The system described below does not yet exist and is only in the earliest planning stages. See FirewallRules for how we manage firewalls today.
The current FirewallRules system is a pretty thin abstraction over ferm, with an ad-hoc parser that has a number of built-in limitations. Even with only a dozen or so rules, it is already becoming clear that managing firewall rules this way will quickly become burdensome for both members and admins.
Based on current patterns of requests, there are a few things to consider:
- We need a way to define groups of rules that members can trivially request
  - default ports for shell users (http, vcs software, mail, ssh, ...)
  - common rules for certain CGI applications or special uses (e.g. wordpress always needs to contact wordpress.org for full functionality)
- Don't want to tie configuration to physical nodes (e.g. moving to a new shell server)
- Restrict users to having rules only on certain nodes (statically enforced)
- Members should be able to grant themselves "safe" rules without any admin intervention
  - allowing members to grant themselves rule groups that have been marked safe seems like a good start
A few wish list considerations:
- Want to store per-node firewall config for system services (apache, exim, imap, etc.)
- Ideally, also store common port config (afs, kerberos, domtool, etc.)
Conclusion: extending the current fwtool implementation would require duplicating a lot of functionality already present in the support machinery for the domtool domain type. A new syntax for user rule files would need to be created (or tons of hackish supporting code written), so ...
The only (in)sane way forward is to create a domtool container for firewalls to manage rules. This has distinct advantages:
- Takes advantage of current domtool infrastructure for pushing configs
- The domtool language is quite nice and has the needed functionality for abstracting groups of users, common config, etc.
- Lays the groundwork for using domtool to perform node management in addition to domain management
My current thinking, expressed in pseudo-domtool @sig@
    (* -*- domtool -*- *)
    firewall "node" with
      userRules "user" with
        proxiedServer [port, ...] [host, ...];
        client [port, ...] [all_hosts];
        server ...;
      end;
    end;
    (* userRules could implicitly create group? *)

    firewallGroup "name" with
      client ...;
    end;
    (* Groups would be independent of nodes? *)
    (* How to differentiate between groups users can request and not? *)

    firewallRules with
      addRules "group_name";
      (* On DefaultFirewallHost? Or not support? *)
      addRulesAt "node" "group_name";
    end;
    (* In some user config file, let them grant themselves common ports on user nodes.
       Definitely provide bindings for web/shell nodes. *)
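To make the policy behind the pseudo-domtool above concrete, here is a small Python model of the checks the firewall container would have to enforce: groups defined independently of any node, members allowed to self-grant only groups marked safe, user rules refused on nodes that are not user nodes, and the resulting grants expanded per node into ferm-style lines. This is an added example, not domtool, fwtool or ferm code; the node, user and group names (shell, web, mail, alice, web-default, wordpress, smtp-out) are constructed for illustration, the ferm line format is assumed rather than taken from the page, and proxiedServer is left out because its semantics are not specified above.

```python
# Added illustrative model of the proposed firewall container's policy checks.
# Not domtool/fwtool/ferm code; all names below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str      # "client" (outbound) or "server" (inbound)
    ports: tuple   # TCP ports
    hosts: tuple   # remote hosts; ("all_hosts",) means no address restriction


@dataclass(frozen=True)
class Group:
    name: str
    rules: tuple
    safe: bool     # True: members may grant the group to themselves


class FirewallPolicy:
    """Groups are defined independently of nodes; grants bind (node, user, group)."""

    def __init__(self, user_nodes):
        # Nodes on which members may hold rules at all (the static restriction).
        self.user_nodes = frozenset(user_nodes)
        self.groups = {}
        self.grants = {}   # (node, user) -> set of group names

    def define_group(self, group):
        self.groups[group.name] = group

    def grant(self, user, node, group_name, admin=False):
        """Attach a group to a user on a node, refusing anything policy forbids."""
        if node not in self.user_nodes:
            raise PermissionError(f"members may not hold firewall rules on {node}")
        group = self.groups[group_name]          # unknown group -> KeyError
        if not group.safe and not admin:
            raise PermissionError(f"group {group_name!r} requires admin approval")
        self.grants.setdefault((node, user), set()).add(group_name)

    def render(self, node):
        """Expand every grant on one node into ferm-style lines (format assumed)."""
        lines = []
        for (n, user), names in sorted(self.grants.items()):
            if n != node:
                continue
            for name in sorted(names):
                for rule in self.groups[name].rules:
                    lines.extend(rule_lines(user, rule))
        return lines


def rule_lines(user, rule):
    """One ferm-style line per (port, host) pair of a rule."""
    out = []
    match = "daddr" if rule.kind == "client" else "saddr"
    for port in rule.ports:
        for host in rule.hosts:
            addr = "" if host == "all_hosts" else f" {match} {host}"
            if rule.kind == "client":
                # Outbound: tie the rule to the user with the iptables owner match.
                out.append(f"chain OUTPUT mod owner uid-owner {user} "
                           f"proto tcp dport {port}{addr} ACCEPT;")
            elif rule.kind == "server":
                # Inbound: owner matching is not available in INPUT, so the port is the scope.
                out.append(f"chain INPUT proto tcp dport {port}{addr} ACCEPT;")
            else:
                raise ValueError(f"unsupported rule kind {rule.kind!r}")
    return out


def demo():
    """Constructed scenario: two safe groups, one admin-only group, one non-user node."""
    policy = FirewallPolicy(user_nodes={"shell", "web"})
    policy.define_group(Group("web-default", (Rule("client", (80, 443), ("all_hosts",)),), safe=True))
    policy.define_group(Group("wordpress", (Rule("client", (80, 443), ("wordpress.org",)),), safe=True))
    policy.define_group(Group("smtp-out", (Rule("client", (25,), ("all_hosts",)),), safe=False))
    refused = []
    policy.grant("alice", "web", "web-default")        # safe group: self-service
    policy.grant("alice", "web", "wordpress")          # safe group: self-service
    for node, group, admin in (("web", "smtp-out", False), ("mail", "web-default", True)):
        try:
            policy.grant("alice", node, group, admin=admin)
        except PermissionError as e:
            refused.append(str(e))                     # unsafe group / non-user node
    policy.grant("alice", "web", "smtp-out", admin=True)
    return policy.render("web"), refused


if __name__ == "__main__":
    rendered, rejected = demo()
    print("\n".join(rendered))
    print("refused:", rejected)
```

The grant-time checks play the role of the "statically enforced" restriction: a grant that names a non-user node or an unsafe group never reaches the rendered per-node config, which is the property the domtool container would have to guarantee before anything is pushed to a node.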