Date:      Sun, 7 Oct 2001 10:15:45 +0200 (SAST)
From:      The Psychotic Viper <psyv@sec-it.net>
To:        Sudirman Hassan <s9810048@mmu.edu.my>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: FreeFirewall
Message-ID:  <20011007094144.Q58292-100000@lucifer.fuzion.ath.cx>
In-Reply-To: <3727.10.100.98.133.1002129202.squirrel@10.100.3.5>

Hi,
I have been looking at this thread and have a few ideas that could come in
handy,

On Thu, 4 Oct 2001, Sudirman Hassan wrote:

> In the process of learning it, I want to contribute something to the
> community.  Even though it might be a small project, I hope it'll help
> others later or at least give some idea or prototype so that someone
> might come up with a better thing.  Thus I come with the idea of a web-based
> firewall. Easy to use, install and manage.
>
> The idea is that :
> 1. Sys admin using a web-based interface to manage the firewall - remotely using
> a browser. Can do configuration of firewall policy and rules via web. See log file
> for firewall - I might be using IP Filter.
This is not a bad idea but if the OS is planned for a Firewall the idea of
accessing the firewall via the web (even if it's on an internal ONLY
network device) is something I would tend to avoid, most
commercial firewall products afaik don't go for such features (at least when
I last worked on them; now all firewalls are FreeBSD ipf based unless
otherwise demanded). Allowing the system to be compromised through a
service that need not be on a firewall is something best avoided. Logs are
also best monitored via email so the web frontend for viewing logs can be
bypassed.

> 2. have option for ssh for those who like to tinkering by hand.
always a good option,

> 3. sharing connection with PCs in the LAN - ( I think suitable for small
> and medium size companies ) - NAT I guess doing all this
yes NAT does that well,
> 4. dhcp
would work well for a nicely controlled network behind a "competent"
firewall:)

> 5. caching for faster and saving bandwidth - might be using Squid.
> 6. filtering - might be using squidGuard.
Squid would do fine just depends on where the firewall is implemented and
the traffic it crunches through as well as the hardware platform would be
a consideration, remember Squid can go awry with resources and you don't
want your firewall and network performance affected by that,

> 7. intrusion detection - snort or something like that.
again always a good idea, monitor as much as possible and keep an eye on
it,

> 8. upgrade etc.
could take some time to perfect a few scripts to update your "customised"
release (which I would assume is stripped down from the original FreeBSD
build and altered), but as someone else on the list has initiated me into
looking into it, it seems a lot less difficult than it may seem:)

> 9. Setting that improve security
ALWAYS harden that firewall and seeing as this is going to perform
specific tasks you can remove things you would not need,

> All of the above will be done in a way that can be
> used/configured/tinkered with via web. To make it related to FreeBSD, I name it
> "FreeFirewall" :) You might have guessed it. :P Security is a must.
If you're looking to make a Firewall that can be configured via a web
interface try Webmin (and write your own module) just a dedicated "secure"
firewall imho should avoid that, stick to console only GUI (curses or
non-listening X) or CLI mode. I also know not all admins are as savvy as
others and may need a remote X gui but that can be tackled later or if you
really want to know just mail me or the list and I will give my 2c
worth. Just if you say security is a must local access to the firewall
rules would be best, or SSH.

> This is my Final Year Project. There are many topics available that I
> can choose but I think it's better I propose something that I can use as
> a way to play with my FreeBSD box and at the same time provide those
> who are faint-hearted a way to use FreeBSD and later love it. :) Also I see
> that many companies ( small to medium )  need something like this.
> Something like this has appeared in Linux such as Mandrake SNF and
> e-smith but I don't know whether we FreeBSDians have one.
I haven't seen/used SNF but know of someone who has, haven't gotten an
opinion from him yet just how it performed, will do though that's for sure,
e-smith however is nice but a FreeBSD type implementation could be so
much better, and I'd personally be willing to dedicate time to a project
like this as it's what I do in my daily work anyways, taking FreeBSD then
hardening and firewalling it and placing them in small to medium networks
(ranging from 10 machines to around 100), and would make my life (and I'm
sure hundreds of others' lives) a lot easier. FreeBSD also has a step-up on
Linux imho with a simpler update path than any Linux distro I have used by
far (and I have been on Linux a fair while before converting).

> Now, come to what I want to ask. :) Please give comments, constructive
> suggestions, links, articles, whatever so that I can make this project a
> reality. Personal help would also be welcome. I'd like to mail
> personally to those who volunteer to help personally rather than flooding
> this mailing list. Flames should be okay :)

I could go on about this topic for hours (if I haven't already) but at least
I gave my input, hope it was valuable, if anyone wants to continue this
with me feel free. YES I'd be glad to volunteer time to this project (if I
were good enough and had the time I'd dedicate time to FreeBSD development
itself but alas I'd be dwarfed by the current team, kudos to them).

Mail me off-list and we can continue this,
PsyV
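Added example, not part of the mail above or of any FreeFirewall code: a small sh/awk check for the reply's main point that a dedicated firewall should expose nothing beyond SSH and the services it must serve (DHCP, syslog), with no listening web frontend. It audits `sockstat -4l` style output against an allowlist; the sample lines, daemon names and ports below are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `sockstat -4l` output (not captured from a real host).
# Column layout: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     httpd      530   3  tcp4   *:80                  *:*
root     dhcpd      601   5  udp4   *:67                  *:*
root     syslogd    221   6  udp4   *:514                 *:*
www      mini_httpd 640   3  tcp4   10.0.0.1:8080         *:*'

# Print "COMMAND proto/port" for every listening socket not in the allowlist.
#   $1    space-separated allowlist of "proto/port" entries, e.g. "tcp4/22 udp4/67"
#   stdin sockstat -4l output (header line included)
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the sockstat header line
        {
            proto = $5
            port = $6; sub(/.*:/, "", port)    # keep only the text after the last colon
            key = proto "/" port
            if (!(key in ok)) print $2, key
        }'
}

# Number of unexpected listeners in the constructed sample for a given allowlist.
# A hardened firewall per the reply above should yield 0 for "ssh + what it must serve".
count_unexpected() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list what the sample host exposes beyond SSH, DHCP and syslog.
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners 'tcp4/22 udp4/67 udp4/514'
```

On a real FreeBSD host the same function can be fed live data with `sockstat -4l | unexpected_listeners 'tcp4/22 udp4/67'`, and a non-empty result is a service that has no business on the firewall.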

