Re: [Fwbuilder-discussion] Platform for fwbuilder based FW?
From: <va...@vk...> - 2006-12-30 05:54:49
Hi Bill,

On Dec 29, 2006, at 5:07 PM, Bill Arlofski wrote:

> Hi Vadim,
>
> I want to respond to your questions, but I also want to make sure that I
> am not annoying you with this talk of m0n0wall. It seems that there are
> at least a couple people on this list that also use m0n0wall and may be
> interested in talking about the idea. I am not trying to push this idea
> on you. I only wish I had the C++ programming skills to implement, or to
> help implement such a thing myself and I hope that by chatting about it
> in here a project might spring out of it.

It's ok, do not worry.

> Heck, I'd even accept an answer of "I am a programmer, and have looked
> at m0n0wall and a module for FWBuilder to support m0n0wall is not a
> possibility for x, y & z reasons." providing the person commenting was
> being honest. :)

I think it should be possible, even not too difficult, to build a compiler for m0n0wall. It is built on FreeBSD and uses ipfilter for actual firewalling, which is one of the combinations supported in fwbuilder. The compiler for m0n0wall should be written as a derivative of the existing compiler for ipfilter. Basically, it should do what a compiler for ipfilter does already and then print the output in a different format.

>> Vadim Kurland wrote:
>> isn't there any way to just copy the generated firewall script to m0n0wall
>> and execute it there?
>
> No. Not really. As I mentioned in an earlier post in the previous thread
> about this, (subject: [Fwbuilder-discussion] Module to support
> m0n0wall), m0n0wall's configuration, including all the aliases, dns,
> dhcp, PPPoE, interfaces, vlans, rules, NAT, etc, etc, etc, are all
> contained in one .XML file. That file may be downloaded (for backup) via
> m0n0wall's web interface or uploaded (for restoration) via m0n0wall's
> web interface.
>
> The m0n0wall module for FWbuilder that I envisioned would be able to
> understand and create the whole config.xml m0n0wall config file to be
> uploaded to the m0n0wall.

I am not so sure about this. You want to be able to use the m0n0wall web UI to manage VPN, traffic shaper, DHCP and other good things. That's the advantage of m0n0wall over a stripped-down Linux distribution on the same hardware. So you need to somehow merge the XML generated by the fwbuilder compiler with the rest of the config generated by the m0n0wall web UI and downloaded from it. You also want to minimize manual steps in this process. Fwbuilder design does not allow compilers to communicate with the firewall; that is done in the installer. So the whole process could look like this:

- create address, host, network and service objects in the fwbuilder GUI
- build firewall policy and NAT rules
- run the compiler. This generates an XML file with "nat", "filter" and "aliases"
- run the installer. This downloads the m0n0wall config using their existing "backup" feature, merges it with the XML part generated by fwbuilder and uploads the combined config back to the firewall.

There are caveats though. Their config includes everything, both parts that can be managed by fwbuilder and parts that can not be managed by it. Then, there are parts that are a little bit of both. For example, the m0n0wall XML file includes a section "aliases" where they define hosts and networks and their addresses (perhaps something else as well). Fwbuilder could generate this section because it has a database of objects; hosts and networks defined in this section are used in filter and nat rules, so this only makes sense. However I suspect that hosts and networks defined in this section can also be used by the m0n0wall config in other sections, managed by the web UI of m0n0wall. In order to properly support these objects ("aliases" in the config.xml file), the compiler would need to be able to merge aliases generated from fwbuilder objects with aliases created by the web UI.

This is doable but inconvenient and error-prone because of possible name conflicts. Fwbuilder distinguishes objects by their unique internal IDs, so you can have objects with the same names. It does not look like m0n0wall has any kind of unique ID; they use names to distinguish hosts and networks. It would be difficult to make fwbuilder read host and network objects created in the web UI and merge them with objects created in the fwbuilder GUI. This is difficult not because I can not parse their XML, but rather because it must be done every time you touch the configuration in the web UI, and fwbuilder does not know when this happens. Also, currently fwbuilder does not have any mechanism for such updates, so the only way to do it is a multi-step process that requires you to close the file, run some script to incorporate changes made in the web UI, then reopen the file in fwbuilder. This is a whole new can of worms I do not want to touch, so the merging of the two configurations must happen in only one direction: by inserting aliases, filter and nat rules created in fwbuilder into the m0n0wall config. In any case, fwbuilder would not generate a complete m0n0wall config.

> Vadim, honestly... When I thought about this m0n0wall module for
> FWBuilder, I hadn't even really considered the installer part, since all
> I needed was for FWBuilder to create a nice complete m0n0wall-compatible
> m0n0wall-config.xml file that I could easily upload via the m0n0wall's
> web gui.

Not that simple, see above.

> However, a simple script that calls curl or wget with the appropriate IP
> address and login credentials would be simple for me to write to
> "install" the new configuration to a m0n0wall firewall from within the
> FWBuilder interface.

Yes, something like that.

> Again, I would be willing to help with such a module by providing any
> information, suggestions, some current real-world m0n0wall configs,
> performing testing or by providing anything required to get it working.
> I guess I just need to convince someone (a programmer, heh) that
> m0n0wall is a viable, worth-while platform for FWBuilder to support. :)

You can convince me to do this if you show there is interest from a sufficient number of people. I almost designed it right here, in this email :-)

--vk
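As an added example that is not part of this thread, of fwbuilder or of m0n0wall, here is the merge step of the installer sketched in the mail above, written in Python. It takes the config downloaded through the web UI's backup feature plus the "aliases", "filter" and "nat" sections a compiler for m0n0wall would emit, replaces filter and nat wholesale (fwbuilder owns them), adds fwbuilder aliases by name in one direction only, and reports a conflict instead of overwriting when the web UI already has an alias with the same name but a different address, since m0n0wall has no per-object ID to fall back on. Both XML documents are constructed samples; the element names inside them and the <fwbuilder> wrapper are assumptions made for this example, not the real config.xml layout. The curl/wget download and upload around the merge are not shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a config as downloaded from the m0n0wall web UI
# "backup" page. Element names below are an assumption for this example,
# not a verified m0n0wall schema; only the section names "aliases",
# "filter" and "nat" come from the discussion above.
M0N0_CONFIG = """<m0n0wall>
  <system><hostname>fw1</hostname></system>
  <dhcpd><enable/><range><from>10.1.1.100</from><to>10.1.1.200</to></range></dhcpd>
  <aliases>
    <alias><name>webfarm</name><address>10.1.1.0/24</address><descr>web ui</descr></alias>
    <alias><name>dns1</name><address>10.1.2.53</address><descr>web ui</descr></alias>
  </aliases>
  <filter>
    <rule><descr>rule made in the web ui</descr></rule>
  </filter>
  <nat>
    <rule><descr>nat made in the web ui</descr></rule>
  </nat>
</m0n0wall>
"""

# Constructed sample of what a hypothetical fwbuilder compiler for m0n0wall
# would emit: only the three sections fwbuilder manages, in a wrapper
# element whose name is also an assumption.
FWB_FRAGMENT = """<fwbuilder>
  <aliases>
    <alias><name>webfarm</name><address>10.1.1.0/24</address><descr>fwb id 1001</descr></alias>
    <alias><name>dns1</name><address>10.1.2.54</address><descr>fwb id 1002</descr></alias>
    <alias><name>mail</name><address>10.1.3.25</address><descr>fwb id 1003</descr></alias>
  </aliases>
  <filter>
    <rule><descr>fwb rule 0</descr></rule>
    <rule><descr>fwb rule 1</descr></rule>
  </filter>
  <nat>
    <rule><descr>fwb nat 0</descr></rule>
  </nat>
</fwbuilder>
"""

# Sections fwbuilder owns outright; anything else in config.xml is left alone.
FWB_OWNED = ("filter", "nat")


def _replace_section(cfg, new):
    """Replace cfg's child with the same tag as `new`, keeping its position."""
    old = cfg.find(new.tag)
    if old is None:
        cfg.append(new)
        return
    idx = list(cfg).index(old)
    cfg.remove(old)
    cfg.insert(idx, new)


def merge_config(m0n0_xml, fwb_xml):
    """One-direction merge of fwbuilder output into a m0n0wall config.

    filter and nat are replaced wholesale. aliases are merged by name,
    because m0n0wall has no other identifier: a fwbuilder alias with an
    unused name is added; one matching an existing web UI alias with the
    same address is left as is; one matching by name but differing in
    address is recorded as a conflict and the web UI version is kept.
    Returns (merged_root, conflicts); upload only when conflicts is empty.
    """
    cfg = ET.fromstring(m0n0_xml)
    frag = ET.fromstring(fwb_xml)

    for tag in FWB_OWNED:
        new = frag.find(tag)
        if new is not None:
            _replace_section(cfg, new)

    aliases = cfg.find("aliases")
    if aliases is None:
        aliases = ET.SubElement(cfg, "aliases")
    by_name = {a.findtext("name"): a for a in aliases.findall("alias")}

    conflicts = []
    frag_aliases = frag.find("aliases")
    for a in (frag_aliases.findall("alias") if frag_aliases is not None else []):
        name = a.findtext("name")
        if name not in by_name:
            aliases.append(a)
            by_name[name] = a
        elif by_name[name].findtext("address") != a.findtext("address"):
            conflicts.append(name)
    return cfg, conflicts


if __name__ == "__main__":
    merged, conflicts = merge_config(M0N0_CONFIG, FWB_FRAGMENT)
    if conflicts:
        print("refusing to upload, alias name conflicts:", ", ".join(conflicts))
    else:
        print(ET.tostring(merged, encoding="unicode"))
```

Run directly, the sample refuses to upload because the web UI and fwbuilder both define "dns1" with different addresses; everything fwbuilder does not manage (system, dhcpd) survives untouched, and the merged tree only ever flows from fwbuilder into config.xml, never back into the fwbuilder object database, which is the one-direction rule the mail settles on.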