OpenBSD Journal

PF rule generation tool for Windows

Contributed by Dengue on from the Having-trouble-with-pf? dept.

Michael Anuzis writes :
"I'm not sure how useful this is as I've been made fun of a lot for making a PF configuration tool in VB6 for windows, but VB6 is the only programing language I know and I had nothing else significant I thought I could make so I made a very simple but effective PF rule creation tool for Windows users. I never thought of submitting it to this site, although I check this site every day I never thought anyone would take my software seriously as this program is the only one I've ever really put thought into writing, but I was told today on IRC that a lot of people would benefit from it so I thought I may as well make it available. It's at http://www.anuzis.net/files/software/PF/ "

(Comments are closed)


  1. By tim () jabbo@yahoo.com on mailto:jabbo@yahoo.com

    Let's face it, you wrote some useful software, who cares what language it is in. Other peoples' Perl or C vaporware will not do anyone any good. Be satisfied with doing a better job than the critics. Ask them what language they've written their rule generator in, when someone gives you shit...

    Props to you, for writing a good tool, freely distributing it, and telling the naysayers to stuff it.

    1. By jtanner () on

      I agree completely. This is a useful tool, and you shouldn't let some script kidde beat you down about it. Way to go!

      If you're looking for additional features to implement, you could create "canned" rules, such as blocking packets from private networks on the incoming line, etc. and a way to review the rules before writing them to a file or the firewall.

      All in all, it looks like a good tool for the novice or win32 admin to use with an openbsd firewall.

      Jim

  2. By Anonymous Coward () on

    I think it's great. Mind you, I haven't tried it yet but this can attract a lot more people to OpenBSD/PF! Does it work via SSH/SCP? If not, that would be a good thing!

  3. By Anonymous Coward () on

    how about using qt?
    qt non commerical 2.3.x for windows qt 2.3.x on unix

    1. By Anonymous Coward () on

      but qt isn't a language, just a library. this presumes that the submitter knows c++ or python or perl or yaddayadda.

    2. By chris () chris@secure-packets.com on mailto:chris@secure-packets.com

      Well, I would add that if I felt there was a wide spread need for a gui.. I would offer to start a Qt gui... qt is a great interface for unix/win32 and with qt designer it's almost like a vb style builder...

      //not in a bad way, just wondering.
      is there really a need for a gui?

      ::chris

      1. By Anonymous Coward () on

        > is there really a need for a gui?

        yes - that was obviously the objective otherwise you'd just use pfctl :/

  4. By Anonymous Coward () on

    maybe you could change the banner to one with the blowfish mascot, wich is much nicer than the demon :)

  5. By Anonymous Coward () on

    Would be nice to add:

    'modulate state'

    preset port ranges 0-1024, high ftp proxy ports (I always forget that range)

    ability to enter subnet mask as 255.255.255.252 and convert it automatically.

    'built in' pf reference - just take pfctl man page and display it as text with 'help' button.

    ability to 'buffer' generated rules, so you can generate all the rules at once, review them all together and then copy-n-paste them in pf.conf via PuTTY.

    1. By Anonymous Coward () on

      Good ideas!

      I'd like to see it be able to scp/sftp the rules, and reload them from windows too - would be nice! :)

  6. By argol () argol@argol.org on www.argol.org

    Good effort. You should continue adding more features, such as generating a complet rule set.

  7. By Anonymous Coward () on

    This looks very useful. You might also consider this to be a great opportunity to learn another language if you are interested in doing so. I often find that porting an application to a new language is one of the best ways to learn.

  8. By frisco () frisco@blackant.net on http://www.blackant.net/

    the other day on misc@ someone mentioned Firewall Builder...
    http://www.fwbuilder.org/

    makes firewall rules for iptables, ipfilter and pf, but doesn't seem to run on OpenBSD, only linux.

    Maybe you can get some ideas from that product, or give them some ideas too.

