138a9eb75262885825b74025a8e88d", "sha256": "5d0e82b066be82a2f6d8fd6f9264d18471d29056427595831363e816bda1e561" }, "downloads": -1, "filename": "fwgen-0.14.1-py3-none-any.whl", "has_sig": false, "md5_digest": "ca138a9eb75262885825b74025a8e88d", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 18642, "upload_time": "2018-01-10T08:36:39", "url": "https://files.pythonhosted.org/packages/2c/b3/0f6c1a1291ce49b33394d954d03b28c6db9f1c8a6acb1e76219a78119aab/fwgen-0.14.1-py3-none-any.whl" } ], "0.15.0": [ { "comment_text": "", "digests": { "md5": "51627dfde79fb571a4922e2227c55a47", "sha256": "078c4857000d3415ac1da8e390d8243914aa0a777dc0ef31bd62b4a87d89b709" }, "downloads": -1, "filename": "fwgen-0.15.0-py3-none-any.whl", "has_sig": false, "md5_digest": "51627dfde79fb571a4922e2227c55a47", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 20853, "upload_time": "2018-01-12T23:30:29", "url": "https://files.pythonhosted.org/packages/d4/4f/6fa56c0d28f019763a988ea6aec9c7b988f9c122daea6e6e9ff87fdfb56d/fwgen-0.15.0-py3-none-any.whl" } ], "0.16.0": [ { "comment_text": "", "digests": { "md5": "bd6c6d83ab5123a09794577e57ddff1d", "sha256": "cc45533985ca9803a7fe9f5bdae1096038f49286d1895eaa7b9121ffb56aefdd" }, "downloads": -1, "filename": "fwgen-0.16.0-py3-none-any.whl", "has_sig": false, "md5_digest": "bd6c6d83ab5123a09794577e57ddff1d", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 20949, "upload_time": "2018-01-13T13:16:04", "url": "https://files.pythonhosted.org/packages/93/51/e3ed1e700382acab1bbb04f239eb29753157cf378fa1efc38a7afb95e461/fwgen-0.16.0-py3-none-any.whl" } ], "0.16.1": [ { "comment_text": "", "digests": { "md5": "e4eb8c23129f461870f1e0153349f25a", "sha256": "63c20faffea794424a9b3523f7ae65bc3d4fd7698cc4690517204dc10efd0ac8" }, "downloads": -1, "filename": "fwgen-0.16.1-py3-none-any.whl", "has_sig": false, "md5_digest": "e4eb8c23129f461870f1e0153349f25a", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 20925, "upload_time": "2018-01-15T11:21:34", "url": "https://files.pythonhosted.org/packages/1b/63/cc1d4a0ac6113deea4eba149143c2fe686390de5a92695c231eaa6782782/fwgen-0.16.1-py3-none-any.whl" } ], "0.16.2": [ { "comment_text": "", "digests": { "md5": "85ba02095f5fe0964550b20bf7132671", "sha256": "48b39153bf831d4db962233b0968822044dab32b2ba37c89a37f9c7730fd9eb7" }, "downloads": -1, "filename": "fwgen-0.16.2-py3-none-any.whl", "has_sig": false, "md5_digest": "85ba02095f5fe0964550b20bf7132671", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 20939, "upload_time": "2018-01-15T12:39:27", "url": "https://files.pythonhosted.org/packages/73/cb/3ce5587a119d88e0cd72aef391471e960b4dade1711c5a4aeefb597c5892/fwgen-0.16.2-py3-none-any.whl" } ], "0.17.0": [ { "comment_text": "", "digests": { "md5": "366f4bd165ae0a3cd437da0fd061f7ee", "sha256": "87ddb623fe9668bb27c5aac70696c5a0ae802d0596ab35f9a50b4be8740636e8" }, "downloads": -1, "filename": "fwgen-0.17.0-py3-none-any.whl", "has_sig": false, "md5_digest": "366f4bd165ae0a3cd437da0fd061f7ee", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 