Re: [TuxFrw-devel] Firewall update and firewall install
From: Marcelo de S. <ma...@ac...> - 2002-05-31 14:51:18
Hi, certainly this is a great idea. In fact, some time ago I thought about the use of XML as a structural model for TF rules, but only in a "distant future". Well, we really can think about some way of using XML to do this, but I think it could be into 3.x versions only. Let's keep things simpler now, and leave the more "complex ideas" to future branches... Right now I think we should find a way to "finalize" the 2.x series, creating a "stable" set of configuration files and rules. So, as soon as we finish this, we could lead towards our most desired features... This is my opinion. What do you think?

> Hi,
>
> I am trying to figure out a way that would allow us to upgrade tf. Actually
> there is no way to preserve users' modifications.
>
> I think we should have a database of tf rules and a database of users' rules.
> This would allow us to install a new version of tf without disturbing actual
> tf rules. The new rules (that are coming with the upgrade) or modified rules
> could be validated with the user before they are applied to the main database
> rules.
>
> We would have a user interface that would allow us to manage these rules. We
> could even think of a graphical user interface (web based, like PHP) that would
> allow an administrator to manage multiple firewall database rules.
>
> The database rules could be an XML database.
>
> The format of the XML file could be something like:
>
> <firewall modified="20020530" version="2.17">
>   <module id="INT2EXT"
>           enable="IsInterfaceEnabled(INT) &&
>                   IsInterfaceEnabled(EXT) &&
>                   IsModuleOn($ModuleName)">
>     <rule id="1000"
>           description="Create INT2EXT chain"
>           order="AlwaysFirst"
>           dependencies="">
>       -N INT2EXT
>     </rule>
>
>     <rule id="2000"
>           description="Accept http"
>           order=""
>           enable="yes"
>           dependencies="">
>       -A INT2EXT -p tcp -m multiport --dport http,https -j ACCEPT
>     </rule>
>
>     <rule id="3000"
>           description="Accept Mail"
>           order=""
>           enable="yes"
>           dependencies="">
>       -A INT2EXT -p tcp -m multiport --dport smtp,pop-3 -j ACCEPT
>     </rule>
>     ....
>   </module>
> </firewall>
>
> The information contained in the XML file would be:
>
> - tux firewall rules version
> - modules rules and dependencies
> - the firewall rules grouped by module
> - each rule would be identified by a unique identifier within a module
> - for each rule, there could be
>   --> a version number
>   --> a revised date
>   --> enable ...
>   --> dependency rules (this rule can be applied only if this other rule is
>       also applied, if this interface is enabled, if this flag is on or off,
>       based on the state of another rule ...)
>   --> ordering rules: always first, always last, must follow rule n, before
>       rule n...
>   --> a comment
>
> The tux modules would be generated by taking the tf rules + user rules.
>
> On the first TF install, everything should be disabled. Then the user could
> allow to open functionality. The firewall assistant would allow to enable
> or disable rules, add new rules, replace tf rules in the user rule database
> and generate the new firewall scripts based on tf rules and user rules.
>
> What do you think ?
>
> Jean Jacques Gervais
>
> _______________________________________________
> TuxFrw-devel mailing list
> Tux...@li...
> https://lists.sourceforge.net/lists/listinfo/tuxfrw-devel

------------------------------------------------------------
- MARCELO DE SOUZA - <ma...@ac...>
Computer Science / UNESP - S. J. Rio Preto, SP, Brazil
-- ACME! Computer Security Research --
http://www.acme-ids.org/~marcelo
------------------------------------------------------------
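As an added illustration of the rule database sketched in the quoted message (this is not TuxFrw code and not part of the thread), the following Python generator reads a constructed XML file in that shape, evaluates the module's `enable` expression with a small whitelist of predicates instead of `eval()`, emits a rule only when the rule and every rule it depends on are enabled, and honours the "always first / always last" ordering. The predicate names, the `AlwaysFirst`/`AlwaysLast` values and the host-state dictionary are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule database in the shape sketched on the list ("&&" is &amp;&amp; in XML).
RULES_XML = """<firewall modified="20020530" version="2.17">
 <module id="INT2EXT" enable="IsInterfaceEnabled(INT) &amp;&amp; IsInterfaceEnabled(EXT) &amp;&amp; IsModuleOn($ModuleName)">
  <rule id="9000" description="Drop the rest" order="AlwaysLast" enable="yes" dependencies="1000">-A INT2EXT -j DROP</rule>
  <rule id="2000" description="Accept http" order="" enable="yes" dependencies="1000">-A INT2EXT -p tcp -m multiport --dport http,https -j ACCEPT</rule>
  <rule id="3000" description="Accept Mail" order="" enable="no" dependencies="1000">-A INT2EXT -p tcp -m multiport --dport smtp,pop-3 -j ACCEPT</rule>
  <rule id="1000" description="Create INT2EXT chain" order="AlwaysFirst" enable="yes" dependencies="">-N INT2EXT</rule>
 </module>
</firewall>"""

TERM = re.compile(r"^(\w+)\(([\w$]+)\)$")            # one predicate call: Name(arg)
PREDICATES = {"IsInterfaceEnabled": "interfaces", "IsModuleOn": "modules"}
ORDER = {"AlwaysFirst": 0, "": 1, "AlwaysLast": 2}

def predicate(term, env, module):
    """Evaluate one Name(arg) term against host state in env; never eval()."""
    m = TERM.match(term)
    if not m or m.group(1) not in PREDICATES:
        raise ValueError("unsupported enable term: %r" % term)
    name, arg = m.groups()
    arg = module if arg == "$ModuleName" else arg
    return arg in env[PREDICATES[name]]

def module_enabled(expr, env, module):
    # The sketch joins terms only with &&, so the expression is a conjunction.
    return all(predicate(t.strip(), env, module) for t in expr.split("&&"))

def generate(xml_text, env):
    """Return iptables command lines for every enabled module, in rule order."""
    lines = []
    for mod in ET.fromstring(xml_text).iter("module"):
        if not module_enabled(mod.get("enable", ""), env, mod.get("id")):
            continue
        rules = mod.findall("rule")
        enabled = {r.get("id") for r in rules if r.get("enable") == "yes"}
        # sorted() is stable, so file order is kept within each order class.
        for r in sorted(rules, key=lambda r: ORDER.get(r.get("order", ""), 1)):
            deps = [d for d in r.get("dependencies", "").split(",") if d]
            # Emit a rule only if it and every rule it depends on are enabled.
            if r.get("id") in enabled and all(d in enabled for d in deps):
                lines.append("iptables %s  # %s" % (r.text.strip(), r.get("description")))
    return lines

if __name__ == "__main__":
    host = {"interfaces": {"INT", "EXT"}, "modules": {"INT2EXT"}}
    print("\n".join(generate(RULES_XML, host)))
```

Note that the disabled "Accept Mail" rule is dropped, the chain-creating rule is forced to the top even though it is last in the file, and disabling rule 1000 silences every rule that depends on it.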