Welcome to the HLFL Project !

[ About HLFL | Supported Languages | News | HLFL Syntax | Examples | Download | Mailing-Lists | CVSWeb | Links ]

What is HLFL ?

HLFL stands for "High Level Firewall Language". It translates your high level language firewalling rules into usable rules for IPChains, NetFilter, IPFilter, Cisco, and many others. Renaud Deraison, founder of the Nessus Project, initiated this project first, but it is now maintained by Arnaud Launay and discussed on the HLFL mailing-list.

Some examples of how HLFL works may be found in the examples section; the syntax is detailed in the syntax section.

Supported Languages

HLFL supports the following firewalling languages:

• BSD IPFw, statefull and not statefull
• Cisco ACL
• IPFilter
• IPFWadm (Linux 2.0)
• IPChains (Linux 2.2)
• NETFilter/IPTables (Linux 2.4)

What's new ?

Oct 6th 2003, new HLFL release: version 0.60.1.

Feb 20th 2002, new HLFL release: version 0.60.0.

HLFL Syntax

The HLFL syntax has been designed to be simple, but yet powerful. Using short atoms such as proto src operator dst [ interface ] [ keywords ], you may design an entire firewall for a complete network.

The HLFL grammar, in ABNF notation, maybe found in the grammar file, available from the distribution or on the CVSWeb.

A more comprehensive syntax description maybe found in the syntax file, available from the distribution or on the CVSWeb.

Examples

Let's design a simple rule blocking all traffic. We want to block (deny) all protocols, from any IP address to any IP address, whatever the interface is, and by logging what comes in.

So the rule would be all (any) X log (any), meaning:

Which gives:

block out log quick   from 0.0.0.0/0  to 0.0.0.0/0
block in log quick   from 0.0.0.0/0  to 0.0.0.0/0

ipfw="/sbin/ipfw -q"

$ipfw -f flush

$ipfw -f add deny log all from 0.0.0.0/0  to 0.0.0.0/0  out
$ipfw -f add deny log all from 0.0.0.0/0  to 0.0.0.0/0  in

iptables="/sbin/iptables"

$iptables -F
$iptables -X

$iptables -A OUTPUT -l -s 0.0.0.0/0 -d 0.0.0.0/0 -p all   -j DROP
$iptables -A INPUT -l -s 0.0.0.0/0 -d 0.0.0.0/0 -p all   -j DROP

Download

• FTP
  • Primary FTP
• HTTP
  • Primary website
• CVS

  CVS has been deprecated. We now use subversion/SVN.

• SVN

  Be careful. The development version is bleeding-edge, and may or may not work. If you want it anyway, here's how.

  You need to checkout the module:

  svn co http://svn.hlfl.org/trunk hlfl
  

• CVSWeb

  You may also look at the sources using the ViewCVS.

Mailing-Lists

Three mailing-lists are available to follow development and news:

• hlfl: general users and developers discussion
• hlfl-cvs: CVS commits messages
• hlfl-announce: announce of new releases (very low traffic)

To subscribe to the lists, click on their respective links below.

Note: the hlfl list is subscribed to hlfl-announce, so you do not need to the subscribe to the two lists.

Links

HLFL is used in a variety of projects, some of which are listed below. If your project use it but you're not listed, just drop me a mail: alaunay@hlfl.org.

• Horatio: Authenticated Network Access
• Local Area Security Linux: L.A.S. Linux Live-CD Distribution

Some of the docs are available in different languages:

• Slovak (SK)

HLFL has been binary packaged in the most classical distributions:

• FreeBSD: hlfl 0.60.1
• Gentoo: hlfl 0.60.0 and 0.60.1
• Redhat: hlfl 0.60.1-0
• Debian: hlfl 0.60.1-1
• AIX PDSLib: hlfl 0.60.1
• Fink (MacOS): hlfl 0.60.0-1
• OpenBSD: hlfl 0.52

HLFL's Freshmeat resume

Copyright © 2000-2005, HLFL Project

Brought to you by Hosted by