Sanewall


Sanewall is a firewall builder for Linux. Instead of writing individual iptables(8) rules, you describe the firewall in a shell-like language at the level of interfaces, routers, services and policies, and Sanewall generates the stateful ruleset for you. The resulting configurations are short and readable, which makes them easy to audit and to understand, even for complex stateful firewalls. Sanewall covers most firewalling needs: any number of internal, external or virtual interfaces, any combination of routed traffic, DMZ routers and servers, all kinds of NAT, built-in protection against floods, spoofing and similar attacks, transparent caches, source MAC verification, blacklists and whitelists. Newer versions abstract the differences between IPv4 and IPv6, so a common set of rules can apply to both while protocol-specific rules remain possible where you need them. Sanewall is a fork of FireHOL and can make use of existing FireHOL configurations.
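As an added illustration of the configuration language (written for this page, not a file shipped with Sanewall or FireHOL), here is a small stateful configuration for a box with a LAN on eth0 and an Internet uplink on eth1. The interface names, addresses, the MAC address and the `admin_hosts` variable are constructed example values; `version 6` is assumed to be the header Sanewall 1.x configurations carry, and every directive, in particular the `ipv4`/`ipv6` prefixes used to restrict a block to one protocol family, should be checked against the sanewall.conf(5) manual of the installed release.

```firehol
version 6

# Constructed example values, not real hosts.
admin_hosts="192.0.2.10 2001:db8::10"

# Drop all traffic to and from this host, on every interface and router.
blacklist full 198.51.100.7

# Source MAC verification: the LAN printer may only send from its known MAC.
mac 192.168.1.20 00:11:22:33:44:55

# LAN side: fully trusted. Without an ipv4/ipv6 prefix the block applies to both.
interface eth0 lan
    policy accept

# Internet side: stateful, with the built-in flood/spoof protections.
# SSH is answered only for the admin hosts; HTTP/HTTPS for everyone;
# the box itself may initiate any outbound connection.
interface eth1 internet
    protection strong
    server ssh accept src "${admin_hosts}"
    server "http https" accept
    client all accept

# Forward LAN traffic to the Internet. masquerade is an IPv4 concept,
# so the IPv4 router masquerades while the IPv6 router simply routes.
ipv4 router lan2internet inface eth0 outface eth1
    masquerade
    route all accept

ipv6 router lan2internet6 inface eth0 outface eth1
    route all accept
```

Everything not explicitly accepted on the `internet` interface or by a router is dropped, which is what makes the short file a complete firewall. When testing a configuration on a remote host, activate it with the `try` command inherited from FireHOL, which reverts to the previous ruleset unless you confirm within its timeout, so a typo cannot lock you out.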

Recent releases

  •  19 Aug 2013 19:51

     Release Notes: Uses flock(1) instead of lockfile(1), since util-linux is more commonly installed than procmail and flock(1) works much better than the built-in locking function. Fixes IPv4/IPv6 detection for older versions of iptables(8). Many minor improvements and cleanups.

  •  07 Jul 2013 14:26

     Release Notes: "sanewall save" now creates two files, which is what most init systems expect. "sanewall status" now identifies which blocks are IPv6 and which are IPv4. "sanewall condrestart" now follows convention by restarting only if Sanewall is already running. Various programs and files are now detected at configure time rather than at run time.

  •  06 Jun 2013 10:59

     Release Notes: This release fixes IPv4/IPv6 auto-detection so that it is not confused by VLAN interface names such as eth0.22.

  •  12 May 2013 16:59

     Release Notes: Fixes kernel version detection per 1.0.2. The configure script makes sanewall executable. The unconfigured script issues a warning when it is run directly. The configure script now uses /usr/local/etc as the location where Sanewall looks for and stores configuration files if --sysconfdir is not given, solving bug 78. There is a switch to enable debug output. Handles domain names that resolve to IPv4 records, IPv6 records, or both. Fixes the protection against direct use of /sbin/iptables and /sbin/ip6tables, which had been broken since 1.1.0.

  •  12 May 2013 15:53

     Release Notes: This release fixes kernel version detection so that it is more flexible and less error-prone (the version string 3.8-1-amd64 was breaking the original check).
