Well, I think I understand in some way.
For me it is mostly the fun and the challenge about it all that is the motivation, so that might be different.
By the way, I was doing some thinking on how the firewall and the server issues could be simplified so that actually all development could be done more easily.
There will, as I see it, be a need for a modularization between the "firewall stuff" and the "server stuff" to avoid "mixed stuff" that is too difficult to work with (if it should be an option to have more "radical" options for the firewalling part of it).
Actually I think a lot could be done within the framework of the existing admin-panel.
Suggestion about how:
1. All firewall functionality is pulled out of the automated interaction with the server functions. (All the existing firewall configuration tools are removed or disabled.)
2. When first installed there is a fixed static basic firewall configuration script with some rather restrictive basic configuration. There should be no automated routines that will change this by themselves and without user interference.
3. Then there is built a completely new user panel in the admin-panel. Its only sole purpose is to generate a new firewall configuration script based on user input.
4. The firewall configuration panel could then consist of a very easy setup with a red and a green field where you can tick off the ports you want opened for the red zone and for the green zone.
5. Also there could be an easy graphic interface for port forwarding.
6. The user panel could have such an easy design that the user can see immediately what he has closed and what is open and which ports are forwarded.
7. Then there could be some tick-offs for other functions like "answer to ping", "activate dos protection", etc.
When or if the firewall module only has to deal with the firewall configuration, then the complexity of "the firewall things" should be reduced to only a fraction of what it is in the existing system.
It should be no (big) problem to give the user a graphical overview and full control all the time, and it should also be easy to implement diverse netfilter specialities.
This should give better and increased user control and an easier and more flexible solution.
Seen from my point of view such a project would contain an easy part and a difficult part.
The easy part is to configure a 2 or 3 port firewall. That's how I would see it, the next to nothing part of it.
Then there is the difficult part: how to make a web page interact with a perl script in such a way that it will generate a text file. (I have no idea, but I guess it should be easier to only generate a text file than to interact with all kinds of server functions..)
I believe that all of it can be easily done if things are just modularized a bit, so there is a problem area related to the server functions, as one unit, and a problem area related to the firewall, as one unit, then divided into subareas: 1. The web shell for generating the firewall configuration script. 2. The content of the firewall script itself.
The difficulty today is not the firewalling itself, but the way all kinds of problems are tightly integrated into each other. With some modularization, especially for the firewall stuff, I think that more could be done and it could be done a lot more easily.
*********
If there are no big protests, I think I will post a text-based 3 port DMZ solution and a fine grained traffic control in all traffic directions in the relatively near future. The solution is up and running with SME 7.2 just now, but I will just do some more testing first. I will possibly also make a 2 ports variant with 4 directions firewalling as well. There is only one way to develop a firewall, I think, and that is to test it out. If there are protests I will not post it.
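As an added example (not the poster's code, and not anything from SME Server itself): the generator that the proposed panel would need, written in Python rather than the perl script mentioned above, turning the red/green tick-offs, the port forwards and the "answer to ping" and "dos protection" hooks into a static iptables script. The interface names eth0/eth1, the SYN rate limit standing in for "dos protection", the chain layout and the sample input are all assumptions; the point worth noting is that every port and host is validated before it is written into a file that will run as root.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class FirewallInput:
    red_if: str = "eth0"    # untrusted-zone interface (assumed name)
    green_if: str = "eth1"  # trusted-zone interface (assumed name)
    red_open: list = field(default_factory=list)    # TCP ports opened on the red side
    green_open: list = field(default_factory=list)  # TCP ports opened on the green side
    forwards: list = field(default_factory=list)    # (red_port, green_host, green_port)
    answer_ping: bool = False
    dos_protection: bool = False

def _port(value) -> int:
    # Panel input ends up in a root-run script, so only an int in 1..65535 passes.
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {value!r}")
    return port

def generate_script(cfg: FirewallInput) -> str:
    red, green = cfg.red_if, cfg.green_if
    out = ["#!/bin/sh", "# generated script: default DROP, explicit opens only",
           "iptables -F", "iptables -t nat -F", "iptables -X",
           "iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT ACCEPT",
           "iptables -A INPUT -i lo -j ACCEPT",
           "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
           "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    if cfg.dos_protection:  # crude SYN rate limit, placed before any port is opened
        out += ["iptables -N syn_flood", "iptables -A INPUT -p tcp --syn -j syn_flood",
                "iptables -A syn_flood -m limit --limit 25/s --limit-burst 50 -j RETURN",
                "iptables -A syn_flood -j DROP"]
    if cfg.answer_ping:
        out.append(f"iptables -A INPUT -i {red} -p icmp --icmp-type echo-request"
                   " -m limit --limit 5/s -j ACCEPT")
    for iface, ports in ((red, cfg.red_open), (green, cfg.green_open)):
        for port in sorted({_port(p) for p in ports}):
            out.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    # green -> red is allowed and masqueraded; red -> green only through explicit forwards
    out += [f"iptables -A FORWARD -i {green} -o {red} -j ACCEPT",
            f"iptables -t nat -A POSTROUTING -o {red} -j MASQUERADE"]
    for rport, host, gport in cfg.forwards:
        rport, gport, host = _port(rport), _port(gport), str(ipaddress.IPv4Address(host))
        out += [f"iptables -t nat -A PREROUTING -i {red} -p tcp --dport {rport} -j DNAT --to-destination {host}:{gport}",
                f"iptables -A FORWARD -i {red} -o {green} -p tcp -d {host} --dport {gport} -m state --state NEW -j ACCEPT"]
    return "\n".join(out) + "\n"
# Constructed sample: web open from red, ssh and web from green, one forward to a green host.
SAMPLE = FirewallInput(red_open=[80, 443], green_open=[22, 80, 443],
                       forwards=[(8080, "192.168.1.10", 80)], answer_ping=True, dos_protection=True)
```

Calling `generate_script(SAMPLE)` gives the text the panel would write out as the new firewall script; anything that is not a plain port number or IPv4 address makes the generator refuse instead of ending up in the file.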