From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: John P Lang <johnl@oregonisonline.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Create IPTables rules using output from a database?
Date: Fri, 05 Mar 2004 16:15:25 -0500
Message-ID: <1078519865.2060.23.camel@localhost>
In-Reply-To: <1078519423.2065.20.camel@localhost>

On Fri, 2004-03-05 at 15:43, John A. Sullivan III wrote:
> On Fri, 2004-03-05 at 14:21, John P Lang wrote:
> > Good morning,
> >
> > Just out of curiosity, has anyone seen an application that allows you to
> > build iptables rules using web forms, post to a database of choice and
> > builds a firewall script?
> >
> > I know... I'm not asking for much.
> >
> > Any suggestions or comments would be greatly appreciated.
> >
> > John L
>
> If I understand your request properly, you may want to look at fwbuilder
> (http://www.fwbuilder.org).
>
> I am very involved with the ISCS project (http://iscs.sourceforge.net)
> however it has not yet released code. When it does, we will go far
> beyond being able to generate iptables rules from a graphically
> front-ended database. Instead of creating rules, one describes one's
> security and communications environment in high level business terms
> (e.g., give Executive and Financial access to Financial Data). It then
> evaluates the environment and produces consistent iptables filter, nat
> and mangle rules, OpenS/WAN VPN connections, iproute2 route
> configurations, user authentication routines for out-of-band user
> authentication (e.g., creating iptables rules based upon a user's X.509
> certs, RADIUS ID, ActiveDirectory ID) and RAS DHCP configurations to
> produce the environment. It stores them in any RDBMS that supports
> transactions and automatically distributes them to any number of
> gateways anywhere.
>
> One can also define and distribute in the same high-level, abstracted
> way, layer1 and layer2 configurations for the physical gateways. This
> makes the product extensible beyond just security devices. It can be
> used to manage large numbers of Linux routers. A possible fabulous use
> is to create large networks of thousands of wireless access points with
> out-of-band user identification so that even if someone does gain
> unauthorized access to the access point, they cannot go anywhere beyond
> the access point unless they can properly identify themselves and, even
> then, they can only go where their credentials allow them to go.
>
> That might be a little more than you are looking for but we're quite
> intrigued with it. Although it does meet your requirement to talk to
> any RDBMS, because the user interface is extremely demanding, it is
> managed through a web browser. However, the GUI is written in Qt so that
> the same code with only minor modifications will run on Windows, X11 or
> Mac.
>
> Finally, it is not just limited to iptables. Any vendor who can provide
> the requisite functionality and a communications method can be managed
> with ISCS.
>
> Good luck in your search - John
My apologies - because the user interface is extremely demanding it is
NOT managed through a web browser.
--
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com