1

The system described below does not yet exist and is only in the earliest planning stages. See FirewallRules for how we manage firewalls today.

3. Rationale

The current FirewallRules system is a pretty thin abstraction over ferm, and has an ad-hoc parser with a number of built in limitations. Even after only having a dozen or so rules, it is becoming clear that managing firewall rules will quickly become burdensome both for members and admins.

Based on current patterns of requests, there a few things to consider:

A few wish list considerations:

Conclusion: the current fwtool implementation would require duplicating a lot of functionality already present in the support machinery for the domtool domain type. A new syntax for user rule files would need to be created (or tons of hackish supporting code) so ...

The only (in)sane way forward is to create a domtool container for firewalls to manage rules. This has distinct advantages:

4. Idea

My current thinking, expressed in pseudo-domtool @sig@

(* -*- domtool -*- *)

firewall "node" with
  userRules "user" with
    proxiedServer [port, ...] [host, ...];
    client [port, ...] [all_hosts];
    server ...;
  end;
end;
(* userRules could implicitly create group? *)


firewallGroup "name" with
  client ...;
end;
(* Groups would be independent of nodes? *)
(* How to differentiate between groups users can request and not? *)

firewallRules with
  addRules "group_name"; (* On DefaultFirewallHost? Or not support? *)
  addRulesAt "node" "group_name";
end;

(* In some user config file, let them grant themselves common ports on
   user nodes. Definitely provide bindings for web/shell nodes. *)


CategorySystemAdministration CategoryWorkInProgress