welcome: please sign in

Revision 1 as of 2013-01-21 08:34:07

Clear message


The system described below does not yet exist and is only in the earliest planning stages. See FirewallRules for how we manage firewalls today.

1. Rationale

The current FirewallRules system is a pretty thin abstraction over ferm, and has an ad-hoc parser with a number of built in limitations. Even after only having a dozen or so rules, it is becoming clear that managing firewall rules will quickly become burdensome both for members and admins.

Based on current patterns of requests, there a few things to consider:

A few wish list considerations:

Conclusion: the current fwtool implementation would require duplicating a lot of functionality already present in the support machinery for the domtool domain type. A new syntax for user rule files would need to be created (or tons of hackish supporting code) so ...

The only (in)sane way forward is to create a domtool container for firewalls to manage rules. This has distinct advantages:

CategorySystemAdministration CategoryWorkInProgress