Shorewall users - Aug 2002 - Shorewall GUI interface.

This is a cryptographically signed message in MIME format.

--------------ms020109040109080506060904
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit


I am quite keen to start working a GUI interface for Shorewall .


Before I go any further in my thoughts I would like to know if you think 
it will be a good idea ( I like it the way it is but some people like 
those graphics...) and what you think should be in it.


And before someone ask, yes it will be free and opensource.


regards

Bernard
-- 

Digital Objects Ltd

Internet security / Web hosting & design / Web enabled applications


PO Box 60510, Titirangi
Waitakere City

Phone: 0800 LETS DOIT (538736)
Fax: +64 9 8128 368
www.digitalobjects.co.nz



--------------ms020109040109080506060904
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJtzCC
AykwggKSoAMCAQICAQwwDQYJKoZIhvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQI
EwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENv
bnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAi
BgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVy
c29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMDA4MzAwMDAwMDBaFw0wMjA4MjkyMzU5
NTlaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlD
YXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUQ2VydGlmaWNhdGUgU2Vydmlj
ZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAyMDAwLjguMzAwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAN4zMqZjxwklRT7SbngnZ4HF2ogZgpcO40QpimM1Km1wPPrc
rvfudG8wvDOQf/k0caCjbZjxw0+iZdsN+kvx1t1hpfmFzVWaNRqdknWoJ67Ycvm6AvbXsJHe
HOmr4BgDqHxDQlBRh4M88Dm0m1SKE4f/s5udSWYALQmJ7JRr6aFpAgMBAAGjTjBMMCkGA1Ud
EQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTI5NzASBgNVHRMBAf8ECDAGAQH/
AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQQFAAOBgQBzG28mZYv/FTRLWWKK7US+Scfo
DbuPuQ1qJipihB+4h2N0HG23zxpTkUvhzeY42e1Q9DpsNJKs5pKcbsEjAcIJp+9LrnLdBmf1
UG8uWLi2C8FQV7XsHNfvF7bViJu3ooga7TlbOX00/LaWGCVNavSdxcORL6mWuAU8Uvzd6WID
SDCCA0EwggKqoAMCAQICAwYkOTANBgkqhkiG9w0BAQIFADCBkjELMAkGA1UEBhMCWkExFTAT
BgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3
dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBG
cmVlbWFpbCBSU0EgMjAwMC44LjMwMB4XDTAxMTEyMDIwMzc1OFoXDTAyMTEyMDIwMzc1OFow
eTEQMA4GA1UEBBMHVmFyYWluZTEXMBUGA1UEKhMOQmVybmFyZCBQaWVycmUxHzAdBgNVBAMT
FkJlcm5hcmQgUGllcnJlIFZhcmFpbmUxKzApBgkqhkiG9w0BCQEWHGJlcm5hcmRAZGlnaXRh
bG9iamVjdHMuY28ubnowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQCaFIIqKJ
ASDJmaUfn77KPDqlZtyHEvSg0n4rqff9vBCOYZoCZ4uStlB9tppBGwcsTWHhuTJ4LFUpNmY3
7JfQSrjw/EPh0OZuUy4DRlB8/W4G9BLRowjOKgwOT2NFTc9fTu1Cc3VtO6kbi38HZdG/Yrez
NM9rDPjmOqErmz/7Lz9tiqJuoRp1DEB39PKm3r1GLyeGMmxKFjj1HUxQ6OkCXnFgWGgA0mB4
3ojwmrTao/0+6jqusCDmUXQWnNGrv5ucyZI/q9WrKVxkJl59DD6l7Unbwwtp5cCD5dpj31tI
akSxFhKQJYCnezAwc5vEclEIuHzQMgDJ0xQ4c7qxw6DrAgMBAAGjOTA3MCcGA1UdEQQgMB6B
HGJlcm5hcmRAZGlnaXRhbG9iamVjdHMuY28ubnowDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B
