* Create IPTables rules using output from a database?
From: John P Lang @ 2004-03-05 19:21 UTC (permalink / raw)
  To: netfilter

Good morning,

Just out of curiosity, has anyone seen an application that allows you to
build iptables rules using web forms, post to a database of choice and
builds a firewall script?

I know... I'm not asking for much.

Any suggestions or comments would be greatly appreciated.

John L





* Re: Create IPTables rules using output from a database?
From: John A. Sullivan III @ 2004-03-05 20:43 UTC (permalink / raw)
  To: John P Lang; +Cc: netfilter

On Fri, 2004-03-05 at 14:21, John P Lang wrote:
> Good morning,
> 
> Just out of curiosity, has anyone seen an application that allows you to
> build iptables rules using web forms, post to a database of choice and
> builds a firewall script?
> 
> I know... I'm not asking for much.
> 
> Any suggestions or comments would be greatly appreciated.
> 
> John L

If I understand your request properly, you may want to look at fwbuilder
(http://www.fwbuilder.org).

I am very involved with the ISCS project (http://iscs.sourceforge.net)
however it has not yet released code.  When it does, we will go far
beyond being able to generate iptables rules from a graphically
front-ended database.  Instead of creating rules, one describes one's
security and communications environment in high level business terms
(e.g., give Executive and Financial access to Financial Data).  It then
evaluates the environment and produces consistent iptables filter, nat
and mangle rules, OpenS/WAN VPN connections, iproute2 route
configurations, user authentication routines for out-of-band user
authentication (e.g., creating iptables rules based upon a user's X.509
certs, RADIUS ID, ActiveDirectory ID) and RAS DHCP configurations to
produce the environment.  It stores them in any RDBMS that supports
transactions and automatically distributes them to any number of
gateways anywhere.

One can also define and distribute in the same high-level, abstracted
way, layer1 and layer2 configurations for the physical gateways.  This
makes the product extensible beyond just security devices.  It can be
used to manage large numbers of Linux routers.  A possible fabulous use
is to create large networks of thousands of wireless access points with
out-of-band user identification so that even if someone does gain
unauthorized access to the access point, they cannot go anywhere beyond
the access point unless they can properly identify themselves and, even
then, they can only go where their credentials allow them to go.

That might be a little more than you are looking for but we're quite
intrigued with it.  Although it does meet your requirement to talk to
any RDBMS, because the user interface is extremely demanding, it is
managed through a web browser. However, the GUI is written in Qt so that
the same code with only minor modifications will run on Windows, X11 or
Mac.

Finally, it is not just limited to iptables.  Any vendor who can provide
the requisite functionality and a communications method can be managed
with ISCS.

Good luck in your search - John

-- 
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com
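
Added illustration, not part of the thread and not ISCS or fwbuilder code: a minimal sketch of the approach described in the message above, where access is stated as grants between named groups and resources in a database and a generator emits iptables-restore text. The schema, group and resource names, networks and port are assumptions constructed for the example.

```python
import ipaddress
import sqlite3

# Constructed sample policy: every name, network and port here is invented.
SCHEMA = """
CREATE TABLE groups(name TEXT PRIMARY KEY, cidr TEXT);
CREATE TABLE resources(name TEXT PRIMARY KEY, cidr TEXT, proto TEXT, port INTEGER);
CREATE TABLE grants(grp TEXT, resource TEXT);
INSERT INTO groups VALUES ('Executive','10.1.0.0/24'),('Financial','10.2.0.0/24'),
                          ('Engineering','10.3.0.0/24');
INSERT INTO resources VALUES ('FinancialData','10.9.0.10/32','tcp',5432);
INSERT INTO grants VALUES ('Executive','FinancialData'),('Financial','FinancialData');
"""

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def load_policy(db):
    """Resolve each grant to concrete networks; ORDER BY keeps output stable."""
    return db.execute(
        "SELECT g.cidr, r.cidr, r.proto, r.port FROM grants x "
        "JOIN groups g ON g.name = x.grp "
        "JOIN resources r ON r.name = x.resource "
        "ORDER BY g.name, r.name").fetchall()

def render_rule(src, dst, proto, port):
    """Validate every database value before it becomes rule text."""
    src_net = ipaddress.ip_network(src, strict=True)  # ValueError on junk
    dst_net = ipaddress.ip_network(dst, strict=True)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto!r}")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port!r}")
    return (f"-A FORWARD -s {src_net} -d {dst_net} -p {proto} "
            f"--dport {port} -m state --state NEW -j ACCEPT")

def compile_ruleset(db):
    """Forwarding is default-drop; only granted pairs get an ACCEPT rule."""
    lines = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT ACCEPT [0:0]",
             "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    lines += [render_rule(*row) for row in load_policy(db)]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(compile_ruleset(demo_db()), end="")
```

Because the values are parsed and re-serialised rather than pasted into a shell command, a database row containing extra rule text is rejected instead of reaching the firewall.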




* Re: Create IPTables rules using output from a database?
From: John A. Sullivan III @ 2004-03-05 21:15 UTC (permalink / raw)
  To: John P Lang; +Cc: netfilter

On Fri, 2004-03-05 at 15:43, John A. Sullivan III wrote:
> On Fri, 2004-03-05 at 14:21, John P Lang wrote:
> > Good morning,
> > 
> > Just out of curiosity, has anyone seen an application that allows you to
> > build iptables rules using web forms, post to a database of choice and
> > builds a firewall script?
> > 
> > I know... I'm not asking for much.
> > 
> > Any suggestions or comments would be greatly appreciated.
> > 
> > John L
> 
> If I understand your request properly, you may want to look at fwbuilder
> (http://www.fwbuilder.org).
> 
> I am very involved with the ISCS project (http://iscs.sourceforge.net)
> however it has not yet released code.  When it does, we will go far
> beyond being able to generate iptables rules from a graphically
> front-ended database.  Instead of creating rules, one describes one's
> security and communications environment in high level business terms
> (e.g., give Executive and Financial access to Financial Data).  It then
> evaluates the environment and produces consistent iptables filter, nat
> and mangle rules, OpenS/WAN VPN connections, iproute2 route
> configurations, user authentication routines for out-of-band user
> authentication (e.g., creating iptables rules based upon a user's X.509
> certs, RADIUS ID, ActiveDirectory ID) and RAS DHCP configurations to
> produce the environment.  It stores them in any RDBMS that supports
> transactions and automatically distributes them to any number of
> gateways anywhere.
> 
> One can also define and distribute in the same high-level, abstracted
> way, layer1 and layer2 configurations for the physical gateways.  This
> makes the product extensible beyond just security devices.  It can be
> used to manage large numbers of Linux routers.  A possible fabulous use
> is to create large networks of thousands of wireless access points with
> out-of-band user identification so that even if someone does gain
> unauthorized access to the access point, they cannot go anywhere beyond
> the access point unless they can properly identify themselves and, even
> then, they can only go where their credentials allow them to go.
> 
> That might be a little more than you are looking for but we're quite
> intrigued with it.  Although it does meet your requirement to talk to
> any RDBMS, because the user interface is extremely demanding, it is
> managed through a web browser. However, the GUI is written in Qt so that
> the same code with only minor modifications will run on Windows, X11 or
> Mac.
> 
> Finally, it is not just limited to iptables.  Any vendor who can provide
> the requisite functionality and a communications method can be managed
> with ISCS.
> 
> Good luck in your search - John
My apologies - because the user interface is extremely demanding it is
NOT managed through a web browser.
-- 
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com


