pyroman - a firewall configuration utility
- [ -hvnspP ] [ -r RULESDIR ] [
-t SECONDS ]
[ --help ] [ --version ] [ --safe ] [ --no-act ]
[ --print ] [ --print-verbose ] [
[ --timeout=SECONDS ] [ safe ]
is a firewall configuration utility.
It will compile a set of configuration files to iptables statements to setup IP
packet filtering for you.
While it is not necessary for operating and using Pyroman, you should have
understood how IP, TCP, UDP, ICMP and the other commonly used Internet
protocols work and interact. You should also have understood the basics of
iptables in order to make use of the full functionality.
does not try to hide all the iptables complexity from you, but
tries to provide you with a convenient way of managing a complex networks
firewall. For this it offers a compact syntax to add new firewall rules, while
still exposing access to add arbitrary iptables rules.
- -r RULESDIR,--rules=RULES
- Load the rules from directory RULESDIR instead of
the default directory (usually /etc/pyroman )
- -t SECONDS,--timeout=SECONDS
- Wait SECONDS seconds after applying the changes for
the user to type OK to confirm he can still access the firewall.
This implies --safe but allows you to use a different timeout.
- -h, --help
- Print a summary of the command line options and exit.
- -V, --version
- Print the version number of pyroman and exit.
- -s, --safe, safe
- When the firewall was committed, wait 30 seconds for the
user to type OK to confirm, that he can still access the firewall
(i.e. the network connection wasn't blocked by the firewall). Otherwise,
the firewall changes will be undone, and the firewall will be restored to
the previous state. Use the --timeout=SECONDS option to
change the timeout.
- -n, --no-act
- Don't actually run iptables. This can be used to check if
pyroman accepts the configuration files.
- -p, --print
- Instead of running iptables, output the generated
- -P, --print-verbose
- Instead of running iptables, output the generated rules.
Each statement will have one comment line explaining how this rules was
generated. This will usually include the filename and line number, and is
useful for debugging.
Configuration of pyroman consists of a number of files in the directory
. These files are in python syntax, although you do not
need to be a python programmer to use these rules. There is only a small
number of statements you need to know:
- Define a new host or network
- Define a new interface (group)
- Add a new service alias (note that you can always use e.g.
www/tcp to reference the www tcp service as defined in /etc/services)
- Define a new NAT (Network Address Translation) rule
- Allow a service, client, server combination
- Reject access for this service, client, server
- Drop packets for this service, client, server
- Add a rule for this service, client, server and target
- Add an arbitrary iptables statement to be executed at
- Add an arbitrary iptables statement to be executed at the
- Detailed parameters for these functions can be looked up by
None known as of pyroman-0.4 release
was written by Erich Schubert <firstname.lastname@example.org>