Sanewall - making sense of firewalling
**************************************
http://www.sanewall.org/
************************
Sanewall is a firewall builder for Linux which uses an elegant language, abstracted to just the right level. This makes it powerful as well as easy to use, audit, and understand. It allows you to create very readable configurations even for complex stateful firewalls.
Simple but useful firewalls need only a few lines of configuration. Very complex setups with flow control and external commands can be created by using bash (http://www.gnu.org/software/bash/) commands in-line with the standard configuration language.
Sanewall can be used to produce local firewalls or router-based firewalls on any system that bash and iptables are available including full GNU/Linux servers and embedded routers such as OpenWRT (http://www.openwrt.org/).
The main goals of the Sanewall project are:
This is achieved by providing an expressive, easy-to-read, write and understand configuration language geared specifically to firewalls (a Domain Specific Language).
The language is sufficiently brief, well-structured and meaningful that a human can manage the firewall rules without the need for additional tools. The use of a simple text-file for configuration allows for optimal use with version control and file-comparison tools.
If you want to install the package from the source tar-files found here: http://download.sanewall.org/releases please read the file INSTALL first. Sanewall uses the GNU Autotools so you can get away with: ./configure && make && make install
When you first install the program a very basic sanewall.conf.example is installed, which if you rename it to sanewall.conf will allow connections out but not in. To get something more complete you have three choices:
If you are replacing FireHOL you should just be able to create the Sanewall configuration by copying firehol.conf over sanewall.conf and renaming any FIREHOL variables to SANEWALL instead.
If you have any custom services in /etc/firehol/services then you will need to update those, too.
Start from an example configuration: client-all.conf lan-gateway.conf server-dmz.conf office.conf
Have Sanewall try to generate a configuration tailored to the machine automatically by running: sanewall wizard
You should review the variables that can be configured and decide if you want to change any. The variables are documented in the "control variables" reference section of sanewall-manual.pdf and the online documentation. You can also read the man-page: man sanewall-variables
If you are running a service which is not pre-defined for you it is simple to define your own. This is documented in the "Adding Services" part of the "sanewall configuration" reference section of sanewall-manual.pdf and the online documentation. You can also read the man-page: man sanewall.conf
Finally, you will also want to ensure that Sanewall runs at boot-time. If you installed from an official package this will be configured in the usual way. For a source installation, the binary can be linked directly into /etc/init.d on many systems. In addition, some example init scripts are available here: http://bugs.sanewall.org/wiki/Init_Scripts
The main website is here: http://www.sanewall.org/
To ask questions please sign up to the list: http://lists.sanewall.org/mailman/listinfo/sanewall-users
Man pages, PDF and HTML documentation are provided as part of the package and can be found in the tarball or in your distribution's standard locations (e.g. /usr/share/doc). The latest manual is always available as PDF and online HTML here: http://download.sanewall.org/releases/latest/sanewall-manual.pdf http://download.sanewall.org/releases/latest/sanewall-manual.html
along with a list of all services supported "out of the box": http://download.sanewall.org/releases/latest/sanewall-services.html
For further help and advice the sanewall-users mailing list archive is fully searchable: http://lists.sanewall.org/pipermail/sanewall-users/
The wiki page for contributors and potential contributors is here: http://bugs.sanewall.org/wiki/Getting_Involved
The official bug tracker is here: http://bugs.sanewall.org/sanewall
The official git trees are here: http://git.sanewall.org/
If you would like to get involved, please consider subscribing to the development mailing list: http://lists.sanewall.org/mailman/listinfo/sanewall-dev
Sanewall is a fork of FireHOL (http://firehol.sourceforge.net/) which was made when development of that project stalled. A great deal is owed to that project and Costa Tsaousis for originating it. All existing FireHOL definitions should be compatible with Sanewall.
Copyright (C) 2012,2013 Phil Whineray phil@sanewall.org Copyright (C) 2003-2013 Costa Tsaousis costa@tsaousis.gr
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA