
Firewall Steve - a visual firewall tool

Introduction

Firewalls are a necessity in today's networked world. The internet has changed from a friendly collaborative place for academics to a global, heavily-commercialized network for everyone. That "everyone" includes malcontents and mischief-makers, who have nothing better to do than mess around with others' computers on the internet.

With the raised interest in security, tools such as iptables are being applied more and more, and with their increased use, their jobs are becoming more complex. What used to be handled by a few simple rules can now become an administrative nightmare.

Once a ruleset gets too large, tracing and diagnosing problems can become a chore. The goal of Firewall Steve is to be able to get a visual grasp of the rulesets being used, and to provide a search mechanism for certain queries.

Firewall Steve

Firewall Steve is an attempt to make some sense out of the current rules in place on an iptables firewall. It will have two parts: a purely visual flow graph, and a query-based sieve.

Stevegraph

The flow graph will likely be generated using Graphviz (graphviz.org). Each table of iptables will be separately represented, and each chain in each table will have its own subgraph. Each rule within each chain will be a node, and the jumps at each rule will represent an edge on the graph. If talk of subgraphs, nodes and edges puts you off, don't worry about it -- it's much clearer visually.

Stevegraph will allow administrators to get an overall visual representation of their rulesets, as well as see specific rules in a more visual manner.

Stevesieve

The sieve will likely be a PHP-backed query that takes some parameters, such as source IP, destination IP, or destination port, and demonstrates the flow of a given packet through the firewall, showing where the packet is ultimately accepted or denied.

Stevesieve allows the firewall administrator to determine which rule is allowing or denying certain packets. The most likely use would be to determine where in the firewall, if anywhere, certain packets are being lost, or whether the firewall can be ruled out completely.

©2002-2017 Wayne Pearson