The system described below does not yet exist and is only in the earliest planning stages. See FirewallRules for how we manage firewalls today.

1. Rationale

The current FirewallRules system is a pretty thin abstraction over ferm, and has an ad-hoc parser with a number of built-in limitations. Even after only having a dozen or so rules, it is becoming clear that managing firewall rules will quickly become burdensome both for members and admins.

Based on current patterns of requests, there are a few things to consider:

A few wish list considerations:

Conclusion: the current fwtool implementation would require duplicating a lot of functionality already present in the support machinery for the domtool domain type. A new syntax for user rule files would need to be created (or tons of hackish supporting code) so ...

The only (in)sane way forward is to create a domtool container for firewalls to manage rules. This has distinct advantages:

2. Idea

My current thinking, expressed in pseudo-domtool:

(* -*- domtool -*- *)

firewall "node" with
  userRules "user" with
    proxiedServer [port, ...] [host, ...];
    client [port, ...] [all_hosts];
    server ...;
(* userRules could implicitly create group? *)

firewallGroup "name" with
  client ...;
(* Groups would be independent of nodes? *)
(* How to differentiate between groups users can request and not? *)

firewallRules with
  addRules "group_name"; (* On DefaultFirewallHost? Or not support? *)
  addRulesAt "node" "group_name";

(* In some user config file, let them grant themselves common ports on
   user nodes. Definitely provide bindings for web/shell nodes. *)
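To make the sketch above concrete, here is an added example (not domtool code, and not part of this wiki page's original design) that models the three containers as Python data and renders a node's effective rules as iptables-style lines. Everything beyond the sketch is an assumption of this example: groups carry a "requestable" flag so that groups users may request can be told apart from admin-only ones, self-service user rules are checked against a per-node port allow-list, and proxiedServer is read as "accept on these ports only from the listed proxy hosts". Host names, ports and the node name are constructed sample values.

```python
# Added example: a hypothetical Python model of the firewall/firewallGroup/
# firewallRules containers sketched above. Not domtool's implementation.
from dataclasses import dataclass, field

ALL_HOSTS = "all_hosts"


@dataclass(frozen=True)
class Rule:
    kind: str      # "client", "server" or "proxiedServer"
    ports: tuple   # TCP port numbers
    hosts: tuple   # remote hosts, or (ALL_HOSTS,)


@dataclass
class FirewallModel:
    # group name -> (requestable by users?, rules)       [firewallGroup]
    groups: dict = field(default_factory=dict)
    # node -> user -> rules                              [userRules block]
    user_rules: dict = field(default_factory=dict)
    # node -> group names applied there                  [addRulesAt]
    node_groups: dict = field(default_factory=dict)
    # node -> ports users may grant themselves (assumption, not from the page)
    self_service_ports: dict = field(default_factory=dict)

    def firewall_group(self, name, rules, requestable=False):
        self.groups[name] = (requestable, tuple(rules))

    def add_rules_at(self, node, group):
        """Admin-side addRulesAt: attach an existing group to a node."""
        if group not in self.groups:
            raise KeyError(f"unknown firewall group {group!r}")
        self.node_groups.setdefault(node, []).append(group)

    def request_group(self, node, user, group):
        """A user asking for a group: only requestable groups go through."""
        requestable, _ = self.groups[group]
        if not requestable:
            raise PermissionError(f"{user} may not request group {group!r}")
        self.add_rules_at(node, group)

    def user_rule(self, node, user, rule):
        """Self-service user rule, checked against the node's port allow-list."""
        allowed = self.self_service_ports.get(node, set())
        bad = [p for p in rule.ports if p not in allowed]
        if bad:
            raise PermissionError(f"{user} cannot open ports {bad} on {node}")
        self.user_rules.setdefault(node, {}).setdefault(user, []).append(rule)

    def effective_rules(self, node):
        """All (owner, rule) pairs in force on a node: groups first, then users."""
        out = []
        for g in self.node_groups.get(node, []):
            out.extend((f"group:{g}", r) for r in self.groups[g][1])
        for user, rules in self.user_rules.get(node, {}).items():
            out.extend((f"user:{user}", r) for r in rules)
        return out


def render_iptables(model, node):
    """Render a node's effective rules as iptables rule lines, tagged by owner."""
    lines = []
    for owner, r in model.effective_rules(node):
        for port in r.ports:
            for host in r.hosts:
                if r.kind == "client":
                    chain = "OUTPUT"
                    addr = "" if host == ALL_HOSTS else f" -d {host}"
                else:  # server and proxiedServer both accept inbound traffic
                    chain = "INPUT"
                    addr = "" if host == ALL_HOSTS else f" -s {host}"
                lines.append(f'-A {chain} -p tcp{addr} --dport {port} -j ACCEPT '
                             f'-m comment --comment "{owner}"')
    return lines


def demo():
    """Constructed sample: one web node, one admin-only group, one requestable
    group and one self-service user rule."""
    m = FirewallModel()
    m.self_service_ports["web"] = {80, 443, 8080}
    m.firewall_group("mail-client",
                     [Rule("client", (25, 587), (ALL_HOSTS,))], requestable=True)
    m.firewall_group("admin-ssh", [Rule("server", (22,), ("bastion.example",))])
    m.add_rules_at("web", "admin-ssh")                 # admin action
    m.request_group("web", "alice", "mail-client")     # user request, allowed
    m.user_rule("web", "alice",
                Rule("proxiedServer", (8080,), ("proxy.example",)))
    return m


if __name__ == "__main__":
    print("\n".join(render_iptables(demo(), "web")))
```

The point of the model is the split the sketch asks for: admins define groups and attach them to nodes, users can only pull in groups marked requestable or open ports from a node's allow-list, and every rendered rule stays traceable to the group or user that caused it.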

CategorySystemAdministration CategoryWorkInProgress

FirewallTool (last edited 2013-01-21 08:45:46 by ClintonEbadi)