Firewall Wizards mailing list archives

Re: Firewall administration.

From: Bennett Todd <bet () rahul net>
Date: Wed, 8 Oct 1997 04:22:23 -0700

On Tue, Oct 07, 1997 at 09:15:12PM -0500, Rick Smith wrote:

[...] Actually, I mean something a bit different. We need to assume that
users *won't* have a good understanding of what they're doing. So the GUI
needs to present choices that clearly relate to what the customers need
to control, and "under the hood" perform the necessary connections and
restrictions for them. A trivial example would be to give customers the
ability to manipulate "services" instead of "port numbers."

Also, keep in mind that I'm speaking from the point of view of someone who
wants to get as many people as possible using firewalls correctly, even if
they're not experts in networking or security.


Hmm. I really like this goal. Combine these thoughts with other threads that
have been dangling --- including Brent Chapman's packet filtering paper which
I hit chasing a link from the Sinus Firewall docs, and mjr's remarks in this
forum about canned security stances --- and we have the makings of a nice tidy
small project.

Linux+ipfw+fwtk has all the bits you need to assemble a nice firewall. So what
someone needs to do is roll up a handful of nice boilerplate configs ---
``security stances'' --- and then whip up a nice user-friendly front-end that
offers a choice among the stances, with high-level descriptions to help the
user pick the nearest match to their needs, then uses the chosen stance as an
initial state for a gui front-end, which offers enable/disable choices on
services, with explanations of risks that pop up whenever you try to enable
something to tell you why you might not want to.

Wouldn't even require running X on the firewall; this could all be done with
e.g. dialog(1).

Config options that it sets can be documented, by having nice blocks of
comments in any config files it edits, and having it generate an annotated log
of the commands it issues to make the config changes take effect.

Base it on a minimal Red Hat install, and it'll be easy to add and remove
chunks of software with RPM, and to support updating to track new versions.

-Bennett

Current thread:

Re: Firewall administration. Anton J Aylward (Oct 01)
- Re: Firewall administration. Rick Smith (Oct 03)
- <Possible follow-ups>
- Re: Firewall administration. Rik Farrow (Oct 03)
  - Re: Firewall administration and thoughts cont. Mark Teicher (Oct 04)
    - Interface (was Firewall administration and thoughts) David Collier-Brown (Oct 06)
    - Re: Interface (was Firewall administration and thoughts) Mark Teicher (Oct 06)
- Re: Firewall administration. Anton J Aylward (Oct 04)
  - Re: Firewall administration. Rick Smith (Oct 09)
    - Re: Firewall administration. Bennett Todd (Oct 09)
    - firewall configurator Was: Firewall administration. Magossa'nyi A'rpa'd (Oct 10)
    - Re: firewall configurator Was: Firewall administration. -= ArkanoiD =- (Oct 11)
    - Re: firewall configurator Was: Firewall administration. Magossa'nyi A'rpa'd (Oct 12)
- RE: Firewall administration. Gary Crumrine (Oct 06)
  - Re: Firewall administration. Bennett Todd (Oct 06)
    - Re: Firewall administration. Adam Shostack (Oct 07)
    - Re: Firewall administration. Bennett Todd (Oct 07)
    - Re: Firewall administration. Marcus J. Ranum (Oct 07)
    - Re: Small company question was Re: Firewall administration. Mark Teicher (Oct 09)
    - Re: Small company question was Re: Firewall administration. Bennett Todd (Oct 10)

(Thread continues...)