On Sun, Mar 14, 2010 at 11:48:44AM +0500, ???? ??????? wrote:
> we have many people who know ISA very well and all they do with ISA is
> "publishing applications", rdr rules in terms of pf.
> they do not need to know "all the pf detailed", all they need is
>
> a) something ISA-like
> b) syntax-checker, I mean that gui should only allow adding correct
> rules (what is not true when you edit file)
>
> "learn pf.conf and edit file" is not our case though.

Then you're in a much more limited problem domain, and it may be
solvable for you. However, this went from "how do I export the
full ability to edit pf.conf into gui form" to possibly just
being "i need to add rdr rules via monkey-usable button", which
is several orders of magnitude easier.

However, in order to receive help in solving a problem, you must
first state what the problem you're attempting to solve is. As
awesome as I am, your tinfoil underwear is rendering my telepathy
utterly useless.

So, to summarize: details, mofo.

>
> 2010/3/14 Jason Dixon <jason@dixongroup.net>:
> > On Sun, Mar 14, 2010 at 11:02:29AM +0500, ???? ??????? wrote:
> >> Hello,
> >>
> >> is there any GUI (like pfsense) around which can be installed on a
> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management
> >> ?
> >> I've found comixwall, but it seems to be dead already.
> >
> > None that are worth it, imho. If you want to do it right (you wouldn't
> > use OpenBSD if you didn't) then learn pf and understand what you're
> > putting together. It's not hard. In fact, compared to the
> > other *nix firewalling alternatives, it's fucking easy.
> >
> > I've considered long and hard (TWSS) to write my own web interface for
> > pf. The prevailing design philosophies SUCK. If you're going to
> > bother, do it right; proper abstraction of filtering and routing
> > concepts is mandatory if you want to make something easy *and* secure.
> > Why hasn't anyone done it? It's really, really difficult. And most
> > developers that might take a crack at an OpenBSD pf web ui aren't
> > experienced in interface design.
> >
> > I've written a few web applications related to OpenBSD (Hatchet,
> > NetFlow Dashboard, Blogsum). Compared to what a good web engineering
> > team can put out, they suck. But they do an adequate job with the task
> > they're designed to handle. Writing a log filtering interface isn't
> > hard. Writing a NetFlow query interface isn't hard. Writing a blog
> > application isn't hard (unless you're WordPress... then it's just
> > bloated).
> >
> > I'll say it again... writing a good pf web UI is HARD. It's infinitely
> > more complicated and prone to security problems. Reading the pf FAQ and
> > editing pf.conf yourself is easier by geometric proportions.
> >
> > </rant>
> >
> > --
> > Jason Dixon
> > DixonGroup Consulting
> >
> > http://www.dixongroup.net/
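
The narrowed problem discussed in this thread (a front end that only adds rdr rules and only lets correct ones through) can be sketched as below. This is an added example, not code from any poster or from OpenBSD. The function names, the allow-lists and the sample addresses are assumptions, and so is the choice of the older `rdr ... ->` rule form (later pf versions use a different syntax).

```python
import ipaddress
import re

# Constructed allow-lists; a real deployment would load these from its own inventory.
ALLOWED_PROTOS = {"tcp", "udp"}
IFACE_RE = re.compile(r"[a-z]{2,8}[0-9]{1,3}")  # e.g. em0, vlan12


def _port(value):
    """Return a port as int, accepting only plain decimal 1-65535."""
    text = str(value)
    if not re.fullmatch(r"[0-9]{1,5}", text) or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {value!r}")
    return int(text)


def _ipv4(value):
    """Return the canonical dotted-quad form, rejecting anything else."""
    if not isinstance(value, str):
        raise ValueError(f"invalid IPv4 address: {value!r}")
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"invalid IPv4 address: {value!r}") from exc


def build_rdr_rule(iface, proto, ext_ip, ext_port, int_ip, int_port):
    """Build one rdr line (assumed older pf.conf syntax) from validated fields only."""
    # Every field is matched against a strict pattern, so form input can never
    # carry whitespace, newlines or braces into the generated pf.conf line.
    if not isinstance(iface, str) or not IFACE_RE.fullmatch(iface):
        raise ValueError(f"invalid interface: {iface!r}")
    if not isinstance(proto, str) or proto not in ALLOWED_PROTOS:
        raise ValueError(f"invalid protocol: {proto!r}")
    return (
        f"rdr on {iface} proto {proto} from any to {_ipv4(ext_ip)} "
        f"port {_port(ext_port)} -> {_ipv4(int_ip)} port {_port(int_port)}"
    )
```

Field validation only guarantees that the line is well formed. Parsing the candidate ruleset with `pfctl -nf` before loading it is still the authoritative syntax check.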