21238, "upload_time": "2018-02-12T02:06:22", "url": "https://files.pythonhosted.org/packages/98/96/b07cbcffcd29e23947218db737894380a2c58464cbe38a7ccce4c81b420d/fwgen-0.17.0-py3-none-any.whl" } ], "0.18.0": [ { "comment_text": "", "digests": { "md5": "b0db63ee5a131569d4a3a073e224bb69", "sha256": "731c32b0e649fe126ce5f30386410bc0776ab40e2a3d155cc4487c0bdf948354" }, "downloads": -1, "filename": "fwgen-0.18.0-py3-none-any.whl", "has_sig": false, "md5_digest": "b0db63ee5a131569d4a3a073e224bb69", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 21959, "upload_time": "2018-02-27T00:27:19", "url": "https://files.pythonhosted.org/packages/b1/0e/a63e51f9827ba93606201d4d8725b92564f2a316c77f1d742dc783d77356/fwgen-0.18.0-py3-none-any.whl" } ], "0.18.1": [ { "comment_text": "", "digests": { "md5": "124356067c894e0a024392af31bcc247", "sha256": "30cac3c1ea235c496b12adaaee87359b3530509c86509d3cbd89c901239155b7" }, "downloads": -1, "filename": "fwgen-0.18.1-py3-none-any.whl", "has_sig": false, "md5_digest": "124356067c894e0a024392af31bcc247", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 21916, "upload_time": "2018-02-28T20:33:25", "url": "https://files.pythonhosted.org/packages/3f/89/1de30d7f3aff326126838f308cff9c212b0e1caed74807f2b28cdc733b81/fwgen-0.18.1-py3-none-any.whl" } ], "0.18.2": [ { "comment_text": "", "digests": { "md5": "ac4f692408a1f987c0b4b34a0f661dca", "sha256": "c1df9f2cb2ad770bbf9661d42d20a350de2fe01d38212c4ca5dcff32627109a7" }, "downloads": -1, "filename": "fwgen-0.18.2-py3-none-any.whl", "has_sig": false, "md5_digest": "ac4f692408a1f987c0b4b34a0f661dca", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 23229, "upload_time": "2018-03-03T18:38:57", "url": "https://files.pythonhosted.org/packages/bf/58/0191848d4885774d0be3d2ce19bef1f3a7a0a746f24407899c37460de7e4/fwgen-0.18.2-py3-none-any.whl" } ], "0.19.0": [ { "comment_text": "", "digests": { "md5": "cb7c02e6e65c1551cfa8ccbd4e4997ff", "sha256": "5616103830766d46a18bdb51ea011d419d7e0a6d6b92c7c3da75044dbd768e9a" }, "downloads": -1, "filename": "fwgen-0.19.0-py3-none-any.whl", "has_sig": false, "md5_digest": "cb7c02e6e65c1551cfa8ccbd4e4997ff", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 20150, "upload_time": "2019-10-12T19:46:08", "url": "https://files.pythonhosted.org/packages/d9/50/7a6b0f0a56227c9b5bc68a15f6b840a62246c24ad777b6482e0582052f45/fwgen-0.19.0-py3-none-any.whl" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "cb7c02e6e65c1551cfa8ccbd4e4997ff", "sha256": "5616103830766d46a18bdb51ea011d419d7e0a6d6b92c7c3da75044dbd768e9a" }, "downloads": -1, "filename": "fwgen-0.19.0-py3-none-any.whl", "has_sig": false, "md5_digest": "cb7c02e6e65c1551cfa8ccbd4e4997ff", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 20150, "upload_time": "2019-10-12T19:46:08", "url": "https://files.pythonhosted.org/packages/d9/50/7a6b0f0a56227c9b5bc68a15f6b840a62246c24ad777b6482e0582052f45/fwgen-0.19.0-py3-none-any.whl" } ] }