This is something I thought of while preparing my lecture about iptables at Haifux.
You are all welcome, of course, to tell me that a project like this already exists, or that it's otherwise useless. ;)
Problem: Setting up (static) routing tables and/or firewall rules is rather counterintuitive (at least to me). I find it rather uncomfortable to read the routing table, and when it comes to firewall rules, it's evidently difficult to grasp from a long list of rules, whether the firewall indeed stops what it should stop.
Suggested solution: Instead of defining a set of sequential rules, create a configuration file, which would look something like this (with whatever syntax I just felt like):
group local-net { net=10.0.0.0/8, if=eth0 }
group hostile { net=0.0.0.0/0, if = ppp0 }
The idea is that we tell "the computer" what internet addresses to expect at which interface. It is then up to "the computer" to set up the routing tables to make an actual interconnection. This is IMHO far more intuitive than just routing tables, because if I plug a cable into my ethernet card, and it's a cross connection to another computer, all I have to do is to say:
group another_computer { net = 10.10.10.10/24, if=eth1 }
Yes, this is an equivalent representation. But if I use the analogy of giving directions to get somewhere, routing tables are like "second traffic light left", and what I suggest is drawing a map.
While the advantage of this representation is not very significant in creating routing tables, it's a reliable way of setting up firewalls. Rather than defining a list of rather confusing firewall rules, I can now say things like: "Computers belonging to local-net can connect to computers at hostile in any way" (but not saying the reverse would forbid it). Or: Any computer on local-net can do anything on any other computer on local-net.
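As an added example (not Eli's code, and not from any existing project), here is a small Python translator for the group syntax above, plus an assumed `allow A -> B` statement standing in for the policy sentences. It emits `ip route` and `iptables` commands with a default-deny FORWARD chain, so "local-net can connect to hostile" really is one-directional: replies ride on conntrack, but hostile cannot open connections inward.

```python
import re
import ipaddress

# Constructed sample config in the post's syntax; "allow A -> B" is an assumed addition.
CONFIG = """
group local-net { net=10.0.0.0/8, if=eth0 }
group hostile { net=0.0.0.0/0, if = ppp0 }
group another_computer { net = 10.10.10.10/24, if=eth1 }
allow local-net -> hostile
allow local-net -> local-net
"""

GROUP_RE = re.compile(r"group\s+(\S+)\s*\{\s*net\s*=\s*([^,\s]+)\s*,\s*if\s*=\s*([^}\s]+)\s*\}")
ALLOW_RE = re.compile(r"allow\s+(\S+)\s*->\s*(\S+)")

def parse(text):
    """Return ({name: (network, iface)}, [(src_group, dst_group)])."""
    groups, allows = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := GROUP_RE.fullmatch(line):
            name, net, iface = m.groups()
            # strict=False normalises a host address like 10.10.10.10/24 to 10.10.10.0/24
            groups[name] = (ipaddress.ip_network(net, strict=False), iface)
        elif m := ALLOW_RE.fullmatch(line):
            src, dst = m.groups()
            if src not in groups or dst not in groups:
                raise ValueError(f"unknown group in: {line!r}")
            allows.append((src, dst))
        else:
            raise ValueError(f"unparsable line: {line!r}")
    return groups, allows

def compile_rules(groups, allows):
    """One route per group, default-deny FORWARD, one ACCEPT per allow statement;
    only reply traffic of already-allowed connections flows the other way."""
    cmds = []
    for net, iface in groups.values():
        dest = "default" if net.prefixlen == 0 else str(net)
        cmds.append(f"ip route add {dest} dev {iface}")
    cmds.append("iptables -P FORWARD DROP")
    cmds.append("iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for src, dst in allows:
        (snet, sif), (dnet, dif) = groups[src], groups[dst]
        # Matching -i together with -s ties a group to its interface, so a packet with a
        # local-net source address arriving on ppp0 never matches (simple anti-spoofing).
        cmds.append(f"iptables -A FORWARD -i {sif} -s {snet} -o {dif} -d {dnet} "
                    f"-m conntrack --ctstate NEW -j ACCEPT")
    return cmds
```

Run `print("\n".join(compile_rules(*parse(CONFIG))))` to see the generated command list for the sample config.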
The project I suggest is as follows:
1. Write an application (script or C/C++) which accepts a configuration file, and sets up routing tables and firewalls accordingly.
2. Write a GUI application, which allows a graphical depiction of the network structure and its rules. This application will create the configuration file.
I hope I've made this clear. Even more, I hope you'll like the idea. :)
Regards, Eli