[fw-wiz] a cutting-edge open-source network security project


The dynamic firewall daemon (DFD) sets up and (optionally) maintains
your packet filter (firewall) rules. It is a framework, not a specific
implementation. My goal is for it to be capable of doing almost
anything that you'd want to do to firewall rules. Some people call
such systems reactive firewalls; they are akin to IPS systems. The
philosophy behind DFD is to be the only program which modifies your
firewall rules, and by doing so, it can enforce policies and allow
multiple clients to request changes from it.

The basic idea behind DFD is to do one thing, and do it well. The DFD
programs are designed to be able to exploit virtually any capability
of the underlying firewall, and they add several abilities. Its text
command API, which is similar to the Unix shell, is designed to
decouple the programs which invoke R-box functions (sniffers, snort,
etc.) from the details of the R-box implementation (specifically,
firewall rules). DFD allows you to define a set of firewall rules (any
of which may be active at a given time) and a set of commands which
transform them in specific ways. Put simply, the other components of
your IDS shouldn't need to know what kind of firewall you are using,
much less what rule chain you want them to insert the block rules on,
or the syntax of the rules, etc. Everything else talks to DFD, via an
easy-to-use command line API, and it can do this over the network if
you wish, using nothing more complicated than netcat.
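As an added illustration of the command-API design described above (this is not DFD's own code), the following Python sketch shows a daemon that parses shell-like text commands from several clients, enforces a policy before touching rules (here, refusing to block a constructed set of protected internal ranges), and renders the result in either pf or iptables syntax. The backend command strings, the pf table name `blocked` and the policy itself are assumptions.

```python
import ipaddress
from collections import OrderedDict

# Constructed policy: the daemon refuses to block these internal ranges so a
# misfiring sensor cannot lock administrators out of the firewall itself.
PROTECTED = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("192.168.0.0/16")]

class FirewallBackend:
    """Renders abstract block/unblock requests as firewall-specific syntax.
    The strings are illustrative pfctl/iptables invocations, returned not run."""
    def __init__(self, kind):
        self.kind = kind  # "pf" or "iptables"

    def render(self, action, ip):
        if self.kind == "pf":
            verb = "add" if action == "block" else "delete"
            return f"pfctl -t blocked -T {verb} {ip}"
        flag = "-I" if action == "block" else "-D"
        return f"iptables {flag} INPUT -s {ip} -j DROP"

class DFD:
    """Sole owner of the rule set: every client goes through handle()."""
    def __init__(self, backend):
        self.backend = backend
        self.blocked = OrderedDict()  # ip -> client that requested the block
        self.log = []                 # rendered rule changes, in order

    def handle(self, client, line):
        """Process one shell-like text command; return the reply line."""
        argv = line.split()
        if not argv:
            return "ERR empty command"
        cmd, args = argv[0], argv[1:]
        if cmd == "list":
            return ("OK " + " ".join(self.blocked)) if self.blocked else "OK (none)"
        if cmd not in ("block", "unblock") or len(args) != 1:
            return f"ERR bad command {cmd!r}"
        try:
            ip = ipaddress.ip_address(args[0])
        except ValueError:
            return "ERR bad address"
        if cmd == "block":
            if any(ip in net for net in PROTECTED):
                return "ERR policy: address is protected"
            self.blocked[str(ip)] = client
        elif self.blocked.pop(str(ip), None) is None:
            return "ERR not blocked"
        self.log.append(self.backend.render(cmd, ip))
        return "OK"
```

A client such as a sniffer or snort would send lines like `block 203.0.113.7` over a socket and never needs to know which backend is in use.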

I'm actively maintaining the python/OpenBSD/pf implementation, which can
be found here:

I am looking for someone to take over the python/Linux/iptables
implementation, which can be found here:

Actually, I'm looking to stimulate interest in any way. I am not using
Linux as a firewall, so I think it would be best to find someone interested
in taking it over, who can try out new ideas and bounce ideas off of me,
potentially with some cooperation or healthy competition.


I've written a simple sniffer that detects bittorrent traffic and sets
up port forwarding on the NAT/DFD box so that it "just works". You
stop using it on one internal machine, start with another, and it
"just works" again, no manual intervention needed.

Another idea is to "federate" against attacks, so that when your IDS
(say, snort) detects an attack from an external entity, you block that
entity at multiple locations (each of which runs DFD, but which may run
entirely different OSes and firewalls). This hasn't been implemented
but could rapidly prove useful (if engineered carefully).

Anyway, I think there's a LOT of room for innovation and development
of an ecosystem of tiny little programs that all interoperate around
DFD, making the network smarter.

If you're interested, please join the mlist, it's very low-traffic (at
the moment):

Comments, ideas on where else to find recruits, etc., very welcome.
For quickest response, cc directly to travis@xxxxxxxxxxxxxxxxx,
as email to this address goes into the firewalls folder.
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john@xxxxxxxxxxxxxxxxx to get blacklisted.

firewall-wizards mailing list