We have many people who know ISA very well, and all they do with ISA is "publishing applications", rdr rules in terms of pf. They do not need to know "all the pf detailed"; all they need is

a) something ISA-like
b) syntax-checker, I mean that the GUI should only allow adding correct rules (which is not true when you edit the file)

"Learn pf.conf and edit file" is not our case though.

2010/3/14 Jason Dixon <ja...@dixongroup.net>:
> On Sun, Mar 14, 2010 at 11:02:29AM +0500, ???? ??????? wrote:
>> Hello,
>>
>> is there any GUI (like pfsense) around which can be installed on a
>> clean OpenBSD box (or even two CARP-connected boxes) for pf management
>> ?
>> I've found comixwall, but it seems to be dead already.
>
> None that are worth it, imho. If you want to do it right (you wouldn't
> use OpenBSD if you didn't) then learn pf and understand what you're
> putting together. It's not hard. In fact, compared to the
> other *nix firewalling alternatives, it's fucking easy.
>
> I've considered long and hard (TWSS) to write my own web interface for
> pf. The prevailing design philosophies SUCK. If you're going to
> bother, do it right; proper abstraction of filtering and routing
> concepts is mandatory if you want to make something easy *and* secure.
> Why hasn't anyone done it? It's really, really difficult. And most
> developers that might take a crack at an OpenBSD pf web ui aren't
> experienced in interface design.
>
> I've written a few web applications related to OpenBSD (Hatchet,
> NetFlow Dashboard, Blogsum). Compared to what a good web engineering
> team can put out, they suck. But they do an adequate job with the task
> they're designed to handle. Writing a log filtering interface isn't
> hard. Writing a NetFlow query interface isn't hard. Writing a blog
> application isn't hard (unless you're WordPress... then it's just
> bloated).
>
> I'll say it again... writing a good pf web UI is HARD. It's infinitely
> more complicated and prone to security problems. Reading the pf FAQ and
> editing pf.conf yourself is easier by geometric proportions.
>
> </rant>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/