This is the file README for tkfirewall. For installation documentation please
read the file INSTALL.

-----------------------------------------------------------------------------

                                 TKFirewall

-----------------------------------------------------------------------------

Tkfirewall is a general-purpose GUI for IP filter configuration.
It was built around two main design goals:

1. General-purpose editing of firewall filter lists

I was trying to create filter lists for a router with many interfaces and I
needed a tool that would visualize the filters for me. Just looking at a list
of ipfwadm statements was too awkward: if you wanted to know the effects of
changing or adding a filter near the top of a list you would have to read
through all the filter statements and comments down the list to find out
whether this would change their semantics.

Another problem with plain lists was that Linux has three lists (or chains,
as they are called nowadays) of filters: input, forwarding and output filters. I
wanted to have the possibility to look at all of these three lists at the same
time. I decided to put them next to each other. Then I would be able to follow
the path of a packet through all these filters without rushing through a long
list again.  (The list typically had the input filters first, then the
forwarding filters and then the output filters. As filter design means
comparing blocks of one kind of filters to blocks of the other kinds of
filters, this would be too confusing - a mode of working inadequate for such a
delicate configuration.)

I could have solved this just by using three xterms, editing the text of one
filter list in each of them. But then I realized that there was still another
feature that would facilitate editing filter lists: grouping filter blocks in
categories that I could minimize to a button labeled with a short comment and
maximize by pushing the button. This feature would allow for editing a group
of filters, closing the group (or category, as I called them) and dealing with
the group as a whole. This would make it easier to work on the overall
structure of the filter lists by only looking at groups, moving groups around,
cutting, copying and pasting them anywhere. (Well, yes, we call this
"abstraction" in computer science - I just like flowery language when I work
too late.)

Last, but not least, I found it necessary to make changing filter information
quick, easy and less error-prone. So I decided to use a push-button, listbox
and cut-and-paste design with a bit of colour support to make the type of
rules easily distinguishable.

I chose not to produce a GUI that only gives you the choice of selecting
several pre-configured filter configurations such as "SMTP access to this machine -
yes/no?", because it would limit the possibilities too much. Additionally, it
must be easy to cross-check the filter configuration, since most filter
designs depend on filter ordering and interaction. I would not (yet) let a
program check the correctness of the design. 
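The ordering problem described above can be made concrete with a small model of
the packet path through the three lists. This is an added illustration, not
part of tkfirewall; it assumes first-match evaluation with a per-list default
policy, and the rule set, hosts and addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    comment: str            # the short comment a tkfirewall category would show
    policy: str             # "accept" or "deny"
    proto: str = "any"      # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"  # source network (CIDR)
    dst: str = "0.0.0.0/0"  # destination network (CIDR)
    dport: Optional[int] = None  # destination port, None means any

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

def first_match(chain, pkt, default="deny"):
    """First matching rule decides; otherwise the list's default policy applies."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.policy, i
    return default, None

def trace(chains, pkt, default="deny"):
    """Follow a forwarded packet through input, forwarding and output; stop at a deny."""
    path = []
    for name in ("input", "forwarding", "output"):
        policy, idx = first_match(chains[name], pkt, default)
        path.append((name, policy, idx))
        if policy != "accept":
            break
    return path

# Constructed demo rule set (hypothetical addresses from the documentation ranges).
CHAINS = {
    "input": [Rule("accept everything arriving on the router", "accept")],
    "forwarding": [
        Rule("SMTP to the mail host", "accept", "tcp", dst="192.0.2.25/32", dport=25),
        Rule("deny all other traffic into the internal net", "deny", dst="192.0.2.0/24"),
    ],
    "output": [Rule("accept everything leaving the router", "accept")],
}
SMTP_PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.25", "dport": 25}
WEB_PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.80", "dport": 80}

def verdict(chains, pkt) -> str:
    return trace(chains, pkt)[-1][1]

def reordered(chains):
    """Move the broad deny above the SMTP exception: the exception becomes dead."""
    return {**chains, "forwarding": list(reversed(chains["forwarding"]))}
```

Comparing `verdict(CHAINS, SMTP_PKT)` with `verdict(reordered(CHAINS), SMTP_PKT)`
shows why a rule inserted near the top of a list has to be checked against every
rule below it.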


2. Automation of filter list creation for many network architectures

As administration of computers always consumes too much time, I decided to
include a scanner that would automatically build a filter configuration by
analyzing the network configuration. The scanner was first built to work only
in the environment where I was experimenting with tkfirewall. But then I
needed to generalize it a bit.

Now I think the scanner should be rewritten for several reasons. I will only
list some of them here:

- make scanning possible for all network architectures
- include a GUI for scanner configuration; maybe this should be a graphical
  representation of the network paths for services. The user should be able to
  fiddle with these on a higher level of abstraction. Then the scanner would
  generate filter lists as input to tkfirewall. This could be used to verify
  the design - currently manually, but later half automatically as well.
- more research is needed (maybe a look at Firewall-1 or others).

-----------------------------

Tkfirewall can be used with or without tkfirewallscan. The scanner still
suffers from the aforementioned limitations and it is certainly not very
user-friendly yet. But still you might want to try it out by calling

	tkfirewall -scan

as user root (tkfirewallscan and convmask must be installed somewhere in the
$PATH).

Anyway, I would recommend starting tkfirewall for the first time with

	tkfirewall -load scan-demo.tkfw

This will start tkfirewall and load a demonstration filter list. As 



-----------------------------------------------------------------------------
Note for this release:

This version was finished in March 1998, except for a few comments and
bugfixes. I had no time to work on the documentation yet, but some friends
asked me to give it away anyway, since it might be usable even without much
documentation (it is a GUI, after all). The most important documentation is
the filter feature description which can be found in the ipfwadm man-page.
More information is available in the Firewall-HOWTO. And the standard books
about firewalls in TCP/IP networks are

	Cheswick, Bellovin: Firewalls and Internet Security, Addison-Wesley
	Chapman, Zwicky: Building Internet Firewalls, O'Reilly

-----------------------------------------------------------------------------

Enjoy.
