On Tue, 04 Feb 2003, Tom Eastep wrote:
> Additionally, I think I've taken the shell-based Shorewall idea about
> as far as I want to so Shorewall 2 will be written in another language
> (probably another interpretive one though).

Python seems to be a favourite -- I've seen many my-god-how-did-this-grow-so-huge projects choose Python when they finally get around to rewriting.

> I'll make another attempt at getting myself excited about writing a
> GUI...

Since it's clear you're not interested in designing a GUI for Shorewall yourself, and I suspect that any forced enthusiasm would be short lived, may I suggest that you consider an alternative way of getting the same result.

You could instead think about a *programmatic* interface, or rather a configuration *specification*, that allows anyone to write their own front-end for configuration and have a degree of confidence that it will continue to apply as the configuration set changes.

This is a difficult thing to do, and probably means the existing configuration set will be incompatible, but "version 2" is a good time to do it since incompatibilities with 1.x are to be expected.

This way, if sufficient people want a GUI for Shorewall configuration (or Web interface, or ncurses menus, or whatever), it is possible for them to write it independently and you can concentrate on what actually interests you about Shorewall. I'd hate to see you shackle yourself to a task you're simply not interested in, because that would soon lead to you burning out and leaving the project.

Projects you could crib from include Debian's debconf system, the webmin system, perhaps GNOME (though I haven't looked too hard at that), and others that hopefully other list members can suggest.

-- 
 \     "When I turned two I was really anxious, because I'd doubled my |
  `\    age in a year. I thought, if this keeps up, by the time I'm six |
_o__)                                  I'll be ninety." -- Steven Wright |
bignose@zip.com.au  F'print 9CFE12B0 791A4267 887F520C B7AC2E51 BD41714B
--On Wednesday, February 05, 2003 9:43 AM +1100 Ben Finney <bignose@zip.com.au> wrote:

> Since it's clear you're not interested in designing a GUI for Shorewall
> yourself, and I suspect that any forced enthusiasm would be short lived,
> may I suggest that you consider an alternative way of getting the same
> result.
>
> You could instead think about a *programmatic* interface, or rather a
> configuration *specification*, that allows anyone to write their own
> front-end for configuration and have a degree of confidence that it will
> continue to apply as the configuration set changes.
>
> This is a difficult thing to do, and probably means the existing
> configuration set will be incompatible, but "version 2" is a good time
> to do it since incompatibilities with 1.x are to be expected.

I had actually planned to modularize my code along those lines:

a) A set of modules that implement the various objects within a Shorewall configuration. I will probably use gutted Shorewall 1 scripts as drivers for these during development and testing.
b) A GUI built on top of those modules

And you're certainly correct that I will find a) a lot more interesting than b).

I will take this approach for several reasons:

1) I have no chance of succeeding at b) if I don't get a) right to start with.
2) I will probably be using an unfamiliar programming language so by tackling a familiar problem first (namely 'a)') I won't be so likely to suffer "new concept overflow".
3) I have no GUI design experience so my first several attempts at b) will undoubtedly suck. When I throw each away and start over again, I will not have to rethink the a) part. That of course assumes that I got a) right the first time but I'm quite confident about that given my experience with OO and with Shorewall 1.
4) It allows other people to easily extend Shorewall and to embed it into other products.

> This way, if sufficient people want a GUI for Shorewall configuration
> (or Web interface, or ncurses menus, or whatever), it is possible for
> them to write it independently and you can concentrate on what actually
> interests you about Shorewall.

Yep.

> I'd hate to see you shackle yourself to
> a task you're simply not interested in, because that would soon lead to
> you burning out and leaving the project.

I think that if I approach the problem as outlined above, I'll have a better chance -- it will allow me to focus first on learning the new language by solving a problem that I am already very familiar with. Once I'm through with a), I should feel comfortable with the language and will be able to concentrate on learning about GUI design and construction.

> Projects you could crib from include Debian's debconf system, the webmin
> system, perhaps GNOME (though I haven't looked too hard at that), and
> others that hopefully other list members can suggest.

Good idea.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> --On Wednesday, February 05, 2003 9:43 AM +1100 Ben Finney
> <bignose@zip.com.au> wrote:
>
>> Since it's clear you're not interested in designing a GUI for Shorewall
>> yourself, and I suspect that any forced enthusiasm would be short lived,
>> may I suggest that you consider an alternative way of getting the same
>> result.
>>
>> You could instead think about a *programmatic* interface, or rather a
>> configuration *specification*, that allows anyone to write their own
>> front-end for configuration and have a degree of confidence that it will
>> continue to apply as the configuration set changes.
>>
>> This is a difficult thing to do, and probably means the existing
>> configuration set will be incompatible, but "version 2" is a good time
>> to do it since incompatibilities with 1.x are to be expected.
>
> I had actually planned to modularize my code along those lines:
>
> a) A set of modules that implement the various objects within a Shorewall
> configuration. I will probably use gutted Shorewall 1 scripts as drivers
> for these during development and testing.
> b) A GUI built on top of those modules
>
> And you're certainly correct that I will find a) a lot more interesting
> than b).
>
> I will take this approach for several reasons:
>
> 1) I have no chance of succeeding at b) if I don't get a) right to start
> with.
> 2) I will probably be using an unfamiliar programming language so by
> tackling a familiar problem first (namely 'a)') I won't be so likely to
> suffer "new concept overflow".
> 3) I have no GUI design experience so my first several attempts at b) will
> undoubtedly suck. When I throw each away and start over again, I will not
> have to rethink the a) part. That of course assumes that I got a) right the
> first time but I'm quite confident about that given my experience with OO
> and with Shorewall 1.
> 4) It allows other people to easily extend Shorewall and to embed it into
> other products.
>
>> This way, if sufficient people want a GUI for Shorewall configuration
>> (or Web interface, or ncurses menus, or whatever), it is possible for
>> them to write it independently and you can concentrate on what actually
>> interests you about Shorewall.
>
> Yep.
>
>> I'd hate to see you shackle yourself to
>> a task you're simply not interested in, because that would soon lead to
>> you burning out and leaving the project.
>
> I think that if I approach the problem as outlined above, I'll have a
> better chance -- it will allow me to focus first on learning the new
> language by solving a problem that I am already very familiar with. Once
> I'm through with a), I should feel comfortable with the language and will
> be able to concentrate on learning about GUI design and construction.
>
>> Projects you could crib from include Debian's debconf system, the webmin
>> system, perhaps GNOME (though I haven't looked too hard at that), and
>> others that hopefully other list members can suggest.

What I would like to see is the ability to support different config backends. Something like the db backends in BIND9. My idea is that some people like configs in flat files, some want them in a SQL database, some - like me - like to have everything in an LDAP directory. Of course, it's always possible to write programs which create config files based on information stored in other places, but having builtin plugins to support different config backends prevents people from reinventing the wheel again and again.

Simon

> Good idea.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
Simon Matter (5.2.2003 8:50):
> people like configs in flat files, some want them in a SQL database,
> some - like me - like to have everything in a LDAP directory. Of course,

Any kind of SQL support for config management should be great for many GUIs. "Plain text" config and GUI is OK only if you use that GUI from the beginning and no changes are made "by hand" in the configuration.

Everybody is talking about their own "favourite" language. Here is mine: Java :-)

I know U will kill me because of size hehe, but I can use Java for a web interface to shorewall, for an application interface to shorewall, I can compile it to native Linux code, there is a huge API for any features I would like to do to shorewall..

Anyway, I like Tom's idea about modular structure and I hope that I will be able to "connect" to new shorewall with my JavaServerPages GUI :-)

Juraj
On 5 Feb 2003, "SHOREWALL TimeLord" wrote:
> Everybody is talking about own "favourite" language. Here is mine:
> Java :-)

Language preferences aside, there are significant roadblocks to free software Java implementations, placed by Sun. The Debian project has a FAQ addressing these issues:

<http://www.debian.org/doc/manuals/debian-java-faq/ch2.html>

I hope Tom will restrict his selection to only languages that can be implemented on free operating systems. I would hate to have many people abandon Shorewall 2.0 because it depends on non-free components.

-- 
 \     "I was married by a judge. I should have asked for a jury." -- |
  `\                                                      Groucho Marx |
_o__)                                                                  |
bignose@zip.com.au  F'print 9CFE12B0 791A4267 887F520C B7AC2E51 BD41714B
Ben Finney wrote:
> On 5 Feb 2003, "SHOREWALL TimeLord" wrote:
>
>> Everybody is talking about own "favourite" language. Here is mine:
>> Java :-)
>
> Language preferences aside, there are significant roadblocks to free
> software Java implementations, placed by Sun.

I'm uncomfortable with the Java "Terms of Use" myself having recently been forced to download and install the JRE from SunSoft in order to Java-enable my Netscape browser.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom,

I'd prefer to see your efforts concentrate more on the backend. People tend to be somewhat religious about GUIs. If your backend is modular and you provide APIs for manipulating it, then many different GUIs can be run on top of it (a good thing?). Webmin would be great as the default interface.

On to more selfish requests :)

I manage several shorewalls and a Cisco or two. I've found that text based config files are extremely useful in that I can place them in change control and just transfer them (scp, cut 'n' paste into an ssh etc.) to the appropriate firewall for deployment. I hope you won't move away from an underlying text based config mechanism. Deploying changes out to several firewalls using a GUI is tedious and error prone. I'm not saying that a configuration GUI isn't useful, as long as it is not the only interface for configuration.

A GUI is perfect for providing better firewall reporting. The Webmin interface for example could provide (to start out with) at least the equivalent of "shorewall hits". It could easily be expanded to do log analysis etc., quick health reports (similar to LEAF's interface?) and providing many other useful firewall reports. While I'm not a big perl fan, webmin is a sound platform for this type of application (I use it everywhere). Other pros to webmin are that it provides an upgrade mechanism and secure access, both of which you won't have to write :).

Thanks for a great firewall!

Jim Susoy
--On Friday, February 07, 2003 4:21 PM -0800 Jim Susoy <jim@susoy.com> wrote:

> I manage several shorewalls and a Cisco or two. I've found that text
> based config files are extremely useful in that I can place them in
> change control and just transfer them (scp, cut 'n' paste into an ssh
> etc.) to the appropriate firewall for deployment. I hope you won't move
> away from an underlying text based config mechanism. Deploying changes
> out to several firewalls using a GUI is tedious and error prone. I'm not
> saying that a configuration GUI isn't useful, as long as it is not the
> only interface for configuration.

I'm getting that message loud and clear from a number of sources.

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
I agree with your opinion... :)

Easy and clean administration of the firewall is the number 1 thing in most cases. And shorewall does an excellent job in it..

Kristof.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jim Susoy
Sent: zaterdag 8 februari 2003 1:21
To: shorewall-users
Subject: Re: [Shorewall-users] Shorewall 2.0 plans

..snip

I manage several shorewalls and a Cisco or two. I've found that text based config files are extremely useful in that I can place them in change control and just transfer them (scp, cut 'n' paste into an ssh etc.) to the

..snip

Thanks for a great firewall!

Jim Susoy
Hi,

Any idea where I can post suggestions to webmin's shorewall module?

A thing that might be nice.. Comments in the config files. I use comments all the time (I precede them with ##! or something like that) in some config files. This to make the file understandable for some colleagues and searching in a 'bigger' rules file easier.

Would be pretty to make these also appear in the webmin-part..

Greetings,

Kristof.
Kristof Hardy wrote:
> A thing that might be nice.. Comments in the config files. I use
> comments all the time (I precede them with ##! or something like that)
> in some config files. This to make the file understandable for some
> colleagues and searching in a 'bigger' rules file easier.
>
> Would be pretty to make these also appear in the webmin-part..

I think the best place to add comments with the webmin module would be to add them after the record on the same line.

    ACCEPT    loc    dmz    all    # Permit all traffic from local to dmz

I think that's the only place where comments and configs can be kept in sync. I once had a plan to add that into the shorewall webmin module but I had no time for that.

And if webmin was the default gui there would be no need for any documentation in config-files. That would help Tom a lot, I think. Only web documentation is then needed. And there could be links to the current documentation from the webmin module so that a local copy there was unnecessary.

-- 
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
Hello Kristof,

Kristof Hardy wrote:
> Hi,
>
> Any idea where I can post suggestions to webmin's shorewall module?

There isn't anyone actively maintaining the Webmin module currently. John Lodge works on it as time permits but his time for that has been limited. Jamie Cameron (the Webmin maintainer) has agreed to add support for "shorewall refresh" and the new alias label feature from 1.3.14 in the next Webmin release but he won't be adding major function like support for additional files.

Any volunteers?

> A thing that might be nice.. Comments in the config files. I use
> comments all the time (I precede them with ##! or something like that)
> in some config files. This to make the file understandable for some
> colleagues and searching in a 'bigger' rules file easier.
>
> Would be pretty to make these also appear in the webmin-part..

I had the same thought as I was using the webmin module the other day.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
One thing I would like is to have "rules templates".

I'm facing an installation in a university where I'll have ACADEMIC, CORPORATE, DMZ and dozens of COMPUTER LABS (subnets via VLANs).

And those LABS will have (almost) the same RULES. Using PARAMS was useful but it's not an ideal solution.

A very raw idea could be:

--------------------------------------------------
[labs_exams]
ACCEPT  $ZONE  fw        tcp  $WWWPORT
ACCEPT  $ZONE  net       udp  domain
ACCEPT  $ZONE  academic  tcp  mysql
DROP    $ZONE  net       tcp  irc
[/labs_exams]

REPEAT labs_exams
ZONE=academic,room1a,room1b,room1c,room2a,room2b,room2c,room3a
WWWPORT=squid
---------------------------------------------------
[labs_afterhours]
ACCEPT  $ZONE  net  tcp  www
ACCEPT  $ZONE  net  udp  domain
ACCEPT  $ZONE  net  tcp  ftp
[/labs_afterhours]

REPEAT labs_afterhours
ZONE=academic,corp,room1a,room1b,room1c,room2a,room2b,room2c,room3a
--------------------------------------------------

-Gilson
Well, I don't know any perl, and worse, I don't have time to volunteer (I work at a financial firm, you know, I shouldn't even be writing this mail). But as I said, I really needed the hosts table. So I kind of made a very simple interface to it (no checks, no critics). There goes the icon for webmin (put it in Shorewall/Images in webmin) and a patch to the Webmin Shorewall modules. I guess it will work and maybe someone picks up the job from here, if you like it ;-).

Put the diff file into /usr/libexec/webmin and, from directory /usr/libexec/webmin/shorewall, run

    patch -p1 < ../shorewall_webmin_hosts_table.diff

The gif I've got from another hosts.gif file I found elsewhere in the webmin directories...

hope this helps,

Eduardo Ferreira

Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-bounces@lists.shorewall.net
08/02/2003 12:31
To: Kristof Hardy <kristof.hardy@catsanddogs.com>
cc: Shorewall Users <shorewall-users@lists.shorewall.net>
Subject: Re: [Shorewall-users] Shorewall Webmin suggestions

> Hello Kristof,
>
> Kristof Hardy wrote:
>> Hi,
>>
>> Any idea where I can post suggestions to webmin's shorewall module?
>
> There isn't anyone actively maintaining the Webmin module currently. John
> Lodge works on it as time permits but his time for that has been limited.
> Jamie Cameron (the Webmin maintainer) has agreed to add support for
> "shorewall refresh" and the new alias label feature from 1.3.14 in the next
> Webmin release but he won't be adding major function like support for
> additional files.
>
> Any volunteers?
>
>> A thing that might be nice.. Comments in the config files. I use
>> comments all the time (I precede them with ##! or something like that)
>> in some config files. This to make the file understandable for some
>> colleagues and searching in a 'bigger' rules file easier.
>>
>> Would be pretty to make these also appear in the webmin-part..
>
> I had the same thought as I was using the webmin module the other day.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shorewall_webmin_hosts_tables.diff
Type: application/octet-stream
Size: 2803 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030210/95879ae1/shorewall_webmin_hosts_tables-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hosts.gif
Type: image/gif
Size: 2575 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030210/95879ae1/hosts-0001.gif
Gilson Soares wrote:
> One thing I would like is to have "rules templates".
>
> I'm facing an installation in a university where I'll have ACADEMIC,
> CORPORATE, DMZ and dozens of COMPUTER LABS (subnets via VLANs).
>
> And those LABS will have (almost) the same RULES.
> Using PARAMS was useful but it's not an ideal solution.
>
> A very raw idea could be:
> --------------------------------------------------
> [labs_exams]
> ACCEPT  $ZONE  fw        tcp  $WWWPORT
> ACCEPT  $ZONE  net       udp  domain
> ACCEPT  $ZONE  academic  tcp  mysql
> DROP    $ZONE  net       tcp  irc
> [/labs_exams]
>
> REPEAT labs_exams
> ZONE=academic,room1a,room1b,room1c,room2a,room2b,room2c,room3a
> WWWPORT=squid
> ---------------------------------------------------
> [labs_afterhours]
> ACCEPT  $ZONE  net  tcp  www
> ACCEPT  $ZONE  net  udp  domain
> ACCEPT  $ZONE  net  tcp  ftp
> [/labs_afterhours]
>
> REPEAT labs_afterhours
> ZONE=academic,corp,room1a,room1b,room1c,room2a,room2b,room2c,room3a
> --------------------------------------------------

This can be accomplished already as follows:

------------------------------------------------------------
a) Place your static rules in /etc/shorewall/rules

b) Place this in /etc/afterhours/init:

    # Start from the static rules, then append one copy of the
    # after-hours rules for every lab zone.
    cp -f /etc/shorewall/rules /etc/afterhours/rules
    for ZONE in academic room1a room1b room1c room2a room2b room2c room3a; do
        echo "ACCEPT $ZONE net tcp www"    >> /etc/afterhours/rules
        echo "ACCEPT $ZONE net udp domain" >> /etc/afterhours/rules
        echo "ACCEPT $ZONE net tcp ftp"    >> /etc/afterhours/rules
    done
--------------------------------------------------------------

Now "shorewall -c /etc/afterhours restart"

You can do a similar thing in /etc/labs_exams.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
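Generalising Tom's init-script approach to Gilson's two-variable templates, as an added example that is not code from the thread or from Shorewall: a small shell "REPEAT" that expands $ZONE and $WWWPORT in a rules template once per zone, refusing zone names that are not plain identifiers so a stray shell or sed metacharacter can never end up in the generated rules file. The template text, zone names and "squid" port name are constructed from the messages above; the function names are my own.

```sh
#!/bin/sh
# Added example: expand parameterised Shorewall rule templates (not Shorewall code).
set -e

# Constructed templates, taken from Gilson's sketch. Each line is an ordinary
# /etc/shorewall/rules record with $ZONE and $WWWPORT placeholders.
LABS_EXAMS='ACCEPT $ZONE fw tcp $WWWPORT
ACCEPT $ZONE net udp domain
ACCEPT $ZONE academic tcp mysql
DROP $ZONE net tcp irc'

LABS_AFTERHOURS='ACCEPT $ZONE net tcp www
ACCEPT $ZONE net udp domain
ACCEPT $ZONE net tcp ftp'

# repeat_template TEMPLATE WWWPORT ZONE...
# Prints one copy of TEMPLATE per ZONE with the placeholders substituted.
# Zone names must be identifiers; WWWPORT may also contain ':' and ',' so
# port ranges and lists still work. Anything else is rejected before it can
# reach sed or the generated file.
repeat_template() {
    template=$1
    wwwport=$2
    shift 2
    case $wwwport in
        *[!A-Za-z0-9_:,]*|'') echo "bad WWWPORT value: $wwwport" >&2; return 1 ;;
    esac
    for zone in "$@"; do
        case $zone in
            *[!A-Za-z0-9_]*|'') echo "bad zone name: $zone" >&2; return 1 ;;
        esac
        # '\$' in a BRE matches a literal dollar sign; the replacement is a
        # validated identifier, so no escaping of the right-hand side is needed.
        printf '%s\n' "$template" |
            sed -e 's/\$ZONE/'"$zone"'/g' -e 's/\$WWWPORT/'"$wwwport"'/g'
    done
}

# build_rules OUTFILE BASEFILE TEMPLATE WWWPORT ZONE...
# Same shape as Tom's /etc/afterhours/init: copy the static rules, then
# append the expanded template. The caller chooses the paths.
build_rules() {
    out=$1
    base=$2
    shift 2
    cp -f "$base" "$out"
    repeat_template "$@" >> "$out"
}

# Demo: the exam-time rule set for a few of the lab zones named in the thread.
repeat_template "$LABS_EXAMS" squid academic room1a room1b
```

Pointing build_rules at /etc/shorewall/rules and /etc/afterhours/rules reproduces Tom's script exactly; the validation is what his version lacks if the zone list ever comes from somewhere other than a hand-typed init file.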