--On Saturday, March 08, 2003 11:57:17 PM -0800 Steve Herber
<herber@thing.com> wrote:
> Just a note to mention that I have been using the RC1 release at work
> for a simple one interface firewall. No problems that I have seen.
Great -- thanks!
>
> We use Solaris, AIX, Tru64, and Linux in my group at the U of W.
> I know some IP filter package is available on Solaris and Tru64. On the
> Tru64 system you can configure an interface with a list of CIDR notation
> subnets to accept or deny access. I reformatted it to create a sub-zone
> in Shorewall. This reminded me of a previous suggestion for Shorewall.
> It would be wonderful if Shorewall could be split into two parts.
> The front end would read the files and do any preprocessing needed.
> The back end would be OS-specific with different versions for iptables,
> Cisco PIX firewall, BSD, Tru64, Solaris, and other systems as required.
>
Well, Shorewall 2.0 will definitely execute the [re]start command in two
phases. It will first parse all of the configuration files needed to
execute the command and will build an internal model of the firewall being
described. If any errors are found, they will be reported and the state of
the firewall will remain unchanged. The second phase will use the model to
instantiate the firewall in the running system.
So given that separation of parsing and instantiation, what you described
should be possible provided that volunteers step forward for each of the
platforms mentioned.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
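The two-phase design Tom describes (parse every configuration file into a model, report all errors while the running firewall stays untouched, then hand the model to a platform-specific back end) is the key safety property: a typo in a policy file must never leave the firewall half-applied. The following is an added example, not code from this thread or from Shorewall; it uses a simplified, made-up configuration format (a `zone` line and `policy SOURCE DEST ACTION` lines, not Shorewall's real syntax), and the `iptables` chain names and pf table names it emits are illustrative placeholders. It generalises the point slightly by plugging two back ends onto one front end, which is what Steve's suggestion asks for.

```python
"""Two-phase firewall [re]start: parse -> validate model -> render per back end.

Constructed example (not Shorewall code). The config format here is invented
for illustration: 'zone A B ...' declares zones, 'policy SRC DST ACTION' adds a
policy. Nothing is rendered or applied unless the whole model validates.
"""
from dataclasses import dataclass, field


class ConfigError(Exception):
    """Raised at the end of phase 1 with every problem found; nothing was applied."""


@dataclass
class Policy:
    source: str
    dest: str
    action: str


@dataclass
class Model:
    zones: set = field(default_factory=set)
    policies: list = field(default_factory=list)


ACTIONS = {"ACCEPT", "DROP", "REJECT"}


def parse(text):
    """Phase 1: build the model and collect ALL errors before raising."""
    model = Model()
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments / blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "zone" and len(parts) >= 2:
            model.zones.update(parts[1:])
        elif parts[0] == "policy" and len(parts) == 4:
            model.policies.append(Policy(parts[1], parts[2], parts[3].upper()))
        else:
            errors.append(f"line {lineno}: cannot parse {raw.strip()!r}")
    # Semantic checks on the assembled model (zones are known, actions valid).
    for p in model.policies:
        for z in (p.source, p.dest):
            if z != "all" and z not in model.zones:
                errors.append(f"policy {p.source}->{p.dest}: unknown zone {z!r}")
        if p.action not in ACTIONS:
            errors.append(f"policy {p.source}->{p.dest}: unknown action {p.action!r}")
    if errors:
        raise ConfigError("\n".join(errors))
    return model


# Phase 2 back ends: each turns the same validated model into platform commands.
# Chain and table names below are illustrative placeholders, not real ones.
def render_iptables(model):
    return [f"iptables -A {p.source}2{p.dest} -j {p.action}" for p in model.policies]


PF_ACTIONS = {"ACCEPT": "pass", "DROP": "block drop", "REJECT": "block return"}


def render_pf(model):
    lines = []
    for p in model.policies:
        src = "any" if p.source == "all" else f"<{p.source}>"
        dst = "any" if p.dest == "all" else f"<{p.dest}>"
        lines.append(f"{PF_ACTIONS[p.action]} from {src} to {dst}")
    return lines


BACKENDS = {"iptables": render_iptables, "pf": render_pf}


def restart(current_rules, config_text, backend="iptables"):
    """Return the rule set the firewall should run after [re]start.

    On any configuration error the CURRENT rules are returned untouched,
    i.e. the firewall's state remains unchanged, as in the two-phase design."""
    try:
        model = parse(config_text)
    except ConfigError as e:
        print("configuration rejected, firewall unchanged:\n" + str(e))
        return current_rules
    return BACKENDS[backend](model)


# Constructed sample configurations.
GOOD_CONFIG = """
zone net loc fw
policy loc net ACCEPT
policy net all DROP
"""
BAD_CONFIG = """
zone net fw
policy loc net ACCEPT   # 'loc' was never declared
policy net all ALLOW    # not a valid action
"""

if __name__ == "__main__":
    running = ["iptables -A net2fw -j DROP"]   # constructed: pretend this is live
    print(restart(running, GOOD_CONFIG))
    print(restart(running, GOOD_CONFIG, backend="pf"))
    print(restart(running, BAD_CONFIG))        # prints both errors, returns `running`
```

The important detail is that `parse` accumulates every error rather than stopping at the first, so one run reports everything wrong with the files, and `restart` only ever replaces the rule set with a fully rendered one, never with a partial result.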