> > Various scripts like sea-wall, Matthew Grant's scripts, and many
> > 'click the box & build a script' type programs. These solutions
> > can be very easy to use, and configurable (to an extent), but they
> > quickly run into problems when dealing with arbitrary situations
> > that were not planned for by the script writers.
>
> What about things like Mason, which scan typical traffic and
> implement rules to match? Problem with Mason is it relies on Perl
> (not nice in an embedded context).
This might work for a single user, or small network, but fails miserably in
a large network environment. Plus, I'm more of a 'correct by design' kind
of guy...
> > So, what is a firewall?
>
> You really ARE going to the beginning, aren't you? But this is a
> Good Thing...
:->
> > What I alluded to previously, and am rapidly warming to the more I
> > think about it, is an object oriented mechanism for building
> > firewalls. Sort of a firewall construction kit, but very much in
> > the abstract.
>
> An interesting idea. It occurs to me that this could be done in esh
> (EasyShell) which is LISP-oriented. I don't know how robust it is,
> or how developed, but I DID compile it for LRP and create a package
> for it. However, I think it requires libreadline (which I also have
> in a package).
Lisp (or something lisp-like) would probably do well at processing the
files, but then so would x86 assembly (which is of course, what is
ultimately going to be used :> )
I really don't want to think too much about any implementation details, as
I'm still wrestling with how best to describe a firewall. Once this
structure is worked out, making shell, forth, esh, or whatever parse the
description should be reasonably straightforward.
> Using pseudo-Smalltalk, it could be a hierarchy like this:
>
> Class Network
> Subclass Internet
> Subclass Masqueraded-Network
> Subclass DMZ-Network
>
> However, I don't know that interactions BETWEEN the networks would be
> modifiable in an OO environment - allowing something from a
> Masqueraded-Network but not the Internet.
This is along the lines of what I'm thinking...the problem is specifying and
structuring all the interactions in a way that makes sense, while not
losing any functionality by generalizing too much (or wind up making it
just as hard to customize as hand-editing the scripts in the first place).
Then there's the problem of setting up NAT, proxy-arp, bridging, QoS...
<EEK!!!>
> > I think shell-script is more than capable enough to parse and
> > process the hierarchal tree of object based configuration documents
> > (more buzz-word compliance :>), and we could even leverage <steal>
> > an existing object-based text language (like XML or somesuch), as
> > long as the actual requirements of defining a firewall are clearly
> > defined and well understood.
>
> Ohhhh? Another possibility: eforth. I find FORTH to be very nice,
> and is one of my favorite languages - right up there with Smalltalk
> and C :-)
Forth is pretty cool. Interpreted languages in general provide a method to
create powerful functions in minimal space (like shell-script, the
interpreted language of LRP), and are very appropriate for thin or embedded
systems, where space is at a premium.
> PS: If you want to use buzzwords, better spell 'em right :-)
Never was much good at spelling :<
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
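The thread sketches networks as a class hierarchy but worries that the interactions between them (allow something from the masqueraded LAN but not from the Internet) do not fit in the hierarchy itself. The following is an added example, not code from the thread or from the LEAF/LRP project, of one way to structure that: the Network subclasses carry only traits (masqueraded, routable), the allowed interactions live in a separate table keyed on the (source, destination) pair, and a compile step turns the description into iptables commands. The interface names, address blocks, the three-legged layout and the choice of iptables as the output format are all assumptions made for illustration; the thread names no rule engine.

```python
"""Firewall 'construction kit' sketch: networks as a class hierarchy, the
interactions between them as a separate policy table, compiled to iptables
commands.  Added example, not code from the thread or the LEAF/LRP project;
interface names, address blocks and the iptables output format are assumed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Network:
    """A segment attached to the firewall. Traits live on the class;
    the concrete interface and address block are per instance."""
    name: str
    iface: str   # assumed interface name, e.g. "eth0"
    cidr: str    # assumed address block
    masqueraded = False   # source-NAT this network when it talks to the Internet
    routable = True       # addresses reachable from outside without NAT


class Internet(Network):
    pass


class MasqueradedNetwork(Network):
    masqueraded = True
    routable = False      # private addresses: nothing can be forwarded *to* them directly


class DMZNetwork(Network):
    pass


@dataclass(frozen=True)
class Flow:
    """One permitted interaction. Policy is a property of the (src, dst) pair,
    not of either network's class, which is what lets the same DMZ accept ssh
    from the masqueraded LAN and refuse it from the Internet."""
    src: Network
    dst: Network
    proto: str
    dport: int


class Firewall:
    def __init__(self, networks: List[Network]):
        self.networks = list(networks)
        self.flows: List[Flow] = []

    def allow(self, src: Network, dst: Network, proto: str, dport: int) -> None:
        if src not in self.networks or dst not in self.networks:
            raise ValueError("unknown network")
        if src is dst:
            raise ValueError("hairpin flows are not forwarded")
        if isinstance(src, Internet) and not dst.routable:
            # An ACCEPT rule here would never match: masqueraded hosts have no
            # public address. Reaching them needs DNAT, which this kit does not model.
            raise ValueError(f"{dst.name} is not reachable from {src.name} without DNAT")
        self.flows.append(Flow(src, dst, proto, dport))

    def permits(self, src: Network, dst: Network, proto: str, dport: int) -> bool:
        """Answer the policy question from the model, without touching the kernel."""
        return Flow(src, dst, proto, dport) in self.flows

    def compile(self) -> List[str]:
        """Emit iptables commands: default deny, reply traffic, anti-spoofing,
        the explicit flows, then source NAT for masqueraded networks."""
        rules = [
            "iptables -P FORWARD DROP",
            "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        ]
        for n in self.networks:
            if not isinstance(n, Internet):
                # packets arriving on an inside interface must carry that network's source
                rules.append(f"iptables -A FORWARD -i {n.iface} ! -s {n.cidr} -j DROP")
        for f in self.flows:
            rules.append(
                f"iptables -A FORWARD -i {f.src.iface} -o {f.dst.iface} "
                f"-s {f.src.cidr} -d {f.dst.cidr} -p {f.proto} --dport {f.dport} "
                f"-m state --state NEW -j ACCEPT")
        for m in self.networks:
            if m.masqueraded:
                for inet in self.networks:
                    if isinstance(inet, Internet):
                        rules.append(f"iptables -t nat -A POSTROUTING -s {m.cidr} "
                                     f"-o {inet.iface} -j MASQUERADE")
        return rules


def build_example() -> Firewall:
    """Constructed three-legged setup; every name and address here is made up."""
    inet = Internet("internet", "eth0", "0.0.0.0/0")
    lan = MasqueradedNetwork("lan", "eth1", "192.168.1.0/24")
    dmz = DMZNetwork("dmz", "eth2", "192.0.2.0/24")
    fw = Firewall([inet, lan, dmz])
    fw.allow(inet, dmz, "tcp", 80)    # anyone may reach the web server
    fw.allow(lan, dmz, "tcp", 22)     # only the LAN may ssh into the DMZ
    fw.allow(lan, inet, "tcp", 443)   # LAN browses out, masqueraded
    return fw


if __name__ == "__main__":
    print("\n".join(build_example().compile()))
```

The point of keeping the policy out of the class hierarchy is that `permits(lan, dmz, "tcp", 22)` and `permits(inet, dmz, "tcp", 22)` can differ even though both destinations are the same DMZ object; the hierarchy only contributes the constraints that hold regardless of policy, such as refusing a forward rule from the Internet into a masqueraded network that could never match. NAT, proxy-arp, bridging and QoS would each need their own compile step on top of this, which is where the hand-edited script becomes hard to beat.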
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel