Re: pfctl with web interface
[no need to cc me, I'm on the list]
Quoting Jesper Louis Andersen (jlouis@mongers.org):
> Quoting Artis Caune (ac-lists@latnet.lv):
> >
> > I'm writing a web interface for pf/brconfig/...
> > just want to be sure that I'm doing everything right!
> > I have divided pf rules in a couple of files, for easy
> > interaction with web: like
> > "pf_option; pf_scrub; pf_qos; pf_nat and pf_rules"
>
> May I ask why? I find the approach problematic, since you do not need
> web-access to the firewall rules.
You'd run a shell on your firewall?
> * Firewall rules are a write-once problem (at least with the newer
> features in PF). It is deeply rooted in your security policy anyway,
> so I do not see why a web-GUI for it would make it any easier. I fail
> to see why changing it at another phase than the construction-phase is
> necessary.
I have a number of machines with no sshd access,
I have a number of customers who are NOT going to
use vi to write pf code. But I'd love to have them
be able to open up port FOO without calling me
(and they don't want me billing them for a 5 minute
task).
The alternative, for many people, is to use something
easier for them to use, like a Windows product.
And in the real world, that's what's there.
So me? I'd LOVE a front end that made something
like pf more accessible and more usable.
>
> * A firewall you can access with a web browser serving dynamic content
> will pose a bigger risk than one without.
If I run it on interface 0 (the BLUE one - the one
that comes up as 192.168.x.y and serves DHCP), then
it's not accessible from the Internet.
I've long argued that "if vi is too hard, then you
shouldn't be running a firewall."
Unfortunately, I've found that when it IS too hard,
they often AREN'T running a firewall (or worse, they
are running something from MS as their "faux firewall").
A GUI front end to the rules means that the backend
script can
1) do sanity checks and
2) put in defaults around those rules.
If the GUI offers a pulldown to
[SSH | Web | DNS | Mail | POP | IMAP] and [ALLOW | BLOCK]
and hides the scrubbing, etc, etc, then we all win.
cat pf.HEADER.conf pf.GUIRESULTS.conf pf.TRAILER.conf |pfctl -f -
Works for me.
I'm tired of being attacked by people's rooted windows machines.
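The pulldown-driven backend sketched above, as an added example in POSIX sh that is not part of the original post: the file names follow the post's `cat` line, and the `ext_if` macro is assumed to be defined in pf.HEADER.conf.

```shell
#!/bin/sh
# Added example, not from the original post: backend for the
# [SSH|Web|DNS|Mail|POP|IMAP] x [ALLOW|BLOCK] pulldown. Browser input is
# only ever looked up in a fixed table, never spliced into a rule.
# Assumes the post's file names and an ext_if macro in pf.HEADER.conf.

# Map a pulldown label to "proto port"; any other label is rejected.
service_spec() {
    case "$1" in
        SSH)  echo 'tcp 22' ;;
        Web)  echo 'tcp 80' ;;
        DNS)  echo '{ tcp udp } 53' ;;
        Mail) echo 'tcp 25' ;;
        POP)  echo 'tcp 110' ;;
        IMAP) echo 'tcp 143' ;;
        *)    return 1 ;;
    esac
}
# One (service, action) pair becomes one pf rule; unknown input fails.
gui_rule() {
    spec=$(service_spec "$1") || return 1
    case "$2" in
        ALLOW) verb=pass ;;
        BLOCK) verb=block ;;
        *)     return 1 ;;
    esac
    proto=${spec% *}    # everything before the last space
    port=${spec##* }    # everything after it
    printf '%s in on $ext_if proto %s to ($ext_if) port %s\n' "$verb" "$proto" "$port"
}
# Read "SERVICE ACTION" lines from stdin and emit the GUI section.
# A single bad line aborts, so a half-built ruleset is never written.
build_gui_section() {
    while read -r svc act; do
        [ -z "$svc" ] && continue
        gui_rule "$svc" "$act" || { echo "rejected: $svc $act" >&2; return 1; }
    done
}
# Parse-only check (pfctl -n) before the real load, so a syntax error
# leaves the running ruleset untouched.
load_rules() {
    cat pf.HEADER.conf pf.GUIRESULTS.conf pf.TRAILER.conf | pfctl -nf - &&
    cat pf.HEADER.conf pf.GUIRESULTS.conf pf.TRAILER.conf | pfctl -f -
}

# Constructed sample of what the web form might submit.
SAMPLE='SSH ALLOW
Web ALLOW
DNS BLOCK'
count_rules() { printf '%s\n' "$SAMPLE" | build_gui_section | wc -l | tr -d ' '; }
```

Write the output of `build_gui_section` to pf.GUIRESULTS.conf and then call `load_rules`; anything the form sends that is not in the table is refused before pfctl ever sees it.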