    -f

    1. By Anonymous Coward () on

      please don't mention FirewallBuilder - that's one big pile of crap. The authors are most likely on drugs when they code. Just look at the code and the way everything is done there... Scary sight. I am glad that there is no port of FirewallBuilder to OpenBSD - the idea of having a GUI for firewalls is good, but the implementation is terrible.

      1. By Anonymous Coward () on

        i agree entirely there. Not only were they smoking crack but it was bad crack and had rat shit in it.

        not that i hate fwbuilder or anything...

        1. By Anonymous Coward () on

          ROFL!

    2. By Anonymous Coward () on

      There's this too:
      http://inc2.com/isba/

      It's for IPF, but VERY nice the way it works/looks. I've written the author, and he doesn't have the time to make it completely compatible with PF yet (shouldn't be too much work), unless someone else has the ability to do that?

      Works via ssh, and all!

  9. By Ben Johnson () ben-deadly@johnsonworld.-no-s-pam-.com on www.johnsonworld.com


    If your software works and is usefull, then it's good software. You might consider makinng a Java version of your software - most operating systmes that are running a GUI usually can run Java software. You get the benefit of letting your software run on almost any operating system and Java is a good step to take after VB.

    1. By Anonymous Coward () on

      I'd rather have VB. Why?

      • I use windows 2000 on my workstation, as I'm (ironically) sure the large proportion of sysadmins do.
      • Its native to windows, which has the runtime built in. Download exe, virus scan, double click, sorted (like PuTTY for example).
      • Java runtime is bloatware that installs all sorts of crap like a tray icon, java plugin this that and the other.
      • Java is a ton slower and heavier on system utilisation and memory than native compiled VB.

      1. By Anonymous Coward () on

        First let me say that this is a great tool. Thank you!

        As far as the argument of VB over Java: The person arguring that VB is over all 'better' obviously does not maintain a large scale heterogenius environment. Veritas tools, Quest Software's Foglight, and alot of other high-profile / high-end tools are written in Java so that people like me (and every other Sys Admin I know) can admin and monitor our networks from our Sun/Linux/BSD/whatever machines. While I tend to agree that there REALLY needs to be some shaving on the java runtime - it is still the most capable cross platform gui out there.
        Not a flame - just an observation.

  10. By jose nazario () jose@crimelabs.net on mailto:jose@crimelabs.net

    using libdnet (http://libdnet.sf.net/) and gtk you can build a cross platform tool: UN*X and Win32 (dnet supports both, and gtk can build GUIs on both, too). dnet will allow you to write firewall rules in pf, ipf, ipchains, and netfilter/iptables.

  11. By Barry () on

    Haven't looked at your app, but I will, I'm in the same boat as you. Love OpenBSD, but my only programming experience is with VB. Have dabbled in Perl and PHP, though.

    Consider using PHP:
    - Easy to code, perhaps easier than VB
    - Portable to just about any OS
    - You could run it right off your website, provide a service to the world, no user install necessary
    - Perfect for spitting out text i.e. pf.conf

    Netcraft says you're running an OpenBSD box for you website. PHP would be easy to add to you're current setup.

    1. By Anonymous Coward () on

      Yeah, there's a brilliant idea. NOT! Turn a local app into a web based application and write it in a web scripting language. Jesus H. Christ. I'm glad you don't develop software for a living. Grab python, ruby or java and port it. Doesn't vb generate c code? Port the gui pieces with qt or whatever. Don't f%cking use a webserver based scripting language. There may be more than one way to do things. But try to use the right toolo for the right job.

      1. By Niall O'Higgins () on http://www.sig11.com

        Nothing wrong with web frontends to firewall rulesets. They are extremely useful in fact. Just look at Astaro [www.astaro.com], where they did just this, and did it well.

        Comparable to Firewall 1's GUI, but web based - they obviously copied many of the interface concepts. I believe its written in Perl, and sits on Apache+mod_ssl.

