Re: any web management gui for pf ?

2010-03-15 Thread Siju George
On Sun, Mar 14, 2010 at 11:32 AM, Илья Шипицин wrote:
> Hello,
>
> is there any GUI (like pfsense) around which can be installed on a
> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> ?
> I've found comixwall, but it seems to be dead already.
>

Is this what you are looking for?

http://www.fwbuilder.org/

I never used it and don't think I will ever use it. editing pf.conf is
just so easy :-)

--Siju



Re: any web management gui for pf ?

2010-03-14 Thread FRLinux
On Sun, Mar 14, 2010 at 9:45 AM, Daniel Ouellet  wrote:
> Then why don't you use pfsense and port it back to OpenBSD.

I have never used pfsense but I see from the frontpage that it has
been forked from m0n0wall. Back then, m0n0wall did not support IPv6
(although now it does:
http://m0n0.ch/wall/list-announce/showmsg.php?id=0/59).

That is one of the reasons which pushed me to use OpenBSD on my
soekris (that is a few years back in 2007, at the time, I even tried
to enable it myself with some level of success:
http://forum.m0n0.ch/index.php/topic,1038.0/topicseen.html)

According to some searching, it looks like IPv6 in pfsense is not a
given (http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/
- http://thread.gmane.org/gmane.comp.security.firewalls.pfsense.support/14962)
and this is a killer for me.

Cheers,
Steph



Re: any web management gui for pf ?

2010-03-14 Thread Илья Шипицин
2010/3/14 Daniel Ouellet :
> On 3/14/10 3:48 AM, Илья Шипицин wrote:
>>
>> the problem was described very precisely "pf gui like pfsense, but
>> installable on clean OpenBSD box", wasn't it ?
>
> Then why don't you use pfsense and port it back to OpenBSD.

because I don't like to waste my time and do things that have been already
done.
I will port it to OpenBSD, it shouldn't be that hard. I just wanted to
know that no such project already exists.

>
> After all pf was created on OpenBSD and works better on OpenBSD anyway and
> the license of pfsense is BSD.
>
>
http://www.pfsense.org/index.php?option=com_content&task=view&id=42&Itemid=62
>
> So, if that's what you really want, then help yourself and make it work and
> you will have exactly what you want.
>
> You have been told there isn't one decent and you want pfsense like, so use
> that and bring it to OpenBSD as you want.
>
> And right on the pfsense website there is a big logo with "Commercial
> Support Available" If you can't do it, then pay them to do it for you and
> your team will have what they want.

don't tell me what to do and you will not listen where you should go to.

by the way, I was not asking what to do, I asked "is there a web gui
for pf around?"

don't be afraid, I will ask what to do if I will need to.

>
> But frankly, I would very much recommend you to simply edit the pf.conf and
> refer to the manual if you have question, there isn't anything that will
> ever do it better, really no joke or punch intended, there isn't anything
> that will come close to it.
>
> Best of luck.
>
> Daniel



Re: any web management gui for pf ?

2010-03-14 Thread Daniel Ouellet

On 3/14/10 3:48 AM, Илья Шипицин wrote:

the problem was described very precisely "pf gui like pfsense, but
installable on clean OpenBSD box", wasn't it ?


Then why don't you use pfsense and port it back to OpenBSD.

After all pf was created on OpenBSD and works better on OpenBSD anyway 
and the license of pfsense is BSD.


http://www.pfsense.org/index.php?option=com_content&task=view&id=42&Itemid=62

So, if that's what you really want, then help yourself and make it work 
and you will have exactly what you want.


You have been told there isn't one decent and you want pfsense like, so 
use that and bring it to OpenBSD as you want.


And right on the pfsense website there is a big logo with "Commercial 
Support Available" If you can't do it, then pay them to do it for you 
and your team will have what they want.


But frankly, I would very much recommend you to simply edit the pf.conf 
and refer to the manual if you have question, there isn't anything that 
will ever do it better, really no joke or punch intended, there isn't 
anything that will come close to it.


Best of luck.

Daniel



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:42:21PM +0500,  ??? wrote:
> the situation is pretty clear - any web gui for pf, something what
> pfsense already is, but installable on "clean" OpenBSD box. you
> probably do not make sense what are mailing lists for.
> mailing lists are for asking questions and for answering questions. if
> you have nothing to say except "read the fantastic manual", please,
> keep quiet.
> 
> "read the fantastic manual" doesn't help anybody. it doesn't make no
> point at all.

I never pointed you at a manual; I asked for clarification and gave you
a path to solving your problem, which apparently left you all butthurt.

I'm sorry I didn't hold your hand and tell you you were special.

> 
> 2010/3/14 Bret S. Lambert :
> > On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
> >> I just want to make sure there's no wheel already invented ))
> >
> > While that's a fair enough thing to do, you didn't really tell
> > anybody what you were going to use the wheel for.
> >
> > I could continue the metaphor, but that would quickly become
> > illegible, so I'll just reiterate:
> >
> > State the problem you're trying to solve before try to enlist
> > the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
the problem was described very precisely "pf gui like pfsense, but
installable on clean OpenBSD box", wasn't it ?


> State the problem you're trying to solve before try to enlist
> the help of others in solving it.

read the letter before answering to it.


2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
>> I just want to make sure there's no wheel already invented ))
>
> While that's a fair enough thing to do, you didn't really tell
> anybody what you were going to use the wheel for.
>
> I could continue the metaphor, but that would quickly become
> illegible, so I'll just reiterate:
>
> State the problem you're trying to solve before try to enlist
> the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
the situation is pretty clear - any web gui for pf, something what
pfsense already is, but installable on "clean" OpenBSD box. you
probably do not make sense what are mailing lists for.
mailing lists are for asking questions and for answering questions. if
you have nothing to say except "read the fantastic manual", please,
keep quiet.

"read the fantastic manual" doesn't help anybody. it doesn't make no
point at all.

2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
>> I just want to make sure there's no wheel already invented ))
>
> While that's a fair enough thing to do, you didn't really tell
> anybody what you were going to use the wheel for.
>
> I could continue the metaphor, but that would quickly become
> illegible, so I'll just reiterate:
>
> State the problem you're trying to solve before try to enlist
> the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
> I just want to make sure there's no wheel already invented ))

While that's a fair enough thing to do, you didn't really tell
anybody what you were going to use the wheel for.

I could continue the metaphor, but that would quickly become
illegible, so I'll just reiterate:

State the problem you're trying to solve before try to enlist
the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
I just want to make sure there's no wheel already invented ))

2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 12:05:48PM +0500,  ??? wrote:
>> a) two CARP-connected OpenBSD boxes
>>
>> b) many "real" IP addresses bound to OpenBSD
>>
>> c) RFC1918 (non routable) network with servers
>>
>> d1) monkey button for "nat" rules, so some servers can connect to
>> certain services (say, smtp to Gmail)
>>
>> d2) monkey button for "rdr" rules, so some servers could be "published"
>> on certain IP addresses
>
> This is actually pretty straightforward, if you're willing to
> build a script which takes a few files as input and then generates
> a pf.conf from each machine from those.
>
> NAT monkey button adds/removes entries from a pf.conf.nat
> RDR monkey button adds/removes entries from a pf.conf.rdr
>
> Some magic happens to trigger the pf.conf getting pulled together
> from those and any other bits you may require (e.g., pf.conf.mypr0n)
> and that gets pushed to your servers.
>
> How complex you make each of these bits is left as an exercise for
> the reader.
>
> You don't need a towering edifice to solve simple problems. You
> damn just solve them.
>
>>
>> 2010/3/14 Bret S. Lambert :
>> > On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
>> >> we have many people who know ISA very well and all they do with ISA is
>> >> "publishing applications", rdr rules in terms of pf.
>> >> they do not need to know "all the pf detailed", all they need is
>> >>
>> >> a) something ISA-like
>> >> b) syntax-checker, I mean that gui should only allow adding correct
>> >> rules (what is not true when you edit file)
>> >>
>> >> "learn pf.conf and edit file" is not our case though.
>> >
>> > Then you're in a much more limited problem domain, and it may be
>> > solvable for you. However, this went from "how do I export the
>> > full ability to edit pf.conf into gui form" to possibly just
>> > being "i need to add rdr rules via monkey-usable button", which
>> > is several orders of magnitude easier.
>> >
>> > However, in order to receive help in solving a problem, you must
>> > first state what the problem you're attempting to solve is. As
>> > awesome as I am, your tinfoil underwear is rendering my telepathy
>> > utterly useless.
>> >
>> > So, to summarize: details, mofo.
>> >
>> >>
>> >> 2010/3/14 Jason Dixon :
>> >> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
>> >> >> Hello,
>> >> >>
>> >> >> is there any GUI (like pfsense) around which can be installed on a
>> >> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
>> >> >> ?
>> >> >> I've found comixwall, but it seems to be dead already.
>> >> >
>> >> > None that are worth it, imho.  If you want to do it right (you wouldn't
>> >> > use OpenBSD if you didn't) then learn pf and understand what you're
>> >> > putting together.  It's not hard.  In fact, compared to the
>> >> > other *nix firewalling alternatives, it's fucking easy.
>> >> >
>> >> > I've considered long and hard (TWSS) to write my own web interface for
>> >> > pf.  The prevailing design philosophies SUCK.  If you're going to
>> >> > bother, do it right;  proper abstraction of filtering and routing
>> >> > concepts is mandatory if you want to make something easy *and* secure.
>> >> > Why hasn't anyone done it?  It's really, really difficult.  And most
>> >> > developers that might take a crack at an OpenBSD pf web ui aren't
>> >> > experienced in interface design.
>> >> >
>> >> > I've written a few web applications related to OpenBSD (Hatchet,
>> >> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
>> >> > team can put out, they suck.  But they do an adequate job with the task
>> >> > they're designed to handle.  Writing a log filtering interface isn't
>> >> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
>> >> > application isn't hard (unless you're WordPress... then it's just
>> >> > bloated).
>> >> >
>> >> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
>> >> > more complicated and prone to security problems.  Reading the pf FAQ and
>> >> > editing pf.conf yourself is easier by geometric proportions.
>> >> >
>> >> > 
>> >> >
>> >> > --
>> >> > Jason Dixon
>> >> > DixonGroup Consulting
>> >> > http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 12:12:31PM +0500,  ??? wrote:
> 2010/3/14 Jason Dixon :
> > On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> >> we have many people who know ISA very well and all they do with ISA is
> >> "publishing applications", rdr rules in terms of pf.
> >> they do not need to know "all the pf detailed", all they need is
> >>
> >> a) something ISA-like
> >> b) syntax-checker, I mean that gui should only allow adding correct
> >> rules (what is not true when you edit file)
> >>
> >> "learn pf.conf and edit file" is not our case though.
> >
> > You're SOL on all counts.  Oh by the way, when you find that magical
> > firewall ui that "only allows adding correct rules", please let me know.
> > That's some insanely smart code that knows right from wrong.  Not even
> > pf itself will keep you from shooting yourself in the foot with
> > stupidity.
> 
> text files do not have any structure, from pf.conf's point of view the rule
> 
> "blok in all"
> 
> is nothing more than just a line

You obviously haven't read pfctl(8).  It supports syntax checking.

$ sudo grep -n blok /etc/pf.conf
30:blok in all

$ sudo pfctl -nf /etc/pf.conf
/etc/pf.conf:30: syntax error


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
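
Added example (not part of the original thread and not code from any poster): a sketch of the fragment-file approach suggested in this thread (pf.conf.nat, pf.conf.rdr), gated by the pfctl -n check shown above so a rejected ruleset never replaces the live file. The function names, the pf.conf.head and pf.conf.filter fragment names, the PFCTL override and the rdr-to rule form (OpenBSD 4.7 and later; earlier releases used the rdr ... -> form) are assumptions.

```shell
#!/bin/sh
# Added example: build pf.conf from fragment files and install it only if
# pfctl -n accepts it. Function names and paths here are hypothetical.

PFCTL=${PFCTL:-pfctl}   # overridable so the logic can be exercised off-box

# is_ipv4 ADDR: succeed only for a dotted quad, each octet 0-255, no
# leading zeros. Anything else (spaces, keywords, newlines) is refused,
# so UI input cannot smuggle extra pf syntax into a fragment.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        case $octet in 0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# is_port N: succeed only for 1-65535 written without leading zeros.
is_port() {
    case $1 in ''|*[!0-9]*|0*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -le 65535 ]
}

# add_rdr_entry FRAGMENT EXT_IP EXT_PORT INT_IP INT_PORT
# The "RDR button": append one redirect rule built only from validated
# fields (rdr-to syntax assumed, see the lead-in).
add_rdr_entry() {
    is_ipv4 "$2" && is_port "$3" && is_ipv4 "$4" && is_port "$5" || return 1
    printf 'pass in on egress proto tcp to %s port %s rdr-to %s port %s\n' \
        "$2" "$3" "$4" "$5" >> "$1"
}

# assemble_pf_conf DIR OUT: concatenate fragments in a fixed order
# (macros and options first), skipping any fragment that does not exist.
assemble_pf_conf() {
    : > "$2" || return 1
    for part in pf.conf.head pf.conf.nat pf.conf.rdr pf.conf.filter; do
        [ -f "$1/$part" ] || continue
        printf '# --- %s ---\n' "$part" >> "$2"
        cat "$1/$part" >> "$2"
    done
}

# install_pf_conf CANDIDATE LIVE: parse-check the candidate with pfctl -n;
# only on success replace LIVE and load it. On failure LIVE is untouched.
install_pf_conf() {
    "$PFCTL" -nf "$1" || { echo "rejected: $1 failed pfctl -n" >&2; return 1; }
    cp "$1" "$2.new" && mv "$2.new" "$2" && "$PFCTL" -f "$2"
}
```

The parse check only catches syntax errors such as "blok in all"; a rule that parses but opens the wrong port still loads, which is the point made about "correct rules" elsewhere in the thread.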



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:05:48PM +0500,  ??? wrote:
> a) two CARP-connected OpenBSD boxes
> 
> b) many "real" IP addresses bound to OpenBSD
> 
> c) RFC1918 (non routable) network with servers
> 
> d1) monkey button for "nat" rules, so some servers can connect to
> certain services (say, smtp to Gmail)
> 
> d2) monkey button for "rdr" rules, so some servers could be "published"
> on certain IP addresses

This is actually pretty straightforward, if you're willing to
build a script which takes a few files as input and then generates
a pf.conf from each machine from those.

NAT monkey button adds/removes entries from a pf.conf.nat
RDR monkey button adds/removes entries from a pf.conf.rdr

Some magic happens to trigger the pf.conf getting pulled together
from those and any other bits you may require (e.g., pf.conf.mypr0n)
and that gets pushed to your servers.

How complex you make each of these bits is left as an exercise for
the reader.

You don't need a towering edifice to solve simple problems. You
damn just solve them.

> 
> 2010/3/14 Bret S. Lambert :
> > On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> >> we have many people who know ISA very well and all they do with ISA is
> >> "publishing applications", rdr rules in terms of pf.
> >> they do not need to know "all the pf detailed", all they need is
> >>
> >> a) something ISA-like
> >> b) syntax-checker, I mean that gui should only allow adding correct
> >> rules (what is not true when you edit file)
> >>
> >> "learn pf.conf and edit file" is not our case though.
> >
> > Then you're in a much more limited problem domain, and it may be
> > solvable for you. However, this went from "how do I export the
> > full ability to edit pf.conf into gui form" to possibly just
> > being "i need to add rdr rules via monkey-usable button", which
> > is several orders of magnitude easier.
> >
> > However, in order to receive help in solving a problem, you must
> > first state what the problem you're attempting to solve is. As
> > awesome as I am, your tinfoil underwear is rendering my telepathy
> > utterly useless.
> >
> > So, to summarize: details, mofo.
> >
> >>
> >> 2010/3/14 Jason Dixon :
> >> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
> >> >> Hello,
> >> >>
> >> >> is there any GUI (like pfsense) around which can be installed on a
> >> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> >> >> ?
> >> >> I've found comixwall, but it seems to be dead already.
> >> >
> >> > None that are worth it, imho.  If you want to do it right (you wouldn't
> >> > use OpenBSD if you didn't) then learn pf and understand what you're
> >> > putting together.  It's not hard.  In fact, compared to the
> >> > other *nix firewalling alternatives, it's fucking easy.
> >> >
> >> > I've considered long and hard (TWSS) to write my own web interface for
> >> > pf.  The prevailing design philosophies SUCK.  If you're going to
> >> > bother, do it right;  proper abstraction of filtering and routing
> >> > concepts is mandatory if you want to make something easy *and* secure.
> >> > Why hasn't anyone done it?  It's really, really difficult.  And most
> >> > developers that might take a crack at an OpenBSD pf web ui aren't
> >> > experienced in interface design.
> >> >
> >> > I've written a few web applications related to OpenBSD (Hatchet,
> >> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
> >> > team can put out, they suck.  But they do an adequate job with the task
> >> > they're designed to handle.  Writing a log filtering interface isn't
> >> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
> >> > application isn't hard (unless you're WordPress... then it's just
> >> > bloated).
> >> >
> >> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
> >> > more complicated and prone to security problems.  Reading the pf FAQ and
> >> > editing pf.conf yourself is easier by geometric proportions.
> >> >
> >> > 
> >> >
> >> > --
> >> > Jason Dixon
> >> > DixonGroup Consulting
> >> > http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
2010/3/14 Jason Dixon :
> On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
>> we have many people who know ISA very well and all they do with ISA is
>> "publishing applications", rdr rules in terms of pf.
>> they do not need to know "all the pf detailed", all they need is
>>
>> a) something ISA-like
>> b) syntax-checker, I mean that gui should only allow adding correct
>> rules (what is not true when you edit file)
>>
>> "learn pf.conf and edit file" is not our case though.
>
> You're SOL on all counts.  Oh by the way, when you find that magical
> firewall ui that "only allows adding correct rules", please let me know.
> That's some insanely smart code that knows right from wrong.  Not even
> pf itself will keep you from shooting yourself in the foot with
> stupidity.

text files do not have any structure, from pf.conf's point of view the rule

"blok in all"

is nothing more than just a line

I didn't mean prevent myself from "shooting myself in the foot"

>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
a) two CARP-connected OpenBSD boxes

b) many "real" IP addresses bound to OpenBSD

c) RFC1918 (non routable) network with servers

d1) monkey button for "nat" rules, so some servers can connect to
certain services (say, smtp to Gmail)

d2) monkey button for "rdr" rules, so some servers could be "published"
on certain IP addresses

2010/3/14 Bret S. Lambert :
> On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
>> we have many people who know ISA very well and all they do with ISA is
>> "publishing applications", rdr rules in terms of pf.
>> they do not need to know "all the pf detailed", all they need is
>>
>> a) something ISA-like
>> b) syntax-checker, I mean that gui should only allow adding correct
>> rules (what is not true when you edit file)
>>
>> "learn pf.conf and edit file" is not our case though.
>
> Then you're in a much more limited problem domain, and it may be
> solvable for you. However, this went from "how do I export the
> full ability to edit pf.conf into gui form" to possibly just
> being "i need to add rdr rules via monkey-usable button", which
> is several orders of magnitude easier.
>
> However, in order to receive help in solving a problem, you must
> first state what the problem you're attempting to solve is. As
> awesome as I am, your tinfoil underwear is rendering my telepathy
> utterly useless.
>
> So, to summarize: details, mofo.
>
>>
>> 2010/3/14 Jason Dixon :
>> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
>> >> Hello,
>> >>
>> >> is there any GUI (like pfsense) around which can be installed on a
>> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
>> >> ?
>> >> I've found comixwall, but it seems to be dead already.
>> >
>> > None that are worth it, imho.  If you want to do it right (you wouldn't
>> > use OpenBSD if you didn't) then learn pf and understand what you're
>> > putting together.  It's not hard.  In fact, compared to the
>> > other *nix firewalling alternatives, it's fucking easy.
>> >
>> > I've considered long and hard (TWSS) to write my own web interface for
>> > pf.  The prevailing design philosophies SUCK.  If you're going to
>> > bother, do it right;  proper abstraction of filtering and routing
>> > concepts is mandatory if you want to make something easy *and* secure.
>> > Why hasn't anyone done it?  It's really, really difficult.  And most
>> > developers that might take a crack at an OpenBSD pf web ui aren't
>> > experienced in interface design.
>> >
>> > I've written a few web applications related to OpenBSD (Hatchet,
>> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
>> > team can put out, they suck.  But they do an adequate job with the task
>> > they're designed to handle.  Writing a log filtering interface isn't
>> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
>> > application isn't hard (unless you're WordPress... then it's just
>> > bloated).
>> >
>> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
>> > more complicated and prone to security problems.  Reading the pf FAQ and
>> > editing pf.conf yourself is easier by geometric proportions.
>> >
>> > 
>> >
>> > --
>> > Jason Dixon
>> > DixonGroup Consulting
>> > http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> we have many people who know ISA very well and all they do with ISA is
> "publishing applications", rdr rules in terms of pf.
> they do not need to know "all the pf detailed", all they need is
> 
> a) something ISA-like
> b) syntax-checker, I mean that gui should only allow adding correct
> rules (what is not true when you edit file)
> 
> "learn pf.conf and edit file" is not our case though.

You're SOL on all counts.  Oh by the way, when you find that magical
firewall ui that "only allows adding correct rules", please let me know.
That's some insanely smart code that knows right from wrong.  Not even
pf itself will keep you from shooting yourself in the foot with
stupidity.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
> we have many people who know ISA very well and all they do with ISA is
> "publishing applications", rdr rules in terms of pf.
> they do not need to know "all the pf detailed", all they need is
> 
> a) something ISA-like
> b) syntax-checker, I mean that gui should only allow adding correct
> rules (what is not true when you edit file)
> 
> "learn pf.conf and edit file" is not our case though.

Then you're in a much more limited problem domain, and it may be
solvable for you. However, this went from "how do I export the
full ability to edit pf.conf into gui form" to possibly just
being "i need to add rdr rules via monkey-usable button", which
is several orders of magnitude easier.

However, in order to receive help in solving a problem, you must
first state what the problem you're attempting to solve is. As
awesome as I am, your tinfoil underwear is rendering my telepathy
utterly useless.

So, to summarize: details, mofo.

> 
> 2010/3/14 Jason Dixon :
> > On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
> >> Hello,
> >>
> >> is there any GUI (like pfsense) around which can be installed on a
> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> >> ?
> >> I've found comixwall, but it seems to be dead already.
> >
> > None that are worth it, imho.  If you want to do it right (you wouldn't
> > use OpenBSD if you didn't) then learn pf and understand what you're
> > putting together.  It's not hard.  In fact, compared to the
> > other *nix firewalling alternatives, it's fucking easy.
> >
> > I've considered long and hard (TWSS) to write my own web interface for
> > pf.  The prevailing design philosophies SUCK.  If you're going to
> > bother, do it right;  proper abstraction of filtering and routing
> > concepts is mandatory if you want to make something easy *and* secure.
> > Why hasn't anyone done it?  It's really, really difficult.  And most
> > developers that might take a crack at an OpenBSD pf web ui aren't
> > experienced in interface design.
> >
> > I've written a few web applications related to OpenBSD (Hatchet,
> > NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
> > team can put out, they suck.  But they do an adequate job with the task
> > they're designed to handle.  Writing a log filtering interface isn't
> > hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
> > application isn't hard (unless you're WordPress... then it's just
> > bloated).
> >
> > I'll say it again... writing a good pf web UI is HARD.  It's infinitely
> > more complicated and prone to security problems.  Reading the pf FAQ and
> > editing pf.conf yourself is easier by geometric proportions.
> >
> > 
> >
> > --
> > Jason Dixon
> > DixonGroup Consulting
> > http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
we have many people who know ISA very well and all they do with ISA is
"publishing applications", rdr rules in terms of pf.
they do not need to know "all the pf detailed", all they need is

a) something ISA-like
b) syntax-checker, I mean that gui should only allow adding correct
rules (what is not true when you edit file)

"learn pf.conf and edit file" is not our case though.

2010/3/14 Jason Dixon :
> On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
>> Hello,
>>
>> is there any GUI (like pfsense) around which can be installed on a
>> clean OpenBSD box (or even two CARP-connected boxes) for pf management
>> ?
>> I've found comixwall, but it seems to be dead already.
>
> None that are worth it, imho.  If you want to do it right (you wouldn't
> use OpenBSD if you didn't) then learn pf and understand what you're
> putting together.  It's not hard.  In fact, compared to the
> other *nix firewalling alternatives, it's fucking easy.
>
> I've considered long and hard (TWSS) to write my own web interface for
> pf.  The prevailing design philosophies SUCK.  If you're going to
> bother, do it right;  proper abstraction of filtering and routing
> concepts is mandatory if you want to make something easy *and* secure.
> Why hasn't anyone done it?  It's really, really difficult.  And most
> developers that might take a crack at an OpenBSD pf web ui aren't
> experienced in interface design.
>
> I've written a few web applications related to OpenBSD (Hatchet,
> NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
> team can put out, they suck.  But they do an adequate job with the task
> they're designed to handle.  Writing a log filtering interface isn't
> hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
> application isn't hard (unless you're WordPress... then it's just
> bloated).
>
> I'll say it again... writing a good pf web UI is HARD.  It's infinitely
> more complicated and prone to security problems.  Reading the pf FAQ and
> editing pf.conf yourself is easier by geometric proportions.
>
> 
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Jason Dixon
On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
> Hello,
> 
> is there any GUI (like pfsense) around which can be installed on a
> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> ?
> I've found comixwall, but it seems to be dead already.

None that are worth it, imho.  If you want to do it right (you wouldn't
use OpenBSD if you didn't) then learn pf and understand what you're
putting together.  It's not hard.  In fact, compared to the
other *nix firewalling alternatives, it's fucking easy.

I've considered long and hard (TWSS) to write my own web interface for
pf.  The prevailing design philosophies SUCK.  If you're going to
bother, do it right;  proper abstraction of filtering and routing
concepts is mandatory if you want to make something easy *and* secure.
Why hasn't anyone done it?  It's really, really difficult.  And most
developers that might take a crack at an OpenBSD pf web ui aren't
experienced in interface design.

I've written a few web applications related to OpenBSD (Hatchet,
NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
team can put out, they suck.  But they do an adequate job with the task
they're designed to handle.  Writing a log filtering interface isn't
hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
application isn't hard (unless you're WordPress... then it's just
bloated).

I'll say it again... writing a good pf web UI is HARD.  It's infinitely
more complicated and prone to security problems.  Reading the pf FAQ and
editing pf.conf yourself is easier by geometric proportions.



-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



any web management gui for pf ?

2010-03-13 Thread Илья Шипицин
Hello,

is there any GUI (like pfsense) around which can be installed on a
clean OpenBSD box (or even two CARP-connected boxes) for pf management
?
I've found comixwall, but it seems to be dead already.


Cheers,
Ilya Shipitsin