At 08:50 AM 01/16/2001 -0600, David Douthitt wrote:
>On 16 Jan 2001, at 0:53, Mike Sensney wrote:
>
> > I would suggest some sort of watchdog feature. If the ssh link
> > breaks then revert to the previous configuration.
>
>I don't know about LRP 2.9.4 and its descendents, but LRP 2.9.7 and
>all descendents (including Oxygen) come with a watchdog daemon;
>Oxygen comes with it disabled, since I have had repeated reboots when
>the watchdog decided things were too slow and it wouldn't give up.
>I'll have to be convinced its useful and reliable, I guess.  Nothing
>like working away to have the system just suddenly reboot on you.

I didn't phrase it quite right. This watchdog should watch the ssh connection
when you are making firewall rule changes. If the ssh connection goes down
and does not get restored within a minute or two, then it should revert to
the previous firewall rule configuration. This should keep you from
inadvertently locking yourself out of your router.


> > You might want to look at hlfl before you implement this.
>
>Interesting!  Though an OO firewall configuration tool from Ruby is
>probably just the thing - I'll have to check the Ruby Application
>Archives...
>
> > I just compiled it and after stripping the executable it comes to
>37964
> > bytes.
>
>I got 32604 bytes for hlfl - what did we do differently?

It's the compiler. I was using gcc-2.91.66 (egcs-1.1.2) since I was thinking
about looking at the 2.4 kernel.

I just did a test compile of hlfl using both compilers, along with strip and
upx. (I ran upx on the stripped binaries.)


version    slink gcc   new gcc
size       92,818      93,882
stripped   32,608      37,964
upx        13,320      14,051

> > It generates rules for BSD ipfw, Darren Reeds's ipfilter, Linux
> > ipfwadm, ipchains and netfilter, and Cisco, though they mention
> > that the netfilter and Cisco rule generation have yet to be tested.
> > For LEAF/LRP usage we could make target specific versions. For
> > instance an ipchains-only  version should be less than 15K.
>
>Interesting!  Though I did not see any quick and simple way to
>extract the others - though they may be worth keeping.  You can
>create a package that would then run on LRP 2.9.4 and Trevor's Disk
>(ipfwadm); LRP 2.9.7, Eiger, EigerStein, Oxygen (ipchains); and the
>new crop using Linux 2.4 ....

Remove target references from main() in hlfl.c and Makefile.

I just made an ipchains-only version and compiled. It worked. Stripped size
is 15,104. Upx took the size down to 8,786. This was a hack job; usage()
should be fixed and main() cleaned up a bit. (In the long term, a better fix
would be to put in conditional compile directives.)

>This looks like a very workable "procedural" (or "declarative")
>version of what I had in mind; it's not OO nor as simple as I had in
>mind, but it does satisfy what I wanted: a much more SIMPLE way to
>edit firewall rules on the LEAF system itself.

I personally would like to see a few extra features. What immediately comes
to mind is support for more than just input and output rules.

>I may yet tackle a Ruby firewall generator; despite the use of a
>"generator" probably on a "Big Distro" machine, it would probably be
>a good exercise anyway...

Set it up to go either way:

ruby --------------> ipchains
      |
      +---> hlfl ---> ipchains 


_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
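The "revert unless the ssh session survives" watchdog described near the top of this message, written out as an added example; it is not code from the thread, from LRP/Oxygen or from hlfl. The save, apply and restore steps are passed in as commands, so the pattern is demonstrated with a constructed fake rule store; on an ipchains box the assumed invocations would be something like `ipchains-save >"$1"`, `sh /etc/new-rules` and `ipchains-restore <"$1"`, with `$1` being the backup file.

```shell
#!/bin/sh
# Added example: commit-or-rollback for remote firewall edits.
# start_guarded_change STATE_DIR TIMEOUT SAVE_CMD APPLY_CMD RESTORE_CMD
#   1. run SAVE_CMD with $1 = STATE_DIR/backup (snapshot the running rules)
#   2. run APPLY_CMD; if it fails, run RESTORE_CMD at once
#   3. fork a watchdog that restores the backup unless STATE_DIR/confirm
#      appears within TIMEOUT seconds; the outcome goes to STATE_DIR/result
# The admin confirms from the same ssh session; if that session died, nobody
# confirms and the old rules come back by themselves.
start_guarded_change() {
    dir=$1; timeout=$2; save_cmd=$3; apply_cmd=$4; restore_cmd=$5
    mkdir -p "$dir" && rm -f "$dir/confirm" "$dir/result"
    # snapshot first; if we cannot save, change nothing
    sh -c "$save_cmd" "_" "$dir/backup" || return 2
    # new rules that fail to load are rolled back immediately
    if ! sh -c "$apply_cmd" "_" "$dir/backup"; then
        sh -c "$restore_cmd" "_" "$dir/backup"
        echo reverted > "$dir/result"
        return 1
    fi
    # background watchdog: poll for the confirm file, else restore
    (
        i=0
        while [ "$i" -lt "$timeout" ]; do
            if [ -e "$dir/confirm" ]; then
                echo kept > "$dir/result"
                exit 0
            fi
            sleep 1; i=$((i + 1))
        done
        sh -c "$restore_cmd" "_" "$dir/backup"
        echo reverted > "$dir/result"
    ) &
    echo $! > "$dir/pid"
}

# confirm_change STATE_DIR: proves the session is still alive; keeps the new rules
confirm_change() { touch "$1/confirm"; }

# wait_result STATE_DIR MAXSECS: prints "kept" or "reverted" once the watchdog ends
wait_result() {
    n=0
    while [ "$n" -lt "$2" ]; do
        if [ -s "$1/result" ]; then cat "$1/result"; return 0; fi
        sleep 1; n=$((n + 1))
    done
    echo timeout; return 1
}

# Stand-alone demo with a constructed rule store (a plain file, no ipchains needed):
# the "running" file stands in for the live ruleset.
demo() {
    d=$(mktemp -d)
    echo "ACCEPT all" > "$d/running"
    save='cp "$(dirname "$1")/running" "$1"'
    apply='echo "DENY all" > "$(dirname "$1")/running"'
    restore='cp "$1" "$(dirname "$1")/running"'
    start_guarded_change "$d" 2 "$save" "$apply" "$restore"   # nobody confirms
    echo "unconfirmed change: $(wait_result "$d" 5), rules now: $(cat "$d/running")"
    start_guarded_change "$d" 3 "$save" "$apply" "$restore"
    confirm_change "$d"                                        # session survived
    echo "confirmed change:   $(wait_result "$d" 6), rules now: $(cat "$d/running")"
    rm -rf "$d"
}
```

In real use the confirm step would be typed into the same ssh session that applied the rules (`confirm_change /var/run/fwguard`), which is exactly the test of whether the new ruleset still lets you in; a one-minute timeout, as suggested above, leaves room for a brief hiccup without keeping a bad ruleset around.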