fwpolicy - a Firewall Policy toolset

$Id: fwpolicy.html,v 1.2 1999-03-11 10:58:11-08 jhardin Exp jhardin $

Introduction

fwpolicy is a project that I've recently become interested in trying to implement. I've written a firewall GUI for Linux that's been fairly well received, but needs updating for the newer kernels. I've also had comments that a GUI doesn't work particularly well for vision-impaired users, and I've noticed a lot of questions about "how do I redirect traffic to a web server behind my firewall" and the like on the Linux newsgroups - a management issue that I'd like to simplify.

After some thought about these issues (migration, accessibility, etc.) I decided that the proper approach is to separate the problem domain into three parts:

  1. The definition of the firewall - the configuration of the network topology and desired firewalling should be described in abstract terms not directly related to any one platform. This definition would be presented in the form of a structured language.

  2. The implementation of the firewall - a platform-specific tool should then read the definition file and produce the necessary commands to implement it. This can be targeted to any platform (Linux, *BSD, Solaris, Cisco routers, et al. - even Windows NT, if it's possible to define firewalling other than manually via the GUI, and Windows '95/'98, if a third-party security tool is available) and take advantage of the strengths of the security tools available on that platform.

  3. The User Interface - the UI must be decoupled from the actual implementation of the firewall, or you run into the situation of having a great tool that only works with a specific platform (e.g. Linux 2.0.x) and for a specific subset of the possible user base (e.g. GUI users vs. text users or web users).

A little bit of research and some further thought has caused me to broaden my initial idea into something that appears to be approaching a master's level thesis project: The specification and implementation of network security policy on a site-wide basis.

This change in course was largely prompted by visiting SolSoft's NetPartitioner site, which made me realize that the security policy can be specified for the entire network, and that the implementation tool can look at that policy and figure out how to implement it on the system it's running on or (in the case of remote configuration) for.

This model scales from defining the firewall policy for a single computer in someone's home connected to the Internet via PPP up to a corporate network with multiple paths to the Internet via boundary networks and bastion hosts. It permits central definition of network security policy (at least some aspects of it) and easily distributed automated implementation of that policy.

I probably have bitten off more than I can chew by myself, so I hope to eventually make this an open-source cross-platform project (GNU fwpolicy?), but time will tell.


Tasks

Here's what I am presently working on:


Futures

What I'd eventually like to produce is a formal definition of a Firewall Policy Definition Language (I don't think it'll be comprehensive enough to warrant being called a Network Security Policy Definition Language), a GPL GUI front end (probably written using Jesper Pedersen's dotfile generator tool since I'm already familiar with it), and GPL implementation back ends for Linux 2.0.x ipfwadm and Linux 2.2.x IP Firewall Chains firewalls, with support for automatic configuration of masquerading and port forwarding.
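As an added example of the definition/implementation split described in the three-part model above and of the ipfwadm and ipchains back ends mentioned here (a constructed sketch, not code from the fwpolicy project): one abstract rule type, a validation pass, and two back ends that emit the Linux 2.0.x ipfwadm and Linux 2.2.x ipchains commands for the same policy. The Rule fields, the home-network sample policy and the function names are assumptions; the command flags are those of the two tools.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str         # "accept" | "deny" | "masquerade"
    direction: str      # "in" | "out" | "forward" (abstract, not a chain name)
    proto: str = "all"  # "all" | "tcp" | "udp" | "icmp"
    src: str = "0/0"    # source address[/mask]
    dst: str = "0/0"    # destination address[/mask]
    dport: str = ""     # destination port, "" for any
    iface: str = ""     # interface name, "" for any

IPFWADM_CATEGORY = {"in": "-I", "out": "-O", "forward": "-F"}  # rule categories
IPCHAINS_CHAIN = {"in": "input", "out": "output", "forward": "forward"}
IPCHAINS_TARGET = {"accept": "ACCEPT", "deny": "DENY", "masquerade": "MASQ"}

def ipfwadm(r: Rule) -> str:
    parts = ["ipfwadm", IPFWADM_CATEGORY[r.direction], "-a", r.action]
    if r.proto != "all":
        parts += ["-P", r.proto]
    parts += ["-S", r.src, "-D", r.dst]
    if r.dport:
        parts.append(r.dport)  # ports follow the -D address
    if r.iface:
        parts += ["-W", r.iface]
    return " ".join(parts)

def ipchains(r: Rule) -> str:
    parts = ["ipchains", "-A", IPCHAINS_CHAIN[r.direction]]
    if r.proto != "all":
        parts += ["-p", r.proto]
    parts += ["-s", r.src, "-d", r.dst]
    if r.dport:
        parts.append(r.dport)  # ports follow the -d address
    if r.iface:
        parts += ["-i", r.iface]
    return " ".join(parts + ["-j", IPCHAINS_TARGET[r.action]])

def compile_policy(rules, backend):
    for r in rules:  # validate in abstract terms before any platform sees it
        if r.action == "masquerade" and r.direction != "forward":
            raise ValueError("masquerading only applies to forwarded traffic")
    return [{"ipfwadm": ipfwadm, "ipchains": ipchains}[backend](r) for r in rules]

# Constructed sample: LAN 192.168.1.0/24 masqueraded out ppp0, web in allowed, rest denied.
HOME_POLICY = [
    Rule("masquerade", "forward", src="192.168.1.0/24", iface="ppp0"),
    Rule("accept", "in", proto="tcp", dport="80", iface="ppp0"),
    Rule("deny", "in", iface="ppp0"),
]
```

Port forwarding is left out because on both kernel generations it is configured through a separate helper rather than by these two commands.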

Other things that I'd like to see are:

Volunteers are welcome...


You can contact me at <jhardin@wolfenet.com>. I'd like to hear your comments and suggestions, particularly if you know of somewhere that an open-source version of this (in part or in whole) is already underway. You can also visit the current version of this document, and take a look at my home page...


© 1999 by John Hardin. You may copy this page as long as the content is unchanged (you can change the formatting to fit your site if you want) and the link to the original page is left intact.