Re: [Fwbuilder-discussion] Platform for fwbuilder based FW?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Bill,

On Dec 29, 2006, at 5:07 PM, Bill Arlofski wrote:

>
> Hi Vadim,
>
> I want to respond to your questions, but I also want to make sure  
> that I
> am not annoying you with this talk of m0n0wall. It seems that there  
> are
> at least a couple people on this list that also use m0n0wall and  
> may be
> interested in talking about the idea. I am not trying to push this  
> idea
> on you. I only wish I had the C++ programming skills to implement,  
> or to
> help implement such a thing myself and I hope that by chatting  
> about it
> in here a project might spring out of it.
>

its ok, do not worry.

>
> Heck, I'd even accept an answer of "I am a programmer, and have looked
> at m0n0wall and a module for FWBuilder to support m0n0wall is not a
> possibility for x, y & z reasons."  providing the person commenting  
> was
> being honest. :)
>

I think it should be possible, even not too difficult, to build a  
compiler for m0n0wall. It is built on FreeBSD and uses ipfilter for  
actual firewalling, which is one of the supported in fwbuilder  
combinations. The compiler for m0n0wall should be written as a  
derivative of the existing compiler for ipfilter. Basically, it  
should do what a compiler for ipfilter does already and then print  
the output in a different format.

>
>
>> Vadim Kurland wrote:
>> isnt there any way to just copy generated firewall script to moonwall
>> and execute it there ?
>
> No. Not really. As I mentioned in an earlier post in the previous  
> thread
> about this, (subject: [Fwbuilder-discussion] Module to support
> m0n0wall), m0n0wall's configuration, including all the aliases, dns,
> dhcp, PPPoE, interfaces, vlans, rules, NAT, etc, etc, etc, are all
> contained in one .XML file. That file may be downloaded (for  
> backup) via
> m0n0wall's  web interface or uploaded (for restoration) via m0nowall's
> web interface.
>
> The m0n0wall module for FWbuilder that I envisioned would be able to
> understand and create the whole config.xml m0n0wall config file to be
> uploaded to the m0n0wall.

I am not so sure about this. You want to be able to use m0n0wall web  
ui to manage VPN, traffic shaper, DHCP and other good things. Thats  
the advantage of m0n0wall over stripped down Linux distribution on  
the same hardware. So you need to somehow merge XML generated by  
fwbuilder compiler with the rest of the config generated by m0n0wall  
web ui and downloaded from it. You also want to minimize manual steps  
in this process.  Fwbuilder design does not allow compilers to  
communicate with the firewall, that is done in the installer. So the  
whole process could look like this:

  - create address, host, network and service objects in fwbuilder GUI
  - build firewall policy and NAT rules
  - run compiler. This generates an XML file with "nat", "filter" and  
"aliases"
  - run installer. This downloads m0n0wall config using their  
existing "backup" feature, merges it with XML part generated by  
fwbuilder and uploads combined config back to the firewall.

There are caveats though.

Their config includes everything, both parts that can be managed by  
fwbuilder and parts that can not be managed by it. Then, there are  
parts that are little bit of both. For example, m0n0wall XML file  
includes section "aliases" where they define hosts and network and  
their addresses (perhaps something else as well). Fwbuilder could  
generate this section because it has a database of objects; hosts and  
networks defined in this section are used in filter and nat rules, so  
this only makes sense. However I suspect that hosts and networks  
defined in this section can also be used by m0n0wall config in other  
sections, managed by the web ui of m0n0wall.

In order to properly support these objects ("aliases" in the  
config.xml file), the compiler would need to be able to merge aliases  
generated from fwbuilder objects with aliases created by the web ui.  
This is doable but inconvenient and error-prone because of possible  
name conflicts. Fwbuilder distinguishes objects by their unique  
internal IDs, so you can have objects with the same names. It does  
not look like m0n0wall has any kind of unique ID, they use names to  
distinguish hosts and networks.

It would be difficult to make fwbuilder read host and network objects  
created in the web ui and merge them with objects created in  
fwbuilder GUI. This is difficult not because I can not parse their  
XML, but rather because it must be done every time you touch  
configuration in the web ui, and fwbuilder does not know when this  
happens.  Also currently fwbuilder does not have any mechanism for  
such updates, so the only way to do it is to do it in a multi-step  
process that requires you to close the file, run some script to  
incorporate changes made in the web ui, then reopen the file in  
fwbuilder. This is a whole new can of worms I do not want to touch,  
so the merging of two configurations must happen in only one  
direction - by inserting aliases, filter and nat rules created in  
fwbuilder into m0n0wall config.

In any case, fwbuilder would not generate complete m0n0wall config.

>
> Vadim, honestly... When I thought about this m0n0wall module for
> FWBuilder, I hadn't even really considered the installer part,  
> since all
> I needed was for FWBuilder to create a nice complete m0n0wall- 
> compatible
> m0n0wall-config.xml file that I could easily upload via the m0n0wall's
> web gui.
>

not that simple, see above.

> However, a simple script that calls curl or wget with the  
> appropriate IP
> address and login credentials would be simple for me to write to
> "install" the new configuration to a m0n0wall firewall from within the
> FWBuilder interface.
>

yes, something like that.

>
>
> Again, I would be willing to help with such a module by providing any
> information, suggestions, some current real-world m0n0wall configs,
> performing testing or by providing anything required to get it  
> working.
> I guess I just need to convince someone (a programmer,  heh) that
> m0n0wall is a viable, worth-while platform for FWBuilder to  
> support. :)

you can convince me to do this if you show there is interest from  
sufficient number of people. I almost designed it right here, in this  
email :-)

--vk