Date:      19 Nov 2002 09:06:36 -0500
From:      Dan Pelleg <daniel+bsd@pelleg.org>
To:        freebsd-stable@FreeBSD.org
Subject:   RFC: alternative firewall rule framework
Message-ID:  <u2s65ut4psj.fsf@gs166.sp.cs.cmu.edu>


I'd like to propose a framework alternative to rc.firewall. The monolithic
rc.firewall makes it hard to maintain and to use in any way other than
loading it all at once. I can think of at least two axes along which one
would like to modularize:

1. Define independent policies to perform various firewall tasks (e.g., allow
access to our web server, or: let NAT machines initiate connections).

2. Separate the lists of actual hosts and networks from the policy.

If you want, (1) separates "what" from "how", and (2) separates "how" from
"whom".

With this kind of framework in place, it becomes easy to load, unload, or
refresh any part of the ruleset. For example: you've just added a machine
to the battery of webservers and need to update the firewall. You'd rather
not lose your state table or lock yourself out while doing it. The only
part you want to touch is the one with the http rules in it.

I have a prototype for such a system (below). The implementation is nothing
but a bunch of shell scripts that wrap ipfw(8) calls. But they do step
towards providing modularization. As-is it's mostly a drop-in replacement
for rc.firewall. But it also contains some examples that show it is easily
extensible to more complex situations.

Also included is a setup for a small NAT-ed network, which seems to be a
high hurdle for many (at least if you judge by the number of questions
posted to the mailing lists).

It's at http://web.cs.cmu.edu/~dpelleg/download/fwtasks.tgz
Comments will be appreciated. I already know the implementation is ugly :)

-- 

  Dan Pelleg
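As an added illustration of the load/unload/refresh idea the mail describes (example code written for this page, not taken from the fwtasks tarball): each task owns a fixed window of ipfw rule numbers, the host lists are kept apart from the policy that uses them, and refreshing a task deletes and re-adds only its own window, so other tasks' rules and the dynamic state table survive. The interface name xl0, the sample addresses and the task names are constructed; the script prints the ipfw commands unless IPFW_CMD=ipfw is set.

```shell
# Added illustration, not Dan Pelleg's fwtasks code. Each task owns a window of
# WINDOW ipfw rule numbers; refreshing a task rewrites only its own window.
# ipfw commands are printed by default; set IPFW_CMD=ipfw on FreeBSD to apply.
IPFW_CMD="${IPFW_CMD:-echo ipfw}"
WINDOW=100
# "whom": host lists kept apart from policy (constructed sample addresses)
WEBSERVERS="192.0.2.10 192.0.2.11"
NAT_LAN="10.0.0.0/24"
NAT_IF="${NAT_IF:-xl0}"   # assumed external interface name
# "how": each task's window starts at a fixed base rule number
task_base() {
    case "$1" in
        nat)  echo 1000 ;;
        http) echo 2000 ;;
        *)    echo "unknown task: $1" >&2; return 1 ;;
    esac
}
# Policies emit unnumbered rule bodies, one per line, driven by the host lists
policy_nat() {
    echo "divert natd ip from any to any via $NAT_IF"
    echo "allow ip from $NAT_LAN to any out via $NAT_IF keep-state"
}
policy_http() {
    for h in $WEBSERVERS; do
        echo "allow tcp from any to $h 80 setup keep-state"
    done
}
# Delete every number in the task's window; other tasks' rules and the
# dynamic state table are untouched (numbers not in use are ignored)
flush_task() {
    base=$(task_base "$1") || return 1
    n=0
    while [ "$n" -lt "$WINDOW" ]; do
        $IPFW_CMD delete $((base + n)) 2>/dev/null || true
        n=$((n + 1))
    done
}
# Flush the window, then number the policy's current rules into it
refresh_task() {
    base=$(task_base "$1") || return 1
    flush_task "$1"
    n=0
    "policy_$1" | while read -r body; do
        [ "$n" -lt "$WINDOW" ] || { echo "$1: window full" >&2; exit 1; }
        $IPFW_CMD add $((base + n)) $body
        n=$((n + 1))
    done
}
if [ $# -gt 0 ]; then for t in "$@"; do refresh_task "$t"; done; fi
```

Adding a web server means appending its address to WEBSERVERS and running `sh fwtasks.sh http`; the nat window and its keep-state entries are never touched.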
