Re: [TuxFrw-devel] Re: Let's restart TuxFrw development!!!
From: Marcelo de S. <ma...@ac...> - 2002-05-18 13:41:53
Well, first of all, welcome to tuxfrw-devel list Mr. Gervais.

I agree with you, and we are happy to have another member in our development team... We certainly need some help with 'script code', whatever the language is to be used. As you said, a GUI is not our main goal, 'cause firewalls generally run over "dumb" systems, without those graphical "beauties"... That's why our intention is to make some sort of CLI in NCurses. Another friend of ours, Mr. Ajay Kumar, said he would help developing a Ncurses based UI.

Below are some of my ideas/outlines for TF (TuxFrw). Certainly we should keep TF as simple as it is, but my idea is to give it some more functionality and greater automation level...

Well, that's all...

-------------------------------------------------------------------------------

TuxFrw is a set of scripts created to ease the way Linux IPTables rules are configured. Using TuxFrw a user can configure his own Linux / Netfilter based network firewall, simply passing some IP address numbers and other services utilization policies.

TuxFrw Development
------------------

- List of features and changes for future versions

Basic functions:

- Netfilter/IPtables firewall builder.
- automated Policy routing / Traffic control
- firewall auditing / traffic analyzer (???)

What should TuxFrw be?

User interface to Netfilter/IPtables and Linux policy routing or traffic control, allowing you to edit firewall rules and configure the firewall to "mark" packets for policy routing or for class based queueing (CBQ). Also a firewall auditor and traffic analyzer.

Functionality:

Lists the various possibilities in "menus" and "forms" that can be navigated through using the arrow and function keys (Ncurses version), GUI (Qt) or web interface (CGI or similar) so that one doesn't have to memorize the various configuration possibilities and options of command line or script or script-based IPtables firewall setup.

TuxFrw 2.x functionality

New versions should keep the way 2.x did IPtables rules, but now the main TuxFrw interface is responsible for setting the rules and loading them through the "SysV-like service".

         |-> creates/manages "/etc/tuxfrw/<conf_and_rules_files>"
         |
TuxFrw  -|
         |
         |-> setup "/etc/init.d/tuxfrw" service

Full list of features:

- Copy all other already existent features from TF 2.x
- A wizard that can easily configure rules.
    - switch between simple or advanced firewall setup
    - choose Internet connected device (ethX, pppX, ...)
        - is DHCP?
    - enable/disable ICMP filtering (Echo, Unreachable, ...)
    - enable services by names
    - TOS configuration (DiffServ - Throughput, Reliability, Delay)
    - Masquerading (LAN)
        - select internal device (IP autodetection or manual)
        - setup port forwarding
- Commands to Start/Stop firewall or Halt all network traffic
- Option to explicitly block ports
- Option to enable experimental options
- Try to detect the location of system binaries
- Setup preferred packet rejection method (DENY, REJECT)
- Display firewall hit-list (enable/disable, clear, load, save) --> Logs?
- Allow creation of Dynamic rules
    - deny all connections from...
    - allow all connection from...
    - allow (TCP/UDP) service (port) to (IP)...
    - allow (TCP/UDP) service (port) to anyone
- Rules viewer : filter, nat and mangle (Packet filtering, masquerading and mangling)
- Load/Save configurations
- Probe interfaces automatically.
  (get IPs)
- Connection viewer (/proc/net/ip_conntrack) --> like connviewer by Conectiva
- Traffic Control (Class Based Queueing)
    - work together with Traffic Shaper, based on MARK targets (CBQ scheduler)
- Traffic shaper monitor
- tcpdump front-end
- nmap frontend
- Log analysis

Our object should be based on the following:

" The idea of a tool to configure the reliable firewall for either network protection or host protection still has not found its right implementation, particularly one to be used by people who do not understand the technical details of packet filtering and its Linux implementation together with at least some of the iptables internals. The best way to configure iptables still seems to be "iptables -N", "iptables -A", "iptables -D", etc. In other words, if one can learn to successfully operate some of the existent automation tools (including TuxFrw), one can just as easily learn to configure iptables from the command line! These tools should have full support for iptables features and use plain simple well-documented configuration files. However, such tools must be implemented, as the need exists for the simple firewall configuration support due to widespread use of Linux in an insecure Internet environment."

-- based on a SecurityFocus Article.

------------------------------------------------------------------------------

> Bonjour !
>
> Yes, I am willing to help !
>
> I am a software developer. I have been developing software for the past 15
> years. On my job, I now do more management and software analysis than
> software development.
>
> I am willing to help with CLI. I am willing to participate in perl, awk, sed,
> ruby (I never used it but this language seems promising), shell script or any
> scripting language.
>
> I don't think that a GUI is a good idea for a firewall since most machines
> that are running firewalls do not have graphical interfaces.
>
> I think that one of the strengths of Tux Firewall is its simplicity.
> Tux firewall is elegant. Most people that are using this type of firewall
> already know about iptables (They should). For me Tux firewall is a framework
> that offers me a clear way to organize my iptables rules.
>
> Most other firewalls I have seen so far try to simplify firewall creation
> and maintenance, which is good. But these firewalls are trying to hide the
> fact that the objective is to make iptables or ipchains rules; by doing so,
> they are building an architecture that is often more complex than the problem
> they are trying to solve.
>
> I think that Tux firewall should help the system administrator with the
> creation and maintenance of iptables rules, but in no way hide these rules
> from him.
>
> There are already plenty of GUI firewalls. Some of them have very nice
> interfaces. (OpenWall) I don't think that Tux firewall should compete with
> these firewalls. They are designed for a different market (are they ?).
>
> The strength of Tux firewall is that it is in perfect harmony with iptables.
> It is designed the way it should be.
>
> How do you see the future of Tux firewall ?
>
> Can we make a list of the things that we would like to see in Tux firewall ?
>
> Au revoir !
>
> Jean Jacques Gervais

------------------------------------------------------------
- MARCELO DE SOUZA - <ma...@ac...>
Computer Science / UNESP - S. J. Rio Preto, SP, Brazil
-- ACME! Computer Security Research --
http://www.acme-ids.org/~marcelo
------------------------------------------------------------