Out of curiosity, how would you make pf(4) only handle rules pertaining to a certain anchor depending on the process that's interfacing with them? I ask because, e.g., pfctl -sr should only show rules for that client, and other pf(4) operations need to be equally restricted. I know that originally you said that the loading of the rules is not up to the client but a periodic batch job, however that does not match "CheckPoint VSX".

Would you make the pf driver check the uid of the caller itself and spread out this code throughout every routine that fetches and sets rules, or where would you place the namespacing?

On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer <[email protected]> wrote:
> * Franco Fichtner <[email protected]> [2012-07-04 11:43]:
>> No, the great catch here is that VSX offers you tools to manage up
>> to 250 of these virtual monsters in a centralized fashion. You can
>> also give control of these firewalls to your customers. You can put
>> lots of OpenBSD guests on a host, but there's no way you will be
>> happy when you are seriously thinking about deploying a VSX.
>
> ok, you've been brainwashed by marketing.
>
> this is not a question of the firewall at all, but a question of the
> management interface around it.
>
> as said and I repeat it again, use anchors and build sth for specific
> users to be able to edit specific anchor rulesets. could be as easy as
> a file per anchor owned by the user in question and a little cronjob
> that reloads your ruleset including anchors hourly or so.
>
> --
> Henning Brauer, [email protected], [email protected]
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/
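Added example, not code from this thread or from any of its participants: a small sh script of the shape the quoted reply sketches, one ruleset file per customer anchor, each file owned by that customer's unix account, reloaded from cron. The directory /etc/pf.anchors/customers, the anchor prefix customers/, the script name pf-load-anchors and the customer account names are assumptions chosen for the example. It only ever loads a file into the anchor named after its owner, so a customer can affect nothing outside customers/<name>, and `pfctl -a customers/<name> -sr` shows exactly that customer's rules without any change to the pf driver.

```sh
#!/bin/sh
# pf-load-anchors: load one pf anchor per customer from a per-customer file.
#
# Assumed layout (constructed for this example):
#   /etc/pf.conf                 contains the line:  anchor "customers/*"
#   /etc/pf.anchors/customers/   holds <name>.conf, owned by unix account <name>
#
# Each file lands in anchor customers/<name>. A customer edits only their own
# file; the main ruleset and every other anchor stay out of reach.

ANCHOR_DIR=${ANCHOR_DIR:-/etc/pf.anchors/customers}
ANCHOR_PREFIX=${ANCHOR_PREFIX:-customers}
PFCTL=${PFCTL:-pfctl}

# Only plain names are accepted, so a file called "../foo.conf" can never
# address an anchor outside $ANCHOR_PREFIX.
anchor_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Owner of a file (third column of ls -ld; portable across BSD and GNU).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Load one customer's file into its anchor. Refuses a bad anchor name or a
# file not owned by the account it is named after, and syntax-checks with
# pfctl -n before the real load so a broken file leaves the previous anchor
# contents in place. Returns non-zero on any failure.
load_anchor() {
    name=$1 file=$2
    anchor_name_ok "$name" || { echo "skip $file: bad anchor name" >&2; return 1; }
    [ "$(file_owner "$file")" = "$name" ] || {
        echo "skip $file: not owned by $name" >&2; return 1; }
    "$PFCTL" -a "$ANCHOR_PREFIX/$name" -n -f "$file" || {
        echo "skip $file: syntax error" >&2; return 1; }
    "$PFCTL" -a "$ANCHOR_PREFIX/$name" -f "$file"
}

# Cron entry point: try every customer file, never abort early, report
# overall failure so cron mails the log.
load_all() {
    rc=0
    for f in "$ANCHOR_DIR"/*.conf; do
        [ -f "$f" ] || continue
        n=${f##*/}; n=${n%.conf}
        load_anchor "$n" "$f" || rc=1
    done
    return $rc
}

# Run only when invoked as "pf-load-anchors run" (keeps the file sourceable).
if [ "${1:-}" = run ]; then
    load_all
fi
```

A crontab line such as `0 * * * * /usr/local/sbin/pf-load-anchors run` (path assumed) gives the hourly reload the reply mentions. The `anchor "customers/*"` line in pf.conf is what makes the loaded child anchors evaluated at all; loading into an anchor that the main ruleset never references has no effect on traffic.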

