Re: [Leaf-user] thttpd CGI Forms for administrating Firewall through browser
Hi Etienne:

I think it is interesting. I just want to express some thoughts; let me know what all of you think:

One way is to implement the logic at the lrp box itself; while it may be a logical way, I think it's not the better one.

The way I think will be more interesting is to be able to read configs from a (or various) LRP box/es through a secure channel (SSH) and be able to change things via a web interface on a server machine using anything you like, java or perl or whatever you like; then, when you finish the config, transfer the files to the lrp and reboot, probably with filesafe or another mechanism that can boot the last working config; maybe we break something more times than we want :-))

Anyway, I think it's important to keep the lrp as minimalist in concerns about security as you can. The space is important but secondary IMHO now that you can boot from a disk on chip or compactflash with 128 MB or more, but even then, if you use a middle server to do that you can use a normal box and implement as much logic as you want...

I'm listening to what all of you are saying.

What about security of that server? OK, I leave this for discussion too ;-)

Francisco Perez

On Sun 16 Sep 2001 10:13, you wrote:

Hi,

I'd be happy to contribute to a web interface for LEAF

If there are more people interested, we could join our efforts :=)

Here are some ideas

First of all, the combination LRP/Kernel 2.4/Shorewall is not yet very common in the LRP world and I can understand the lack of feedback Eric got about his web interface.

I think that allowing editing existing files through the web interface is a lot of work with a very small ROI, an applet java allowing ssh access could do the job

IMHO, what we need is a higher level interface (like seawall, you have a few simple configuration files and a lot of work done with the data in those files)

I think we could design the web interface as an editor modifying a big file (config.web) containing shell variables definitions and a few scripts which process configuration files templates, replacing the variables in the templates by the actual values from config.web and write actual configuration files in the right place.

example: the local interface ip address (192.168.1.254) is used in a lot of configuration files. the web interface should be able to modify this value everywhere

It should be easy to add modules to the web interface (a set of pages and a set of templates); those pages and templates could be stored in the .LRP files or in separate packages (with another file extension).

now a few questions:

- Should the interface be usable with the floppy version of a LEAF-like distribution (https ? to allow remote management isn't it too big ?)
- Should we try to reuse something existing or build from scratch ?
- Could we build our interface so that we could derive from it a set of web pages or a set of scripts using the dialog command (being usable from the text console)
- how to permit customizations in the templates outside of the web interface (to allow modifications not (yet) possible from the web interface ??
- I think that it's a big project but it should be possible

PS: Maybe we could move on the leaf-devel list or elsewhere ??

Regards
Etienne Charlier [EMAIL PROTECTED]

___
Leaf-user mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user

Re: [Leaf-user] thttpd CGI Forms for administrating Firewall through browser
Hi Etienne, Sandro and the rest of the list

I'd be happy to contribute to a web interface for LEAF

If there are more people interested, we could join our efforts :=)

Here are some ideas

First of all, the combination LRP/Kernel 2.4/Shorewall is not yet very common in the LRP world and I can understand the lack of feedback Eric got about his web interface.

I think you've got a point there.

I think that allowing editing existing files through the web interface is a lot of work with a very small ROI, an applet java allowing ssh access could do the job

This is what I normally use myself, but I thought that there is some interest to do it with a web interface. (a concurrent product fli4l.de uses a Windows program as a frontend)

IMHO, what we need is a higher level interface (like seawall, you have a few simple configuration files and a lot of work done with the data in those files)

That was exactly what I liked about shorewall

I think we could design the web interface as an editor modifying a big file (config.web) containing shell variables definitions and a few scripts which process configuration files templates, replacing the variables in the templates by the actual values from config.web and write actual configuration files in the right place.

That is kind of the way the eigerstein was set up. A problem is usually the multiple different lrp packets. If we could create a small yet complete interface in the packages then the central editfile could take this and return them at the appropriate moment (sounds kind of complicated ;))

example: the local interface ip address (192.168.1.254) is used in a lot of configuration files. the web interface should be able to modify this value everywhere

It should be easy to add modules to the web interface (a set of pages and a set of templates); those pages and templates could be stored in the .LRP files or in separate packages (with another file extension).

I think that is a good approach

now a few questions:

- Should the interface be usable with the floppy version of a LEAF-like distribution

I personally would like it that way.

(https ? to allow remote management isn't it too big ?)

- Should we try to reuse something existing or build from scratch ?

I think it is a good idea to complete the concept and after that look at how much we can use from existing files and how much has to be created new.

- Could we build our interface so that we could derive from it a set of web pages or a set of scripts using the dialog command (being usable from the text console)
- how to permit customizations in the templates outside of the web interface (to allow modifications not (yet) possible from the web interface ??

I think about it :=)

- I think that it's a big project but it should be possible

PS: Maybe we could move on the leaf-devel list or elsewhere ??

I think it is a good idea to move to the leaf-devel list. Perhaps change the subject a bit.

Regards
Etienne Charlier [EMAIL PROTECTED]

Regards to Belgium :)

Eric Wolzak
http://leaf.sourceforge.net/devel/ericw

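Added example (not from any post in this thread): one way to implement the config.web plus templates scheme Etienne describes, reading config.web as data instead of sourcing it and refusing to emit a file that still has an unfilled variable. The @NAME@ placeholder syntax, the unquoted NAME=value format, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: config.web holds plain
# NAME=value lines without quoting, and templates mark a variable as @NAME@.

# render_template CONFIG TEMPLATE -> prints the rendered template on stdout.
# CONFIG is parsed as data and never sourced, so a value cannot run commands.
# Fails with status 1 and no output if any @NAME@ is left without a value.
render_template() {
    script=$(
        while IFS='=' read -r name value; do
            case $name in
                ''|*[!A-Z0-9_]*) continue ;;    # blank line, comment, odd name
            esac
            # Escape what sed treats specially in a replacement: \ & and |
            esc=$(printf '%s\n' "$value" | sed 's/[\\&|]/\\&/g')
            printf 's|@%s@|%s|g\n' "$name" "$esc"
        done < "$1"
    ) || return 1
    out=$(sed -e "$script" "$2") || return 1
    if printf '%s\n' "$out" | grep -q '@[A-Z0-9_][A-Z0-9_]*@'; then
        return 1                                # unresolved placeholder
    fi
    printf '%s\n' "$out"
}

# Stand-alone run on constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'LOCAL_IP=192.168.1.254\nLOCAL_IF=eth1\n' > "$tmp/config.web"
    printf 'ip addr add @LOCAL_IP@/24 dev @LOCAL_IF@\n' > "$tmp/network.tpl"
    render_template "$tmp/config.web" "$tmp/network.tpl"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo
```

Because the values are only ever passed to sed as replacement text, a line such as `LOCAL_IP=$(reboot)` ends up verbatim in the output file rather than being executed by the renderer.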
Re: [Leaf-user] thttpd CGI Forms for administrating Firewall through browser
Hello All, Sandro

hi all

i asked myself, why there is no web-based admin tool for LRP which allows the admin to ENTER something. weblet is great but just a viewer. i first tried to use weblet for HTML forms with post or get method. i found out, that weblet doesn't support any methods.

The weblet does accept input. I used it in my web-based shorewall configuration. If you use the original weblet, then you know that by clicking on the pictures you get other information. In the shorewall configuration weblet, I also used a bash script that runs as a result of sending the form. This is a security risk; the other problem is that to change something essential in the configuration (firewall etc) the weblet has to be run with root rights.

I didn't update the configuration tool, for 2 reasons: got not much time, and no response at all, so I assumed that nobody was interested.

BUT thttpd does! then i tried how to get form entries parsed with bash. i wrote a script which parses the entries from the user by GET method. result is: $[fieldname]=[string by user] it runs with more than one form field

i'm not the bash guru, can someone have a look at my script and tell me, if there is a better way to do that (w/o writing to a temp file).

I'm sorry I didn't have time to try out the script, but I can tell you about my experience with this. I used in my first version a pipe at several places

data is processed | now the second process takes place

and found out that for a reason I couldn't detect this didn't work out every time. The version

data is processed Written_to_tempfile
do something with tempfile

however worked. As you usually don't have lots of users configuring your box ;) the loss of speed with a temp file located in RAM won't be a problem IMHO

i hope this example is useful for those who want to develop some html forms which allow to admin a LRP box through browser.

i know that this is a potential security hole but perhaps someone knows how to protect webpages with a password in thttpd (.htaccess !?)

If there are more people interested, we could join our efforts :=)

greetings
Sandro Minola

(Script at the bottom)

Example Script:

#!/bin/sh
# Split the GET query string into name=value pairs, one per line
STRINGS=`echo $QUERY_STRING | tr '&' ' '`
for STRING in $STRINGS ; do
  echo $STRING >> /var/tmp/wwwget.tmp
done ; unset STRING ; unset STRINGS
# Source the pairs so that every form field becomes a shell variable;
# whatever the request contains is run here as shell code
. /var/tmp/wwwget.tmp
cat <<- /HTML-DATA
Content-type: text/html

<HTML><HEAD><TITLE>HTML Form TEST Page</TITLE></HEAD>
<BODY>
$(echo $NAMEOFFIELD1)
$(echo $NAMEOFFIELD2)
$(echo $NAMEOFFIELD?)
$(rm /var/tmp/wwwget.tmp)
</BODY></HTML>
/HTML-DATA

back again ;)

Eric Wolzak
http://leaf.sourceforge.net/devel/ericw

RE: [Leaf-user] thttpd CGI Forms for administrating Firewall through browser
Hi,

Hi Eric

Nice to hear from you! Thanks a lot for that info!

I read the note

TODO: POST method. I'm not really worried about this, as support for 'post' would only make folks try to use this as a configuration gateway, for LRP, and I really don't think it's secure enough for that.

on Charles' site and based on that I thought that it's just a waste of time to try that with weblet. This was 2 months ago. At this time, I thought that POST is the only form method possible at all... (I'm not the HTML-guy.. :))

You're right, the rights are a big problem. I noticed that 10min after sending this mail to the list. I tried to run thttpd with root rights and it seems that it runs with root rights (ps aux shows that) but no root commands are executed (ipchains and ip commands). I don't have any idea why it won't run. It seems that it runs with weblet... I'll try out my script with weblet.

Have a nice weekend
Sandro Minola

-----Original Message-----
From: Eric Wolzak [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 15, 2001 10:00 PM
To: Sandro Minola; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] thttpd CGI Forms for administrating Firewall through browser

Hello All, Sandro

hi all

i asked myself, why there is no web-based admin tool for LRP which allows the admin to ENTER something. weblet is great but just a viewer. i first tried to use weblet for HTML forms with post or get method. i found out, that weblet doesn't support any methods.

The weblet does accept input. I used it in my web-based shorewall configuration. If you use the original weblet, then you know that by clicking on the pictures you get other information. In the shorewall configuration weblet, I also used a bash script that runs as a result of sending the form. This is a security risk; the other problem is that to change something essential in the configuration (firewall etc) the weblet has to be run with root rights.

I didn't update the configuration tool, for 2 reasons: got not much time, and no response at all, so I assumed that nobody was interested.

BUT thttpd does! then i tried how to get form entries parsed with bash. i wrote a script which parses the entries from the user by GET method. result is: $[fieldname]=[string by user] it runs with more than one form field

i'm not the bash guru, can someone have a look at my script and tell me, if there is a better way to do that (w/o writing to a temp file).

I'm sorry I didn't have time to try out the script, but I can tell you about my experience with this. I used in my first version a pipe at several places

data is processed | now the second process takes place

and found out that for a reason I couldn't detect this didn't work out every time. The version

data is processed Written_to_tempfile
do something with tempfile

however worked. As you usually don't have lots of users configuring your box ;) the loss of speed with a temp file located in RAM won't be a problem IMHO

i hope this example is useful for those who want to develop some html forms which allow to admin a LRP box through browser.

i know that this is a potential security hole but perhaps someone knows how to protect webpages with a password in thttpd (.htaccess !?)

If there are more people interested, we could join our efforts :=)

greetings
Sandro Minola

(Script at the bottom)

Example Script:

#!/bin/sh
# Split the GET query string into name=value pairs, one per line
STRINGS=`echo $QUERY_STRING | tr '&' ' '`
for STRING in $STRINGS ; do
  echo $STRING >> /var/tmp/wwwget.tmp
done ; unset STRING ; unset STRINGS
# Source the pairs so that every form field becomes a shell variable;
# whatever the request contains is run here as shell code
. /var/tmp/wwwget.tmp
cat <<- /HTML-DATA
Content-type: text/html

<HTML><HEAD><TITLE>HTML Form TEST Page</TITLE></HEAD>
<BODY>
$(echo $NAMEOFFIELD1)
$(echo $NAMEOFFIELD2)
$(echo $NAMEOFFIELD?)
$(rm /var/tmp/wwwget.tmp)
</BODY></HTML>
/HTML-DATA

back again ;)

Eric Wolzak
http://leaf.sourceforge.net/devel/ericw
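Added example (not part of any post in this thread, and not Sandro's or Eric's code): one way to read GET fields in a /bin/sh CGI without a temp file and without sourcing request data, which is the step where the script quoted above runs whatever the browser sends. The field names LOCAL_IP and IFNAME and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Field names LOCAL_IP and IFNAME are
# hypothetical. Request data is never eval'd, sourced or written to disk.
# get_field NAME QUERY -> prints NAME's raw value; status 1 if NAME is absent.
# The body is a subshell, so the IFS and globbing changes stay local.
get_field() (
    IFS='&'; set -f             # split on & only, no pathname expansion
    for pair in $2; do
        case $pair in
            "$1="*) printf '%s\n' "${pair#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# is_ipv4 STRING -> status 0 only for four decimal octets in 0..255.
# URL-encoded (%XX) input fails the character check, so nothing is decoded.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in
            ????*|0?*) exit 1 ;;    # too long, or leading zero (octal ambiguity)
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# is_ifname STRING -> status 0 for names like eth0 or ppp0 (1 to 15 characters).
is_ifname() {
    case $1 in ''|*[!a-z0-9]*|????????????????*) return 1 ;; esac
}

# validated_settings QUERY -> prints NAME=value lines, or fails with no output.
validated_settings() {
    ip=$(get_field LOCAL_IP "$1") && is_ipv4 "$ip" || return 1
    dev=$(get_field IFNAME "$1") && is_ifname "$dev" || return 1
    printf 'LOCAL_IP=%s\nIFNAME=%s\n' "$ip" "$dev"
}

if [ -n "${QUERY_STRING+set}" ]; then   # CGI entry point
    printf 'Content-type: text/plain\n\n'
    validated_settings "$QUERY_STRING" || echo rejected
fi
```

Each field is looked up by a name the script chooses, so a request cannot set arbitrary shell variables, and a value only reaches later commands after it has matched its allow-list.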