WallFire

What is it?

The goal of the WallFire project is to build a very general and modular firewalling application based on Netfilter or any other kind of low-level framework.
It will make it possible to manage every aspect of firewall administration, from configuration to monitoring, intrusion detection, and so on.
WallFire will provide command line and interactive tools as well as X Window or Web front-ends.

WallFire is "libre" (free as in speech, in English) software. It is mainly written in C++ and is intended to run on every *nix system.



 
How does it work?

  • Concepts
    WallFire is a package that will be composed of:
    • a server side:
      • wfpolicyd, a daemon which can run on any host and centralises rule and policy management
      • wfcommitd, a daemon which runs on the firewall(s) themselves and commits the firewalling rules, whatever platform it runs on and whatever tools are available there.
      So you need to run a wfcommitd daemon on each firewall, but only one wfpolicyd for a whole site.
    • a client side:
      • some libraries (for example wfnetobjs) on which every operation relies
      • wfconvert, the tool which imports and translates rules from/to any supported firewalling language
      • wflogs, the log analysis and reporting tool
      • wfadmin, the administration shell tool
      • xwfadmin, the X (Qt) administration front-end, which is useful, but not compulsory
      • webfire, the Web administration interface (in PHP).


    Of course, client and server parts can (should?) be run on different hosts. All communications will be authenticated and encrypted (via SSL).
    All data (network objects, rules, logs) will be importable and exportable as XML.

    So far, the parts that have been implemented are some libraries (wfnetobjs, for example), the wfconvert command (which is quite functional now) and the wflogs command (which is mature and fully functional).

    Note that wfconvert and wflogs can be used locally, independently of other WallFire tools.

  • Screenshots: wflogs HTML report example.


 
News

  • Mar 2 2005: release of wfnetobjs-0.2.4 and wfconvert-0.4.1
  • Feb 18 2005: release of wfnetobjs-0.2.3 and wfconvert-0.4.0
  • Sep 6 2004: Hervé Eychenne was invited to the 3rd Netfilter Workshop, which took place in Erlangen (Germany), just before Linux Kongress.
    Here is the summary of the Workshop.
  • May 24 2004: release of wfnetobjs-0.2.2 and wflogs-0.9.8
  • May 8 2004: release of wfnetobjs-0.2.1 and wfconvert-0.3.1
  • Apr 30 2004: release of wfconvert-0.3.0, which is a major improvement over the previous version
  • Apr 28 2004: release of wfnetobjs-0.2.0
  • Jan 8 2004: release of wflogs-0.9.7
  • Oct 30 2003: release of wfnetobjs-0.1.8 and wflogs-0.9.6
  • Aug 18 2003: Hervé Eychenne was invited to the Netfilter workshop 2003, which took place in Budapest. I gave a talk about the WallFire project, and about my wishlist for Netfilter, especially from the WallFire point of view. Here are the slides in MagicPoint format, or in HTML.
    Here is the summary page of the Workshop.
  • Apr 7 2003: release of wflogs-0.9.5
  • Feb 17 2003: wflogs, libwfnetobjs0 and libwfnetobjs0-dev packages are now available in Debian sid (unstable). Debian woody (stable) i386 binary packages are also available (via an apt repository) on http://people.debian.org/~kelbert/ (see download section). Many thanks to Jean-Michel Kelbert, the wallfire Debian packager.
  • Jan 30 2003: release of wfnetobjs-0.1.7 and wflogs-0.9.4
  • Oct 30 2002: release of wfnetobjs-0.1.6, wfconvert-0.2.0, and wflogs-0.9.3
  • Sep 26 2002: the netobjs library was taken out of wfconvert, and became a separate source tree, used by wfconvert and wflogs. Release of wfnetobjs-0.1.5, wfconvert-0.1.5, and wflogs-0.9.2
  • Aug 21 2002: release of wfconvert-0.1.4 and wflogs-0.9.1
  • Aug 17 2002: release of wflogs-0.9.0, with a Debian package by Guillaume Morin.
  • Jul 29 2002: release of wfconvert-0.1.3 and wflogs-0.0.5
  • Jul 12 2002: I'm giving a talk about WallFire, as part of the security topic at the Libre Software Meeting.
    Here are the slides in MagicPoint format, or in HTML.
  • Jun 20 2002: release of wflogs-0.0.4
  • May 30 2002: release of wfconvert-0.1.2 and wflogs-0.0.3
  • May 3 2002: public release of wfconvert-0.1.1 and wflogs-0.0.2
  • Apr 5 2002: I was hired by KDX Ingenierie, spending half of my working time on WallFire development. See credits section.
  • Mar 7 2002: first public release of a WallFire tool: wfconvert-0.1.0. Who said "vaporware"?! ;-)


 
Authors

  • Author: Hervé Eychenne <rv _AT_ wallfire.org>

    Please avoid using this address. Use the different mailing-lists instead.

  • Debian package maintainer: Jean-Michel Kelbert <kelbert _AT_ debian.org>.


 
Supported systems

WallFire is intended to work on real systems such as Unix, especially Linux and *BSD.
  • Server part:
    The goal of WallFire is not to reinvent the wheel. It relies on existing firewalling backends. So in the future, the firewalling part will be able to run on:
    • Netfilter: Linux 2.4 and 2.6
    • Ipchains: Linux 2.2
    • IP Filter: NetBSD, FreeBSD, OpenBSD, Solaris, SunOS 4, IRIX, HP-UX.

    For the moment, only Netfilter rules are generated. Feel free to help!

  • Client part:
    As the GUI can be run on any host (not necessarily the firewall), it should not be too difficult to find an adequate client platform.
    • Native GUI:
      The native WallFire graphical user interface xwfadmin will be based on Qt, so it will run on every system supporting it.
      Please note: the GUI is only a graphical layer based on the WallFire framework, so it would be quite easy to program another one (in Gtk--, for example). Yet, I can only discourage such projects for now, as there are still so many things to do at the moment without spreading efforts thin... Think of the Jabber project: so many GUIs, and so few working correctly...
    • Web GUI:
      In the worst case, WebFire, the WallFire Web administration interface, will be there to solve this problem. It is less user-friendly but more "universal".


 
Download

WallFire is released under the GNU GPL (see license section).

Please note that you need wfnetobjs to compile wflogs. Both source trees should be untarred from the same directory.

It is strongly recommended to use wflogs with libadns (an asynchronous DNS resolution library), which speeds things up greatly on large log files.

Debian packages:

  • wflogs, libwfnetobjs0 and libwfnetobjs0-dev packages are now available in Debian sid (unstable)
  • i386 binary packages are also available for Debian woody (stable) (via an apt repository). All you have to do is add
    deb http://people.debian.org/~kelbert/ stable main
    to your /etc/apt/sources.list file.
    Then run apt-get update && apt-get install wflogs, for example.
    Note: Debian binary packages made for woody should also work on sid, but you'd better use the standard sid packages available through your usual Debian apt mirror.

Upstream files:

  • Mar 2, 2005: wfnetobjs version 0.2.4: ChangeLog
    • Gzipped source code: wfnetobjs-0.2.4.tar.gz [535 Kb] (HTTP), md5sum: 6d4886c396a5dd87257c93bf3027e6f6
    • Bzipped source code: wfnetobjs-0.2.4.tar.bz2 [397 Kb] (HTTP), md5sum: 089ce965053f046ade9cbccc8c018b5d
  • May 24, 2004: wflogs version 0.9.8: ChangeLog
    • Gzipped source code: wflogs-0.9.8.tar.gz [731 Kb] (HTTP), md5sum: cee2ac33ca3c284f9253b492f793624c
    • Bzipped source code: wflogs-0.9.8.tar.bz2 [493 Kb] (HTTP), md5sum: 5e9c345113d986beeab243bed4ec94b5
  • Mar 2, 2005: wfconvert version 0.4.1: ChangeLog
    • Gzipped source code: wfconvert-0.4.1.tar.gz [609 Kb] (HTTP), md5sum: 8f56efeb864d542ab7cb80a957456204
    • Bzipped source code: wfconvert-0.4.1.tar.bz2 [445 Kb] (HTTP), md5sum: 24670c5939e7c91d0a5bb8ecd76084d1
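As an added example (not part of the WallFire distribution nor of this page's own instructions), a POSIX shell script that checks downloaded release tarballs against the md5sums listed above; it assumes the files are already downloaded and that GNU md5sum or BSD md5 is installed. Such a check detects a corrupted or truncated download; it cannot tell a tarball that was replaced together with its published checksum.

```shell
#!/bin/sh
# Added example, not WallFire project code: verify downloaded release
# tarballs against the md5sums published on the WallFire download page.
# Assumes the tarballs are in the current directory (or paths are given).

# Published md5sum for a release file name; fails for unknown names.
expected_md5() {
  case "$(basename "$1")" in
    wfnetobjs-0.2.4.tar.gz)  echo 6d4886c396a5dd87257c93bf3027e6f6 ;;
    wfnetobjs-0.2.4.tar.bz2) echo 089ce965053f046ade9cbccc8c018b5d ;;
    wflogs-0.9.8.tar.gz)     echo cee2ac33ca3c284f9253b492f793624c ;;
    wflogs-0.9.8.tar.bz2)    echo 5e9c345113d986beeab243bed4ec94b5 ;;
    wfconvert-0.4.1.tar.gz)  echo 8f56efeb864d542ab7cb80a957456204 ;;
    wfconvert-0.4.1.tar.bz2) echo 24670c5939e7c91d0a5bb8ecd76084d1 ;;
    *) return 1 ;;
  esac
}

# Hex md5 digest of a file, using GNU md5sum or BSD md5.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# Compare a file's digest with an expected value: 0 on match, 1 otherwise.
check_md5() {
  [ -f "$1" ] || { echo "MISSING  $1"; return 1; }
  actual=$(md5_of "$1")
  if [ "$actual" = "$2" ]; then
    echo "OK       $1"
  else
    echo "MISMATCH $1 (expected $2, got $actual)"
    return 1
  fi
}

# Verify one release file against the published list.
verify_file() {
  expected=$(expected_md5 "$1") || { echo "UNKNOWN  $1 (not in the published list)"; return 1; }
  check_md5 "$1" "$expected"
}

# Usage: sh verify-wallfire.sh wfnetobjs-0.2.4.tar.gz wflogs-0.9.8.tar.gz ...
# A file reported as MISMATCH, MISSING or UNKNOWN should not be unpacked or built.
for f in "$@"; do verify_file "$f" || :; done
```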


 
Documentation



 
Mailing-lists

To post to these lists, send your email to: <listname@lists.wallfire.org>.



 
CVS

For the moment, only wflogs and wfconvert are under CVS; wfnetobjs will follow soon.
  • Anonymous CVS access:
    • How to check out source anonymously through pserver:
      • Type the following:
        $ cvs -d:pserver:anonymous@cvs.wallfire.org:/cvsroot/wallfire/ login
        and just press Enter, as there is no password for anonymous login.


      • Then, to retrieve the module you want, type:
        $ cvs -d:pserver:anonymous@cvs.wallfire.org:/cvsroot/wallfire/ co .

      • Then, in each source tree directory, type:
        $ ./autogen.sh

      • After the initial checkout, you can go into this directory and execute cvs commands without the -d option. For example:
        $ cvs update

    • If you want to receive real-time notification of checkins in the CVS tree, you may subscribe to the wallfire-checkins@lists.wallfire.org mailing-list.
      See http://wwwlists.wallfire.org/mailman/listinfo/wallfire-checkins/
    • Daily snapshot of the whole CVS tree.
    • CVS source code browser.


    Please be aware that there may be a little delay (depending on SourceForge servers) between the last changes and their availability through anonymous access.

  • Developer CVS access (via SSH) for coreteam members: none yet.


 
License

This program is "libre" software, which means free as in free speech, not as in free beer! (which doesn't imply I don't enjoy a free beer occasionally ;-)
It is released under the terms of the GNU General Public License (GPL).


 
Credits

I started developing WallFire in year 2001 as a personal project.
I'd like to thank KDX Ingenierie for having sponsored me between 2002 and 2004.

I did some stuff for Netfilter in its early stages, in the spring of 1999. I would like to thank Netfilter initial author Paul "Rusty" Russell for his competence, his kindness and incomparable sense of humor.

And finally I would like to thank the frenetic Sophie without whom my slides would not be what they are...



 
Related stuff

  • Netfilter/iptables: the powerful firewalling framework for Linux 2.4 and 2.6.
  • IPFilter: the excellent packet filter originating from *BSD systems (well... even if there have been some licensing problems recently).
  • Ipchains: the firewalling tool of Linux 2.2.


Note: this page is generated by a template. Be aware of this before submitting patches containing formatting information against this page.


Hervé Eychenne, Saturday 26th of November 2005