On 3 Jan 2001, at 2:32, Charles Steinkuehler wrote:
> Current solutions:
> Various scripts like sea-wall, Matthew Grant's scripts, and many
> 'click the box & build a script' type programs. These solutions
> can be very easy to use, and configurable (to an extent), but they
> quickly run into problems when dealing with arbitrary situations
> that were not planned for by the script writers.
What about things like Mason, which scan typical traffic and
implement rules to match? Problem with Mason is it relies on Perl
(not nice in an embedded context).
> Other problems with the general firewall scripts I've seen include:
> Extensions to add functionality are typically difficult, and may
> have global security implications that are not immediately obvious
Main reason I went after this "shell function" approach I mentioned
before.
> The complexity level of configuration grows dramatically as the
> scripts are 'generalized' to try and do more and more things.
That's my wail about what I'm doing now...
> So what's to be done???
> First, forget about ipchains, netfilter, ACL's, packet filter rules,
> etc. These are all simply tools.
> So, what is a firewall?
You really ARE going to the beginning, aren't you? But this is a
Good Thing...
> What I alluded to previously, and am rapidly warming to the more I
> think about it, is an object oriented mechanism for building
> firewalls. Sort of a firewall construction kit, but very much in
> the abstract.
An interesting idea. It occurs to me that this could be done in esh
(EasyShell) which is LISP-oriented. I don't know how robust it is,
or how developed, but I DID compile it for LRP and create a package
for it. However, I think it requires libreadline (which I also have
in a package).
> Networks would be defined, and assigned basic classes (like DMZ,
> masqueraded internal net, routed internal net, external net, etc).
> There would be default interactions between different classes of
> networks, which could be overridden by modifying the basic class, the
> specific instance of that class for a particular network, or the
> creation of entirely new access classes (possibly by modifying or
> combining existing classes).
Using pseudo-Smalltalk, it could be a hierarchy like this:
Class Network
    Subclass Internet
    Subclass Masqueraded-Network
    Subclass DMZ-Network
However, I don't know that interactions BETWEEN the networks would be
modifiable in an OO environment - allowing something from a
Masqueraded-Network but not the Internet.
> With the complexity of creating firewall rules, and the amount of
> money being thrown around in the networking arena, I can't believe
> there isn't something kind of like this available already (please
> someone send me a link so I don't have to start coding!).
If someone has, it doesn't work with ipchains, and if it does, it
probably isn't GNU.
> Again, the real work is in a clear and concise definition of the
> problem (what does my firewall do).
This, really, is the specific point from which one must start. The
problem is complicated, though, when the firewall operates between
multiple networks in the same box. The "firewalls" must be separated
between the different networks. With ipchains, this means two chains
in the different directions.
> If we can create a simple firewall modeling language, firewall
> construction set, or whatever you want to call it, converting the
> generated specification to an actual ruleset is pretty
> straight-forward.
That, basically, is my goal.
> I think shell-script is more than capable enough to parse and
> process the hierarchal tree of object based configuration documents
> (more buzz-word compliance :>), and we could even leverage <steal>
> an existing object-based text language (like XML or somesuch), as
> long as the actual requirements of defining a firewall are clearly
> defined and well understood.
Ohhhh? Another possibility: eforth. I find FORTH to be very nice,
and is one of my favorite languages - right up there with Smalltalk
and C :-)
> Let me know if I'm way off in left field (or orbiting mars...maybe
> left the solar-system...)
Sometimes the ball-park looks best from left field :-)
And if you left the Solar System.............. wait for me!!!! :-)
PS: If you want to use buzzwords, better spell 'em right :-)
--
David Douthitt
UNIX Systems Administrator
HP-UX, Linux, Unixware
[EMAIL PROTECTED]
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
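The "firewall construction kit" sketched in the thread (network classes with default interactions, per-instance overrides, new access classes made by modifying existing ones, and a final step that turns the model into an ipchains ruleset) can be shown as working code. The following is an added example, not code from the thread, from LEAF or from either poster; it uses Python rather than the shell, esh or FORTH discussed above purely for readability. Class names, the policy table layout, the "one sub-chain per destination network" layout and every interface name and address are assumptions constructed for the example; the ipchains syntax follows the ipchains HOWTO, where "-i" in the forward chain names the outgoing interface.

```python
"""Added example: an object-oriented firewall model that emits ipchains commands.
Class names, policy tables, interfaces and addresses below are constructed."""

ACCEPT, DENY, MASQ = "ACCEPT", "DENY", "MASQ"   # ipchains targets


class Network:
    """A network attached to the firewall.  `default_policy` maps the NAME of a peer
    network class to the ipchains target for traffic from this network to that peer."""
    default_policy = {"Network": DENY}          # base class talks to nobody by default

    def __init__(self, name, interface, cidr):
        self.name, self.interface, self.cidr = name, interface, cidr
        self.overrides = {}                     # peer instance name -> target (instance-level override)

    def policy_to(self, peer):
        """Resolve the target for self -> peer: an instance override wins; otherwise walk
        this object's class chain (most specific first) and, at each level, match the
        most specific class of the peer that the table mentions."""
        if peer.name in self.overrides:
            return self.overrides[peer.name]
        for cls in type(self).__mro__:
            table = cls.__dict__.get("default_policy", {})   # only this class's own table
            for peer_cls in type(peer).__mro__:
                if peer_cls.__name__ in table:
                    return table[peer_cls.__name__]
        return DENY                             # unreachable in practice; explicit default


class Internet(Network):
    default_policy = {"DMZNetwork": ACCEPT}     # the outside may reach DMZ hosts, nothing else


class DMZNetwork(Network):
    default_policy = {"Internet": ACCEPT}       # DMZ talks to the outside only


class MasqueradedNetwork(Network):
    default_policy = {"Internet": MASQ, "Network": ACCEPT}   # NAT'd outwards, free to reach other nets


class RoutedInternalNetwork(MasqueradedNetwork):
    """A 'new access class' made by modifying an existing one: routed rather than masqueraded."""
    default_policy = {"Internet": ACCEPT}


def generate_ipchains(networks):
    """Translate the model into a list of ipchains commands.  Each destination network
    gets its own sub-chain, selected from `forward` by outgoing interface, which keeps
    the per-network 'firewalls' separate.  Traffic between hosts of the same network
    never crosses the firewall, so a network paired with itself is skipped."""
    cmds = ["ipchains -P forward DENY", "ipchains -F forward"]
    for dst in networks:
        chain = f"to-{dst.name}"
        cmds += [f"ipchains -N {chain}",        # creates the chain (errors if it already exists)
                 f"ipchains -F {chain}",        # then empties it, so re-runs start clean
                 f"ipchains -A forward -i {dst.interface} -j {chain}"]
        for src in networks:
            if src is not dst:
                cmds.append(f"ipchains -A {chain} -s {src.cidr} -d {dst.cidr} "
                            f"-j {src.policy_to(dst)}")
        cmds.append(f"ipchains -A {chain} -j DENY")   # per-network catch-all
    return cmds


def example_site():
    """Constructed sample site: Internet, a DMZ, an internal LAN and a guest LAN whose
    instance overrides keep it away from both the DMZ and the main LAN."""
    inet = Internet("inet", "eth0", "0.0.0.0/0")
    dmz = DMZNetwork("dmz", "eth1", "192.0.2.0/24")
    lan = MasqueradedNetwork("lan", "eth2", "10.0.0.0/24")
    guest = MasqueradedNetwork("guest", "eth3", "10.0.1.0/24")
    guest.overrides["dmz"] = DENY
    guest.overrides["lan"] = DENY
    return [inet, dmz, lan, guest]


if __name__ == "__main__":
    print("\n".join(generate_ipchains(example_site())))
```

Running the block prints a ready-to-source ruleset for the constructed site; the interesting part is that the ruleset is entirely derived, so adding a network or changing a class policy never requires editing a rule by hand, which is the concern raised in the thread about scripts that are extended in place. The lookup deliberately consults a subclass's whole table before its parent's, so a specialised class can widen or narrow what it inherits without restating every entry.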