Isba - Ipfilter Source ruleset Build Application

31-jul-2003: I have no time for maintaining isba and vlog anymore
Voluntary maintainers are welcomed

Isba is a free graphical tool designed to edit IP-Filter rulesets and remotely manage IP-Filter firewalled hosts in a production environnement.

Ruleset edition: isba displays rules in typed columns (action, options, interface, source host or net, etc). Hosts, nets, services and interfaces are objects that can be given names. Objects can be organized in groups which can be used in a rule, to write, in a single line, what will be compiled into many ipf rules.

Remote management: once your ruleset is ready, isba can upload ipf.conf and ipnat.conf to the bastion host and reload rules in kernel, using a SSH encrypted connection with RSA authentication. Isba can also use SSH to download informations: current kernel rules, state table and ipfilter logs. In an emergency case, when a ruleset behaves badly on the bastion host, you can instantly replace it with a "pass all" or "block all" ruleset.

Goals

Isba was written with these goals in mind:

readability:
- rule items are 'columnized'
- named objects, groups of objects, colors
- display options to shorten rules length on screen.
maintainability:
- comments for rules and objects, comments between rules, rule separators
- with objects file including several rulesets can share objects
- ASCII/HTML exports and PostScript printing for documentation
- ruleset properties page for version, target hosts and ruleset comments
- multi-hosts features allow writing of one generic ruleset for multiple targets (conditional rules, conditional values, automatic values).
ergonomy:
- objects data are easily accessed
- objects litteral values are instantly viewed in an eval window
- mouse cut, copy, paste of objects and rules.
flexibility:
- "verbatim" rules (plain ipfilter text) can be inserted in ruleset
- litteral constants can be used in rulesets as well as named objects
- rules can be disabled individually
- rules can be locked individually
- a lock is set on a ruleset when it is being edited
- isba can send ipf.conf/ipnat.conf and reload rules on target machine via SSH
- timeout-triggered automatic ruleset rollback
- isba can display a remote state table and logs in real time
- remote commands timeouts are controlled by user (Retry/Cancel popup).

Prerequisites

Isba has been tested on Solaris/sparc, Linux/x86 and OpenBSD/x86 and should run wherever Perl/Tk runs (Unix only). It needs the following software packages:

IP-Filter 3.x.x
Perl 5.004+
perl/Tk 800.022+
SSH.

Credits

IP-Filter is a stateful TCP/IP packet filter written by Darren Reed.
Perl is an interpreted high-level programming language developed by Larry Wall.
perl/Tk is a collection of modules and code that attempts to wed the easily configured Tk widget toolkit to the powerful lexigraphic, dynamic memory, I/O, and object-oriented capabilities of Perl 5. It is written by Nick Ing-Simmons.
TableMatrix is a table/matrix widget extension to perl/Tk for displaying data in a table (or spreadsheet) format, written by John Cerney.
MListbox is a multicolumn Listbox widget extension to perl/Tk with builtin capabilites for sorting, resizing and repositioning of the columns, written by Hans Helgesen.
html2ps is a Perl5 PostScript generating script written by Jan Karrman.

Download

You can download a tarred gzipped version of isba v1.1 here.

Thanks to Brian Garfen for his orthographic and grammatical corrections on this site.
Thanks to Jean-Claude Boronine for his web design support.

Good ipfiltering !
Pierre Berthomier
isba [at] nerim [dot] net