>
> 2010/3/14 Bret S. Lambert <bret.lambert@gmail.com>:
> > On Sun, Mar 14, 2010 at 11:48:44AM +0500, ???? ??????? wrote:
> >> we have many people who know ISA very well and all they do with ISA is
> >> "publishing applications", rdr rules in terms of pf.
> >> they do not need to know "all the pf detailed", all they need is
> >>
> >> a) something ISA-like
> >> b) syntax-checker, I mean that gui should only allow adding correct
> >> rules (what is not true when you edit file)
> >>
> >> "learn pf.conf and edit file" is not our case though.
> >
> > Then you're in a much more limited problem domain, and it may be
> > solvable for you. However, this went from "how do I export the
> > full ability to edit pf.conf into gui form" to possibly just
> > being "i need to add rdr rules via monkey-usable button", which
> > is several orders of magnitude easier.
> >
> > However, in order to receive help in solving a problem, you must
> > first state what the problem you're attempting to solve is. As
> > awesome as I am, your tinfoil underwear is rendering my telepathy
> > utterly useless.
> >
> > So, to summarize: details, mofo.
> >
> >>
> >> 2010/3/14 Jason Dixon <jason@dixongroup.net>:
> >> > On Sun, Mar 14, 2010 at 11:02:29AM +0500, ???? ??????? wrote:
> >> >> Hello,
> >> >>
> >> >> is there any GUI (like pfsense) around which can be installed on a
> >> >> clean OpenBSD box (or even two CARP-connected boxes) for pf management?
> >> >> I've found comixwall, but it seems to be dead already.
> >> >
> >> > None that are worth it, imho. If you want to do it right (you wouldn't
> >> > use OpenBSD if you didn't) then learn pf and understand what you're
> >> > putting together. It's not hard. In fact, compared to the
> >> > other *nix firewalling alternatives, it's fucking easy.
> >> >
> >> > I've considered long and hard (TWSS) to write my own web interface for
> >> > pf. The prevailing design philosophies SUCK. If you're going to
> >> > bother, do it right; proper abstraction of filtering and routing
> >> > concepts is mandatory if you want to make something easy *and* secure.
> >> > Why hasn't anyone done it? It's really, really difficult. And most
> >> > developers that might take a crack at an OpenBSD pf web ui aren't
> >> > experienced in interface design.
> >> >
> >> > I've written a few web applications related to OpenBSD (Hatchet,
> >> > NetFlow Dashboard, Blogsum). Compared to what a good web engineering
> >> > team can put out, they suck. But they do an adequate job with the task
> >> > they're designed to handle. Writing a log filtering interface isn't
> >> > hard. Writing a NetFlow query interface isn't hard. Writing a blog
> >> > application isn't hard (unless you're WordPress... then it's just
> >> > bloated).
> >> >
> >> > I'll say it again... writing a good pf web UI is HARD. It's infinitely
> >> > more complicated and prone to security problems. Reading the pf FAQ and
> >> > editing pf.conf yourself is easier by geometric proportions.
> >> >
> >> > </rant>
> >> >
> >> > --
> >> > Jason Dixon
> >> > DixonGroup Consulting
> >> > http://www.dixongroup.net/