AQIFAAOBgQAA0TrnaNRtanbwjJM4H4ZW6np7ySBv6xpPOpE3JLf1yd46LlUEz52KkvXKyGOX
cda0fjevlAjlZCRkhVJ+3P9K40L/qSRZjdH2OjuGZu+QulC5hN0h1kWwq9cFqgk/6nSpo2U8
FUm+U+gywGTY06CDENmoTc1jMCLKvD25DgfomjCCA0EwggKqoAMCAQICAwYkOTANBgkqhkiG
9w0BAQIFADCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UE
BxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNl
cnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwMB4XDTAx
MTEyMDIwMzc1OFoXDTAyMTEyMDIwMzc1OFoweTEQMA4GA1UEBBMHVmFyYWluZTEXMBUGA1UE
KhMOQmVybmFyZCBQaWVycmUxHzAdBgNVBAMTFkJlcm5hcmQgUGllcnJlIFZhcmFpbmUxKzAp
BgkqhkiG9w0BCQEWHGJlcm5hcmRAZGlnaXRhbG9iamVjdHMuY28ubnowggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDQCaFIIqKJASDJmaUfn77KPDqlZtyHEvSg0n4rqff9vBCO
YZoCZ4uStlB9tppBGwcsTWHhuTJ4LFUpNmY37JfQSrjw/EPh0OZuUy4DRlB8/W4G9BLRowjO
KgwOT2NFTc9fTu1Cc3VtO6kbi38HZdG/YrezNM9rDPjmOqErmz/7Lz9tiqJuoRp1DEB39PKm
3r1GLyeGMmxKFjj1HUxQ6OkCXnFgWGgA0mB43ojwmrTao/0+6jqusCDmUXQWnNGrv5ucyZI/
q9WrKVxkJl59DD6l7Unbwwtp5cCD5dpj31tIakSxFhKQJYCnezAwc5vEclEIuHzQMgDJ0xQ4
c7qxw6DrAgMBAAGjOTA3MCcGA1UdEQQgMB6BHGJlcm5hcmRAZGlnaXRhbG9iamVjdHMuY28u
bnowDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQIFAAOBgQAA0TrnaNRtanbwjJM4H4ZW6np7
ySBv6xpPOpE3JLf1yd46LlUEz52KkvXKyGOXcda0fjevlAjlZCRkhVJ+3P9K40L/qSRZjdH2
OjuGZu+QulC5hN0h1kWwq9cFqgk/6nSpo2U8FUm+U+gywGTY06CDENmoTc1jMCLKvD25Dgfo
mjGCAycwggMjAgEBMIGaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBl
MRIwEAYDVQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUQ2VydGlm
aWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAyMDAwLjgu
MzACAwYkOTAJBgUrDgMCGgUAoIIBYTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG
SIb3DQEJBTEPFw0wMjA4MTMwNTAxNDdaMCMGCSqGSIb3DQEJBDEWBBQ2lpHHXU16WuTs5JRw
uV0EJi+VWjBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBrQYLKoZIhvcNAQkQAgsx
gZ2ggZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcT
CUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2
aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMAIDBiQ5MA0G
CSqGSIb3DQEBAQUABIIBAK/luolv+DMdpv1lRvlRiPN3yYlHq5y9VvFOg4kO5LQp/hwrf/2I
+/TcdH1LPu7lpojwf0whiGgmIWT0hqTyPsa6EYe7V1IPDN+XvMQ0dQoeNVwpnJaqPCjYmNEB
cgh1jQPeXSRI8t9/lbx0g+OY4JPF/CsbrwVpQvZa/iQJsqpTogT7KyBi/ijQkrbHvtQc6are
nA61r935D9uPyF0btGIL/iU34kLXfJWnvinY2PpC16PmztnRErOyExmFmF2OMJFFd+4CcFDT
BYr9v0edrkYGySzZH2OK9qb8Mj1OYahMRbxkVuWLnqRps+KaB9f5DAhk5xEzj+ReOmoXiBVJ
SZEAAAAAAAA--------------ms020109040109080506060904--

Bernard Varaine schrieb:
> 
> I am quite keen to start working a GUI interface for Shorewall .
> 
> Before I go any further in my thoughts I would like to know if you think
> it will be a good idea ( I like it the way it is but some people like
> those graphics...) and what you think should be in it.
Would be really nice to have a GUI if it is made this way:

1) Just modify the affected lines in the config files. Don''t reformat
or
delete comments so it will be easy to maintain by hand and with the GUI.

2) Make it client/server. Don''t force anybody to use the client on a
firewall. SSH can be used to secure communication.

3) Don''t make things too complicated, don''t put too much logic
into the
GUI. Make it configurable so changes in the shorewall configuration
style can be implemented by modifying a rules file in the GUI.

4) Make the help system easy. As a quick help, the GUI can just parse
the respective shorewall file and display the comments found there as
help text. Additional help can be given in form of links to the web
documantation.

Simon
> 
> And before someone ask, yes it will be free and opensource.
> 
> regards
> 
> Bernard
> --
> 
> Digital Objects Ltd
> 
> Internet security / Web hosting & design / Web enabled applications
> 
> PO Box 60510, Titirangi
> Waitakere City
> 
> Phone: 0800 LETS DOIT (538736)
> Fax: +64 9 8128 368
> www.digitalobjects.co.nz

Why not just build a Webmin module?  I think someone has already started
work on this, but I can''t remember the name.

Sincerely,
Jim Hubbard
____________________________________



> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Simon Matter
> Sent: Tuesday, August 13, 2002 2:48 AM
> To: Bernard Varaine
> Cc: Shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Shorewall GUI interface.
>
>
> Bernard Varaine schrieb:
> >
> > I am quite keen to start working a GUI interface for Shorewall .
> >
> > Before I go any further in my thoughts I would like to know if you
think
> > it will be a good idea ( I like it the way it is but some people like
> > those graphics...) and what you think should be in it.
>
> Would be really nice to have a GUI if it is made this way:
>
> 1) Just modify the affected lines in the config files. Don''t
reformat or
> delete comments so it will be easy to maintain by hand and with the GUI.
>
> 2) Make it client/server. Don''t force anybody to use the client on
a
> firewall. SSH can be used to secure communication.
>
> 3) Don''t make things too complicated, don''t put too much
logic into the
> GUI. Make it configurable so changes in the shorewall configuration
> style can be implemented by modifying a rules file in the GUI.
>
> 4) Make the help system easy. As a quick help, the GUI can just parse
> the respective shorewall file and display the comments found there as
> help text. Additional help can be given in form of links to the web
> documantation.
>
> Simon
>
> >
> > And before someone ask, yes it will be free and opensource.
> >
> > regards
> >
> > Bernard
> > --
> >
> > Digital Objects Ltd
> >
> > Internet security / Web hosting & design / Web enabled
applications
> >
> > PO Box 60510, Titirangi
> > Waitakere City
> >
> > Phone: 0800 LETS DOIT (538736)
> > Fax: +64 9 8128 368
> > www.digitalobjects.co.nz
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>

On Tue, 13 Aug 2002, Jim Hubbard wrote:
> Why not just build a Webmin module?  I think someone has already started
> work on this, but I can''t remember the name.
> 
John Lodge is working on a Webmin module -- the last snapshot that he sent 
me is at http://www.shorewall.net/pub/shorewall/contrib/shorewall.wbm. 
That snapshot has everything necessary to build a config but it''s short
on
facilities for editing an existing one.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> I am quite keen to start working a GUI interface for Shorewall .
> 
> Before I go any further in my thoughts I would like to know if you
think
> it will be a good idea ( I like it the way it is but some people
like
> those graphics...) and what you think should be in it.

How about something more of a TUI base, like Xconfigurator or
Linuxconf?

I try to run my firewalls on a low end machine (Like 90Mhz with 500 MB
HD)
and X would make it sink like a rock. Not to mention, X on a Firewall
just ain''t 
right.


Jeff

> > I am quite keen to start working a GUI interface for Shorewall .
> > 
> > Before I go any further in my thoughts I would like to know if you
> > think it will be a good idea ( I like it the way it is but some people
> > like those graphics...) and what you think should be in it.
> 
> How about something more of a TUI base, like Xconfigurator or
> Linuxconf?
> 
> I try to run my firewalls on a low end machine (Like 90Mhz with 500 MB
> HD) and X would make it sink like a rock. Not to mention, X on a Firewall
> just ain''t right.
> 
> Jeff
I would rather *not* have to work at the firewall machine directly if I 
can, so whether you use linuxconf or something else is no different from 
webmin.  In fact, webmin is a clean and secure (SSL) way to access the 
machine for it is all done via the web; linuxconf needs to be done by 
sshing to the machine and executing it.  You do not *need* to fire up X 
on the machine to use webmin.  

Regards.

Harish

On Tue, 13 Aug 2002, Harish Pillay wrote:
> webmin.  In fact, webmin is a clean and secure (SSL) way to access the 
> machine for it is all done via the web; linuxconf needs to be done by 
> sshing to the machine and executing it.
Not so -- Linuxconf has remote administration facilities.

You do not *need* to fire up X 
> on the machine to use webmin.  
> 
Nor do you with Linuxconf -- it has both a Curses-based interface and an 
X-based interface.

That having been said, RedHat seem to be deemphasizing Linuxconf of late 
since they no longer install it by default.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

On Tue, Aug 13, 2002 at 09:16:58AM -0700, Tom Eastep
wrote:
> On Tue, 13 Aug 2002, Harish Pillay wrote:
> 
> > webmin.  In fact, webmin is a clean and secure (SSL) way to access the
> > machine for it is all done via the web; linuxconf needs to be done by 
> > sshing to the machine and executing it.
> 
> Not so -- Linuxconf has remote administration facilities.
Ah yes.  Forgot about that.  The only issue remaining is whether the 
remote admin function is via a secure link.  If not, you have to ssh
into the machine and do the work.  Webmin''s strength, IMHO, is that it 
has SSL enabled and as a sysadmin, that level of security is critical.
> > You do not *need* to fire up X on the machine to use webmin.  
> 
> Nor do you with Linuxconf -- it has both a Curses-based interface and an 
> X-based interface.
I think they are both the same, though I have been known to be wrong.
> That having been said, RedHat seem to be deemphasizing Linuxconf of late 
> since they no longer install it by default.
You are right.  In fact, it has been a long time since I used linuxconf
and is probably due to them not being installed by default on the rh machines
I have setup.

Regards.

Harish

> > webmin.  In fact, webmin is a clean and secure (SSL) way to access
the 
> > machine for it is all done via the web; linuxconf needs to be done
by 
> > sshing to the machine and executing it.
> 
> Not so -- Linuxconf has remote administration facilities.
-Ah yes.  Forgot about that.  The only issue remaining is whether the 
-remote admin function is via a secure link.  If not, you have to ssh
-into the machine and do the work.  Webmin''s strength, IMHO, is that it

-has SSL enabled and as a sysadmin, that level of security is
critical.
> > You do not *need* to fire up X on the machine to use webmin.  
> 
> Nor do you with Linuxconf -- it has both a Curses-based interface and
an 
> X-based interface.
-I think they are both the same, though I have been known to be wrong.
> That having been said, RedHat seem to be deemphasizing Linuxconf of
late 
> since they no longer install it by default.
-You are right.  In fact, it has been a long time since I used
linuxconf
-and is probably due to them not being installed by default on the rh
machines
-I have setup.


I was not making a suggestion to incorporate shorewall into linuxconf,

but that a curses based interface *like* linuxconf would be useful. If
you''ve 
lost network connectivity to your firewall (without X) for some reason,

you could run the interface to make things right. Links/Lynx with
webmin
might be a bit rough. (Granted, editing the config files would be just
as 
quick, but the discussion started about a GUI interface).

On 13 Aug 2002 at 23:52, Harish Pillay wrote:
> > > I am quite keen to start working a GUI interface for Shorewall .
> I would rather *not* have to work at the firewall machine directly if I
> can, so whether you use linuxconf or something else is no different
> from
> webmin.  In fact, webmin is a clean and secure (SSL) way to access the
> machine for it is all done via the web; linuxconf needs to be done by
> sshing to the machine and executing it.  You do not *need* to fire up X
> on
> the machine to use webmin.  
BUT never the less, webmin is more complex to set up and 
administer unless it happens to be pre-installed by your distro, and may be
something you don''t necessarily want
on a dedicated firewall machine.

