Provided by: pyroman_0.5.0-1_all
pyroman - a firewall configuration utility
pyroman [ -hvnspP ] [ -r RULESDIR ] [ -t SECONDS ] [ --help ] [ --version ] [ --safe ] [ --no-act ] [ --print ] [ --print-verbose ] [ --rules=RULESDIR ] [ --timeout=SECONDS ] [ safe ]
pyroman is a firewall configuration utility. It will compile a set of configuration files to iptables statements to setup IP packet filtering for you. While it is not necessary for operating and using Pyroman, you should have understood how IP, TCP, UDP, ICMP and the other commonly used Internet protocols work and interact. You should also have understood the basics of iptables in order to make use of the full functionality. pyroman does not try to hide all the iptables complexity from you, but tries to provide you with a convenient way of managing a complex networks firewall. For this it offers a compact syntax to add new firewall rules, while still exposing access to add arbitrary iptables rules.
-r RULESDIR,--rules=RULES Load the rules from directory RULESDIR instead of the default directory (usually /etc/pyroman ) -t SECONDS,--timeout=SECONDS Wait SECONDS seconds after applying the changes for the user to type OK to confirm he can still access the firewall. This implies --safe but allows you to use a different timeout. -h, --help Print a summary of the command line options and exit. -V, --version Print the version number of pyroman and exit. -s, --safe, safe When the firewall was committed, wait 30 seconds for the user to type OK to confirm, that he can still access the firewall (i.e. the network connection wasn't blocked by the firewall). Otherwise, the firewall changes will be undone, and the firewall will be restored to the previous state. Use the --timeout=SECONDS option to change the timeout. -n, --no-act Don't actually run iptables. This can be used to check if pyroman accepts the configuration files. -p, --print Instead of running iptables, output the generated rules. -P, --print-verbose Instead of running iptables, output the generated rules. Each statement will have one comment line explaining how this rules was generated. This will usually include the filename and line number, and is useful for debugging.
Configuration of pyroman consists of a number of files in the directory /etc/pyroman. These files are in python syntax, although you do not need to be a python programmer to use these rules. There is only a small number of statements you need to know: add_host Define a new host or network add_interface Define a new interface (group) add_service Add a new service alias (note that you can always use e.g. www/tcp to reference the www tcp service as defined in /etc/services) add_nat Define a new NAT (Network Address Translation) rule allow Allow a service, client, server combination reject Reject access for this service, client, server combination drop Drop packets for this service, client, server combination add_rule Add a rule for this service, client, server and target combination iptables Add an arbitrary iptables statement to be executed at beginning iptables_end Add an arbitrary iptables statement to be executed at the end Detailed parameters for these functions can be looked up by caling cd /usr/share/pyroman pydoc ./commands.py
None known as of pyroman-0.4 release
pyroman was written by Erich Schubert <email@example.com>
iptables(8), iptables-restore(8) iptables-load(8) PYROMAN(8)