  12. By drauku () drauku@drauku.net on http://drauku.net

    if you need this tool (and on windows?!?), you have no place in making firewalls. you should back away slowly from the gui tool, and read the man page and know what the heck you are doing! it isnt that complicated either.

    i dont get why some need this tool. seems there are people that are too damn lazy to read a man page, and take an easy gui way out... *cough* linuxconf anyone?

    1. By zippy () jdeari01@longisland.poly.edu on mailto:jdeari01@longisland.poly.edu

      Ok any person using this tool managed to install OpenBSD. If this is the case then I agree said person should be able to read the man page. However, assumning that this tool, which I haven't used, completly satisfies the firewall needs of 100 people the those 100 people can be reading documentation for something else like samba. And if those 100 people turn around and install SWAT a web based samba config utility then they can spend the time they save reading perl manpages or whatever. I built routers with NAT/firewall manually using FreeBSD and OpenBSD reading the man pages. I use vi as my samba config tool. This gives me a greater knowledge of Samba and the various routing/filtering tools available for BSDs, but less time to do other things. We all need to develop specialities, but that requires us to make choices and not learn other things. There are many people that use OpenBSD to build routers out of old boxes and use them to provide internet connectivity to windows machines. This tool might allow one sysadmin of such a network to experiment with replacing there Wink2k file servers with Samba. If so then woo-hoo.

    2. By ThomasJ () on

      Don't you read?
      This guy wrote a working piece of software *for* *the* *heck* *of* *it*!
      He likes OpenBSD, he read the man page, and found it fun to write some software which fills in the tokens of the pf language.
      Nobody is assuming that this software is the proper newbie way to make rules, but is def. the proper way to learn to program. If he continues this way, OpenBSD will some day have patches submitted by the guy.
      Don't EVER discourage somebody who takes steps to do programming for the community, despite it can't be included in the release.

    3. By Anonymous Coward () on

      Go away. Anyone that tells genericly how and when to use a tool without knowing the intents and qualifications of their self-made generalized user has no place here. It's remarkable stupidity when someone blatantly reveals their biases while trying to make a holier-than-thou recommendation.

  13. By Chris Walker () cwalker@at@axion-rbaa.dot.com on mailto:cwalker@at@axion-rbaa.dot.com

    There is definitely a need for such a tool. Let me humbly describe my own situation:

    I am a CS student currently working as intern at a non-IT company, who asked me to create and install a firewalling system for their network. I am new to BSD myself, and all this company uses is microsoftware.
    I have managed to work my way around the various FAQs and man pages to get OpenBSD and pf to work by hand, but I feel there's no way the ms-sysadmins will keep the system up-to-date after I leave, unless I set up and document simple, foolproof methods to do so.

    Therefore, any tool allowing easy point-and-click administration, like pf rule updates straight from windows (over ssh), would definitely help the guys here stay ahead of things. I just know they won't take the time and pain to get their hands dirty otherwise.

    ...just in case you needed motivation to keep going!

    CW

  14. By Nick Buraglio () nick@buraglio.com.nospamplease on mailto:nick@buraglio.com.nospamplease

    I think it's great that you wrote it. Who gives a damn what language it's in. Good job.

  15. By TheBrothaULuv2H8 () spam@derrickonline.org on https://www.derrickONLINE.org

    This is exactly what I've been looking for, but I was hoping to find something for IPTables. There are tons of apps for a GUI based IPTables rule generator but I would love to find something written for Windows. Any plans on creating one . =)

    1. By Matt Lauer () mattorola7@hotmail.com on mailto:mattorola7@hotmail.com

      As an experienced programmer of VB, and owner of a web programming firm, there is not always time to sit and learn the command-line syntax. This is time consuming and costly. This program has a niche. Command-line snobs beware. Clearly to write a program to translate into cl, one must have know the cl to do it! Nice job!

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]