Tony Nguyen writes:
> Hi Darren and all,
>
> As part of the Visual Panels project,
>
> http://opensolaris.org/os/project/vpanels
>
> we're proposing a generic firewall framework for Solaris. The framework
> utilizes IPfilter to provide a simple mechanism to configure a firewall
> on Solaris systems.
This looks pretty nifty. I have a few high-level questions about it, though:

- There are a bunch of open source firewall construction toolkits and
  'ease of use' GUIs around for doing this sort of work, including
  several for IP Filter. (I think FirewallBuilder is a popular one, but
  there seem to be others as well, and I'm no expert in that
  marketplace. I've always just edited the files by hand.) I didn't see
  any mention of these other systems in this document. Would it be
  possible to add a section that addresses how this new feature compares
  to one or two of the known popular existing tools, and (longer term)
  how we plan to keep ours viable and what issues users may have in
  transitioning over from one of the others?

- Related to that: are there any standards (formal or otherwise) for
  policy rule languages? It seems to me that having consistent policy
  rules across multiple machines (not just Solaris) would be an important
  goal for administrators, and being able to speak some common language
  would be an important step to achieving that. If no viable standards
  exist, and we don't want to create one for some reason, is it at least
  possible to synchronize policy among cooperating Solaris machines? I
  see only "system-wide" as the largest grouping described in the
  document. Has any investigation been done on interoperability and
  deployment with multiple machines?

- One of the big high-level problems with IP Filter (as it is with _all_
  firewall software) is visualizing how the rules perform. That is,
  being able to ask "what if?" questions concerning traffic from other
  hosts. (Something like: "which rules would match if I received a TCP
  SYN packet for destination address a.b.c.d and port 25 from host
  foo.bar.com, and what would be the resulting action taken by the
  system?") As someone who uses this stuff frequently, this is often a
  sore point. It can be hard to determine whether you've gotten
  everything just right unless you log into some remote system and start
  attacking your original machine. Would it be possible to have
  something like "tcpdmatch" for this tool?

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
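The "what if?" query asked for above (which rules match a given packet, and what the system ends up doing with it) is easy to get wrong by eye because IP Filter uses last-match-wins semantics unless a rule says "quick". The following is an added example, not code from the Visual Panels project, from IP Filter, or from either poster: a toy evaluator for a small subset of ipf.conf syntax (pass/block, in/out, quick, on, proto, from/to with "any" or IPv4/CIDR, "port = N", "flags S/SA"). The grammar subset, the sample rule set, the interface name hme0 and all addresses are assumptions made for illustration; hostnames such as foo.bar.com are not resolved, so addresses must be given numerically.

```python
# Toy "what if?" evaluator for a small subset of IP Filter (ipf.conf) rule
# syntax.  Added illustration, not code from Visual Panels or IP Filter.
# Assumed grammar: <pass|block> <in|out> [quick] [on IFACE] [proto PROTO]
#   (all | from ADDR to ADDR) [port = N] [flags S/SA]; ADDR is "any",
# an IPv4 address or CIDR (hostnames are not resolved).
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    text: str
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool = False     # stop evaluating if this rule matches
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    syn_only: bool = False  # "flags S/SA": SYN set and ACK clear


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()   # TCP flag letters, e.g. {"S"}


def _addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    assert toks[0] in ("pass", "block") and toks[1] in ("in", "out"), line
    r = Rule(text=line.strip(), action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r.quick = True
            i += 1
        elif t == "all":                 # shorthand for "from any to any"
            i += 1
        elif t in ("on", "proto", "from", "to"):
            val = toks[i + 1]
            setattr(r, {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}[t],
                    _addr(val) if t in ("from", "to") else val)
            i += 2
        elif t == "port" and toks[i + 1] == "=":
            r.dport = int(toks[i + 2])
            i += 3
        elif t == "flags" and toks[i + 1] == "S/SA":
            r.syn_only = True
            i += 2
        else:
            raise ValueError("unsupported keyword %r in: %s" % (t, line))
    return r


def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and r.iface in (None, p.iface)
            and r.proto in (None, p.proto)
            and (r.src is None or p.src in r.src)
            and (r.dst is None or p.dst in r.dst)
            and (r.dport is None or r.dport == p.dport)
            and (not r.syn_only or ("S" in p.flags and "A" not in p.flags)))


def evaluate(rules: List[Rule], p: Packet, default: str = "pass") -> Tuple[str, List[str]]:
    # IP Filter semantics: the LAST matching rule decides the action, unless a
    # matching rule carries "quick", which ends evaluation on the spot.
    action, hits = default, []
    for r in rules:
        if rule_matches(r, p):
            hits.append(r.text)
            action = r.action
            if r.quick:
                break
    return action, hits


def what_if(ruleset: str, direction: str, iface: str, proto: str, src: str,
            dst: str, dport: Optional[int] = None, flags: str = "") -> Tuple[str, List[str]]:
    rules = [parse_rule(ln) for ln in ruleset.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    pkt = Packet(direction, iface, proto, ipaddress.ip_address(src),
                 ipaddress.ip_address(dst), dport, frozenset(flags))
    return evaluate(rules, pkt)


# Constructed sample rule set (not from the page): a trailing "block in all"
# silently wins over the non-quick ssh rule because of last-match semantics.
SAMPLE_RULES = """
block in quick on hme0 from 10.0.0.0/8 to any
pass in quick on hme0 proto tcp from any to 192.0.2.10 port = 25 flags S/SA
pass in on hme0 proto tcp from any to 192.0.2.0/24 port = 22
block in all
"""
```

Asking `what_if(SAMPLE_RULES, "in", "hme0", "tcp", "198.51.100.7", "192.0.2.20", 22, "S")` returns the list of every rule that matched in order and the final verdict ("block"), which is exactly the information that is hard to see from the rule file: the ssh pass rule matched, but without "quick" the later "block in all" overrode it. For real rule files, IP Filter's own ipftest(1M) utility feeds hand-built packets through a rule file without loading it into the kernel, which covers much of the "tcpdmatch" use case; the toy above only exists to make the evaluation order visible.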