On Fri, 2004-03-05 at 14:21, John P Lang wrote:
> Good morning,
>
> Just out of curiosity, has anyone seen an application that allows you to
> build iptables rules using web forms, post to a database of choice and
> builds a firewall script?
>
> I know... I'm not asking for much.
>
> Any suggestions or comments would be greatly appreciated.
>
> John L

If I understand your request properly, you may want to look at fwbuilder (http://www.fwbuilder.org).

I am very involved with the ISCS project (http://iscs.sourceforge.net); however, it has not yet released code. When it does, we will go far beyond being able to generate iptables rules from a graphically front-ended database. Instead of creating rules, one describes one's security and communications environment in high-level business terms (e.g., give Executive and Financial access to Financial Data). It then evaluates the environment and produces consistent iptables filter, nat and mangle rules, OpenS/WAN VPN connections, iproute2 route configurations, user authentication routines for out-of-band user authentication (e.g., creating iptables rules based upon a user's X.509 certs, RADIUS ID, ActiveDirectory ID) and RAS DHCP configurations to produce the environment. It stores them in any RDBMS that supports transactions and automatically distributes them to any number of gateways anywhere.

One can also define and distribute, in the same high-level, abstracted way, layer 1 and layer 2 configurations for the physical gateways. This makes the product extensible beyond just security devices. It can be used to manage large numbers of Linux routers. A possible fabulous use is to create large networks of thousands of wireless access points with out-of-band user identification, so that even if someone does gain unauthorized access to the access point, they cannot go anywhere beyond the access point unless they can properly identify themselves and, even then, they can only go where their credentials allow them to go.
That might be a little more than you are looking for, but we're quite intrigued with it. Although it does meet your requirement to talk to any RDBMS, because the user interface is extremely demanding, it is managed through a web browser. However, the GUI is written in Qt so that the same code, with only minor modifications, will run on Windows, X11 or Mac. Finally, it is not just limited to iptables. Any vendor who can provide the requisite functionality and a communications method can be managed with ISCS.

Good luck in your search - John

--
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com
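The reply above describes compiling high-level statements such as "give Executive and Financial access to Financial Data" into consistent iptables rules. The following is an added illustration of that idea, written for this page; it is not ISCS code, says nothing about ISCS's actual data model or output, and uses hypothetical group names, addresses and services. It expands each business statement into deduplicated 5-tuple accept rules behind a default-deny FORWARD chain, and includes a small evaluator so the compiled ruleset can be checked against sample flows before it is pushed to a gateway.

```python
"""Toy policy compiler: business-level access statements -> iptables rules.

Added example for this thread. Hypothetical environment; NOT ISCS code and
not a description of how ISCS represents or renders its policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# --- Constructed environment (hypothetical addresses and names) -------------
GROUPS: Dict[str, List[str]] = {
    "Executive":   ["10.1.10.0/24"],
    "Financial":   ["10.1.20.0/24"],
    "Engineering": ["10.1.30.0/24"],
}

# A resource is the set of hosts plus the services that make up the application.
RESOURCES: Dict[str, Tuple[List[str], List[Tuple[str, int]]]] = {
    "Financial Data": (["10.2.0.10", "10.2.0.11"], [("tcp", 443), ("tcp", 1433)]),
}

# The business statement from the mail: give Executive and Financial access
# to Financial Data. Nothing else is granted, so everything else is dropped.
POLICY: List[Tuple[List[str], str]] = [
    (["Executive", "Financial"], "Financial Data"),
]


@dataclass(frozen=True)
class Rule:
    src: str      # source network (CIDR)
    dst: str      # destination host
    proto: str
    dport: int
    label: str    # business-level origin, kept as an iptables comment for audit

    def render(self, chain: str = "FORWARD") -> str:
        return (f'iptables -A {chain} -s {self.src} -d {self.dst} -p {self.proto} '
                f'--dport {self.dport} -m conntrack --ctstate NEW '
                f'-m comment --comment "{self.label}" -j ACCEPT')


def compile_policy(groups, resources, policy) -> List[Rule]:
    """Expand each statement into concrete accept rules.

    Expansion is deterministic and deduplicated: two statements granting the
    same flow yield one rule, so the ruleset stays consistent regardless of
    how many overlapping grants the policy contains.
    """
    out: List[Rule] = []
    seen = set()
    for granted, resource in policy:
        hosts, services = resources[resource]
        for group in granted:
            for src in groups[group]:
                for dst in hosts:
                    for proto, port in services:
                        key = (src, dst, proto, port)
                        if key in seen:
                            continue
                        seen.add(key)
                        out.append(Rule(src, dst, proto, port, f"{group} -> {resource}"))
    return out


def render_script(rules: Sequence[Rule], chain: str = "FORWARD") -> List[str]:
    """Full script: flush, default deny, allow return traffic, then the accepts."""
    script = [
        f"iptables -F {chain}",
        f"iptables -P {chain} DROP",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    script.extend(r.render(chain) for r in rules)
    return script


def is_allowed(rules: Sequence[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Evaluate a new flow against the compiled rules: first match wins, default DROP."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst_ip == r.dst
                and proto == r.proto and dport == r.dport):
            return True
    return False


if __name__ == "__main__":
    compiled = compile_policy(GROUPS, RESOURCES, POLICY)
    print("\n".join(render_script(compiled)))
```

The evaluator is the part worth keeping in any real compiler of this kind: being able to ask "can this Engineering host reach the database port?" against the generated rules, before distribution, is what makes a policy-driven ruleset auditable rather than just convenient.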