On 4 Jan 2001, at 4:15, George Metz wrote:
> On Wed, 3 Jan 2001, David Douthitt wrote:
> Ouch. So you're looking to do this on the fly without flushing and
> recreating all the rules? Could be interesting...
No, not really. See below.
This is what I'm thinking of: the typical one-shot firewall rules
generator goes like this (say, to change an SMTP server):
1. Run generator
2. Answer a lot of questions:
Do you want DNS? yes
From where? internal
To where? 999.999.999.999
Do you want telnet?
...and so on
3. Save script
4. Install script
5. Restart machine/rules
I'm envisioning this:
1. Edit text configuration file
2. Find line that says:
allow smtp from any-inside to 10.1.1.1
3. Change line to
allow smtp from any-inside to 10.9.7.7
4. Restart rules (not machine)
The time savings are good, and the maintainability and comprehension
are much better.
> Define here what you mean by abstraction, please? You managed to
> lose me mostly here, as that's what I've been envisioning. Unless
> of course you meant that they're nothing more than a formatter for
> the actual rulesets.
I'm not sure what you mean by formatter, but here is what I'm
envisioning now (whipping syntax out on the fly):
----clip----
network inside {
expect 172.16.0.0/16;
network-interface eth0;
interface masq;
}
network world {
expect any;
network-interface eth1;
interface route;
}
proto smtp {
source-port unpriv;
dest-port 25;
proto-type tcp;
}
host any-inside {
network inside;
ip 172.16.0.0/16;
}
host smtp-server {
network world;
ip 10.9.7.7;
}
allow smtp from any-inside to smtp-server
----clip----
How's that?
Hidden assumptions would be a) a reject-or-deny-all policy; b) reject
all malformed and surprising packets. The only thing the writer really
needs to be concerned about is allowing services.
--
David Douthitt
UNIX Systems Administrator
HP-UX, Linux, Unixware
[EMAIL PROTECTED]
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
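The sketch above (network/proto/host blocks plus one-line `allow` statements, with deny-all and malformed-packet dropping as hidden assumptions) is concrete enough to compile. What follows is an added example, not code from the post or from the LEAF project: a small Python compiler that parses that syntax and emits iptables commands. Everything about the backend is an assumption, since the post names none: a Linux router filtering in the FORWARD chain, `expect` used as an anti-spoofing filter on the inbound interface, `interface masq` mapped to a MASQUERADE rule, and `unpriv` meaning ports 1024:65535. The sample input is the post's own sketch, transcribed inline (with the host's undefined `network internet` written as `network world`), and the compiler refuses an `allow` line that names an undefined host, proto or network rather than silently emitting a rule.

```python
import re

# Constructed sample input: the syntax sketched in the post. The second host
# refers to "network world" so that every reference resolves to a definition.
SAMPLE = """
network inside {
    expect 172.16.0.0/16;
    network-interface eth0;
    interface masq;
}
network world {
    expect any;
    network-interface eth1;
    interface route;
}
proto smtp {
    source-port unpriv;
    dest-port 25;
    proto-type tcp;
}
host any-inside {
    network inside;
    ip 172.16.0.0/16;
}
host smtp-server {
    network world;
    ip 10.9.7.7;
}
allow smtp from any-inside to smtp-server
"""

BLOCK_RE = re.compile(r"(network|proto|host)\s+([\w.-]+)\s*\{([^}]*)\}")
ALLOW_RE = re.compile(r"^\s*allow\s+([\w.-]+)\s+from\s+([\w.-]+)\s+to\s+([\w.-]+)\s*$", re.M)
PORT_NAMES = {"unpriv": "1024:65535", "priv": "0:1023"}  # assumed port aliases


def parse(text):
    """Return ({'network': {...}, 'proto': {...}, 'host': {...}}, [(proto, src, dst), ...])."""
    defs = {"network": {}, "proto": {}, "host": {}}
    for kind, name, body in BLOCK_RE.findall(text):
        entries = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, value = stmt.partition(" ")
                entries[key] = value.strip()
        defs[kind][name] = entries
    return defs, ALLOW_RE.findall(text)


def compile_rules(defs, allows):
    """Turn parsed definitions into iptables commands (assumed backend)."""
    nets, protos, hosts = defs["network"], defs["proto"], defs["host"]
    rules = [
        # Hidden assumption (a): deny-all policy on every chain.
        "iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT DROP",
        # Hidden assumption (b): drop malformed / out-of-state packets first.
        "iptables -A FORWARD -m state --state INVALID -j DROP",
    ]
    # 'expect' doubles as an anti-spoofing filter: nothing else may enter on that interface.
    for net in nets.values():
        if net["expect"] != "any":
            rules.append(f"iptables -A FORWARD -i {net['network-interface']} ! -s {net['expect']} -j DROP")
    rules.append("iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for proto_name, src_name, dst_name in allows:
        try:
            proto, src, dst = protos[proto_name], hosts[src_name], hosts[dst_name]
            src_net, dst_net = nets[src["network"]], nets[dst["network"]]
        except KeyError as missing:
            # Refuse to emit anything for a dangling reference; a typo must not become a hole.
            raise ValueError(f"allow {proto_name} from {src_name} to {dst_name}: undefined {missing}") from None
        sport = PORT_NAMES.get(proto["source-port"], proto["source-port"])
        rules.append(
            f"iptables -A FORWARD -i {src_net['network-interface']} -o {dst_net['network-interface']}"
            f" -p {proto['proto-type']} -s {src['ip']} --sport {sport}"
            f" -d {dst['ip']} --dport {proto['dest-port']} -m state --state NEW -j ACCEPT"
        )
        # Assumed meaning of 'interface masq': NAT this network when it leaves via a routed one.
        if src_net.get("interface") == "masq" and dst_net.get("interface") != "masq":
            rules.append(f"iptables -t nat -A POSTROUTING -s {src['ip']} -o {dst_net['network-interface']} -j MASQUERADE")
    return rules


def rules_for(text):
    """The 'edit the file, restart the rules' step: regenerate everything from the text."""
    return compile_rules(*parse(text))


if __name__ == "__main__":
    print("\n".join(rules_for(SAMPLE)))
```

Changing the SMTP server is then exactly the edit described in the post: change `ip 10.9.7.7` in the `smtp-server` block and rerun, and the one forwarding rule that mentions it changes with it. Note that the emitted rules only cover traffic forwarded through the box; the router's own INPUT and OUTPUT chains are left at DROP and would need their own `allow` lines in a real deployment.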