
Welcome to the HLFL Project !


What is HLFL ?

HLFL stands for "High Level Firewall Language". It translates firewalling rules written in a high-level language into usable rules for IPChains, NetFilter, IPFilter, Cisco, and many others. The project was started by Renaud Deraison, founder of the Nessus Project; it is now maintained by Arnaud Launay and discussed on the HLFL mailing-list.

Some examples of how HLFL works may be found in the examples section; the syntax is detailed in the syntax section.

Supported Languages

HLFL supports the following firewalling languages:

What's new ?

Oct 6th 2003, new HLFL release: version 0.60.1.

Feb 20th 2002, new HLFL release: version 0.60.0.

HLFL Syntax

The HLFL syntax has been designed to be simple yet powerful. Using short atoms of the form proto src operator dst [ interface ] [ keywords ], you can describe an entire firewall for a complete network.

The HLFL grammar, in ABNF notation, may be found in the grammar file, available from the distribution or on the CVSWeb.

A more comprehensive syntax description may be found in the syntax file, available from the distribution or on the CVSWeb.

Examples

Let's design a simple rule blocking all traffic. We want to block (deny) all protocols, from any IP address to any IP address, whatever the interface is, and by logging what comes in.

So the rule would be all (any) X log (any), meaning:

    all     = all protocols
    (any)   = from any IP address
    X log   = block and log
    (any)   = to any IP address

Which gives:

ipfilter:
block out log quick   from 0.0.0.0/0  to 0.0.0.0/0
block in log quick   from 0.0.0.0/0  to 0.0.0.0/0
ipfw:
ipfw="/sbin/ipfw -q"

$ipfw -f flush

$ipfw -f add deny log all from 0.0.0.0/0  to 0.0.0.0/0  out
$ipfw -f add deny log all from 0.0.0.0/0  to 0.0.0.0/0  in
netfilter:
iptables="/sbin/iptables"

$iptables -F
$iptables -X

$iptables -A OUTPUT -l -s 0.0.0.0/0 -d 0.0.0.0/0 -p all   -j DROP
$iptables -A INPUT -l -s 0.0.0.0/0 -d 0.0.0.0/0 -p all   -j DROP
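To make the atom-to-backend translation above concrete, here is a small translator written for this page as an added example; it is not HLFL's own parser or code generator. It handles only what the page shows: the atom shape proto src operator dst [ interface ] [ keywords ], the deny operator X, the log keyword, an optional interface name, and the ipfilter and netfilter backends. The mapping of "any" to 0.0.0.0/0 is taken from the generated output above; the rejection of malformed addresses, the interface-name handling and the ipfw-style prelude helper are assumptions of this example. One deliberate difference from the page's netfilter output: that output uses the old -l log flag, which current iptables no longer has, so the example emits a separate LOG rule directly before each DROP rule instead.

```python
"""Toy HLFL-style translator (added illustration, not HLFL's own code).

Covers the atom   proto src operator dst [ interface ] [ keywords ]
for the deny operator X, the log keyword, an optional interface, and the
ipfilter / netfilter backends shown on the page. HLFL's other operators
and backends are out of scope here."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Addresses are written in parentheses; everything else is a bare word.
_TOKEN = re.compile(r"\([^)]*\)|\S+")
_KEYWORDS = {"log"}            # the only keyword the page's example uses
_OPERATORS = {"X": "deny"}     # HLFL has more operators; not modelled here


@dataclass
class Rule:
    proto: str
    src: str
    op: str
    dst: str
    log: bool = False
    iface: Optional[str] = None


def _strip_parens(tok: str) -> str:
    if not (tok.startswith("(") and tok.endswith(")")):
        raise ValueError(f"expected a parenthesised address, got {tok!r}")
    return tok[1:-1].strip()


def addr(spec: str) -> str:
    """Map 'any' to 0.0.0.0/0 (as on the page); anything else must be a
    well-formed IPv4 network, so a typo fails here rather than at load time."""
    if spec == "any":
        return "0.0.0.0/0"
    net = ipaddress.ip_network(spec)   # raises ValueError on junk or host bits set
    if net.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    return str(net)


def parse(rule: str) -> Rule:
    """Parse one atom. The keyword may appear before the destination, as in
    the page's own rule 'all (any) X log (any)', or after it."""
    toks = _TOKEN.findall(rule)
    if len(toks) < 4:
        raise ValueError(f"rule too short: {rule!r}")
    proto, src, op = toks[0], _strip_parens(toks[1]), toks[2]
    if op not in _OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    rest = toks[3:]
    dst_pos = next((i for i, t in enumerate(rest) if t.startswith("(")), None)
    if dst_pos is None:
        raise ValueError("missing destination")
    dst = _strip_parens(rest[dst_pos])
    extras = rest[:dst_pos] + rest[dst_pos + 1:]
    keywords = [t for t in extras if t in _KEYWORDS]
    others = [t for t in extras if t not in _KEYWORDS]
    if len(others) > 1:
        raise ValueError(f"unexpected tokens {others!r}")
    addr(src)
    addr(dst)
    return Rule(proto, src, op, dst, log="log" in keywords,
                iface=others[0] if others else None)


def to_ipfilter(r: Rule) -> List[str]:
    """Two ipfilter lines (out, then in), in the shape the page shows."""
    lines = []
    for direction in ("out", "in"):
        words = ["block", direction] + (["log"] if r.log else []) + ["quick"]
        if r.iface:
            words += ["on", r.iface]
        if r.proto != "all":
            words += ["proto", r.proto]
        words += ["from", addr(r.src), "to", addr(r.dst)]
        lines.append(" ".join(words))
    return lines


def to_netfilter(r: Rule) -> List[str]:
    """iptables commands. Logging is a separate LOG rule placed right before
    the DROP rule, replacing the legacy '-l' flag seen in the page's output."""
    lines = []
    for chain, iface_flag in (("OUTPUT", "-o"), ("INPUT", "-i")):
        base = f"$iptables -A {chain} -s {addr(r.src)} -d {addr(r.dst)} -p {r.proto}"
        if r.iface:
            base += f" {iface_flag} {r.iface}"
        if r.log:
            lines.append(f"{base} -j LOG")
        lines.append(f"{base} -j DROP")
    return lines


def netfilter_script(rules: List[Rule]) -> str:
    """Whole script: the flush prelude shown on the page, then every rule."""
    out = ['iptables="/sbin/iptables"', "", "$iptables -F", "$iptables -X", ""]
    for r in rules:
        out.extend(to_netfilter(r))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rule = parse("all (any) X log (any)")   # the page's example rule
    print("\n".join(to_ipfilter(rule)))
    print(netfilter_script([rule]))
```

Running it on the page's rule prints the same two ipfilter lines as above and a netfilter script whose only change from the page's version is the LOG/DROP pair per chain. Note that parse() validates addresses before any rule is emitted, so a rule such as (10.0.0.1/8) is rejected instead of silently producing a rule that matches something other than what was intended.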

Download

Mailing-Lists

Three mailing-lists are available to follow development and news:

To subscribe to the lists, click on their respective links below.

Note: the hlfl list is itself subscribed to hlfl-announce, so you do not need to subscribe to both lists.

Links

HLFL is used in a variety of projects, some of which are listed below. If your project uses it but is not listed, just drop me a mail: alaunay@cusae.com.

Some of the docs are available in different languages:

HLFL has been binary packaged in the most classical distributions:

HLFL's Freshmeat resume



Copyright © 2000-2005, HLFL Project
