From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: John P Lang <johnl@oregonisonline.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Create IPTables rules using output from a database?
Date: Fri, 05 Mar 2004 15:43:43 -0500
Message-ID: <1078519423.2065.20.camel@localhost>
In-Reply-To: <200403051921.i25JLmR05621@megalon.oregonisonline.com>
On Fri, 2004-03-05 at 14:21, John P Lang wrote:
> Good morning,
>
> Just out of curiosity, has anyone seen an application that allows you to
> build iptables rules using web forms, post to a database of choice and
> builds a firewall script?
>
> I know... I'm not asking for much.
>
> Any suggestions or comments would be greatly appreciated.
>
> John L
If I understand your request properly, you may want to look at fwbuilder
(http://www.fwbuilder.org).
I am very involved with the ISCS project (http://iscs.sourceforge.net)
however it has not yet released code. When it does, we will go far
beyond being able to generate iptables rules from a graphically
front-ended database. Instead of creating rules, one describes one's
security and communications environment in high level business terms
(e.g., give Executive and Financial access to Financial Data). It then
evaluates the environment and produces consistent iptables filter, nat
and mangle rules, OpenS/WAN VPN connections, iproute2 route
configurations, user authentication routines for out-of-band user
authentication (e.g., creating iptables rules based upon a user's X.509
certs, RADIUS ID, ActiveDirectory ID) and RAS DHCP configurations to
produce the environment. It stores them in any RDBMS that supports
transactions and automatically distributes them to any number of
gateways anywhere.
One can also define and distribute in the same high-level, abstracted
way, layer1 and layer2 configurations for the physical gateways. This
makes the product extensible beyond just security devices. It can be
used to manage large numbers of Linux routers. A possible fabulous use
is to create large networks of thousands of wireless access points with
out-of-band user identification so that even if someone does gain
unauthorized access to the access point, they cannot go anywhere beyond
the access point unless they can properly identify themselves and, even
then, they can only go where their credentials allow them to go.
That might be a little more than you are looking for but we're quite
intrigued with it. Although it does meet your requirement to talk to
any RDBMS, because the user interface is extremely demanding, it is
managed through a web browser. However, the GUI is written in Qt so that
the same code with only minor modifications will run on Windows, X11 or
Mac.
Finally, it is not just limited to iptables. Any vendor who can provide
the requisite functionality and a communications method can be managed
with ISCS.
Good luck in your search - John
--
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com
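A minimal version of the generator the original question asks for (rules stored in a database, a firewall script produced from them), added here as an illustration; it is not code from this thread, from fwbuilder or from ISCS. It assumes a hypothetical SQLite table `rules` with the columns shown, and the sample rows are constructed for the example. The point it adds to the discussion is that anything read back from a database that a web form writes to is untrusted input for the generated script: every field is checked against a whitelist (chain, action, protocol, CIDR, port, comment) and shell-quoted before it becomes a line of the script, and the script starts from a default-deny policy.

```python
import ipaddress
import re
import shlex
import sqlite3

# Hypothetical schema for this example: one row per rule, emitted in
# "position" order. Not the schema of any real tool.
SCHEMA = """
CREATE TABLE rules (
    position INTEGER PRIMARY KEY,
    chain    TEXT NOT NULL,   -- INPUT, FORWARD or OUTPUT
    action   TEXT NOT NULL,   -- ACCEPT, DROP or REJECT
    proto    TEXT,            -- tcp, udp, icmp or NULL for any
    src      TEXT,            -- source CIDR or NULL for any
    dst      TEXT,            -- destination CIDR or NULL for any
    dport    INTEGER,         -- destination port or NULL for any
    comment  TEXT
);
"""

# Constructed sample rows. Row 50 carries a value that would corrupt a
# naively interpolated script; the generator must reject it, not emit it.
SAMPLE_ROWS = [
    (10, "INPUT", "ACCEPT", "tcp", "10.0.0.0/8", None, 22, "admin ssh"),
    (20, "INPUT", "ACCEPT", "tcp", None, "192.0.2.10/32", 443, "public https"),
    (30, "INPUT", "DROP", None, "198.51.100.0/24", None, None, "blocked range"),
    (40, "FORWARD", "ACCEPT", "udp", "10.1.0.0/16", "10.2.0.0/16", 53, "dns"),
    (50, "INPUT", "ACCEPT", "tcp", "10.0.0.0/8; rm -rf /", None, 80, "bad row"),
]

CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}
PROTOS = {"tcp", "udp", "icmp"}
COMMENT_RE = re.compile(r"^[A-Za-z0-9 _.-]{0,64}$")


class RuleError(ValueError):
    """Raised for a row that fails validation; the row is reported, not emitted."""


def render_rule(row):
    """Turn one validated row into a single iptables command line.

    Each field is whitelisted, so a stored value can neither add extra
    shell words nor smuggle extra iptables options into the script.
    """
    position, chain, action, proto, src, dst, dport, comment = row
    if chain not in CHAINS:
        raise RuleError(f"row {position}: bad chain {chain!r}")
    if action not in ACTIONS:
        raise RuleError(f"row {position}: bad action {action!r}")
    args = ["iptables", "-A", chain]
    if proto is not None:
        if proto not in PROTOS:
            raise RuleError(f"row {position}: bad proto {proto!r}")
        args += ["-p", proto]
    for flag, value in (("-s", src), ("-d", dst)):
        if value is not None:
            try:
                # strict=True also rejects networks with host bits set
                net = ipaddress.ip_network(value, strict=True)
            except ValueError as exc:
                raise RuleError(f"row {position}: bad address {value!r}") from exc
            args += [flag, str(net)]
    if dport is not None:
        if proto not in ("tcp", "udp") or not 1 <= int(dport) <= 65535:
            raise RuleError(f"row {position}: bad port {dport!r} for proto {proto!r}")
        args += ["--dport", str(int(dport))]
    if comment:
        if not COMMENT_RE.match(comment):
            raise RuleError(f"row {position}: bad comment {comment!r}")
        args += ["-m", "comment", "--comment", comment]
    args += ["-j", action]
    # shlex.quote makes every argument a single shell word
    return " ".join(shlex.quote(a) for a in args)


def build_script(conn):
    """Read all rules in order and return (script_text, errors).

    Rows that fail validation are skipped and listed in errors so the
    operator sees them, instead of being dropped silently or emitted as-is.
    """
    lines = [
        "#!/bin/sh",
        "set -e",
        "iptables -F",
        # keep existing sessions alive before the policies flip to DROP
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
    ]
    errors = []
    cur = conn.execute(
        "SELECT position, chain, action, proto, src, dst, dport, comment "
        "FROM rules ORDER BY position"
    )
    for row in cur:
        try:
            lines.append(render_rule(row))
        except RuleError as exc:
            errors.append(str(exc))
    return "\n".join(lines) + "\n", errors


def demo():
    """Load the constructed rows into an in-memory database and build the script."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rules VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return build_script(conn)


if __name__ == "__main__":
    script, errors = demo()
    print(script)
    for err in errors:
        print("skipped:", err)
```

Running it prints a script with four rules and reports row 50 as skipped because its source field is not a valid CIDR. A real deployment would write the script to disk and apply it with `iptables-restore`-style atomic loading rather than running it line by line, but the validation step is the part a web-form-to-database workflow most often lacks.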