So here's a project I've been working on -- implementing the proprietary firewall language used at my (past) job that wraps around iptables. Full background of what and why: http://github.com/fukawi2/husk/blob/master/ABOUT
It allows expression of rules in somewhat of a more free-form, and certainly more readable format than raw iptables commands. For example:
match calls from LAN to NET
accept protocol tcp ports 80,443 # Allow web access
accept protocol tcp port rsync destination address abs.archserver.org # Allow rsync to pull ABS updates for ArchLinux
reject all protocol tcp port 6666:6669 # no irc
intercept protocol tcp port 25 # force all smtp to go through the smtp gateway on this box
end match calls
match table input
accept protocol tcp port ssh # SSH Administration
end match table
(That's only a very small example of part of a rule file)
For more info, check the README: http://github.com/fukawi2/husk/blob/master/README
Download available through SourceForge: https://sourceforge.net/projects/husk/
Also available in the AUR: http://aur.archlinux.org/packages.php?ID=42482
I'd love some testers to break it and let me know what I've missed in my testing. I of course hope it will be useful for others too
It is definitely still 'alpha' or 'beta' stage. Documentation is certainly fairly weak, but I hope it's good enough that most Archers will be able to figure out what I'm on about
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Love the name mate
Indeed the idea also. I always preferred pf over iptables and found it a bore to switch back and forth when I needed to (host-based firewalls), so like you I intended to create a DSL around it.
I've forked the project, and will certainly test for you, and maybe send in some patches.
Registered Linux User: #294850
Thanks for the feedback guys -- by the way, I don't claim to be any good at Perl, but so far I'm getting the job done
I like that you can still use raw iptables rules in your system
Well the husk can't do everything
Bump to 0.3.2 on SF and AUR... Now with Makefile to make install/uninstall easier!
Is anyone using this? I've pretty much achieved most of what I want it to do for now, so more ideas would be good
Whoa, this is great. I've been wanting to learn more about firewalls and network security in general for a while now, but have been put off by those raw iptables commands you mentioned.
I've looked over the configuration files and README, and while nearly all of it is intelligible enough where I feel I'll be able to grasp it eventually, I am somewhat confused by the network interfaces examples.
warning: obvious newb ahead!
I have one wireless device and one ethernet device represented as wlan0 and eth0 respectively. Perhaps it's just the naming scheme you chose, but what would the correct setup be according to the example rule files you included?
NET makes me think of the devices I'd use to connect to the web, which would be both wlan0 and eth0 (through a router). What would LAN be? I'm also a little confused about why you skipped eth0 in the README file's SETUP section.
Sorry for the slight hijack.
Edit: Whoops, I just came across Shorewall's documentation which helped a lot. I suppose I should have Google'd some more. ;_;
Last edited by Ledti (2010-12-01 15:16:02)
Thanks for the feedback -- it's good to hear someone else's perspective. Things that make perfect sense to me, I of course haven't thought of everyone else's possible situations
Ledti wrote:I've been wanting to learn more about firewalls and network security in general for a while now, but have been put off by those raw iptables commands you mentioned.
I think all (at least most) of the compiled output includes a comment stating which line of the rules.conf file that iptables command came from, so you can look at what you write in rules.conf and match that up to the compiled output to help you learn iptables if you want
Ledti wrote:NET makes me think of the devices I'd use to connect to the web, which would be both wlan0 and eth0 (through a router). What would LAN be?
I'm guessing you're on a laptop? What I would do in this situation is name like:
name eth0 as LAN
name wlan0 as WLS
Then create a target for your traffic, linked from both 'match calls' blocks such as:
match target INCOMING
accept protocol tcp port ssh
etc etc
end match target
match calls from LAN to BOX
INCOMING all
end match calls
match calls from WLS to BOX
INCOMING all
end match calls
This way you have one 'target' to maintain, but it is applied to both wlan0 and eth0. You can also create rules specific for each interface by inserting them in the respective 'match calls' instead of the 'INCOMING' target.
Ledti wrote:I'm also a little confused about why you skipped eth0 in the README file's SETUP section.
Probably because eth0 just connects to my ADSL modem in my setups so eth0 doesn't actually carry any traffic apart from the ADSL PPP tunnel. I'll have a look at updating that.
Last edited by fukawi2 (2010-12-01 21:54:00)
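The compile step fukawi2 describes above (husk-style rule text in, iptables commands out, each carrying the rules.conf line it came from), together with the shared INCOMING target reached from both interfaces, as a toy compiler. This is an added example, not husk's own Perl code: the chain names, the nat-table REDIRECT used for 'intercept', BOX meaning the firewall host itself and the ppp0/NET mapping are all my assumptions, and the sample rules file is constructed from the snippets in this thread.

```python
"""Toy compiler for the husk-style rule syntax quoted in this thread.

Added illustration, not husk's Perl code: the chain names, the nat-table
REDIRECT used for 'intercept' and BOX meaning the firewall host itself are
assumptions, so real husk output will differ in detail.
"""
# Constructed rules.conf stitched from the thread's snippets. ppp0/NET is
# assumed; the thread only says eth0 carries the author's ADSL PPP tunnel.
SAMPLE_RULES = """\
name eth0 as LAN
name wlan0 as WLS
name ppp0 as NET
match target INCOMING
accept protocol tcp port ssh # SSH Administration
end match target
match calls from LAN to NET
accept protocol tcp ports 80,443 # Allow web access
accept protocol tcp port rsync destination address abs.archserver.org
reject all protocol tcp port 6666:6669 # no irc
intercept protocol tcp port 25 # force smtp via the gateway on this box
end match calls
match calls from LAN to BOX
INCOMING all
end match calls
match calls from WLS to BOX
INCOMING all
end match calls
"""
ACTIONS = {"accept": "ACCEPT", "reject": "REJECT", "drop": "DROP"}
# keywords taking one value -> iptables option ('ports' is a comma list)
VALUE_OPTS = {"protocol": "-p", "port": "--dport", "ports": "-m multiport --dports"}


def _match_opts(words):
    """Translate a rule's keyword/value pairs into iptables match options."""
    opts, i = [], 0
    while i < len(words):
        w = words[i]
        if w == "all":                      # explicit 'match everything'
            i += 1
        elif w in VALUE_OPTS:
            opts += [VALUE_OPTS[w], words[i + 1]]
            i += 2
        elif w in ("source", "destination") and words[i + 1] == "address":
            opts += ["-s" if w == "source" else "-d", words[i + 2]]
            i += 3
        else:
            raise ValueError(f"unknown keyword {w!r}")
    return " ".join(opts)


def _hook(src, dst, names):
    """Built-in chain and interface tests for 'match calls from X to Y'."""
    if dst == "BOX":                        # traffic addressed to this host
        return "INPUT", f"-i {names[src]}"
    return "FORWARD", f"-i {names[src]} -o {names[dst]}"


def _rule(chain, words, target, tag):
    parts = ["iptables", "-A", chain, _match_opts(words), "-j", target, tag]
    return " ".join(p for p in parts if p)  # 'all' yields an empty match


def compile_rules(text):
    """Return the list of iptables commands for a husk-style rules text."""
    names, targets, cmds = {}, set(), []
    chain = in_iface = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comment, tokenize
        if not words:
            continue
        # each rule records its rules.conf line, as the thread describes
        tag = f'-m comment --comment "rules.conf:{lineno}"'
        if words[0] == "name":                # name eth0 as LAN
            names[words[3]] = words[1]
        elif words[0] == "end":
            chain = in_iface = None
        elif words[:2] == ["match", "calls"]:  # match calls from X to Y
            src, dst = words[3], words[5]
            chain = f"{src}_{dst}"
            hook, iface_test = _hook(src, dst, names)
            in_iface = names.get(src)
            cmds.append(f"iptables -N {chain}")
            cmds.append(f"iptables -A {hook} {iface_test} -j {chain}")
        elif words[:2] == ["match", "table"]:  # match table input -> INPUT
            chain = words[2].upper()
        elif words[:2] == ["match", "target"]:  # reusable user chain
            chain = words[2]
            targets.add(chain)
            cmds.append(f"iptables -N {chain}")
        elif chain is None:
            raise ValueError(f"line {lineno}: rule outside a match block")
        elif words[0] in targets:             # INCOMING all -> jump to it
            cmds.append(_rule(chain, words[1:], words[0], tag))
        elif words[0] == "intercept":         # assumed: nat REDIRECT to this box
            if in_iface is None:
                raise ValueError(f"line {lineno}: intercept needs a calls block")
            cmds.append(f"iptables -t nat -A PREROUTING -i {in_iface} "
                        f"{_match_opts(words[1:])} -j REDIRECT {tag}")
        elif words[0] in ACTIONS:
            cmds.append(_rule(chain, words[1:], ACTIONS[words[0]], tag))
        else:
            raise ValueError(f"line {lineno}: unknown action {words[0]!r}")
    return cmds
```

compile_rules(SAMPLE_RULES) returns the commands in file order, so the two 'calls ... to BOX' blocks both collapse into a single jump to INCOMING, which is the maintenance win fukawi2 is pointing at; the per-line comment tag is what lets you match a line of rules.conf against what iptables -L actually loaded.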
Yeah, thanks. That definitely clarifies things for me. I just assumed the default configuration was for a setup similar to mine, but it wasn't, which is where my confusion came from.
Urgh, my past employer is claiming copyright... I've never even seen the code for their compiler, let alone copied it, so the only thing they can claim I've copied is the language....
Nevertheless, I've taken down the GitHub and SourceForge pages until I can work this out.
Sorry folks, will keep you posted.