I just don''t get why a GUI is necessary (and I write GUIs for a
living),
in that its NOT easier (its easy enough already), its NOT more informative (the
comments in the files are very
usefull), and it does not
lead to better understanding (whereas the docs on the web site are 
excellent).  Is that enough parentheticals for you???  ;-)

The other aspect of it is that even if there is a gui tool,
new features tend to NOT be in the gui until LATER. GUIs can 
delay the availability of new features.

So you end up using a text editor anyway.  Tom can''t be expected
to keep a gui or even webmin up to date in preference to development
of Shorewall.

ssh and your favorite text editor (and routestopped) seem quite adequate.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

> > > > I am quite keen to start working a GUI interface for
Shorewall .
> 
> > I would rather *not* have to work at the firewall machine directly if
I
> > can, so whether you use linuxconf or something else is no different
> > from
> > webmin.  In fact, webmin is a clean and secure (SSL) way to access the
> > machine for it is all done via the web; linuxconf needs to be done by
> > sshing to the machine and executing it.  You do not *need* to fire up
X
> > on
> > the machine to use webmin.  
> 
> BUT never the less, webmin is more complex to set up and administer 
> unless it happens to be pre-installed by your distro, and may be something 
> you don''t necessarily want on a dedicated firewall machine.
> 
> I just don''t get why a GUI is necessary (and I write GUIs for a
living),
> in that its NOT easier (its easy enough already), its NOT more informative 
> (the comments in the files are very usefull), and it does not lead to
better
> understanding (whereas the docs on the web site are excellent).  Is that 
> enough parentheticals for you???  ;-)
> 
> The other aspect of it is that even if there is a gui tool,
> new features tend to NOT be in the gui until LATER. GUIs can 
> delay the availability of new features.
> 
> So you end up using a text editor anyway.  Tom can''t be expected
> to keep a gui or even webmin up to date in preference to development
> of Shorewall.
> 
> ssh and your favorite text editor (and routestopped) seem quite adequate.
I agree fully with your comments.  I was merely putting forth the argument
that if a GUI is to be built, it probably makes sense to have it within
the webmin framework instead of working a whole new UI.  Further, with 
webmin''s SSL security, the framework is compelling.  Webmin or any
other
GUI notwithstanding, I am more at home on the command line and have been 
rather pleased with that mode of managing shorewall.

Harish

On Tue, 13 Aug 2002, John Andersen wrote:
> > the machine to use webmin.  
> 
> BUT never the less, webmin is more complex to set up and administer
> unless it happens to be pre-installed by your distro, and may be
> something you don''t necessarily want on a dedicated firewall
machine.
> 
The RPM is quite good -- I installed it in a few minutes. I haven''t
tried
installing Webmin from sources which I''m sure would be more daunting.
> I just don''t get why a GUI is necessary (and I write GUIs for a
living),
> in that its NOT easier (its easy enough already), its NOT more informative
(the comments in the files are very
> usefull), and it does not
> lead to better understanding (whereas the docs on the web site are 
> excellent).  Is that enough parentheticals for you???  ;-)
> 
> The other aspect of it is that even if there is a gui tool,
> new features tend to NOT be in the gui until LATER. GUIs can 
> delay the availability of new features.
> 
> So you end up using a text editor anyway.  Tom can''t be expected
> to keep a gui or even webmin up to date in preference to development
> of Shorewall.
That''s a concern for me also but if I work very closely with the GUI 
developer(s), we should be able to keep synced up. I''m going to be
backing
off of the frantic pace of releases now anyway in favor of interim bug-fix 
releases (such as 5a and 5b) with a longer time between releases 
containing new features.
> 
> ssh and your favorite text editor (and routestopped) seem quite adequate.
> 
I quite agree but then I also use Pine as my email client and Emacs for
editing :-). We live in a point-and-click world though and tools that 
are configured by editing config files are becoming rarer.

Since a sizable percentage of the user base runs Bering, we have to retain
the text files; Bering (router on a floppy) users typically don''t have
the
ability to load something large like Perl or Python just be be able to
configure their firewall.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Hello all,

Normally I just sit quietly and listen, but felt I should chime in here.

