Fork me on GitHub

Firelet: Distributed firewall management

Firelet is a centralized firewall management tool for small and medium scale environments.

It supports Linux-based firewall nodes.

Based on a set of rules, Firelet builds and deploys Iptables/Netfilter configurations on the firewalls on a per-need basis.


Firelet is currently under development.

Please subscribe to the mailing list for updates.
Contributors are very welcome.


Mailing list: firelet@googlegroups.com [archive]

GitHub commits feed feed

Adaptive rule deployment

Firelet deploys on each firewall only the required rules based on the directly contiguous network.

Example: A set of hosts are running in two different networks: left and right side.

The networks are routed by two firewall nodes. Also, the Server host is running a local firewall. The Client host is not running a firewall.
A rule is configured to allow Client to connect to Server. Based on the network interfaces connected to each host, only three nodes needs to be updated. A new rule is deployed to the two central firewall and the Server host (orange arrows).
Any other firewall-enabled host in the network will not receive a copy of the new rule as long as it is not on the traffic path.

Feature list

  • Centralized rule management
  • Allow and Drop rules, with various levels of logging
  • Web and command line interface
  • Hierarchical groups of hosts, based on host names and networks
  • Simple, text based configuration files
  • Configuration files versioning
  • No need for agents on the managed firewalls, just SSH and IPtables
  • No “custom” syntax to be learnt

Non-features

Firelet provides only Netfilter-based traffic filtering. Firelet does not provide:

  • Interface, routing and masquerading (1-to-many NAT) management
  • VPN management
  • Failover and load-balancing configuration
  • Configuration of non-Linux-based firewalls
  • Support for custom iptables chains and targets
  • Log analysis and correlation

However, Firelet can manage rulesets on firewalls in HA or load-balancing setups,
running masquerading, and Linux-based VPN endpoints.

Ruleset
Hosts
Host editing

Firelet online demo

The demo will be availble soon.

You can login on the online demo using:

UsernameRolePasswordComment
AdaadminadaCan edit, save, deploy, rollback.
EddyeditoreddyCan edit and save only.
RobreadonlyrobCannot make changes.

Please keep in mind that only one user can be logged in at a time. A read-only user will be added.

The “Check” and “Deploy” functions behave as they were running on a real set of firewalls.
No real firewall nodes are being used.

The documentation page is under construction.

Development roadmap

Release 0.7

  • Ruleset editing, compliation and deployment fully working
  • Basic documentation

Release 0.8

  • Debian packaging
  • Unit testing
  • Fully documented

Release 0.9

  • Fully working CLI interface

Release 1.0

  • Full unit testing and code coverage

Release 1.1

  • Search function

Release 1.2

  • Firewall "assimilation" function
  • Virtual machine appliance
  • Firewall deployment ISO image

Release 1.2

  • Ruleset review function:
    • Collecting counter status from the firewalls
    • Correlating rule usage and providing statistics
    • Detecting unused rules

Installation

The recommended installation method is to deploy the .deb package on a Debian or Ubuntu system.

TODO

Requirements:

  • Python 2.5 or 2.6 or 2.7 (2.6 recommended)
  • Git >= 1.7.1
  • python-bottle >= 0.8.0
  • python-pexpect >= 2.3
  • python-netaddr >= 0.7.4
  • python-setproctitle >= 1.0.1-1

Configuration

TODO

Firewall node installation

The firewall nodes are standard Linux-based systems. Any system matching the following requiremesnts can perform host-based or network-based firewall functions.

Requirements

  • Linux kernel (2.6 or 3.0) )with Netfilter support
  • iptables
  • iproute
  • One or more network interfaces

CPU and memory requirements depends on the amount of traffic and concurrent connections to be filtered.

Firewall node configuration

Firelet requires to access the firewall nodes using SSH and perform few sudo commands. A dedicated user account is recommended. It is recommended to name it "firelet".

Configuration steps - log on the firewall node - run "adduser firelet" - insert a random-generated password - execute visudo and insert the following lines: firelet ALL=(NOPASSWD) iptables-save firelet ALL=(NOPASSDW) iptables-restore - log on the firelet server - run "ssh-copy-id firelet@<fn>" where <fn> is the firewall node IP address or hostname Insert the password - run "ssh firelet@<fn>" and ensure that the SSH connection is established without requiring a password

Configuration backup

TODO

Usage

TODO

Ruleset editing

TODO

Hosts editing

TODO

Networks editing

TODO

Host groups editing

TODO

Configuration check

TODO

Configuation deployment

TODO

Firelet is not released yet.

You can download the current development version using Git from:

Git read-only repository

git://github.com/FedericoCeratto/firelet.git

or Git-over-https read-only repository

https://github.com/FedericoCeratto/firelet.git

Bugs and feature request are hosted on GitHub