File: pyroman.8

package info (click to toggle)
pyroman 0.4-3
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 256 kB
  • ctags: 213
  • sloc: python: 1,049; sh: 60; makefile: 9
file content (162 lines) | stat: -rw-r--r-- 3,897 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
.TH PYROMAN 8
.SH NAME
pyroman \- a firewall configuration utility
.SH SYNOPSIS
.hy 0
.na
.TP
.B pyroman
[
.B \-hvnspP
] [
.BI \-r " RULESDIR" 
] [
.BI \-t " SECONDS" 
]
.br
[
.B \-\-help
] [
.B \-\-version
] [
.B \-\-safe
] [
.B \-\-no\-act
]
.br
[
.B \-\-print
] [
.B \-\-print-verbose
] [
.BI \-\-rules= "RULESDIR"
]
.br
[
.BI \-\-timeout= "SECONDS"
] [
.B safe
]
.SH DESCRIPTION
.B pyroman
is a firewall configuration utility.
.PP
It will compile a set of configuration files to iptables statements to
setup IP packet filtering for you.
.PP
While it is not necessary for operating and using Pyroman, you should
have understood how IP, TCP, UDP, ICMP and the other commonly used
Internet protocols work and interact. You should also have understood the
basics of iptables in order to make use of the full functionality.
.PP
.B pyroman
does not try to hide all the iptables complexity from you, but tries to
provide you with a convenient way of managing a complex networks firewall.
For this it offers a compact syntax to add new firewall rules, while still
exposing access to add arbitrary iptables rules.
.SH OPTIONS
.PD 0
.TP
.BI \-r " RULESDIR," \-\-rules= "RULES "
Load the rules from directory
.I RULESDIR 
instead of the default directory (usually
.B /etc/pyroman
)
.TP
.BI \-t " SECONDS," \-\-timeout= "SECONDS "
Wait
.I SECONDS 
seconds after applying the changes for the user to type
.B OK 
to confirm he can still access the firewall. This implies
.I \-\-safe 
but allows you to use a different timeout.
.TP
.BR \-h ", " \-\-help
Print a summary of the command line options and exit.
.TP
.BR \-V ", " \-\-version
Print the version number of
.B pyroman
and exit.
.TP
.BR \-s ", " \-\-safe ", " safe
When the firewall was committed, wait 30 seconds for the user to type
.B OK
to confirm, that he can still access the firewall (i.e. the network
connection wasn't blocked by the firewall). 
Otherwise, the firewall changes will be undone, and the firewall will be
restored to the previous state. 
Use the
.BI \-\-timeout= "SECONDS"
option to change the timeout.
.TP
.BR \-n ", " \-\-no\-act
Don't actually run iptables. This can be used to check if
.B pyroman
accepts the configuration files.
.TP
.BR \-p ", " \-\-print
Instead of running iptables, output the generated rules.
.TP
.BR \-P ", " \-\-print-verbose
Instead of running iptables, output the generated rules. Each statement
will have one comment line explaining how this rules was generated. This
will usually include the filename and line number, and is useful for
debugging.
.SH CONFIGURATION
Configuration of pyroman consists of a number of files in the directory
.IR /etc/pyroman .
These files are in python syntax, although you do not need to be a python
programmer to use these rules. There is only a small number of statements
you need to know:
.TP
.B add_host
Define a new host or network
.TP
.B add_interface
Define a new interface (group)
.TP
.B add_service
Add a new service alias (note that you can always use
e.g. www/tcp to reference the www tcp service as defined in /etc/services)
.TP
.B add_nat
Define a new NAT (Network Address Translation) rule
.TP
.B allow
Allow a service, client, server combination
.TP
.B reject
Reject access for this service, client, server combination
.TP
.B drop
Drop packets for this service, client, server combination
.TP
.B add_rule
Add a rule for this service, client, server and target combination
.TP
.B iptables
Add an arbitrary iptables statement to be executed at beginning
.TP
.B iptables_end
Add an arbitrary iptables statement to be executed at the end
.TP
Detailed parameters for these functions can be looked up by caling
.nf
cd /usr/share/pyroman
pydoc ./commands.py
.fi

.SH BUGS
None known as of pyroman-0.4 release

.SH AUTHOR
.B pyroman
was written by Erich Schubert <erich@debian.org>

.SH SEE ALSO
.BR iptables (8),
.BR iptables-restore (8)
.BR iptables-load (8)