On Thu, 4 Jan 2001, David Douthitt wrote:
> > Ouch. So you're looking to do this on the fly without flushing and
> > recreating all the rules? Could be interesting...
>
> No, not really. See below.
>
> This is what I'm thinking of: the typical one-shot firewall rules
> generator goes like this (say to change a SMTP server):
>
> 1. Run generator
> 2. Answer a lot of questions:
> Do you want DNS? yes
> From where? internal
> To where? 999.999.999.999
> Do you want telnet?
> ...and so on
> 3. Save script
> 4. Install script
> 5. Restart machine/rules
>
> I'm envisioning this:
<snip>
Oh good gods. You mean that none of these morons that have been writing
those scripts can't do simple if-then tree logic?
Q: Do you want to build rules or modify?
(IF $Q = Build, then goto NEW;
ELSE goto Mod)
A: Modify
[Mod]
Q: What do you wish to modify?
Services
DMZ
Proxy ARP
...and so on. C'mon, I could do this kinda crap in BASIC when I was eight
- and as seen above, it was the last time I did any programming - so why
can't these firewall programs incorporate it?
> > Define here what you mean by abstraction, please? You managed to
> > lose me mostly here, as that's what I've been envisioning. Unless
> > of course you meant that they're nothing more than a formatter for
> > the actual rulesets.
>
> I'm not sure what you mean by formatter, but here is what I'm
> envisioning now (whipping syntax out on the fly):
Formatter as in, take plain English and output it as IPChains. =)
> ----clip----
> network inside {
> expect 172.16.0.0/16;
> network-interface eth0;
> interface masq;
> }
<cut stuff>
> How's that?
Right. Taking that as a formatter. I think we need to draw back and get
all of us looking at the same layer here, as I can barely remember what
layer I was thinking on when I wrote that.
> Hidden assumptions would be a) reject or deny all policy; b) reject
> all malformed and surprising packets. Only thing the writer need be
> concerned about really is allowing services.
Right, I like this. As my Modern History teacher was fond of saying, "Keep
It Simple 'cause you're Stupid. I mean..." =)
--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
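As an added illustration of the "formatter" idea discussed in this thread (not code from the list or from LEAF), here is a small Python generator that reads David's sketched `network inside { ... }` syntax and emits ipchains commands under the stated hidden assumptions: default DENY policy on every chain, and anything unexpected on an interface dropped and logged. The keyword meanings (`expect` = address range legitimately seen on that side, `network-interface` = NIC, `interface masq` = masquerade that network) are my assumptions, as is the sample block.

```python
import re

# Constructed sample in the block syntax sketched in the thread. Keyword
# meanings are assumed: "expect" is the address range legitimately seen on
# that side, "network-interface" names the NIC, "interface masq" asks for
# masquerading of that network.
SAMPLE = """
network inside {
    expect 172.16.0.0/16;
    network-interface eth0;
    interface masq;
}
"""

BLOCK = re.compile(r"network\s+(\S+)\s*\{(.*?)\}", re.S)

def parse(text):
    """Return {network_name: {keyword: [args...]}} for each network block."""
    nets = {}
    for name, body in BLOCK.findall(text):
        attrs = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                attrs.setdefault(words[0], []).extend(words[1:])
        nets[name] = attrs
    return nets

def to_ipchains(nets):
    """Emit ipchains commands. Policy is DENY on every chain, so the blocks
    only ever need to say what is allowed, never what is forbidden."""
    rules = ["ipchains -F",
             "ipchains -P input DENY",
             "ipchains -P output DENY",
             "ipchains -P forward DENY"]
    for name, a in nets.items():
        iface = a["network-interface"][0]
        rules.append(f"# network {name} on {iface}")
        for net in a["expect"]:
            # Anti-spoofing: only the expected range may arrive on this NIC.
            rules.append(f"ipchains -A input -i {iface} -s {net} -j ACCEPT")
            if "masq" in a.get("interface", []):
                rules.append(f"ipchains -A forward -s {net} -j MASQ")
        # Anything else arriving there is a "surprising" packet: drop and log.
        rules.append(f"ipchains -A input -i {iface} -j DENY -l")
    return rules

def generate(text):
    return to_ipchains(parse(text))

if __name__ == "__main__":
    print("\n".join(generate(SAMPLE)))
```

Service rules (the one thing the writer is meant to care about) would be added as a further block type in the same way, each one appending ACCEPT rules on top of the DENY policy.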