It will compile a set of configuration files to iptables statements to
setup IP packet filtering for you.
While it is not necessary for operating and using Pyroman, you should
have understood how IP, TCP, UDP, ICMP and the other commonly used
Internet protocols work and interact. You should also have understood the
basics of iptables in order to make use of the full functionality.
does not try to hide all the iptables complexity from you, but tries to
provide you with a convenient way of managing a complex networks firewall.
For this it offers a compact syntax to add new firewall rules, while still
exposing access to add arbitrary iptables rules.
Load the rules from directory
instead of the default directory (usually
seconds after applying the changes for the user to type
to confirm he can still access the firewall. This implies
but allows you to use a different timeout.
Print a summary of the command line options and exit.
Print the version number of
-s, --safe, safe
When the firewall was committed, wait 30 seconds for the user to type
to confirm, that he can still access the firewall (i.e. the network
connection wasn't blocked by the firewall).
Otherwise, the firewall changes will be undone, and the firewall will be
restored to the previous state.
option to change the timeout.
Don't actually run iptables. This can be used to check if
accepts the configuration files.
Instead of running iptables, output the generated rules.
Instead of running iptables, output the generated rules. Each statement
will have one comment line explaining how this rules was generated. This
will usually include the filename and line number, and is useful for
Configuration of pyroman consists of a number of files in the directory
These files are in python syntax, although you do not need to be a python
programmer to use these rules. There is only a small number of statements
you need to know:
Define a new host or network
Define a new interface (group)
Add a new service alias (note that you can always use
e.g. www/tcp to reference the www tcp service as defined in /etc/services)
Define a new NAT (Network Address Translation) rule
Allow a service, client, server combination
Reject access for this service, client, server combination
Drop packets for this service, client, server combination
Add a rule for this service, client, server and target combination
Add an arbitrary iptables statement to be executed at beginning
Add an arbitrary iptables statement to be executed at the end
Detailed parameters for these functions can be looked up by caling