On Sun, Mar 14, 2010 at 11:48:44AM +0500, ???? ??????? wrote:
> we have many people who know ISA very well and all they do with ISA is
> "publishing applications", rdr rules in terms of pf.
> they do not need to know "all the pf detailed", all they need is
>
> a) something ISA-like
> b) syntax-checker, I mean that gui should only allow adding correct
> rules (what is not true when you edit file)
>
> "learn pf.conf and edit file" is not our case though.

Then you're in a much more limited problem domain, and it may be
solvable for you. However, this went from "how do I export the full
ability to edit pf.conf into gui form" to possibly just being "i need
to add rdr rules via monkey-usable button", which is several orders of
magnitude easier.

However, in order to receive help in solving a problem, you must first
state what the problem you're attempting to solve is. As awesome as I
am, your tinfoil underwear is rendering my telepathy utterly useless.

So, to summarize: details, mofo.

>
> 2010/3/14 Jason Dixon <ja...@dixongroup.net>:
> > On Sun, Mar 14, 2010 at 11:02:29AM +0500, ???? ??????? wrote:
> >> Hello,
> >>
> >> is there any GUI (like pfsense) around which can be installed on a
> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> >> ?
> >> I've found comixwall, but it seems to be dead already.
> >
> > None that are worth it, imho. If you want to do it right (you wouldn't
> > use OpenBSD if you didn't) then learn pf and understand what you're
> > putting together. It's not hard. In fact, compared to the
> > other *nix firewalling alternatives, it's fucking easy.
> >
> > I've considered long and hard (TWSS) to write my own web interface for
> > pf. The prevailing design philosophies SUCK. If you're going to
> > bother, do it right; proper abstraction of filtering and routing
> > concepts is mandatory if you want to make something easy *and* secure.
> > Why hasn't anyone done it? It's really, really difficult. And most
> > developers that might take a crack at an OpenBSD pf web ui aren't
> > experienced in interface design.
> >
> > I've written a few web applications related to OpenBSD (Hatchet,
> > NetFlow Dashboard, Blogsum). Compared to what a good web engineering
> > team can put out, they suck. But they do an adequate job with the task
> > they're designed to handle. Writing a log filtering interface isn't
> > hard. Writing a NetFlow query interface isn't hard. Writing a blog
> > application isn't hard (unless you're WordPress... then it's just
> > bloated).
> >
> > I'll say it again... writing a good pf web UI is HARD. It's infinitely
> > more complicated and prone to security problems. Reading the pf FAQ and
> > editing pf.conf yourself is easier by geometric proportions.
> >
> > </rant>
> >
> > --
> > Jason Dixon
> > DixonGroup Consulting
> > http://www.dixongroup.net/