What is ITVal?

ITVal is the IP Tables Validator, an open source query engine for detecting configuration holes in IP Tables. ITVal helps system administrators better understand their firewall security policy by allowing them to ask simple questions about their system and view the answers in a simple and concise format. It is the work of Robert Marmorstein and Dr. Phil Kearns at the College of William and Mary.

How can I use ITVal?

ITVal has a simple command line interface which allows you to specify a rule file and a query file to be processed. The rule file can be obtained using the command iptables -L -n on your firewall. The query file can be written using a very simple English-like language (query examples can be found on the documentation page). Output is generated to stdout, but can be redirected to a file.

What can it do?

Currently, ITVal can process simple IPTables filtering rules on a single firewall. Work is underway to support NAT and packet mangling and to support composition of multiple firewall rulesets.

What can't it do?

ITVal is designed to work with the NetFilter firewall system in Linux 2.4 and 2.6 systems. It does not support ipfw, ipchains, or commercial firewalls such as Checkpoint FW-1.