FWMAP

WHAT IS FWMAP ?

fwmap is a tool designed to manage your firewalls. You can build an image of your network and simply add rules to your firewall by adding used or provided services to your hosts.

NEWS

24.01.2001 fwmap-0.1.3 is now available. fwmap has a new "ruleengine" :-), and it's possible to deny packets manually, but it works horrible.
A lot of source is rewritten (i.e. fileformat), so you can not use 0.1.2 maps in 0.1.3.
I'm working on my english :-)

25.01.2001 fwmap-0.1.4 released. A lot of bugs are fixed and I hope fwmap is usable now.

11.02.2001 fwmap-0.1.5 released. Documentation added.

FEATURES

supports Linux/ipchains and Cisco Access-Control-Lists
supports other packetfilter via plug-in

SCREENSHOTS

Mainscreen	View	Edit	Sample output

DOCUMENTATION/FAQ

How can I add nodes to my map?
Rightclick on an icon and choose 'New Node'. Now enter name and type for this node and press 'OK'.

How can I add rules to my firewall?

Doubeclick one of your hosts, choose 'Allows' and 'add' a service this host should use, i.e. "tcp http 192.168.5.5" if this host should use WWW of host 192.168.5.5.

Where are the rules?

Click 'Create' and you will see them :-)

Can I trust fwmap?

No, not yet (I think you should never because it's just software...). But fwmap can help you to determine which rules you need. A good motto is: If you have less rules than fwmap you should find out why... :-)

EXAMPLES

You have a network (192.168.2.0/24) connected throu your firewall (192.168.2.1/24) to the internet. Your map and your nodelist should look like:

example1

Add the following service to your clientnet:

Use:
tcp http internet

You get:
ipchains -A input -i eth1 -p ip -s 0.0.0.0/0 -d 192.168.1.1/32 -j DENY
ipchains -A input -i eth1 -p ip -s 0.0.0.0/0 -d 192.168.2.1/32 -j DENY
ipchains -A input -i eth1 -p tcp -s 192.168.2.0/24 --sport 1024: -d 0.0.0.0/0 --dport 80 -j ACCEPT
ipchains -A input -i eth1 -j DENY -l
ipchains -A input -i ser0 -p ip -s 0.0.0.0/0 -d 192.168.2.1/32 -j DENY
ipchains -A input -i ser0 -p tcp -s 0.0.0.0/0 --sport 80 -d 192.168.2.0/24 --dport 1024: !-y -j ACCEPT
ipchains -A input -i ser0 -j DENY -l

As you can see fwmap denies all packets to your firewall automatically. If you think fwmap doesn't because there's no DENY for 192.168.1.1/32 on ser0 I can say fwmap removed this rule because there's a DENY for every packet.

Now we add a logserver on firewall/eth0 and add the following services to firewall:

Provide:
tcp telnet logserver
Use:
udp syslog logserver

You get:
ipchains -A input -i eth0 -p tcp -s 192.168.3.2/32 --sport 1024: -d 192.168.3.1/32 --dport 23 -j ACCEPT
ipchains -A input -i eth0 -p udp -s 192.168.3.2/32 --sport 514 -d 192.168.3.1/32 --dport 1024: -j ACCEPT
ipchains -A input -i eth0 -j DENY -l
ipchains -A input -i eth1 -p ip -s 0.0.0.0/0 -d 192.168.3.2/32 -j DENY
ipchains -A input -i eth1 -p ip -s 0.0.0.0/0 -d 192.168.1.1/32 -j DENY
ipchains -A input -i eth1 -p ip -s 0.0.0.0/0 -d 192.168.2.1/32 -j DENY
ipchains -A input -i eth1 -p ip -s 0.0.0.0/0 -d 192.168.3.1/32 -j DENY
ipchains -A input -i eth1 -p tcp -s 192.168.2.0/24 --sport 1024: -d 0.0.0.0/0 --dport 80 -j ACCEPT
ipchains -A input -i eth1 -j DENY -l
ipchains -A input -i ser0 -p ip -s 0.0.0.0/0 -d 192.168.2.1/32 -j DENY
ipchains -A input -i ser0 -p tcp -s 0.0.0.0/0 --sport 80 -d 192.168.2.0/24 --dport 1024: !-y -j ACCEPT
ipchains -A input -i ser0 -j DENY -l

DOWNLOAD

(fwmap uses perl_gtk)

fwmap-0.1.5.tar.gz

MENU