Firewall Steve - a visual firewall tool
Firewalls are a necessity in today's networked world. The internet
has changed from a friendly, collaborative place for academics to a
global, heavily commercialized network for everyone. That
everyone includes malcontents and mischief-makers, who have
nothing better to do than mess around with others' computers on the
With this heightened interest in security, tools such as iptables are being
used more and more, and as their use grows, the jobs they are asked to do
become more complex. What used to be handled by a few simple rules
can now become an administrative nightmare.
Once a ruleset gets too large, tracing and diagnosing problems becomes
a chore. The goal of Firewall Steve is to give administrators a visual grasp
of the rulesets in use, and to provide a search mechanism for certain
Firewall Steve is an attempt to make some sense out of the current
rules in place on an iptables firewall. It will have two parts: a
purely visual flow graph, and a query-based sieve.
The flow graph will likely be generated using Graphviz (graphviz.org). Each iptables
table will be represented separately, and each chain in a table will have
its own subgraph. Each rule within a chain will be a node, and the
jump at each rule (its -j target) will be an edge of the graph. If talk of
subgraphs, nodes and edges puts you off, don't worry about it -- it's
much clearer visually.
Stevegraph will allow administrators to get an overall visual
representation of their rulesets, as well as see specific rules in a
more visual manner.
The sieve will likely be a PHP-backed query that takes some
parameters, such as source IP, destination IP, or destination port,
and demonstrates the flow of a given packet through the firewall,
showing where the packet is ultimately accepted or denied in the
Stevesieve allows the firewall administrator to determine which rule
is allowing or denying certain packets. The most likely use would be
to determine where in the firewall, if anywhere, certain packets are
being lost, or whether the firewall can be ruled out completely.
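As an added example (not Firewall Steve's own code, which the page describes as Graphviz-generated for the graph and PHP-backed for the sieve), the script below shows both halves of the idea in Python: it parses a constructed iptables-save dump, renders one table as a DOT graph with a cluster subgraph per chain, a node per rule and an edge per jump (plus a dashed edge for the fall-through to the next rule or the chain policy, which the page's description leaves implicit), and then traces a packet through a chain to report the rule or policy that accepted or dropped it. The sample ruleset is made up, and the parser is deliberately narrow: it understands only -s, -d, -p, -i, --dport and -j, treats any other option as matching, and assumes --dport is a single port.

```python
"""Added example, not Firewall Steve's code: parse an iptables-save dump,
emit Graphviz DOT for one table, and trace a packet to its verdict.
Assumptions: only -s/-d/-p/-i/--dport/-j are interpreted, other options
are ignored (treated as matching), and --dport is a single port."""
import ipaddress
import shlex

# Constructed sample ruleset in iptables-save format (not from a real host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j WEB
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A WEB -p tcp -m tcp --dport 80 -j ACCEPT
-A WEB -p tcp -m tcp --dport 443 -j ACCEPT
-A WEB -j RETURN
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end the walk
OPTIONS = {"-A": "chain", "-s": "src", "-d": "dst", "-p": "proto",
           "-i": "iif", "--dport": "dport", "-j": "target"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the matches we understand."""
    toks = shlex.split(line)
    rule = dict.fromkeys(OPTIONS.values())
    rule["raw"] = " ".join(toks[2:])          # text after the chain name, for labels
    i = 0
    while i < len(toks):
        if toks[i] in OPTIONS:
            rule[OPTIONS[toks[i]]] = toks[i + 1]
            i += 2
        elif toks[i] == "-m":                 # match-module loader, no state of its own
            i += 2
        else:                                 # assumption: unknown options match anything
            i += 1
    for key in ("src", "dst"):
        if rule[key]:
            rule[key] = ipaddress.ip_network(rule[key], strict=False)
    if rule["dport"]:
        rule["dport"] = int(rule["dport"])    # assumption: single port, not a range
    return rule


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "chains": {chain: [rules]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "chains": {}}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["chains"][name] = []
            if policy != "-":                 # user-defined chains have no policy
                tables[table]["policy"][name] = policy
        elif line.startswith("-A "):
            rule = parse_rule(line)
            tables[table]["chains"].setdefault(rule["chain"], []).append(rule)
    return tables


def to_dot(tables, table):
    """Render one table as DOT: a cluster per chain, a box per rule, a solid edge
    for each jump and a dashed edge for fall-through to the next rule or policy."""
    t = tables[table]
    out = [f'digraph "{table}" {{', "  node [shape=box];"]
    for chain, rules in t["chains"].items():
        policy = t["policy"].get(chain)
        label = f"{chain} (policy {policy})" if policy else chain
        out.append(f'  subgraph "cluster_{chain}" {{ label="{label}";')
        for n, r in enumerate(rules):
            text = r["raw"].replace('"', '\\"')
            out.append(f'    "{chain}:{n}" [label="{text}"];')
        if policy:
            out.append(f'    "{chain}:policy" [label="policy {policy}" shape=ellipse];')
        out.append("  }")
    for chain, rules in t["chains"].items():
        for n, r in enumerate(rules):
            node, tgt = f"{chain}:{n}", r["target"]
            if tgt in t["chains"] and t["chains"][tgt]:
                out.append(f'  "{node}" -> "{tgt}:0";')          # jump into a user chain
            elif tgt:
                out.append(f'  "{node}" -> "{tgt}";')            # ACCEPT, DROP, RETURN, ...
            nxt = f"{chain}:{n + 1}" if n + 1 < len(rules) else (
                f"{chain}:policy" if chain in t["policy"] else None)
            if nxt:
                out.append(f'  "{node}" -> "{nxt}" [style=dashed];')
    out.append("}")
    return "\n".join(out)


def packet_matches(rule, pkt):
    """True if every match the rule carries is satisfied by the packet."""
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    return all(rule[k] is None or rule[k] == pkt.get(k) for k in ("proto", "iif", "dport"))


def trace(tables, table, chain, pkt, path=None):
    """Walk pkt through chain. Returns (verdict, location, path): the terminal target
    or policy reached (None if a user chain returned undecided), the rule or policy
    that decided, and the list of rules the packet matched on the way."""
    t = tables[table]
    path = [] if path is None else path
    for n, rule in enumerate(t["chains"][chain]):
        if not packet_matches(rule, pkt):
            continue
        node, tgt = f"{chain}:{n}", rule["target"]
        path.append(node)
        if tgt in TERMINAL:
            return tgt, node, path
        if tgt == "RETURN":
            break                                  # back to the caller, or on to policy
        if tgt in t["chains"]:
            verdict, loc, path = trace(tables, table, tgt, pkt, path)
            if verdict:
                return verdict, loc, path
        # no -j, or a non-terminating target such as LOG: keep walking the chain
    policy = t["policy"].get(chain)
    return (policy, f"{chain}:policy", path) if policy else (None, None, path)


if __name__ == "__main__":
    tables = parse_iptables_save(SAMPLE_RULES)
    print(to_dot(tables, "filter"))               # pipe into: dot -Tpng -o filter.png
    pkt = {"src": "10.1.2.3", "dst": "192.0.2.1", "proto": "tcp", "dport": 8080, "iif": "eth0"}
    print(trace(tables, "filter", "INPUT", pkt))  # ('DROP', 'INPUT:policy', ['INPUT:1', 'WEB:2'])
```

Feed the printed DOT to Graphviz's dot command to get the picture; the trace output is the sieve's answer, and the path it returns is exactly the "where was this packet lost" question: a TCP/8080 packet from 10.1.2.3 is handed to WEB, matches nothing there but the RETURN, and is finally dropped by INPUT's policy rather than by any explicit rule.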
©2002-2017 Wayne Pearson