On Wed, 3 Jan 2001, Mike Sensney wrote:

> Here is my attempt at restating the problem.

(Steps in holding up a REALLY LARGE Stop Sign)

Not picking on you Mike, but you're the first to step out into the open on
this issue, and the first to do more than hint about the possibility. 

Are we looking at a rewrite of how firewalling configuration is done? Or
are we looking at redoing firewalling altogether? The latter seems to me
like reinventing the fifth wheel. I don't see it going that way
necessarily, but failing to clarify this right now in the early phases
could lead to a lot of misunderstandings and "wasted" work.
 
> Charles mentions the various tools in current use, like Seawall and 
> the extended scripts and what is wrong with them. (Not easily 
> extended and/or modified beyond their original limited purpose.)

Sounds like application layer, which is good...
 
> Where I see the problem is that current routing/firewall design 
> philosophy centers on the router. Instead the focus should be on 
> subnets and how the various subnets in a network relate to each 
> other. Then finally what routers are used to connect the subnets.

To me, this sounds like an implementation of VPN/IPSec/Tunnels rather than
straight firewalling. Realise too, that if we want to get technical and
proper, LRP DOESN'T firewall, it filters packets. 
 
> Take a real world problem like Charles' TX facility. You should be 
> able to describe the TX facility (or any other network) to our 
> hypothetical compiler as one unified specification. Then the compiler 
> should be able to generate the firewall/routing rules for each and 
> every router on the network, including the Cisco from the one unified 
> specification.

Ideally, yes. The problem there lies with how exactly you get the program
to understand what it's looking at. It's a lot easier to write a program
that parses a text file for keywords and changes them into IPChains,
Netfilter, ipfwadm, or Cisco ACL commands than it is to get the same
program to understand basic and intermediate level networks intelligently
enough to be able to turn a diagram into a fully-functioning and effective
firewall. 

Personally, I'd like this more than just the firewall builder, because it
would then mean that you could quite easily configure the entire LRP
system. 

One of the things that would be (almost) required is a secondary system
though, which is similar to either what Donovan was suggesting - run it on
a workstation, and copy the files to the target system - or possibly
something along the lines of modmaker, where you go to a website and
configure it for your network there. Personally, I'd rather see something
that can run via a small webserver like Charles' weblet stuff, but that's
me.

As an aside, speaking of modmaker, I took a look at the stuff that I got
from Ray a little while back, and quickly realised that I was way in over
my head. What's worse is that Mozilla wouldn't display it. I think that,
if Modmaker is to ever reappear in the light of day, it would require a
ground-up rewrite. =( It's been suggested to me by a friend of mine that
PHP and shell scripts may not be the best way to do that, so I'm going to
investigate some other options, that I may end up being able to tie back
into the OO-firewall stuff. I'll keep everyone posted.
 
--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]
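The "text file of keywords" to rule-set translator discussed in this message, as an added example that is not part of the original post and not LEAF/LRP code: a subnet-centric spec (subnets, allowed flows between them, then which routers connect which subnets) compiled into ipchains and Cisco extended-ACL text per router. The spec format, names and addresses are constructed assumptions.

```python
"""Toy unified-spec compiler: one spec, per-router rules for two backends.
Constructed example; SPEC format is an assumption, not a LEAF/LRP format."""
from ipaddress import ip_network

SPEC = {  # constructed sample network
    "subnets": {"lan": "192.168.1.0/24", "dmz": "192.168.2.0/24",
                "wan": "0.0.0.0/0"},
    # allowed flows only; everything else is denied by default
    "policies": [("lan", "dmz", "tcp", 80), ("dmz", "wan", "tcp", 25)],
    # routers are described last, by the subnets they connect
    "routers": {"lrp1": ["lan", "dmz"], "cisco1": ["dmz", "wan"]},
}


def wildcard(net):
    """Cisco ACLs take an inverted (wildcard) mask, not a prefix length."""
    return str(ip_network(net).hostmask)


def compile_router(spec, router, backend):
    """Emit the rules one router needs, followed by a default-deny rule."""
    attached = set(spec["routers"][router])
    subnets = spec["subnets"]
    rules = []
    for src, dst, proto, port in spec["policies"]:
        # a router only needs rules for flows that actually cross it
        if src not in attached or dst not in attached:
            continue
        s, d = subnets[src], subnets[dst]
        if backend == "ipchains":
            rules.append(f"ipchains -A forward -p {proto} -s {s} -d {d} "
                         f"{port} -j ACCEPT")
        elif backend == "cisco":
            sn, dn = ip_network(s), ip_network(d)
            rules.append(f"access-list 101 permit {proto} "
                         f"{sn.network_address} {wildcard(s)} "
                         f"{dn.network_address} {wildcard(d)} eq {port}")
        else:
            raise ValueError(f"unknown backend {backend}")
    rules.append("ipchains -P forward DENY" if backend == "ipchains"
                 else "access-list 101 deny ip any any")
    return rules


if __name__ == "__main__":
    for router, backend in (("lrp1", "ipchains"), ("cisco1", "cisco")):
        print(f"# {router}")
        print("\n".join(compile_router(SPEC, router, backend)))
```

Adding a backend (e.g. netfilter) is a new `elif` branch; the subnet and policy description stays untouched, which is the point of compiling from one specification.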




_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel