firval

a netfilter firewall rules generator designed to be easy to read, write and maintain


Keywords
netfilter, iptables, firewall
License
MIT
Install
pip install firval==1.2.1

Documentation

firval

a netfilter firewall rules generator designed to be easier to read, write and maintain

Install

git clone https://github.com/nlm/firval
pip install ./firval

How to use

Write a YAML configuration file and feed it to firval.py; it will produce an iptables-restore compatible rule file.

This means you can do this:

cat rules.yaml | firval | iptables-restore

Note that iptables-restore replaces the whole ruleset of each table in one commit, so a valid but wrong configuration (a forgotten input rule for your management address, for example) can lock you out of a remote host. It is safer to write the generated rules to a file, run `iptables-restore --test` on it to check that it parses, read it over, and only then apply it, and to keep console or out-of-band access at hand while doing so.

Configuration syntax

interfaces:
  IFNAME: PHYSICALINTERFACE

addresses:
  ADDRNAME: HOSTADDR | NETADDR

ports:
  PORTNAME: PORTNUMBER

chains:
  filter|nat|mangle:
    CHAINNAME:
      - RULE
      - ...

services:
  SERVICENAME:
    proto: tcp | udp | icmp
    port: PORT-NUMBER(,PORT-NUMBER)* (only for tcp or udp)
    type: ICMP-TYPE (only for icmp)

rulesets:
  IFNAME-to-IFNAME:
    filter|nat|mangle:
      input|forward|output|...: (which built-in chains are available depends on the table: 'filter', 'nat' or 'mangle')
        - RULE
        - ...

RULE = ((accept|reject|drop|masquerade|log|nflog)
        ((not)? from ADDRNAME ((not)? port PORTNAME)?)?
        ((not)? to ADDRNAME ((not)? port PORTNAME)?)?
        ((not)? proto (tcp|udp|icmp|any))?
        (service SERVICENAME)?
        (state (new|established|invalid))?
        (limit INTEGER/TIMEUNIT (burst INTEGER)?)?
        (comment "COMMENT")?
        (prefix "LOG_PREFIX"))
        | (jump CHAINNAME)
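
A complete configuration written in this syntax, for a small router with a LAN and a WAN interface, as an added example that is not part of the firval project. The interface, address, port and service names, the ICMP type name `echo-request` and the time unit `minute` are assumptions chosen for illustration; rule options are written in the order the RULE grammar above lists them, and `prefix` is only used on the `log` rule.

```yaml
# Added example configuration for firval (not from the project itself).
# Names below are assumptions: eth0 is the LAN side, eth1 the WAN side.
interfaces:
  lan: eth0
  wan: eth1

addresses:
  lan_net: 192.168.1.0/24      # the whole internal network
  admin_host: 192.168.1.10     # the one internal host that may be reached over ssh

ports:
  ssh: 22

services:
  web:
    proto: tcp
    port: 80,443
  ping:
    proto: icmp
    type: echo-request         # assumed ICMP-TYPE spelling, as used by iptables

# A custom filter chain: log at a bounded rate, then drop.
chains:
  filter:
    log_and_drop:
      - log limit 5/minute burst 10 prefix "firval-drop: "
      - drop

rulesets:
  # Traffic leaving the LAN towards the WAN.
  lan-to-wan:
    filter:
      forward:
        - accept state established
        - drop state invalid
        - drop not from lan_net comment "no spoofed source addresses from the lan side"
        - accept from lan_net service web comment "lan hosts may browse the web"
        - accept from admin_host service ping
        - jump log_and_drop

  # Traffic entering from the WAN towards the LAN.
  wan-to-lan:
    filter:
      forward:
        - accept state established
        - drop state invalid
        - accept to admin_host port ssh proto tcp limit 3/minute burst 5 comment "rate-limited admin ssh"
        - jump log_and_drop
```

The two `jump log_and_drop` lines give both directions the same default-deny behaviour without repeating the logging rule, and the `limit` on the log rule keeps a scan from flooding the kernel log. Feed the file through firval and read the generated iptables-restore output before loading it; the `comment` strings are the quickest way to match a generated rule back to the line in the YAML that produced it.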