On 14 Jan 2001, at 20:21, Scott C. Best wrote:
> Yes, agreed. Taking this to an extreme, you could wrap a user login
> for, say, ~firewall, into a custom shell that had nothing *but*
> compiled firewall configuration commands.
> I'm working with some others to build something like this now,
> tying it closely with ssh host-authentication for remote-management
> capability. Seems promising...

This is very interesting. I'm thinking that writing a program in
Ruby to handle this would be a good way to go - except that Ruby
doesn't run under LEAF yet, and is huge by LEAF standards. It
wouldn't be that hard to create a login under LEAF that would act as
a network transfer agent, then receive only firewall commands via an
ssh-encrypted session.

Only thing is, I'm not sure of the security implications of being
able to do this. Sounds scary to me - configuring the firewall on
the fly via the network? One sure way to bring down a firewall if it
can be configured from the outside....

As for Ruby, since it is OO, it wouldn't be hard to wrap the actual
ipchains commands up into a Class and hide the details, so that
iptables, ipchains, or ipfwadm could be used at will just by changing
the method definitions in the Class.

Thoughts?
--
David Douthitt
UNIX Systems Administrator
HP-UX, Linux, Unixware
[EMAIL PROTECTED]
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
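
The two ideas in this thread, a login that accepts nothing but firewall commands and a class that hides whether ipchains or iptables sits underneath, sketched together as an added example; it is not code from either poster or from the LEAF project. The one-line command grammar, the class names and RejectedCommand are hypothetical, and ipfwadm is left out.

```ruby
require "ipaddr"

# Hypothetical grammar: (allow|deny) (tcp|udp) <port> [from <ipv4[/len]>]
# Anything else, including a trailing newline or shell syntax, is refused.
GRAMMAR = /\A(allow|deny) (tcp|udp) (\d{1,5})(?: from (\S+))?\z/

class RejectedCommand < StandardError; end

# Each backend turns a validated rule into an argv array, never a shell
# string, so a caller can run it with system(*argv) and no shell is involved.
class IpchainsBackend
  TARGETS = { "allow" => "ACCEPT", "deny" => "DENY" }.freeze
  def argv(action, proto, port, source)
    ["ipchains", "-A", "input", "-p", proto, "-s", source,
     "-d", "0.0.0.0/0", port.to_s, "-j", TARGETS.fetch(action)]
  end
end

class IptablesBackend
  TARGETS = { "allow" => "ACCEPT", "deny" => "DROP" }.freeze
  def argv(action, proto, port, source)
    ["iptables", "-A", "INPUT", "-p", proto, "-s", source,
     "--dport", port.to_s, "-j", TARGETS.fetch(action)]
  end
end

class FirewallShell
  def initialize(backend)
    @backend = backend
  end

  # Parse one command line; raise RejectedCommand on anything off-grammar.
  def translate(line)
    m = GRAMMAR.match(line) or raise RejectedCommand, "not a firewall command"
    port = m[3].to_i
    raise RejectedCommand, "port out of range" unless (1..65_535).cover?(port)
    @backend.argv(m[1], m[2], port, canonical_source(m[4] || "0.0.0.0/0"))
  end

  private

  # Re-serialise the address from the parsed value, never from the raw text.
  def canonical_source(text)
    addr = IPAddr.new(text)
    raise RejectedCommand, "IPv4 only" unless addr.ipv4?
    "#{addr}/#{addr.prefix}"
  rescue IPAddr::Error
    raise RejectedCommand, "bad source address"
  end
end
```

Swapping IptablesBackend for IpchainsBackend changes the emitted argv without touching the parser, which is the "change the method definitions" point made above; the remote side can only ever reach the two rule shapes the grammar names.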