Re: [Setup-tool-hackers] Firewall Option?



On 15 Aug 2001 19:42:31 -0400, Arturo Espinosa Aldama wrote:
> On 15 Aug 2001, Joakim Ziegler wrote:

>> #2 isn't really a good option. "And for the advanced option, we just
>> supply a type-in field where the user can enter his own stuff" isn't
>> good GUI, it's kind of a cop-out.

>> I think #1 sounds like a good solution at the moment. On the longer
>> term, instead of doing #2, the right thing to do would be to completely
>> map out the useful functionality of the underlying system, and then
>> create a good and intuitive UI for it. That is the correct and friendly
>> way of doing it.

> No way! I propose a button that launches emacs with the corresponding file
> in a buffer! But I can't think of a sane proposal for the advanced option
> at the moment.

I can't either. That is because I haven't mapped the problem. I can see
that there are several layers of functionality here, and each one maps
differently to a GUI:

* Low-level, per-rule layer. This is the most abstract, because a single
rule exists in a vacuum. It has no context, no purpose beyond what
itself expresses. An example of a rule like this is "block incoming
packages on port 567 when there's been no packages coming in port 325
from the same IP in the last 5 minutes". This is very hard to express in
a GUI other than as a list of rules (although it would be possible to
have a GUI that lets you construct such rules, checks their syntax,
syntax highlights them, etc., which would probably be helpful for the
expert user).

* Medium-level, ruleset layer. This is easier to express. It can be a
set of named rules that achieve a set objective, like "only allow SMTP
connections from a given series of IP addresses". This is not very much
more high-level than the low-level rules (at most, the medium-level
rules consist of 5-6 low-level rules), but by naming them and providing
"templates" for rules, it's a lot easier to deal with for the user.

* High-level, task-oriented layer. This requires behind-the-scenes
analysis and magic, but is very useful. Essentially, this is a set of
large-scale templates for things like "this machine is a web server",
which provide some fill-in fields and then adjust firewall rules and
filters on a large scale to secure the system.

If the higher-level layers can use the lower-level ones, perhaps in a
tree configuration, that would be a good system for advanced firewall
configuration.

I would recommend looking at other firewall tools (both free and
proprietary, and for different platforms), but sadly, every single one
I've seen in my life has sucked big rocks. So it might be better to just
work with this from scratch.

-- 
    Joakim Ziegler - Ximian Engineer - joakim@ximian.com - Radagast@IRC
 FIX sysop - Free Software Coder - Writer - FIDEL & Conglomerate
developer
http://www.avmaria.com/ - http://www.ximian.com/ -
http://www.sinthetic.org/
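As an added example (not code from this thread or from the setup-tools project), here is a small Python model of the three layers Joakim describes: low-level rules, named medium-level rulesets, and high-level task templates that compose them in a tree. The class and function names (`Rule`, `RuleSet`, `Task`, `only_from`, `public_service`, `web_server`, `compile_task`) are my own assumptions, and the rendered rule text is a generic notation, not any real firewall's syntax.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple, Union


@dataclass(frozen=True)
class Rule:
    """Low-level layer: one self-contained filter rule with no context."""
    action: str       # "allow" or "block"
    proto: str        # "tcp" or "udp"
    port: str         # destination port, or "any"
    src: str = "any"  # source address/CIDR, or "any"

    def render(self) -> str:
        # Generic notation for illustration only, not a real firewall syntax.
        return f"{self.action} {self.proto} dport {self.port} from {self.src}"


@dataclass(frozen=True)
class RuleSet:
    """Medium-level layer: a named template that achieves one objective."""
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Task:
    """High-level layer: a task template built from rulesets and/or other tasks."""
    name: str
    children: Tuple[Union["Task", RuleSet], ...]


def only_from(service: str, proto: str, port: str, sources: List[str]) -> RuleSet:
    """Template: allow `service` only from `sources`, then block it for everyone else."""
    allows = tuple(Rule("allow", proto, port, s) for s in sources)
    return RuleSet(f"{service}-only-from", allows + (Rule("block", proto, port),))


def public_service(service: str, proto: str, port: str) -> RuleSet:
    """Template: expose one service to all sources."""
    return RuleSet(f"{service}-public", (Rule("allow", proto, port),))


def web_server(admin_net: str) -> Task:
    """Task template 'this machine is a web server'; admin_net is its fill-in field."""
    return Task("web-server", (
        public_service("http", "tcp", "80"),
        public_service("https", "tcp", "443"),
        only_from("ssh", "tcp", "22", [admin_net]),
        RuleSet("default-deny", (Rule("block", "tcp", "any"), Rule("block", "udp", "any"))),
    ))


def compile_task(node: Union[Task, RuleSet]) -> List[str]:
    """Walk the tree depth-first and emit low-level rules in order.
    Order is kept (first match wins); exact duplicates are dropped."""
    out: List[str] = []
    seen: Set[Rule] = set()

    def walk(n: Union[Task, RuleSet]) -> None:
        if isinstance(n, RuleSet):
            for r in n.rules:
                if r not in seen:
                    seen.add(r)
                    out.append(r.render())
        else:
            for child in n.children:
                walk(child)

    walk(node)
    return out
```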


_______________________________________________
setup-tool-hackers maillist  -  setup-tool-hackers@ximian.com
http://lists.ximian.com/mailman/listinfo/setup-tool-hackers