As a demonstration, I'm running isowall on a "Raspberry Pi", a $50 hobbyist Linux machine. The laptop in this picture may be infected with a virus. I want the laptop to still access the Internet, but not access my local network, where it may spread the infection. As you can see, the laptop has a direct Ethernet link to the Raspberry Pi running isowall (short purple cable to white USB Ethernet), which then links to the rest of my home network (grey cable).
The command-line on the Raspberry Pi looks like the following. As you can see, the infected laptop has an IP address of 10.20.30.207 and connects via 'eth1', but it can only exchange packets with the local router (and hence the Internet), and not any of the other devices on the local network.
The security guarantee of isowall rests on the fact that there is no TCP/IP stack bound to 'eth1'. Isowall has its own TCP/IP stack. Today's firewalls fail because they are extensions to the existing network stack of the operating system. This introduces a huge attack surface and a lot of complexity, meaning hackers can attack the firewalls themselves, and users will misconfigure firewall rules. What isowall does is separate the two duties: TCP/IP firewalling is done wholly separate from the Linux TCP/IP stack.
You can see this principle when you run 'ifconfig'. As you can see, 'eth1' has no IP address assigned to the network adapter. The infected machine can attack this Ethernet port all it wants; it won't get anywhere, because there's nothing listening on that Ethernet except for isowall.
Another security guarantee that isowall provides is that it prevents common user configuration errors. It has the simplest, most necessary configuration options possible. This is shown in the above picture, where all the options are specified on the command-line. This means all options can be read to verify that you are secure.
Let's say that you do something wrong, and add an IP address to 'eth1'. If isowall detects this, it will refuse to start up. If this is done after isowall is running, it'll shut down with a nasty warning message, as shown below.
Lastly, there is another security guarantee: simple code. All the TCP/IP packet parsing and evaluation is contained in the function "is_valid()" at the top of the file "main.c" in the isowall source code. Anybody can read this code and verify that isowall doesn't have a bug that would allow a hacker to bypass or attack the firewall.
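To make the "one small function" idea concrete, here is an added example of what such a check looks like; it is not isowall's own is_valid() from main.c. It bridges frames between the isolated laptop (10.20.30.207 from the demo) and the router only; the router's MAC and IP address, the 10.20.30.0/24 subnet and the direction flag are assumptions I made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed policy for the demo above; router MAC/IP and the /24 are assumptions. */
static const uint8_t ISOLATED_IP[4] = {10, 20, 30, 207};
static const uint8_t ROUTER_IP[4]   = {10, 20, 30, 1};
static const uint8_t ROUTER_MAC[6]  = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t LAN_PREFIX[3]  = {10, 20, 30};          /* 10.20.30.0/24 */
enum { FROM_ISOLATED = 0, FROM_EXTERNAL = 1 };
/* Only the router or an off-LAN (Internet) address may be the laptop's IP peer. */
static int ok_peer_ip(const uint8_t ip[4])
{
    return memcmp(ip, ROUTER_IP, 4) == 0 || memcmp(ip, LAN_PREFIX, 3) != 0;
}
/* Return 1 if the frame may be bridged, 0 if it must be dropped. dir is the
 * adapter it arrived on. Only IPv4, plus the ARP needed to reach the router,
 * is ever forwarded; IPv6, LLDP and anything unparseable are dropped. */
int is_valid(const uint8_t *frame, size_t len, int dir)
{
    if (len < 14) return 0;
    const uint8_t *dst_mac = frame, *src_mac = frame + 6;
    const uint8_t *peer_mac = (dir == FROM_ISOLATED) ? dst_mac : src_mac;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype == 0x0806) {                     /* ARP: laptop <-> router only */
        static const uint8_t hdr[6] = {0, 1, 8, 0, 6, 4};  /* Ethernet / IPv4 */
        if (len < 42 || memcmp(frame + 14, hdr, 6) != 0) return 0;
        const uint8_t *spa = frame + 28, *tpa = frame + 38;
        if (dir == FROM_ISOLATED)       /* a request may be broadcast: no MAC check */
            return memcmp(spa, ISOLATED_IP, 4) == 0 && memcmp(tpa, ROUTER_IP, 4) == 0;
        return memcmp(src_mac, ROUTER_MAC, 6) == 0 && memcmp(spa, ROUTER_IP, 4) == 0
            && memcmp(tpa, ISOLATED_IP, 4) == 0;
    }
    if (ethertype != 0x0800 || len < 34 || (frame[14] >> 4) != 4) return 0;
    size_t ihl = (frame[14] & 0x0f) * 4u;
    if (ihl < 20 || len < 14 + ihl) return 0;
    if (memcmp(peer_mac, ROUTER_MAC, 6) != 0) return 0;    /* MAC peer must be router */
    const uint8_t *src_ip = frame + 26, *dst_ip = frame + 30;
    if (dir == FROM_ISOLATED)
        return memcmp(src_ip, ISOLATED_IP, 4) == 0 && ok_peer_ip(dst_ip);
    return memcmp(dst_ip, ISOLATED_IP, 4) == 0 && ok_peer_ip(src_ip);
}
/* Build a minimal IPv4-over-Ethernet frame (constructed input for trying the filter). */
size_t make_ipv4_frame(uint8_t *buf, const uint8_t dmac[6], const uint8_t smac[6],
                       const uint8_t sip[4], const uint8_t dip[4])
{
    memset(buf, 0, 34); memcpy(buf, dmac, 6); memcpy(buf + 6, smac, 6);
    buf[12] = 0x08; buf[13] = 0x00; buf[14] = 0x45;       /* IPv4, IHL 5 */
    memcpy(buf + 26, sip, 4); memcpy(buf + 30, dip, 4);
    return 34;
}
```

Note that a frame addressed to the router's MAC but carrying a local-network destination IP is still dropped, which is the case a MAC-only bridge filter would miss.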
Conclusion
Isowall is for the paranoid. Let's say that you fear the smartest hackers in the world have infected your laptop. You want to connect it to the Internet so you can analyze what it's doing, but you don't want the infection to spread. Isowall is probably the best guarantee you'll get.
Notes: In the above demonstration, notice the option "--reuse-external". Isowall is actually intended for use in systems with three adapters, where you control the system over 'eth0', then bridge between 'eth1' and 'eth2'. However, the Raspberry Pi has power issues, and can't always power two additional Ethernet adapters. Thus, I use 'eth0' both for the control connection (with an operating system IP address) and the 'external' network. This is perfectly secure as far as I can tell, though it breaks the model a bit.