I just want to make sure there's no wheel already invented ))
2010/3/14 Bret S. Lambert <bret.lamb...@gmail.com>:
> On Sun, Mar 14, 2010 at 12:05:48PM +0500, ???? ??????? wrote:
>> a) two CARP-connected OpenBSD boxes
>>
>> b) many "real" IP addresses bound to OpenBSD
>>
>> c) RFC1918 (non routable) network with servers
>>
>> d1) monkey button for "nat" rules, so some servers can connect to
>> certain services (say, smtp to Gmail)
>>
>> d2) monkey button for "rdr" rules, so some servers could be "published"
>> on certain IP addresses
>
> This is actually pretty straightforward, if you're willing to
> build a script which takes a few files as input and then generates
> a pf.conf from each machine from those.
>
> NAT monkey button adds/removes entries from a pf.conf.nat
> RDR monkey button adds/removes entries from a pf.conf.rdr
>
> Some magic happens to trigger the pf.conf getting pulled together
> from those and any other bits you may require (e.g., pf.conf.mypr0n)
> and that gets pushed to your servers.
>
> How complex you make each of these bits is left as an exercise for
> the reader.
>
> You don't need a towering edifice to solve simple problems. You
> damn just solve them.
>
>>
>> 2010/3/14 Bret S. Lambert <bret.lamb...@gmail.com>:
>> > On Sun, Mar 14, 2010 at 11:48:44AM +0500, ???? ??????? wrote:
>> >> we have many people who know ISA very well and all they do with ISA is
>> >> "publishing applications", rdr rules in terms of pf.
>> >> they do not need to know "all the pf detailed", all they need is
>> >>
>> >> a) something ISA-like
>> >> b) syntax-checker, I mean that gui should only allow adding correct
>> >> rules (what is not true when you edit file)
>> >>
>> >> "learn pf.conf and edit file" is not our case though.
>> >
>> > Then you're in a much more limited problem domain, and it may be
>> > solvable for you. However, this went from "how do I export the
>> > full ability to edit pf.conf into gui form" to possibly just
>> > being "i need to add rdr rules via monkey-usable button", which
>> > is several orders of magnitude easier.
>> >
>> > However, in order to receive help in solving a problem, you must
>> > first state what the problem you're attempting to solve is. As
>> > awesome as I am, your tinfoil underwear is rendering my telepathy
>> > utterly useless.
>> >
>> > So, to summarize: details, mofo.
>> >
>> >>
>> >> 2010/3/14 Jason Dixon <ja...@dixongroup.net>:
>> >> > On Sun, Mar 14, 2010 at 11:02:29AM +0500, ???? ??????? wrote:
>> >> >> Hello,
>> >> >>
>> >> >> is there any GUI (like pfsense) around which can be installed on a
>> >> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management?
>> >> >> I've found comixwall, but it seems to be dead already.
>> >> >
>> >> > None that are worth it, imho. If you want to do it right (you wouldn't
>> >> > use OpenBSD if you didn't) then learn pf and understand what you're
>> >> > putting together. It's not hard. In fact, compared to the
>> >> > other *nix firewalling alternatives, it's fucking easy.
>> >> >
>> >> > I've considered long and hard (TWSS) to write my own web interface for
>> >> > pf. The prevailing design philosophies SUCK. If you're going to
>> >> > bother, do it right; proper abstraction of filtering and routing
>> >> > concepts is mandatory if you want to make something easy *and* secure.
>> >> > Why hasn't anyone done it? It's really, really difficult. And most
>> >> > developers that might take a crack at an OpenBSD pf web ui aren't
>> >> > experienced in interface design.
>> >> >
>> >> > I've written a few web applications related to OpenBSD (Hatchet,
>> >> > NetFlow Dashboard, Blogsum). Compared to what a good web engineering
>> >> > team can put out, they suck. But they do an adequate job with the task
>> >> > they're designed to handle. Writing a log filtering interface isn't
>> >> > hard. Writing a NetFlow query interface isn't hard. Writing a blog
>> >> > application isn't hard (unless you're WordPress... then it's just
>> >> > bloated).
>> >> >
>> >> > I'll say it again... writing a good pf web UI is HARD. It's infinitely
>> >> > more complicated and prone to security problems. Reading the pf FAQ and
>> >> > editing pf.conf yourself is easier by geometric proportions.
>> >> >
>> >> > </rant>
>> >> >
>> >> > --
>> >> > Jason Dixon
>> >> > DixonGroup Consulting
>> >> > http://www.dixongroup.net/
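Bret's suggestion above (a "monkey button" that adds or removes lines in pf.conf.nat / pf.conf.rdr, a script that pulls the fragments together into one pf.conf, and a check before anything goes live) written out as an added POSIX sh example; it is not code from the thread or from any of the people in it. The fragment directory /etc/pf.d, the fragment file names, and the function names are assumptions. `pfctl -nf` is pf's own parse-only check, which is what gives the "only correct rules get in" property the original poster asked for; the PF_CHECK and PF_LOAD variables exist so the script can be exercised on a box without pf.

```shell
#!/bin/sh
# Assemble pf.conf from per-purpose fragments, parse-check, then install.
# Added example, not from the thread. Paths and fragment names are assumptions.
set -eu

PF_DIR="${PF_DIR:-/etc/pf.d}"        # assumed: directory holding the fragments
PF_CONF="${PF_CONF:-/etc/pf.conf}"   # live config written only after the check passes
PF_CHECK="${PF_CHECK:-pfctl -nf}"    # parse-only check; override when no pf is present
PF_LOAD="${PF_LOAD:-pfctl -f}"       # reload command after a successful install

# Fragment order is fixed: macros/tables first, then translation (nat/rdr),
# then filter rules, which older pf grammars required in that order.
FRAGMENTS="pf.conf.head pf.conf.nat pf.conf.rdr pf.conf.filter"

# Concatenate fragments into $1, with a marker comment around each one so a
# pfctl error line can be traced back to the fragment it came from.
assemble_pfconf() {
    out="$1"
    : > "$out"
    for frag in $FRAGMENTS; do
        f="$PF_DIR/$frag"
        [ -f "$f" ] || continue      # an absent fragment just contributes nothing
        printf '# --- begin %s ---\n' "$frag" >> "$out"
        cat "$f" >> "$out"
        printf '# --- end %s ---\n' "$frag" >> "$out"
    done
}

# "Monkey button" add: append one nat or rdr rule line to its fragment.
# $1 = nat|rdr, $2 = the complete rule line. Refuses duplicates (returns 1)
# and multi-line input (returns 2), so a caller cannot smuggle in extra rules.
add_rule() {
    kind="$1"; rule="$2"
    case "$kind" in nat|rdr) ;; *) echo "unknown kind: $kind" >&2; return 2 ;; esac
    nl='
'
    case "$rule" in *"$nl"*) echo "rule must be a single line" >&2; return 2 ;; esac
    f="$PF_DIR/pf.conf.$kind"
    touch "$f"
    if grep -Fxq -- "$rule" "$f"; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$f"
}

# "Monkey button" remove: drop the exact rule line from its fragment.
remove_rule() {
    kind="$1"; rule="$2"
    f="$PF_DIR/pf.conf.$kind"
    [ -f "$f" ] || return 1
    grep -Fxv -- "$rule" "$f" > "$f.new" || true   # grep exits 1 when nothing remains
    mv "$f.new" "$f"
}

# Build a candidate, parse-check it, then install atomically and reload.
# On a failed check the candidate is discarded and the live pf.conf is untouched.
install_pfconf() {
    tmp="$(mktemp "${PF_CONF}.XXXXXX")"
    assemble_pfconf "$tmp"
    if ! $PF_CHECK "$tmp"; then
        echo "pf.conf check failed; live config left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$PF_CONF"
    $PF_LOAD "$PF_CONF"
}
```

The same assembled file can be pushed to both CARP peers, since the fragments are the only state the buttons touch; the parse check runs on the candidate file, so a rule that does not parse never reaches the running pf on either box.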