welcome: please sign in

Upload page content

You can upload content for the page named below. If you change the page name, you can also upload content for another page. If the page name is empty, we derive the page name from the file name.

File to load page content from
Page name
First name of the author of the GNU Manifesto



The system described below does not yet exist and is only in the earliest planning stages. See FirewallRules for how we manage firewalls today.

1. Rationale

The current FirewallRules system is a pretty thin abstraction over ferm, and has an ad-hoc parser with a number of built in limitations. Even after only having a dozen or so rules, it is becoming clear that managing firewall rules will quickly become burdensome both for members and admins.

Based on current patterns of requests, there a few things to consider:

A few wish list considerations:

Conclusion: the current fwtool implementation would require duplicating a lot of functionality already present in the support machinery for the domtool domain type. A new syntax for user rule files would need to be created (or tons of hackish supporting code) so ...

The only (in)sane way forward is to create a domtool container for firewalls to manage rules. This has distinct advantages:

2. Idea

My current thinking, expressed in pseudo-domtool @sig@

(* -*- domtool -*- *)

firewall "node" with
  userRules "user" with
    proxiedServer [port, ...] [host, ...];
    client [port, ...] [all_hosts];
    server ...;
(* userRules could implicitly create group? *)

firewallGroup "name" with
  client ...;
(* Groups would be independent of nodes? *)
(* How to differentiate between groups users can request and not? *)

firewallRules with
  addRules "group_name"; (* On DefaultFirewallHost? Or not support? *)
  addRulesAt "node" "group_name";

(* In some user config file, let them grant themselves common ports on
   user nodes. Definitely provide bindings for web/shell nodes. *)

CategorySystemAdministration CategoryWorkInProgress