Re: any web management gui for pf ?

Previous thread: Online dis ticaret egitimleri by info on Saturday, March 13, 2010 - 5:24 am. (1 message)

Next thread: PPPOE/IPSEC/PF by Steve on Saturday, March 13, 2010 - 10:12 pm. (1 message)
From: Илья Шипицин
Date: Saturday, March 13, 2010 - 11:02 pm

Hello,

is there any GUI (like pfsense) around which can be installed on a
clean OpenBSD box (or even two CARP-connected boxes) for pf management?
I've found comixwall, but it seems to be dead already.


Cheers,
Ilya Shipitsin

From: Jason Dixon
Date: Saturday, March 13, 2010 - 11:39 pm

None that are worth it, imho.  If you want to do it right (you wouldn't
use OpenBSD if you didn't) then learn pf and understand what you're
putting together.  It's not hard.  In fact, compared to the
other *nix firewalling alternatives, it's fucking easy.

I've considered long and hard (TWSS) to write my own web interface for
pf.  The prevailing design philosophies SUCK.  If you're going to
bother, do it right;  proper abstraction of filtering and routing
concepts is mandatory if you want to make something easy *and* secure.
Why hasn't anyone done it?  It's really, really difficult.  And most
developers that might take a crack at an OpenBSD pf web ui aren't
experienced in interface design.

I've written a few web applications related to OpenBSD (Hatchet,
NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
team can put out, they suck.  But they do an adequate job with the task
they're designed to handle.  Writing a log filtering interface isn't
hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
application isn't hard (unless you're WordPress... then it's just
bloated).

I'll say it again... writing a good pf web UI is HARD.  It's infinitely
more complicated and prone to security problems.  Reading the pf FAQ and
editing pf.conf yourself is easier by geometric proportions.

</rant>

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/

From: Илья Шипицин
Date: Saturday, March 13, 2010 - 11:48 pm

we have many people who know ISA very well and all they do with ISA is
"publishing applications", rdr rules in terms of pf.
they do not need to know "all the pf details", all they need is

a) something ISA-like
b) syntax-checker, I mean that the gui should only allow adding correct
rules (which is not true when you edit the file)

"learn pf.conf and edit file" is not our case though.


From: Bret S. Lambert
Date: Saturday, March 13, 2010 - 11:59 pm

Then you're in a much more limited problem domain, and it may be
solvable for you. However, this went from "how do I export the
full ability to edit pf.conf into gui form" to possibly just
being "i need to add rdr rules via monkey-usable button", which
is several orders of magnitude easier.

However, in order to receive help in solving a problem, you must
first state what the problem you're attempting to solve is. As
awesome as I am, your tinfoil underwear is rendering my telepathy
utterly useless.


From: Илья Шипицин
Date: Sunday, March 14, 2010 - 12:05 am

a) two CARP-connected OpenBSD boxes

b) many "real" IP addresses bound to OpenBSD

c) RFC1918 (non routable) network with servers

d1) monkey button for "nat" rules, so some servers can connect to
certain services (say, smtp to Gmail)

d2) monkey button for "rdr" rules, so some servers could be "published"
on certain IP addresses


From: Bret S. Lambert
Date: Sunday, March 14, 2010 - 12:14 am

This is actually pretty straightforward, if you're willing to
build a script which takes a few files as input and then generates
a pf.conf from each machine from those.

NAT monkey button adds/removes entries from a pf.conf.nat
RDR monkey button adds/removes entries from a pf.conf.rdr

Some magic happens to trigger the pf.conf getting pulled together
from those and any other bits you may require (e.g., pf.conf.mypr0n)
and that gets pushed to your servers.

How complex you make each of these bits is left as an exercise for
the reader.

You don't need a towering edifice to solve simple problems. You

From: Илья Шипицин
Date: Sunday, March 14, 2010 - 12:30 am

I just want to make sure there's no wheel already invented ))


From: Bret S. Lambert
Date: Sunday, March 14, 2010 - 12:35 am

While that's a fair enough thing to do, you didn't really tell
anybody what you were going to use the wheel for.

I could continue the metaphor, but that would quickly become
illegible, so I'll just reiterate:

State the problem you're trying to solve before trying to enlist
the help of others in solving it.

From: Илья Шипицин
Date: Sunday, March 14, 2010 - 12:42 am

the situation is pretty clear - any web gui for pf, something like what
pfsense already is, but installable on a "clean" OpenBSD box. you
probably do not understand what mailing lists are for.
mailing lists are for asking questions and for answering questions. if
you have nothing to say except "read the fantastic manual", please,
keep quiet.

"read the fantastic manual" doesn't help anybody. it doesn't make any
point at all.


From: Bret S. Lambert
Date: Sunday, March 14, 2010 - 12:47 am

I never pointed you at a manual; I asked for clarification and gave you
a path to solving your problem, which apparently left you all butthurt.


From: Илья Шипицин
Date: Sunday, March 14, 2010 - 12:48 am

the problem was described very precisely "pf gui like pfsense, but

read the letter before answering to it.



From: Daniel Ouellet
Date: Sunday, March 14, 2010 - 2:45 am

Then why don't you use pfsense and port it back to OpenBSD?

After all pf was created on OpenBSD and works better on OpenBSD anyway 
and the license of pfsense is BSD.

http://www.pfsense.org/index.php?option=com_content&task=view&id=42&Itemid=62

So, if that's what you really want, then help yourself and make it work 
and you will have exactly what you want.

You have been told there isn't one decent and you want pfsense like, so 
use that and bring it to OpenBSD as you want.

And right on the pfsense website there is a big logo with "Commercial 
Support Available". If you can't do it, then pay them to do it for you 
and your team will have what they want.

But frankly, I would very much recommend you to simply edit the pf.conf 
and refer to the manual if you have questions; there isn't anything that 
will ever do it better, really, no joke or punch intended, there isn't 
anything that will come close to it.

Best of luck.

Daniel

From: Илья Шипицин
Date: Sunday, March 14, 2010 - 3:35 am

because I don't like to waste my time doing things that have already
been done.
I will port it to OpenBSD, it shouldn't be that hard. I just wanted to

don't tell me what to do, and you will not hear where you should go.

by the way, I was not asking what to do, I asked "is there a web gui
for pf around?"


From: FRLinux
Date: Sunday, March 14, 2010 - 5:18 pm

I have never used pfsense but I see from the frontpage that it has
been forked from m0n0wall. Back then, m0n0wall did not support IPv6
(although now it does:
http://m0n0.ch/wall/list-announce/showmsg.php?id=0/59).

That is one of the reasons which pushed me to use OpenBSD on my
soekris (that is a few years back in 2007; at the time, I even tried
to enable it myself with some level of success:
http://forum.m0n0.ch/index.php/topic,1038.0/topicseen.html)

According to some searching, it looks like IPv6 in pfsense is not a
given (http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/
- http://thread.gmane.org/gmane.comp.security.firewalls.pfsense.support/14962)
and this is a killer for me.

Cheers,
Steph

From: Jason Dixon
Date: Sunday, March 14, 2010 - 12:08 am

You're SOL on all counts.  Oh by the way, when you find that magical
firewall ui that "only allows adding correct rules", please let me know.
That's some insanely smart code that knows right from wrong.  Not even
pf itself will keep you from shooting yourself in the foot with
stupidity.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/

From: Илья Шипицин
Date: Sunday, March 14, 2010 - 12:12 am

text files do not have any structure; from pf.conf's point of view the rule

"blok in all"

is nothing more than just a line


From: Jason Dixon
Date: Sunday, March 14, 2010 - 12:32 am

You obviously haven't read pfctl(8).  It supports syntax checking.

$ sudo grep -n blok /etc/pf.conf
30:blok in all

$ sudo pfctl -nf /etc/pf.conf
/etc/pf.conf:30: syntax error


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
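
The fragment scheme Bret sketches above (a nat button and an rdr button each writing to their own file, with something pulling those into one pf.conf and pushing it out) and the pfctl -nf check Jason shows here are, put together, most of the "only allow adding correct rules" requirement from earlier in the thread. What follows is an added example, not code from this thread, from pfsense or from any tool named in it: a small POSIX sh backend for those two buttons. Assumed, and not from the thread: the fragment file names, the pre-4.7 nat/rdr rule syntax, and a PFCTL variable so the check can be pointed at a stub on a host without pf. pfctl -nf only parses the file; pfctl -f loads it.

```shell
#!/bin/sh
# Added example, not code from the thread: per-purpose pf.conf fragments
# written by validated "monkey buttons", assembled into one candidate file,
# syntax-checked with pfctl -nf, and only then installed and loaded.
# Assumptions: fragment names below, OpenBSD 4.6-era nat/rdr syntax, and
# PFCTL overridable with a stub (e.g. PFCTL=true) where pfctl is absent.
PFCTL="${PFCTL:-pfctl}"

# is_ipv4 ADDR: dotted quad with every octet in 0..255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# is_int LOW HIGH VALUE: VALUE is a non-negative integer within [LOW, HIGH]
is_int() {
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# add_rdr_rule DIR EXT_IF EXT_IP PORT INT_IP: "publish" INT_IP:PORT on a
# real address. Refuses anything that is not a well-formed address or port,
# so free-form text never reaches the fragment.
add_rdr_rule() {
    is_ipv4 "$3" && is_int 1 65535 "$4" && is_ipv4 "$5" || return 1
    printf 'rdr on %s proto tcp from any to %s port %s -> %s\n' \
        "$2" "$3" "$4" "$5" >> "$1/pf.conf.rdr"
}

# add_nat_rule DIR EXT_IF INT_NET PORT: let INT_NET (a.b.c.d or a.b.c.d/len)
# reach PORT on the outside, e.g. 25 for "smtp to Gmail".
add_nat_rule() {
    case "$3" in */*) net=${3%/*}; len=${3#*/} ;; *) net=$3; len=32 ;; esac
    is_ipv4 "$net" && is_int 0 32 "$len" && is_int 1 65535 "$4" || return 1
    printf 'nat on %s from %s to any port %s -> (%s)\n' \
        "$2" "$3" "$4" "$2" >> "$1/pf.conf.nat"
}

# assemble_pfconf DIR: concatenate the fragments in the order pf.conf needs
# (macros, then translation rules, then filter rules) onto stdout.
assemble_pfconf() {
    for frag in pf.conf.macros pf.conf.nat pf.conf.rdr pf.conf.filter; do
        if [ -f "$1/$frag" ]; then
            printf '# --- %s ---\n' "$frag"
            cat "$1/$frag"
        fi
    done
}

# install_pfconf DIR TARGET: assemble a candidate, parse it with pfctl -nf,
# and only on success move it into place and load it. A bad fragment
# leaves the previously installed TARGET untouched.
install_pfconf() {
    candidate=$(mktemp "$2.XXXXXX") || return 1
    assemble_pfconf "$1" > "$candidate"
    if "$PFCTL" -nf "$candidate"; then
        mv "$candidate" "$2" && "$PFCTL" -f "$2"
    else
        rm -f "$candidate"
        return 1
    fi
}
```

The button functions reject malformed addresses and ports before anything is written; pfctl -nf then catches whatever the generator or a hand-edited fragment still gets wrong (a "blok in all" in pf.conf.filter, say), and a failed check leaves the running ruleset and the installed file as they were. Neither step can tell a rule that parses but is wrong for the network from one that is right, which is the point made above about pf not stopping you from shooting yourself in the foot.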

From: Siju George
Date: Monday, March 15, 2010 - 1:44 am

On Sun, Mar 14, 2010 at 11:32 AM, Илья Шипицин

Is this what you are looking for?

http://www.fwbuilder.org/

I never used it and don't think I will ever use it. Editing pf.conf is
just so easy :-)

--Siju
