FK

Intro

A while ago, I decided that the world needed a free software proxy firewall kit, as I was unhappy with the TIS fwtk. Nobody else appeared to be actively working on one (perhaps I didn't look hard enough), so I decided to have a wee go. Ian Lynagh was hacking on this task with me, but seems to have disappeared.

Status

Incomplete (see TODO and ROADMAP) but fast-maturing (see HISTORY), and nevertheless useful for quite a few things. Currently, we have:

Also desirable are proxies for:

to name but a few. I'd also like:

Download

Version 0.6.7 can be found here. Previous releases are 0.6.6 (fixes a security issue with some configurations of the httpd), 0.6.5, 0.6.4, 0.6.3, 0.6.2, 0.6.1, 0.6, 0.5, 0.4, and 0.3. Warning: earlier versions are likely to be badly bug-ridden. The package contains a changelog.

Mailing list

There is a mailing list for discussion/development. You can subscribe here, and post to it by emailing fk@hairy.beasts.org.

It remains fairly incomplete and is unaudited, but it may be interesting to some. It is copyrighted, but offered for use, modification and redistribution under the terms of the GNU General Public Licence. If I forgot to include a copy of the GNU GPL in a distribution, please contact me for more precise details.

Otherwise, the software is available to you only though recognised "fair use" terms (which, for now, I consider those which apply in the UK).

Eh?

Application proxies?

Programs which mediate the conversation between a client and a server, rather than merely (and blindly) forwarding packets. This is primarily done for reasons of access-control and security, but is also used to enforce caching. Because application proxies can examine much higher-level protocols than is advisable for kernel code, it's possible to use them to protect clients and servers against malice by ensuring that only valid protocol exchanges take place. Also, because they generally live in userspace, they can enforce fairly complex access-control rules, where simple packet filters can only offer host- and service-based access control.

fwtk?

The TIS Firewall Toolkit (no link). A suite of application proxies designed for internet firewalls. An enhanced version was (is?) sold as the TIS Gauntlet firewall. The licence is somewhat unclear -- the pessimistic view is that commercial use is not permitted (because they want you to buy Gauntlet).

Official development has now ceased, though a bunch of volunteers still maintain various extra proxies, patches and documentation for it.

It is my opinion that the FWTK has code quality issues, and that the volunteer patches are, at best, no better. (The transparency patch doesn't work on Linux, and the maintainers don't respond to fixes.)

I don't mean to imply that it is badly written or that it is riddled with security holes, but merely that it was written at a time when auditability was rather less important.

TIS?

Trusted Information Systems. Original authors/owners/etc of the fwtk. They are owned by Network Associates, Inc.

Other free proxy kits

I have a small discussion of the other free software proxy kits that I am aware of. If I missed anything, please tell me.

Related hacks

filter is a recent hack of mine for generating packet filtering rules. It accepts a high-level ruleset and generates iptables, ipchains or ipfilter rules (with Cisco IOS ACLs to follow).

Speak to me!

Please mail me about any errors or omissions, or with any questions, suggestions, problems or (especially welcome!) patches you might have.