On Feb 19, 2007 at 2038 +0100, Franck Joncourt appeared and said:
> René Pfeiffer wrote:
> > I am aware that there are several rule editors out there (such as
> > FWbuilder). I am more interested in a low-level approach having simple
> > rules that can be parsed easily and possibly distributed among multiple
> > firewall systems.
>
> I do not think there is another way to work at low level without writing
> rules by yourself. The more you write, the more you understand.
Well, yes, but maybe my mail wasn't written well enough. I agree that
people who really want to learn the capabilities and the internals of
Netfilter should do that by writing scripts. My question was directed at
another scenario - time for an example. I am sysadmin for a couple of
Netfilter firewalls that have been running smoothly for many years now. Most setups
are fairly static or only changed by sysadmins who know what they are
doing. Some firewalls protect a NATed DMZ with development servers
running on a Xen host. The developers frequently start new servers with
new services (mostly HTTP and HTTPS) on a virtualised server with a
static IP. They need this server for a couple of weeks or months, then
they deactivate it. Maybe they wish to reactivate it after a period of
time just to run some additional tests.
Now the rules you need for this setup are NAT/NAPT translation rules and,
of course, filter rules. The Netfilter machine in question handles this
by virtue of a Bash script that contains a couple of functions. The
problem is that the developers wish to tell the firewall which IP and
port to translate and to allow access to by using a minimal set of
parameters. They don't care for NAT, NAPT, marking packets or policy
routing. They simply wish to switch on a service and switch it off
again. (IMHO this is not the "right" approach to firewalling, but this
is another story.)
So that's the reason why I asked before writing yet another rule
language and yet another parser.
> This is not my job, and I am far from being an expert, but I should
> say, distributed rules among multiple systems, is not that simple; it
> depends on your needs. Can a script for a router be useful for a
> server? It can be complicated to get a script working on both
> systems.
Yes, the distribution of rules was another use I had in mind, mainly as
a means to copy a working configuration to another firewall machine in
case of deceased hardware. I don't intend to magically "autoparse" rules
between machines that have completely different roles. ;)
Best regards,
René.
--
)\._.,--....,'``. Let GNU/Linux work for you while you take a nap.
/, _.. \ _\ (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.' - System administration + Consulting + Teaching -
Got mail delivery problems? http://web.luchs.at/information/blockedmail.php
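As an added illustration of the setup René describes (a Bash script with a couple of functions, driven by a minimal set of parameters from the developers), here is a small POSIX shell sketch of such a wrapper. It is not René's script and is not part of the original mail; the function names, the interface names eth0/eth1, the DMZ prefix 10.0.0. and the default of echoing the iptables commands instead of applying them are all assumptions made for the example. The point a sysadmin would care about is that the three parameters coming from the developers are validated and restricted to the DMZ before they are turned into a DNAT rule and the matching FORWARD rule, and that the same function builds the "off" rules by swapping -A for -D.

```shell
#!/bin/sh
# Hypothetical wrapper for the scenario in the mail: one call publishes a DMZ
# service (NAPT + filter rule), the matching call withdraws it. Parameters are
# just <public port> <DMZ IP> <DMZ port>. All names below are assumptions.
#
# IPTABLES defaults to "echo iptables" so the script can be reviewed without
# root or netfilter; set IPTABLES=iptables to actually apply the rules.
IPTABLES=${IPTABLES:-"echo iptables"}
WAN_IF=${WAN_IF:-eth0}        # assumed external interface
DMZ_IF=${DMZ_IF:-eth1}        # assumed interface towards the NATed DMZ
DMZ_NET=${DMZ_NET:-10.0.0.}   # assumed DMZ prefix; only these hosts may be published

# Accept only a dotted-quad IPv4 address with four octets in 0-255.
# The body is a subshell so changing IFS does not leak into the caller.
valid_ip() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) exit 1 ;;
        esac
        [ "$o" -le 255 ] || exit 1
    done
)

# Accept only a numeric port in 1-65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# service_rules <-A|-D> <public port> <DMZ IP> <DMZ port>
# Emits (or applies) the NAPT rule and the FORWARD rule that lets the
# translated traffic through. Rejects anything outside the DMZ prefix.
service_rules() {
    action=$1 pub=$2 ip=$3 port=$4
    valid_port "$pub" && valid_ip "$ip" && valid_port "$port" || {
        echo "bad parameters: $pub $ip $port" >&2
        return 1
    }
    case $ip in
        "$DMZ_NET"*) ;;
        *) echo "$ip is not in the DMZ" >&2; return 1 ;;
    esac
    $IPTABLES -t nat "$action" PREROUTING -i "$WAN_IF" -p tcp --dport "$pub" \
        -j DNAT --to-destination "$ip:$port"
    $IPTABLES "$action" FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$ip" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# The two entry points the developers would be given.
service_on()  { service_rules -A "$@"; }
service_off() { service_rules -D "$@"; }

# Example: publish 10.0.0.5:8443 on public port 443, later withdraw it.
service_on  443 10.0.0.5 8443
service_off 443 10.0.0.5 8443
```

Run as-is the script only prints the four iptables commands it would issue, which is a convenient way to review a change before granting anyone the right to apply it; with IPTABLES=iptables and root privileges the same calls modify the live ruleset.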