I use Command Line an awful lot, but enjoy the simplicity of using a GUI when I 
want to do multiple things. Sometimes the addage "a picture is
worth..." holds
true. I would seriously like to see a GUI that graphically shows the firewall 
chains. I could see it being beneficial to recognize when you are shooting your 
own foot or needing a cluebat. Otherwise a simple script would probably suffice.

admin@kiteflyer.com
/insert witty quote here/



() Join the ASCII ribbon campaign against HTML email and Microsoft specific
attachments.
/\ If I wanted to read HTML, I would have visited your website! Support open
standards.

On 13 Aug 2002 at 19:10, admin@kiteflyer.com wrote:
> I would seriously like to see a GUI that graphically
> shows the firewall chains.
This might be nice for the chains in general  but is certainly
not necessary for shorewall configuration.

In fact the concept of the various chains need not
be understood fully to properly configure shorewall.

I''m living proof! ;-)

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

At 8/13/2002 02:14 PM, you wrote:
>BUT never the less, webmin is more complex to set up and
>administer unless it happens to be pre-installed by your distro,
In a RH installation, with just two cmds you setup Webmin up and running:
wget 
http://telia.dl.sourceforge.net/sourceforge/webadmin/webmin-0.990-1.noarch.rpm
rpm -Uvh webmin-0.990-1.noarch.rpm

and just browse.

I agree, in a firewall, it must be as clean as it''s possible.
In my case I install a really base RH (all packages turned off), ssl, 
webmin and Shorewall.
Work''s fine.

Another point is: sometimes on the road, in emergency situations, the place 
from where I need to support a client, only permits www/https (80/443) 
outgoing conections.

-Gilson

At 10:31 13/08/2002 -0700, Tom Eastep sent this up the
stick:
>On Tue, 13 Aug 2002, John Andersen wrote:
>
> >
> > BUT never the less, webmin is more complex to set up and administer
> > unless it happens to be pre-installed by your distro, and may be
> > something you don''t necessarily want on a dedicated firewall
machine.
> >
>
>The RPM is quite good -- I installed it in a few minutes. I haven''t
tried
>installing Webmin from sources which I''m sure would be more
daunting.
I''ll disagree with you here .... it is as simple as download, gunzip, 
untar, ./sertup.sh and answer about 5 questions.  the defaults are VERY 
sensible - and for the most part are based on what distro you are running 
(question 1)

Cheers,
Rob

--
Research causes cancer in rats.

This is random quote 912 of a collection of 1254
[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian

On Wed, 14 Aug 2002, Rob B wrote:
> At 10:31 13/08/2002 -0700, Tom Eastep sent this up the stick:
> >On Tue, 13 Aug 2002, John Andersen wrote:
> >
> > >
> > > BUT never the less, webmin is more complex to set up and
administer
> > > unless it happens to be pre-installed by your distro, and may be
> > > something you don''t necessarily want on a dedicated
firewall machine.
> > >
> >
> >The RPM is quite good -- I installed it in a few minutes. I
haven''t tried
> >installing Webmin from sources which I''m sure would be more
daunting.
> 
> I''ll disagree with you here .... it is as simple as download,
gunzip,
> untar, ./sertup.sh and answer about 5 questions.  the defaults are VERY 
> sensible - and for the most part are based on what distro you are running 
> (question 1)
> 
So that seems to result in one less legitimate reason to reject Webmin: I
found the RPM easy to install and you found the tarball equally easy.

What are the other arguments from the anti-Webmin folks?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

John Andersen wrote:
> 
> I just don''t get why a GUI is necessary (and I write GUIs for a
living),
> in that its NOT easier (its easy enough already), its NOT more informative
(the comments in the files are very
> usefull), and it does not
> lead to better understanding (whereas the docs on the web site are 
> excellent).  Is that enough parentheticals for you???  ;-)
> 
> The other aspect of it is that even if there is a gui tool,
> new features tend to NOT be in the gui until LATER. GUIs can 
> delay the availability of new features.

Don''t get me wrong, I don''t think a GUI is a must have. In
fact I rather
like using config files than GUI.

But I am not the only one using it and some "users" like those GUI 
thingy. even if it is only a display tool and nothing else...

As there is a webmin module halfway there I might just wait a little 
longer before doing anything.


