Other autoconfig autodeploy GUI

The plan is this: you have some sheet with a painting of your network topology.

Now ideally that sheet does already contain all that is to know about the network.
The next thing to do therefore is, feed the sheet into some script processor, and out come the ready-to-go deployable firewall configs for all concerned hosts.

Do we have software that can do this?
 
Nobody has any ideas whatsoever, indeed?
Not even on whether the approach might be feasible, or might be deficient for whatever reasons?
 
That sounds a lot like FirewallBuilder...

Yes, that seems to be about what I had expected to exist.

The background is: I was sitting here with my 400+ rule firewall, written some 10 years ago, which really needed a major workover, as a couple of new things have arrived, most prominently VoIP. But it didn't look like fun to approach that task.
I finally figured that it would be easier (and more fun) to set up a database GUI and then just click the needed things together and have a script generate the actual rules from that, than to sort out and manually edit these rules with the editor.
And so I did. Then I was wondering: if this is so easy to do, why doesn't it already exist? I did a web search, but didn't find this one, or anything similar. So the question was: should I make my approach publicly accessible (which is a bit of additional work)?
 
The plan is this: you have some sheet with a painting of your network topology.

Now ideally that sheet does already contain all that is to know about the network.
The next thing to do therefore is, feed the sheet into some script processor, and out come the ready-to-go deployable firewall configs for all concerned hosts.
Your drawings aren't going to show the traffic flows. Which is what's actually important for a firewall. Topology is important of course, but the firewall needs to know what traffic should be allowed to go where. If you're just going to assume everything has to talk to everything else, then one can argue about why you're installing a firewall in the first place.
 
Your drawings aren't going to show the traffic flows.

No, they are going to show what the device is good for. Which means, the use-cases.

Which is what's actually important for a firewall. Topology is important of course but the firewall needs to know what traffic should be allowed to go where.

Yes, the firewall needs to know. But I don't want to know and sort this out again and again.
Take a VoIP device: there are half a dozen strange services with rather weird behaviour associated with that.
There it should be enough to click on that and say, this is another telephone, because everything else is obvious from that.
Then, when you configure an Asterisk, it should not be necessary to rewrite the whole firewall. It should suffice to click on the objects and say, these are now routed to the Asterisk. Ruleset gets recreated, goes into staging, connectivity check, set productive. No new errors, no typos, no nothing. Continuous delivery.

I've not implemented that yet. I have focused on the topology, because that's what I wanted first: to say <route this via a different gateway>, or <install another NAT at this point>, with one click, and have all the weird stateful rules autocreated accordingly, forwards and backwards. That part works.
 
But I don't want to know and sort this out again and again.
Three words, document, document and document.

Then, when you configure an Asterisk, it should not be necessary to rewrite the whole firewall. It should suffice to click on the objects and say, these are now routed to the Asterisk.
I don't know how you configure a firewall, but I generally create fairly straightforward rules using objects (or variables with PF) and abstract as much as possible into logical groups. Just add the Asterisk to the right object group and the rest will follow. If you create a new set of rules for every little thing, the ruleset will grow organically into a giant mess.
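The two positions above (rules generated from a topology model with one-click NAT and gateway changes, versus a hand-written ruleset that stays small because hosts are grouped into objects) are not far apart: both reduce the firewall to an object model plus rules written once per group. The following is an added example of that idea, written for this page; it is neither the original poster's GUI tool nor the replier's configuration. It assumes a hypothetical object model (hosts tagged with roles, flows written per role pair, a NAT point per role) and constructed sample data with illustrative ports, and it emits FreeBSD-style pf.conf lines using tables as the object groups. Adding a phone changes one table entry and no rule; referencing a role or service that does not exist is rejected before anything is emitted.

```python
"""Generate a pf.conf fragment from an object model of the network.

Added example, not code from the thread. Hosts carry roles; flows are
written once per role pair; a NAT point is declared per role. Roles become
pf tables, so adding a host means adding one table entry, not a new rule.
"""
from dataclasses import dataclass, field

# Constructed service catalogue: illustrative ports, not a protocol reference.
SERVICES = {
    "sip": [("udp", "5060"), ("tcp", "5060")],
    "rtp": [("udp", "10000:20000")],
    "dns": [("udp", "53"), ("tcp", "53")],
    "ntp": [("udp", "123")],
}


@dataclass
class Host:
    name: str
    addr: str
    roles: list[str] = field(default_factory=list)


@dataclass
class Flow:
    src: str      # role name, or "any"
    dst: str      # role name, or "any"
    service: str  # key of SERVICES


@dataclass
class Nat:
    """Hosts holding `role` leave via `ext_if`, source-translated to `ext_addr`."""
    role: str
    ext_if: str
    ext_addr: str


def role_tables(hosts):
    """Map each role to the addresses of the hosts that carry it."""
    by_role: dict[str, list[str]] = {}
    for h in hosts:
        for r in h.roles:
            by_role.setdefault(r, []).append(h.addr)
    return by_role


def _endpoint(role, tables):
    """Render a flow endpoint as a pf table reference; reject unknown roles."""
    if role == "any":
        return "any"
    if role not in tables:
        raise ValueError(f"flow references role {role!r} with no members")
    return f"<{role}>"


def generate(hosts, flows, nats=()):
    """Return the pf.conf lines: tables, NAT, default deny, then pass rules."""
    tables = role_tables(hosts)
    out = []
    for role, addrs in sorted(tables.items()):
        out.append(f"table <{role}> {{ {', '.join(sorted(addrs))} }}")
    for n in nats:
        _endpoint(n.role, tables)  # validate the role before emitting NAT
        out.append(f"nat on {n.ext_if} from <{n.role}> to any -> {n.ext_addr}")
    out.append("block all")
    for f in flows:
        if f.service not in SERVICES:
            raise ValueError(f"unknown service {f.service!r}")
        src, dst = _endpoint(f.src, tables), _endpoint(f.dst, tables)
        for proto, port in SERVICES[f.service]:
            # One stateful pass rule per (flow, proto/port); return traffic
            # rides on the state, so no reverse rule is written.
            out.append(f"pass proto {proto} from {src} to {dst} port {port} keep state")
    return out


# Constructed sample network: two phones, one PBX, one workstation.
HOSTS = [
    Host("phone1", "192.0.2.11", ["phone"]),
    Host("phone2", "192.0.2.12", ["phone"]),
    Host("pbx", "192.0.2.20", ["asterisk"]),
    Host("pc1", "192.0.2.30", ["client"]),
]
FLOWS = [
    Flow("phone", "asterisk", "sip"),
    Flow("phone", "asterisk", "rtp"),
    Flow("phone", "any", "ntp"),
    Flow("client", "any", "dns"),
]
NATS = [Nat("client", "em0", "203.0.113.1")]  # hypothetical external interface


def demo():
    return generate(HOSTS, FLOWS, NATS)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the script prints the fragment; `pfctl -nf` on the result is the obvious next check before it goes anywhere near a live ruleset.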
 
Three words, document, document and document.

The medium is the message.

I don't know how you configure a firewall, but I generally create fairly straightforward rules using objects (or variables with PF) and abstract as much as possible into logical groups. Just add the Asterisk to the right object group and the rest will follow.

Aye, greater men than me have tried to make that SIP stuff work with NAT, and have despaired.

Eeuwige Bloemenkraft!
 
Ladies and Gentlemen!!!

We proudly present:

The Giant Mess

(attachment: demo.png)
 