Clifford Heath wrote:
> What you're suggesting requires some of the same things I'd like to use for butler, my secret-knock program. Namely, an ipf/ipnat API that contains the rule parser and code to manage dynamic rules. As it is, I'm going to get butler to call a preprocessor and then run ipf. I suppose that the ipf command line forms a type of API, but it isn't as powerful as I'd like.
> An API would also support the construction of a rule-management user interface, perhaps remote, which would be a good thing.
Spawning ipf/ipnat to send it rules would work, but be somewhat undesirable. It would be nicer if, as you suggest, sufficient support with rules could be lifted into a libipf or similar - so that one could talk directly with the kernel (without having to talk directly with the kernel).
But, if I understand things correctly, it should be possible for me to also send ioctl()s to accomplish the rules add/remove - that is what the commands do AFAIK. If the ioctl()s did not change too often between version revisions, that could be stable enough to be worth doing.
> I believe it can if you don't use -F (for flush).
Ah! I hadn't taken the seconds it would take to read the man page. I just assumed everything would go according to plan.. :)
> I'm not familiar with the work that's happening in the Linux world, but I do know that there's been a lot of work on iptables & ipchains, so perhaps they would be alternatives for you.
I would rather not run Linux. Also it would be preferable to invest a little time to make something that would work on all OSs. Failing that, work on all that support IPFilter :)
> > I would imagine I could potentially also add rules to "log" any RST
> Meaning that the service has gone down but not the computer. That would be useful.
Just a means of detecting a shut-down service faster. I was concerned about the potential DoS side effects if I went to trust this RST directly. But I suppose you could just trigger an immediate "service-recheck" instead of trusting it implicitly.
I have never done any rules with "log" yet, so I only have a vague idea of how they work. I'm guessing I can read /dev/ipmon to read any rules that were hit by a "log" entry.
Thanks to those that have replied. I'm somewhat spoiling for another interesting project to work on, so I might end up working on this for the fun of it.
Lund
--
Jorgen Lundman       | <[EMAIL PROTECTED]>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500 (cell)
Japan                | +81 (0)3 -3375-1767 (home)
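The "log any RST, but only trigger a recheck rather than trust it" idea above, as an added example that is not part of the original thread and not code from IPFilter, ipmon or butler. It assumes a log rule such as `pass out log quick proto tcp from 10.0.0.5 port = 80 to any flags R/R` is loaded and that ipmon prints its default one-line text format (date, time, interface, `@group:rule`, action, `src,sport -> dst,dport`, `PR proto`, `len hlen tlen`, optional `-FLAGS`, `IN`/`OUT`); both the rule and the exact field layout are assumptions, and the log lines in the block are constructed, not captured. The scheduler never treats a RST as "service down" by itself: it only requests a recheck, and it spaces rechecks of one service at least `min_interval` seconds apart so a flood of RSTs (or of spoofed packets that look like them) cannot be turned into a flood of rechecks.

```python
#!/usr/bin/env python3
"""Turn outbound TCP RSTs seen in ipmon output into rate-limited service rechecks.

Added example for this thread; not code from IPFilter, ipmon or butler.
Assumed: an ipf rule like
    pass out log quick proto tcp from 10.0.0.5 port = 80 to any flags R/R
is loaded, and ipmon prints its default one-line text format:
    date time iface @group:rule action src,sport -> dst,dport PR proto len hlen tlen [-FLAGS] IN|OUT
SAMPLE_LOG below is constructed for the example, not captured from a host.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, int]  # (ip, port) of a monitored listener

# One ipmon text line (assumed layout, see module docstring).
IPMON_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)$"
)


def parse_ipmon_line(line: str) -> Optional[dict]:
    """Parse one ipmon text line; return None for lines that do not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S.%f")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = (rec["flags"] or "-")[1:]  # drop the leading '-' of e.g. "-AR"
    return rec


class RstRecheckScheduler:
    """Request a recheck of a monitored service when it sends a RST.

    The RST is only a hint: it schedules a recheck, and rechecks of one
    service are spaced at least min_interval seconds apart so that a burst
    of RSTs (real or spoofed) cannot become a burst of rechecks.
    """

    def __init__(self, services: Set[Service], min_interval: float):
        self.services = services
        self.min_interval = min_interval
        self._last_recheck: Dict[Service, datetime] = {}

    def feed(self, line: str) -> Optional[Service]:
        """Return the service to recheck for this line, or None."""
        rec = parse_ipmon_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dir"] != "OUT":
            return None  # only outbound TCP from this host is of interest
        if "R" not in rec["flags"]:
            return None  # SYN/ACK, data, FIN: the listener answered normally
        svc = (rec["src"], rec["sport"])
        if svc not in self.services:
            return None  # RST from a port we do not monitor
        last = self._last_recheck.get(svc)
        if last is not None and (rec["when"] - last).total_seconds() < self.min_interval:
            return None  # a recheck was requested recently; suppress this one
        self._last_recheck[svc] = rec["when"]
        return svc


# Constructed sample of ipmon output (not real traffic).
SAMPLE_LOG = [
    "23/11/2004 09:07:11.598934 hme0 @0:3 p 10.0.0.5,80 -> 192.0.2.10,40123 PR tcp len 20 40 -AR OUT",  # RST from :80
    "23/11/2004 09:07:11.700001 hme0 @0:3 p 10.0.0.5,80 -> 192.0.2.11,40124 PR tcp len 20 40 -AR OUT",  # 0.1 s later
    "23/11/2004 09:07:12.000000 hme0 @0:3 p 10.0.0.5,25 -> 192.0.2.12,40125 PR tcp len 20 40 -AR OUT",  # RST from :25
    "23/11/2004 09:07:12.100000 hme0 @0:2 p 10.0.0.5,80 -> 192.0.2.13,40126 PR tcp len 20 60 -AS OUT",  # SYN/ACK
    "23/11/2004 09:07:13.000000 hme0 @0:1 b 192.0.2.14,5555 -> 10.0.0.5,80 PR tcp len 20 40 -R IN",    # inbound RST
    "23/11/2004 09:08:11.000000 hme0 @0:3 p 10.0.0.5,80 -> 192.0.2.15,40127 PR tcp len 20 40 -AR OUT",  # ~60 s later
]


def rechecks_for(lines: List[str], services: Set[Service], min_interval: float = 30.0) -> List[Service]:
    """Run the scheduler over a list of ipmon lines; return the rechecks it requests, in order."""
    sched = RstRecheckScheduler(services, min_interval)
    return [svc for svc in (sched.feed(line) for line in lines) if svc is not None]


if __name__ == "__main__":
    for svc in rechecks_for(SAMPLE_LOG, {("10.0.0.5", 80)}):
        print("recheck requested for", svc)
```

On the constructed sample, monitoring 10.0.0.5:80 yields two recheck requests (the first RST and the one a minute later); the RST 0.1 s after the first is suppressed, the SYN/ACK and the inbound RST are ignored, and the RST from port 25 is ignored because that port is not monitored. In a real deployment `feed()` would be driven from ipmon's output rather than from a list, and the recheck itself (a real connect to the service) is where the decision gets made.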
