
Firewall Steve - a visual firewall tool - design


The first step is to get the firewall rules into a usable format. Because there are a variety of ways administrators might have their tables loaded, we will avoid trying to read any setup files and will concentrate instead on the rules that are in the currently running iptables.

iptables-xml is an add-on module for iptables that exports the current ruleset in well-formed XML. XML provides the perfect conduit for this information, as both Stevegraph and Stevesieve fit well as targets for XML processing.

We might also want to support those who do not have iptables-xml on their system, so I will consider writing a parser for the output of iptables -L.

I've yet to investigate the form of the iptables-xml output, but I will assume for now that its schema will be acceptable for internal use in Firewall Steve.


The easier part of Firewall Steve should be the flow graph. Using XSLT, we should be able to get a set of rules to properly generate the .dot file needed for Graphviz. Using XSLT to generate the .dot file will also allow users to customize the output.
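As an added illustration of that step (not the author's code, and in Python rather than the XSLT the design calls for), the following reads iptables-xml output and emits the Graphviz .dot flow graph, with one box per chain and an edge per rule to either the chain it jumps to or the verdict it reaches. The element names (chain, rule, conditions, actions, call/goto and the verdict tags) are my assumption of what iptables-xml produces, and the sample ruleset is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape I expect from `iptables-save | iptables-xml`
# (element names are an assumption, not captured from a real host).
SAMPLE_XML = """<iptables-rules version="1.4"><table name="filter">
<chain name="INPUT" policy="DROP" packet-count="0" byte-count="0">
<rule><conditions><match><i>lo</i></match></conditions><actions><ACCEPT/></actions></rule>
<rule><conditions><match><p>tcp</p></match><tcp><dport>22</dport></tcp></conditions>
<actions><call><SSH/></call></actions></rule>
</chain>
<chain name="SSH" packet-count="0" byte-count="0">
<rule><conditions><match><s>10.0.0.0/8</s></match></conditions><actions><ACCEPT/></actions></rule>
<rule><conditions/><actions><DROP/></actions></rule>
</chain></table></iptables-rules>"""

def describe(conditions):
    """Flatten a <conditions> subtree into 'p tcp dport 22'-style label text."""
    if conditions is None:
        return "any"
    parts = [f"{n.tag} {n.text.strip()}" for n in conditions.iter()
             if n is not conditions and n.text and n.text.strip()]
    return " ".join(parts) or "any"

def extract_edges(xml_text):
    """Return (chain, condition, target) triples: one per rule plus one per chain policy.
    A -j/-g to a user chain (<call>/<goto>) points at that chain; a verdict points at itself."""
    edges = []
    for chain in ET.fromstring(xml_text).iter("chain"):
        name = chain.get("name")
        for rule in chain.findall("rule"):
            actions = rule.find("actions")
            if actions is None or len(actions) == 0:
                continue  # match-only (accounting) rule: no target, so no edge
            action = actions[0]
            target = action[0].tag if action.tag in ("call", "goto") else action.tag
            edges.append((name, describe(rule.find("conditions")), target))
        if chain.get("policy"):  # built-in chains carry a default policy
            edges.append((name, "policy", chain.get("policy")))
    return edges

def to_dot(edges):
    """Render the edge list as a Graphviz digraph: chains are boxes, verdicts stay ovals."""
    lines = ["digraph firewall {", "  rankdir=LR;"]
    for chain in sorted({src for src, _, _ in edges}):
        lines.append(f'  "{chain}" [shape=box];')
    for src, cond, dst in edges:
        lines.append(f'  "{src}" -> "{dst}" [label="{cond}"];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(extract_edges(SAMPLE_XML)))  # pipe into: dot -Tpng -o firewall.png
```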

Stevegraph should be a command-line program that can be run by an administrator that will dump out an image file of the flow graph. Do we have Stevegraph pull the rules directly from iptables (requiring root access), or expect the rules to exist in a file (requiring an extra step on the part of the user), or both? Should there also be a web-based method for retrieving the flow graph? A PHP script could do both, perhaps.


PHP will allow both an interactive webpage for retrieving sieve rules from the user and access to XML processing. A single webpage powered by PHP can let the user try different packets and see how each one flows through the firewall.

Additionally, the same PHP script could be used from the command line to provide a non-browser method of testing different scenarios.

©2002-2017 Wayne Pearson