At 08:39 AM 01/15/2001 -0600, David Douthitt wrote:
>On 14 Jan 2001, at 20:21, Scott C. Best wrote:
>
> > Yes, agreed. Taking this to an extreme, you could wrap a user login
> > for, say, ~firewall, into a custom shell that had nothing *but*
> > compiled firewall configuration commands.
>
> > I'm working with some others to build something like this now,
> > tying it closely with ssh host-authentication for remote-management
> > capability. Seems promising...
>
>This is very interesting. I'm thinking that writing a program in
>Ruby to handle this would be a good way to go - except that Ruby
>doesn't run under LEAF yet, and is huge by LEAF standards. It
>wouldn't be that hard to create a login under LEAF that would act as
>a network transfer agent, then receive only firewall commands via an
>ssh-encrypted session.
>
>Only thing is, I'm not sure of the security implications of being
>able to do this. Sounds scary to me - configuring the firewall on
>the fly via the network? One sure way to bring down a firewall if it
>can be configured from the outside....
I seem to recall an event with one of the Internet backbone companies a
couple of years ago. They did some modifications to their border routers en
masse over the network. I'm not entirely sure what went wrong, but there were
reports of technicians having to physically go to each router and perform a
hard reset. :-)
I would suggest some sort of watchdog feature. If the ssh link breaks then
revert to the previous configuration.
>As for Ruby, since it is OO, it wouldn't be hard to wrap the actual
>ipchains commands up into a Class and hide the details, so that
>iptables, ipchains, or ipfwadm could be used at will just by changing
>the method definitions in the Class.
You might want to look at hlfl before you implement this. Charles mentioned
it in a recent post. http://freshmeat.net/projects/hlfl/?highlight=hlfl
I just compiled it and after stripping the executable it comes to 37964
bytes. It generates rules for BSD ipfw, Darren Reed's ipfilter, Linux
ipfwadm, ipchains and netfilter, and Cisco, though they mention that the
netfilter and Cisco rule generation have yet to be tested. For LEAF/LRP
usage we could make target specific versions. For instance an ipchains-only
version should be less than 15K.
I made a package out of the executable and its support file "services.hlfl"
and it weighs in at 14K.
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
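Editor's note: the two ideas in the message above, a login shell that accepts nothing but firewall commands (Scott's ~firewall account) and a watchdog that reverts the ruleset if the ssh link breaks before the operator confirms, fit naturally in one small Bourne shell script. The following is an added example written for this page; it is not code from the LEAF project, from hlfl, or from any of the posters. The command names (show, apply, confirm, revert), the directories /etc/fwshell/rules and /var/run/fwshell, and the FW_SAVE/FW_RESTORE variables are all this example's own choices. It defaults to iptables-save/iptables-restore; an ipchains box would set the two variables to ipchains-save/ipchains-restore.

```sh
#!/bin/sh
# fwshell: restricted login shell for a firewall-management account.
# Only a fixed set of commands is accepted, and every rule load is
# guarded by a watchdog that restores the previous ruleset unless the
# operator confirms within a timeout. A dropped ssh session, or a rule
# that locks the operator out, therefore undoes itself.
# Added example, not LEAF/LRP code; all names below are this script's own.

FW_SAVE=${FW_SAVE:-iptables-save}            # dumps the live ruleset to stdout
FW_RESTORE=${FW_RESTORE:-iptables-restore}   # loads a ruleset from stdin
FW_RULEDIR=${FW_RULEDIR:-/etc/fwshell/rules} # only files in here may be loaded (assumed path)
FW_STATE=${FW_STATE:-/var/run/fwshell}       # backup, confirm flag, watchdog pid (assumed path)

fw_log() { echo "fwshell: $*" >&2; }

# Load a ruleset file and arm the watchdog. Returns 0 when the new rules are live.
fw_apply() {
  rules=$1 timeout=$2
  mkdir -p "$FW_STATE" || return 1
  "$FW_SAVE" > "$FW_STATE/backup" || { fw_log "cannot save current rules"; return 1; }
  if ! "$FW_RESTORE" < "$rules"; then
    fw_log "load failed, restoring previous rules"
    "$FW_RESTORE" < "$FW_STATE/backup"
    return 1
  fi
  rm -f "$FW_STATE/confirmed"
  # The watchdog ignores SIGHUP so it outlives the ssh session that armed it;
  # if nobody confirms before the timeout, the saved ruleset goes back in.
  ( trap '' HUP
    sleep "$timeout"
    [ -e "$FW_STATE/confirmed" ] || "$FW_RESTORE" < "$FW_STATE/backup"
  ) &
  echo $! > "$FW_STATE/watchdog.pid"
  fw_log "rules loaded; run 'confirm' within ${timeout}s or they revert"
}

# Keep the new rules: set the confirmation flag and stop the watchdog.
fw_confirm() {
  mkdir -p "$FW_STATE"
  : > "$FW_STATE/confirmed"
  [ -r "$FW_STATE/watchdog.pid" ] && kill "$(cat "$FW_STATE/watchdog.pid")" 2>/dev/null || true
  rm -f "$FW_STATE/watchdog.pid"
  return 0
}

# Roll back to the ruleset saved by the last apply, right now.
fw_revert() {
  [ -r "$FW_STATE/backup" ] || { fw_log "no backup to revert to"; return 1; }
  fw_confirm   # stop the watchdog so it cannot fire on top of this restore
  "$FW_RESTORE" < "$FW_STATE/backup"
}

# Dispatch one command line. Unknown words are rejected; arguments are
# whitelisted (rule name: plain file name inside FW_RULEDIR, no '/';
# timeout: digits only). Nothing from the line is ever passed to a shell.
fw_dispatch() {
  set -- $1
  case "$1" in
    show)    "$FW_SAVE" ;;
    apply)
      case "$2" in ''|*[!A-Za-z0-9_.-]*) fw_log "bad rule name"; return 1 ;; esac
      case "$3" in ''|*[!0-9]*)          fw_log "bad timeout";   return 1 ;; esac
      [ -f "$FW_RULEDIR/$2" ] || { fw_log "no such ruleset: $2"; return 1; }
      fw_apply "$FW_RULEDIR/$2" "$3" ;;
    confirm) fw_confirm ;;
    revert)  fw_revert ;;
    quit|'') return 0 ;;
    *)       fw_log "unknown command: $1"; return 1 ;;
  esac
}

# Read-eval loop; runs only when stdin is a terminal (the ssh session),
# so the file can also be sourced for its functions without blocking.
fwshell_loop() {
  while printf 'fw> ' && IFS= read -r line; do
    case "$line" in quit) break ;; esac
    fw_dispatch "$line" || true
  done
}
if [ -t 0 ]; then fwshell_loop; fi
```

To use it as the ~firewall login shell, the script is made the account's shell in /etc/passwd (and listed in /etc/shells if sshd requires it); the rule files are staged into FW_RULEDIR by scp or by a separate build step such as hlfl, so the shell itself never accepts raw rule text over the link. The operator's normal sequence is "apply name 60", checking that the session is still alive, then "confirm"; if the new rules cut the session off, the watchdog restores the old ones after 60 seconds without anyone touching the box.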