[TuxFrw-devel] Firewall update and firewall install
From: Jean J. G. <jj...@in...> - 2002-05-31 10:54:16
Hi,

I am trying to figure out a way that would allow us to upgrade tf. Actually there is no way to preserve users' modifications.

I think we should have a database of tf rules and a database of user rules. This would allow us to install a new version of tf without disturbing the actual tf rules. The new rules (that are coming with the upgrade) or modified rules could be validated with the user before they are applied to the main database rules.

We would have a user interface that would allow us to manage these rules. We could even think of a graphical user interface (web based, like php) that would allow an administrator to manage multiple firewall rule databases.

The rule database could be an xml database. The format of the xml file could be something like:
<firewall modified="20020530" version="2.17">
  <module id="INT2EXT"
          enable="IsInterfaceEnabled(INT) &amp;&amp;
                  IsInterfaceEnabled(EXT) &amp;&amp;
                  IsModuleOn($ModuleName)">
    <rule id="1000"
          description="Create INT2EXT chain"
          order="AlwaysFirst"
          dependencies="">
      -N INT2EXT
    </rule>
    <rule id="2000"
          description="Accept http" order=""
          enable="yes"
          dependencies="">
      -A INT2EXT -p tcp -m multiport --dport http,https -j ACCEPT
    </rule>
    <rule id="3000"
          description="Accept Mail"
          order=""
          enable="yes"
          dependencies="">
      -A INT2EXT -p tcp -m multiport --dport smtp,pop-3 -j ACCEPT
    </rule>
    ....
  </module>
</firewall>
The information contained in the xml file would be:
- tux firewall rules version
- module rules and dependencies
- the firewall rules grouped by module
- each rule would be identified by a unique identifier within a module
- for each rule, there could be
  --> a version number
  --> a revised date
  --> enable ...
  --> dependency rules (this rule can be applied only if this other rule is also applied, if this interface is enabled, if this flag is on or off, based on the state of another rule ...)
  --> ordering rules: always first, always last, must follow rule n, before rule n...
  --> a comment

The tux modules would be generated by taking the tf rules + user rules.

On the first TF install, everything should be disabled. Then the user could open functionality. The firewall assistant would allow enabling or disabling rules, adding new rules, replacing tf rules in the user rule database and generating the new firewall scripts based on tf rules and user rules.

What do you think?

Jean Jacques Gervais
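One way to put the proposed rule database to work, written as an added example for this archive page (it is not code from TuxFrw or from the poster): the script below parses two databases in the proposed format, a tf rule database and a user rule database (both constructed inline), lets a user rule override the tf rule with the same id, keeps only enabled rules whose dependencies are themselves applied, orders them (AlwaysFirst, then unordered rules by id, then AlwaysLast, never placing a rule before one it depends on) and returns the iptables lines of the generated firewall script. The user-overlay semantics, the plain "yes"/"no" module enable flag used in place of the proposal's expression syntax, and the comma-separated dependencies attribute are assumptions; the sample rule ids, descriptions and commands are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tf rule database that ships with an upgrade.
TF_RULES = """<firewall modified="20020530" version="2.17">
  <module id="INT2EXT" enable="yes">
    <rule id="1000" description="Create INT2EXT chain" order="AlwaysFirst"
          enable="yes" dependencies="">-N INT2EXT</rule>
    <rule id="2000" description="Accept http" order="" enable="no"
          dependencies="1000">-A INT2EXT -p tcp -m multiport --dport http,https -j ACCEPT</rule>
    <rule id="3000" description="Accept Mail" order="" enable="yes"
          dependencies="1000">-A INT2EXT -p tcp -m multiport --dport smtp,pop-3 -j ACCEPT</rule>
    <rule id="9000" description="Drop the rest" order="AlwaysLast" enable="yes"
          dependencies="1000">-A INT2EXT -j DROP</rule>
  </module>
</firewall>"""

# Constructed sample: the user rule database, which an upgrade leaves untouched.
USER_RULES = """<firewall modified="20020531" version="2.17">
  <module id="INT2EXT" enable="yes">
    <rule id="2000" description="Accept http (enabled by admin)" order="" enable="yes"
          dependencies="1000">-A INT2EXT -p tcp -m multiport --dport http,https -j ACCEPT</rule>
    <rule id="2500" description="Accept ssh" order="" enable="yes"
          dependencies="2000">-A INT2EXT -p tcp --dport ssh -j ACCEPT</rule>
  </module>
</firewall>"""

# Ordering classes from the proposal; an empty order attribute means "no constraint".
ORDER_RANK = {"AlwaysFirst": 0, "": 1, "AlwaysLast": 2}


def load_rules(xml_text):
    """Parse one database into {module_id: {rule_id: rule}}; disabled modules are skipped."""
    db = {}
    for module in ET.fromstring(xml_text).findall("module"):
        # Assumption: a plain yes/no flag instead of the proposal's expression syntax.
        if module.get("enable", "no") != "yes":
            continue
        rules = db.setdefault(module.get("id"), {})
        for rule in module.findall("rule"):
            rules[rule.get("id")] = {
                "id": rule.get("id"),
                "description": rule.get("description", ""),
                "order": rule.get("order", ""),
                "enable": rule.get("enable", "no") == "yes",
                "dependencies": [d.strip() for d in rule.get("dependencies", "").split(",") if d.strip()],
                "command": (rule.text or "").strip(),
            }
    return db


def merge(tf_db, user_db):
    """User rules override tf rules with the same id in the same module; new user rules are added."""
    merged = {mod: dict(rules) for mod, rules in tf_db.items()}
    for mod, rules in user_db.items():
        merged.setdefault(mod, {}).update(rules)
    return merged


def applied_rules(rules):
    """Keep enabled rules whose dependencies are all applied (fixed-point iteration,
    so chains of dependencies resolve regardless of id order; cycles are dropped)."""
    applied = {}
    changed = True
    while changed:
        changed = False
        for rid, rule in rules.items():
            if rid in applied or not rule["enable"]:
                continue
            if all(dep in applied for dep in rule["dependencies"]):
                applied[rid] = rule
                changed = True
    return applied


def ordered(rules):
    """AlwaysFirst, then unordered, then AlwaysLast (numeric id within a class),
    and a rule is never emitted before a rule it depends on."""
    remaining, emitted, done = dict(rules), [], set()
    while remaining:
        ready = [r for r in remaining.values() if all(d in done for d in r["dependencies"])]
        if not ready:
            raise ValueError("dependency cycle among rules " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda r: (ORDER_RANK.get(r["order"], 1), int(r["id"])))
        emitted.append(nxt)
        done.add(nxt["id"])
        del remaining[nxt["id"]]
    return emitted


def generate_script(tf_xml, user_xml):
    """Return the iptables lines of the firewall script built from tf rules + user rules."""
    lines = []
    for mod, rules in merge(load_rules(tf_xml), load_rules(user_xml)).items():
        lines.append(f"# module {mod}")
        for rule in ordered(applied_rules(rules)):
            lines.append(f"iptables {rule['command']}  # {rule['id']}: {rule['description']}")
    return lines


if __name__ == "__main__":
    print("\n".join(generate_script(TF_RULES, USER_RULES)))
```

With the constructed databases, the tf copy of rule 2000 is disabled, so a tf-only build emits the chain creation, the mail rule and the final DROP; once the user database is merged, the admin's enabled copy of 2000 replaces it and the user's ssh rule 2500, which depends on 2000, becomes applicable as well. A rule whose dependency is missing or disabled is silently left out, which is where the proposal's "validate with the user" step would report it.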