Cheers

Bernard

To tell the truth, I would rather see a good GUI for the log file. One that
you can reposition the column''s or otherwise customize. A good log file
interface is very useful in troubleshooting.


		Joe


-----Original Message-----
From: shorewall-users-admin@shorewall.net
[mailto:shorewall-users-admin@shorewall.net]On Behalf Of Bernard Varaine
Sent: Wednesday, August 14, 2002 4:35 AM
To: JAndersen@screenio.com
Cc: Shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Shorewall GUI interface.


John Andersen wrote:
>
> I just don''t get why a GUI is necessary (and I write GUIs for a
living),
> in that its NOT easier (its easy enough already), its NOT more informative
(the comments in the files are very
> usefull), and it does not
> lead to better understanding (whereas the docs on the web site are
> excellent).  Is that enough parentheticals for you???  ;-)
>
> The other aspect of it is that even if there is a gui tool,
> new features tend to NOT be in the gui until LATER. GUIs can
> delay the availability of new features.

Don''t get me wrong, I don''t think a GUI is a must have. In
fact I rather
like using config files than GUI.

But I am not the only one using it and some "users" like those GUI
thingy. even if it is only a display tool and nothing else...

As there is a webmin module halfway there I might just wait a little
longer before doing anything.


Cheers

Bernard

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users

On 14 Aug 2002 at 8:11, H&K4ME wrote:
> To tell the truth, I would rather see a good GUI for the log file. One
> that you can reposition the column''s or otherwise customize. A
good log
> file interface is very useful in troubleshooting.
> 
> 
>   Joe
Great Idea Joe...
If nothing else colorcoded portions like some context
cororizing text editors to find the things easier.
Staring at the log is a real "go-blind" task.

I''d like translation of port to service for inbound dtp and
possibly clickable whois info on IPs, 
clickable add-to-blacklist etc.



______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

Hi there,

This seems like it''d be reasonably easy to implement as a web cgi (not
that I''m volunteering ;).  Perhaps it''s already in the webmin
module
mentioned earlier in this thread.  I don''t know, I haven''t
checked it
out.

I''m using weblet in LEAF/Bering with some modifications to the log
viewer
scripts but it''s very limited in that I basically only have sed to work
with, no perl/python/php on this 486 laptop w/ 14MB of ram ;).

--- John Andersen <JAndersen@screenio.com> wrote:
> On 14 Aug 2002 at 8:11, H&K4ME wrote:
> 
> > To tell the truth, I would rather see a good GUI for the log file. One
> > that you can reposition the column''s or otherwise customize.
A good log
> > file interface is very useful in troubleshooting.
> > 
> >   Joe
> 
> Great Idea Joe...
> If nothing else colorcoded portions like some context
> cororizing text editors to find the things easier.
> Staring at the log is a real "go-blind" task.
> 
> I''d like translation of port to service for inbound dtp and
> possibly clickable whois info on IPs, 
> clickable add-to-blacklist etc.
__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

Although I think the addition of a GUI (or web based) config tool would be
good for shorewall -- some of us semi ole-timers (that have been using vi
for 20+ years) will never change.

What''s my point??? My warped sense of humor aside... I hope shorewall
will
still allow us to either manually edit the config files -or- use a GUI.

Steve Cowles

On Wed, 14 Aug 2002, Cowles, Steve wrote:
> Although I think the addition of a GUI (or web based) config tool would be
> good for shorewall -- some of us semi ole-timers (that have been using vi
> for 20+ years) will never change.
> 
> What''s my point??? My warped sense of humor aside... I hope
shorewall will
> still allow us to either manually edit the config files -or- use a GUI.
> 
So long as LEAF users are a sizable percentage of the Shorewall family, I 
think we must continue to support config files.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> > Although I think the addition of a GUI (or web based) 
> > config tool would be good for shorewall -- some of us
> > semi ole-timers (that have been using vi for 20+ years)
> > will never change.
> > 
> > What''s my point??? My warped sense of humor aside... I
> > hope shorewall will still allow us to either manually
> > edit the config files -or- use a GUI.
> > 
> 
> So long as LEAF users are a sizable percentage of the 
> Shorewall family, I think we must continue to support
> config files.
> 
WHEW!!! I feel better now. Thanks LEAF users.

