{{{#!wiki caution The system described below does not yet exist and is only in the earliest planning stages. See FirewallRules for how we manage firewalls today. }}} == Rationale == The current FirewallRules system is a pretty thin abstraction over ferm, and has an ad-hoc parser with a number of built in limitations. Even after only having a dozen or so rules, it is becoming clear that managing firewall rules will quickly become burdensome both for members and admins. Based on current patterns of requests, there a few things to consider: * We need a way to define groups of rules that members can trivially request * default ports for shell user (http, vcs software, mail, ssh, ...) * common rules for certain cgi applications or special uses (e.g. wordpress always needs to contact wordpress.org for full functionality) * Don't want to tie configuration to physical nodes (e.g. moving to a new shell server) * Restrict users to having rules on certain nodes (statically enforced) * Members should be able to grant themselves "safe" rules without any admin intervention * allowing members to grant themselves safely marked rule groups seems like a good start A few wish list considerations: * Want to store per-node firewall config for system services (apache, exim, imap, etc.) * Ideally, also store common port config (afs, kerberos, domtool, etc.) Conclusion: the current fwtool implementation would require duplicating a lot of functionality already present in the support machinery for the domtool `domain` type. A new syntax for user rule files would need to be created (or tons of hackish supporting code) so ... The only (in)sane way forward is to create a domtool container for firewalls to manage rules. This has distinct advantages: * Takes advantage of current domtool infrastructure for pushing configs * The domtool language is quite nice and has the needed functionality for abstracting groups of users, common config, etc. * Lays the groundwork for using domtool to perform node management in addition to domain management == Idea == My current thinking, expressed in pseudo-domtool @sig@ {{{ (* -*- domtool -*- *) firewall "node" with userRules "user" with proxiedServer [port, ...] [host, ...]; client [port, ...] [all_hosts]; server ...; end; end; (* userRules could implicitly create group? *) firewallGroup "name" with client ...; end; (* Groups would be independent of nodes? *) (* How to differentiate between groups users can request and not? *) firewallRules with addRules "group_name"; (* On DefaultFirewallHost? Or not support? *) addRulesAt "node" "group_name"; end; (* In some user config file, let them grant themselves common ports on user nodes. Definitely provide bindings for web/shell nodes. *) }}} ---- CategorySystemAdministration CategoryWorkInProgress