This is the command fwb_pf that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
PROGRAM:
NAME
fwb_pf - Policy compiler for OpenBSD packet filter "pf"
SYNOPSIS
fwb_pf [-vVx] [-d wdir] [-o output.fw] [-i] -f data_file.xml object_name
DESCRIPTION
fwb_pf is a firewall policy compiler component of Firewall Builder (see fwbuilder(1)).
This compiler generates code for OpenBSD Packet Filter (pf). Compiler reads objects
definitions and firewall description from the data file specified with "-f" option and
generates pf configuration files and firewall activation script.
All generated files have names that start with the name of the firewall object. Firewall
activation script has extension ".fw" and is simple shell script that flushes current
policy, loads new filter and nat rules and then activates pf. PF configuration file name
starts with the name of the firewall object, plus "-pf.conf". NAT configuration file name
also starts with the name of the firewall object, plus "-nat.conf". For example, if
firewall object has name "myfirewall", then compiler will create three files:
"myfirewall.fw", "myfirewall-pf.conf", "myfirewall-nat.conf".
The data file and the name of the firewall objects must be specified on the command line.
Other command line parameters are optional.
OPTIONS
-f FILE
Specify the name of the data file to be processed.
-o output.fw
Specify output file name
-d wdir
Specify working directory. Compiler creates firewall activation script and PF
configuration files in this directory. If this parameter is missing, then all
files will be placed in the current working directory.
-v Be verbose: compiler prints diagnostic messages when it works.
-V Print version number and quit.
-i When this option is present, the last argument on the command line is supposed to
be firewall object ID rather than its name
-x Generate debugging information while working. This option is intended for debugging
only and may produce lots of cryptic messages.
NOTES
Support for PF has been introduced in version 1.0.1 of Firewall Builder
Supported features:
o both pf.conf and nat.conf files are generated
o negation in policy and NAT rules
o grouping in "from", "to" and ports using '{' '}' syntax
o if checkbox "Scrub" is checked in the rule options dialog, and rule's action is
Accept, the compiler generates two (almost) identical rules: first with action
'scrub' and the second with action 'pass quick'
o stateful inspection in individual rule can be turned off in rule options dialog. By
default compiler adds "keep state" or "modulate state" to each rule with action
'pass'
o rule options dialog provides a choice of icmp or tcp rst replies for rules with
action "Reject"
o compiler adds flag "allow-opts" if match on ip options is needed
o compiler can generate rules matching on TCP flags
o compiler can generate script adding ip aliases for NAT rules using addresses that
do not belong to any interface of the firewall
o compiler always adds rule "block quick all" at the very bottom of the script to
ensure "block all by default" policy even if the policy is empty.
o Address ranges in both policy and NAT
Features that are not supported (yet)
o custom services
What will not be supported (at least not anytime soon)
o policy routing
URL
Firewall Builder home page is located at the following URL: http://www.fwbuilder.org/
Use fwb_pf online using onworks.net services
