On 4 Jan 2001, at 2:36, Charles Steinkuehler wrote:
> > One of the things that would be (almost) required is a secondary
> > system though; which is similar to either what Donovan was
> > suggesting - run it on a workstation, and copy the files to the
> > target system -
>
> I don't think a secondary system is a requirement...you can do lots of
> very powerful things in shell script, and the code is usually pretty
> small. If necessary, some C code could be written to do things that
> were too cumbersome (or impossible) in shell-script, or possibly to
> speed up digesting of the configuration files.

In my mind, doing it on the firewall is a requirement. Take ours,
for example - it doesn't have ftp, or ftpd, or telnet, or nc, or
wget, or snarf, located on it anywhere. About the only way to get
things there is either scp or by putting a disk in - and most of the
time it will be the latter, as scp isn't installed on most stations
here.

Also, a firewall to me is a little more dynamic than you all seem to
be implying - add FTP briefly, take it out, add SSH for a specific
station, take it out, ... rules change. I'd hate to have to compile
a new set of rules every time and then copy them to disk and....
> I'm just looking for a way to describe the functionality in a
> clearer and more consistent manner than the conventional startup
> scripts and multiple config files...

As am I. My complaints against current implementations (to iterate)
are these:
1. They only generate ipchains on a one-shot deal; if you want to
repeat you have to regenerate the script and rerun it. These
utilities usually generate a shell script with all of the ipchains
rules in it.
2. They require great big things like Perl to run - and so won't run
on a small system like LRP/Oxygen/EigerStein.
3. Rather than hide the rules, they tend to "create" them - there is
no abstraction, just a rules generator.

My goals:
* Abstract the firewall concepts sufficiently so a regular person can
actually understand it (!)
* Use functions and whatever scripts to make "programming" easy for a
regular person (!)
* Use functions and whatever scripts to make firewall design simple
and powerful in the hands of the expert
> it's a shame this couldn't happen
> ITRW (the instant feedback & interaction when brain-storming is one of
> the big things lost in e-mail or other written communication).

Conference call?? Hmmm....

--
David Douthitt
UNIX Systems Administrator
HP-UX, Linux, Unixware
[EMAIL PROTECTED]
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
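The shell-function abstraction discussed above (open a service, open it only for one station, take it out again without regenerating a whole rule script), written out as an added example that is not code from the thread or from the LEAF project. EXT_IF, EXT_IP and FW_CMD are hypothetical names; FW_CMD defaults to echoing the ipchains commands so the script runs without root or a 2.2 kernel.

```sh
#!/bin/sh
# Added example, not from the thread: a few shell functions that hide the
# ipchains rule syntax behind "allow"/"deny" verbs, so a rule can be added
# and removed on the live firewall instead of regenerating a script.
EXT_IF=eth0                      # external interface (assumed name)
EXT_IP=192.0.2.10                # firewall's external address (constructed)
FW_CMD=${FW_CMD:-echo ipchains}  # dry run by default; FW_CMD=ipchains on the box

# Build the rule spec that admits new TCP connections to one local service.
# $1 = TCP port, $2 = optional source host/net (default: anywhere).
# "-y" matches only SYN packets, so this covers connection setup only;
# established traffic is assumed to be handled by a general rule elsewhere.
tcp_service_rule() {
    echo "input -i $EXT_IF -p tcp -s ${2:-0/0} -d $EXT_IP $1 -y -j ACCEPT"
}

# Open a service: append the rule to the input chain.
allow_tcp_service() {
    $FW_CMD -A $(tcp_service_rule "$@")
}

# Close it again: delete the identical rule (ipchains -D matches by spec).
deny_tcp_service() {
    $FW_CMD -D $(tcp_service_rule "$@")
}

# Demo of the "add FTP briefly, add SSH for one station, take FTP out" flow.
allow_tcp_service 21
allow_tcp_service 22 10.1.1.5
deny_tcp_service 21
```

Run with `FW_CMD=ipchains` on a 2.2-kernel box to apply the rules for real; the default only prints the commands it would issue.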