If I could add my two bits to this discussion, my main complaint about
GUI''s
is the programmers of these GUI''s never allow me to add comments on why
I
made a particular entry. Why is this so important to me??? Six months from
now when I take a look at a customers rules file (for instance), I''m
not
asking my self "Why the hell did I add this entry?" or "WTF is
port 1984
used for?" By manually editing the rules file, I can add comments like the
date I made the entry along with notes about the application; even WEB links
to the applications web site that discusses how to run this app behind a
firewall. 

Well that''s my two bits.

Steve Cowles

Yes, my webmin module is making good progess. I am making changes now to
incorporate
the changes needed to support Shorewall 1.3.

John Lodge

-----Original Message-----
From: shorewall-users-admin@shorewall.net
[mailto:shorewall-users-admin@shorewall.net]On Behalf Of Jim Hubbard
Sent: 13 August 2002 12:15
To: shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] Shorewall GUI interface.


Why not just build a Webmin module?  I think someone has already started
work on this, but I can''t remember the name.

Sincerely,
Jim Hubbard
____________________________________



> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Simon Matter
> Sent: Tuesday, August 13, 2002 2:48 AM
> To: Bernard Varaine
> Cc: Shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Shorewall GUI interface.
>
>
> Bernard Varaine schrieb:
> >
> > I am quite keen to start working a GUI interface for Shorewall .
> >
> > Before I go any further in my thoughts I would like to know if you
think
> > it will be a good idea ( I like it the way it is but some people like
> > those graphics...) and what you think should be in it.
>
> Would be really nice to have a GUI if it is made this way:
>
> 1) Just modify the affected lines in the config files. Don''t
reformat or
> delete comments so it will be easy to maintain by hand and with the GUI.
>
> 2) Make it client/server. Don''t force anybody to use the client on
a
> firewall. SSH can be used to secure communication.
>
> 3) Don''t make things too complicated, don''t put too much
logic into the
> GUI. Make it configurable so changes in the shorewall configuration
> style can be implemented by modifying a rules file in the GUI.
>
> 4) Make the help system easy. As a quick help, the GUI can just parse
> the respective shorewall file and display the comments found there as
> help text. Additional help can be given in form of links to the web
> documantation.
>
> Simon
>
> >
> > And before someone ask, yes it will be free and opensource.
> >
> > regards
> >
> > Bernard
> > --
> >
> > Digital Objects Ltd
> >
> > Internet security / Web hosting & design / Web enabled
applications
> >
> > PO Box 60510, Titirangi
> > Waitakere City
> >
> > Phone: 0800 LETS DOIT (538736)
> > Fax: +64 9 8128 368
> > www.digitalobjects.co.nz
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users

> -----Original Message-----
> From: John Andersen [mailto:JAndersen@screenio.com]
> Sent: Wednesday, August 14, 2002 10:52 AM
> To: H&K4ME
> Cc: Shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] Shorewall GUI interface.
> 
> 
> On 14 Aug 2002 at 8:11, H&K4ME wrote:
> 
> > To tell the truth, I would rather see a good GUI for the 
> log file. One
> > that you can reposition the column''s or otherwise 
> customize. A good log
> > file interface is very useful in troubleshooting.
> > 
> > 
> >   Joe
> 
> Great Idea Joe...
> If nothing else colorcoded portions like some context
> cororizing text editors to find the things easier.
> Staring at the log is a real "go-blind" task.
Just so you guys know, there *are* some colorcoding options currently
available for your Shorewall (well, any iptables) logs:

FireParse: http://aaron.marasco.com/linux.html
FWAnalog (uses Analog webstats parser): http://tud.at/programm/fwanalog/
fwlogwatch (log parser plus live daemon which can do realtime monitoring):
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Have fun!!!

--Josh

On 15 Aug 2002 at 22:14, Joshua Penix wrote:
> Just so you guys know, there *are* some colorcoding options currently
> available for your Shorewall (well, any iptables) logs:
 
> fwlogwatch (log parser plus live daemon which can do realtime monitoring):
> http://www.kyb.uni-stuttgart.de/boris/software.shtml
That one is pretty cool. I like the email alerts option
as well as the web interface.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386