Discussion:
[Shorewall-users] Shorewall GUI interface.
Bernard Varaine
2002-08-13 05:01:47 UTC
I am quite keen to start working on a GUI interface for Shorewall.


Before I go any further in my thoughts I would like to know if you think
it will be a good idea ( I like it the way it is but some people like
those graphics...) and what you think should be in it.


And before someone asks, yes it will be free and opensource.


regards

Bernard
--

Digital Objects Ltd

Internet security / Web hosting & design / Web enabled applications


PO Box 60510, Titirangi
Waitakere City

Phone: 0800 LETS DOIT (538736)
Fax: +64 9 8128 368
www.digitalobjects.co.nz
Simon Matter
2002-08-13 06:48:19 UTC
Bernard Varaine schrieb:
>
> I am quite keen to start working a GUI interface for Shorewall .
>
> Before I go any further in my thoughts I would like to know if you think
> it will be a good idea ( I like it the way it is but some people like
> those graphics...) and what you think should be in it.

Would be really nice to have a GUI if it is made this way:

1) Just modify the affected lines in the config files. Don't reformat or
delete comments so it will be easy to maintain by hand and with the GUI.

2) Make it client/server. Don't force anybody to use the client on a
firewall. SSH can be used to secure communication.

3) Don't make things too complicated, don't put too much logic into the
GUI. Make it configurable so changes in the shorewall configuration
style can be implemented by modifying a rules file in the GUI.

4) Make the help system easy. As a quick help, the GUI can just parse
the respective shorewall file and display the comments found there as
help text. Additional help can be given in form of links to the web
documentation.

Simon

>
> And before someone ask, yes it will be free and opensource.
>
> regards
>
> Bernard
> --
>
> Digital Objects Ltd
>
> Internet security / Web hosting & design / Web enabled applications
>
> PO Box 60510, Titirangi
> Waitakere City
>
> Phone: 0800 LETS DOIT (538736)
> Fax: +64 9 8128 368
> www.digitalobjects.co.nz
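
Points 1 and 4 of the list above, as an added example that is not part of the original post or of Shorewall: one field of one rule is changed while every comment and every other line is returned untouched, and the quick help is read from the file's own leading comments. The sample file, its column layout and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of a Shorewall rules file (not from the thread).
SAMPLE_RULES = (
    "# Constructed sample rules file\n"
    "# Columns: ACTION CLIENT SERVER PROTO PORT\n"
    "\n"
    "# 2002-08-01 public web server in the DMZ\n"
    "ACCEPT     net      dmz      tcp     80\n"
    "ACCEPT     net      dmz      tcp     1984    # vendor app, see its firewall notes\n"
    "#DROP      net      fw       tcp     22\n"
    "ACCEPT     loc      fw       tcp     22\n"
    "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
)

TOKEN = re.compile(r"\S+")


def split_comment(line):
    """Split a line into (rule text, trailing comment); the comment keeps its '#'."""
    pos = line.find("#")
    return (line, "") if pos < 0 else (line[:pos], line[pos:])


def edit_field(text, match, column, value):
    """Set one column of the single active rule whose leading fields equal `match`.

    Comments, commented-out rules and every other line come back byte for byte.
    """
    # The value arrives from a remote client: accept one token only, so it cannot
    # carry a newline (an extra rule) or a '#' (commenting out the rest of the line).
    if not re.fullmatch(r"[^\s#]+", value):
        raise ValueError("field must be a single token without whitespace or '#'")
    lines = text.splitlines(keepends=True)
    hits = [i for i, line in enumerate(lines)
            if split_comment(line)[0].split()[:len(match)] == list(match)]
    if len(hits) != 1:
        raise LookupError("expected exactly one matching rule, found %d" % len(hits))
    rule, comment = split_comment(lines[hits[0]])
    tokens = list(TOKEN.finditer(rule))
    if column >= len(tokens):
        raise IndexError("rule has no column %d" % column)
    tok = tokens[column]
    rest = rule[tok.end():]
    # Absorb the length change in the run of spaces that follows, so later
    # columns and the inline comment stay where the human editor put them.
    gap = len(rest) - len(rest.lstrip(" "))
    if gap:
        rest = " " * max(1, gap - (len(value) - len(tok.group()))) + rest[gap:]
    lines[hits[0]] = rule[:tok.start()] + value + rest + comment
    return "".join(lines)


def changed_lines(before, after):
    """1-based numbers of the lines that differ; a clean edit reports exactly one."""
    a, b = before.splitlines(), after.splitlines()
    if len(a) != len(b):
        raise ValueError("edit added or removed lines")
    return [n for n, (x, y) in enumerate(zip(a, b), 1) if x != y]


def help_text(text):
    """Quick help: the comment block at the top of the config file."""
    out = []
    for line in text.splitlines():
        if not line.startswith("#"):
            break
        out.append(line[1:].strip())
    return "\n".join(out)


if __name__ == "__main__":
    edited = edit_field(SAMPLE_RULES, ("ACCEPT", "net", "dmz", "tcp", "1984"), 0, "DROP")
    print(changed_lines(SAMPLE_RULES, edited))
    print(edited)
```

Refusing to write when the match is ambiguous, and checking `changed_lines` before saving, keeps the file safe to maintain by hand and through a front end at the same time.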
Jim Hubbard
2002-08-13 11:14:34 UTC
Why not just build a Webmin module? I think someone has already started
work on this, but I can't remember the name.

Sincerely,
Jim Hubbard
Tom Eastep
2002-08-13 12:31:42 UTC
On Tue, 13 Aug 2002, Jim Hubbard wrote:

> Why not just build a Webmin module? I think someone has already started
> work on this, but I can't remember the name.
>

John Lodge is working on a Webmin module -- the last snapshot that he sent
me is at http://www.shorewall.net/pub/shorewall/contrib/shorewall.wbm.
That snapshot has everything necessary to build a config but it's short on
facilities for editing an existing one.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ ***@shorewall.net
Jeff Falgout
2002-08-13 14:08:20 UTC
> I am quite keen to start working a GUI interface for Shorewall .
>
> Before I go any further in my thoughts I would like to know if you think
> it will be a good idea ( I like it the way it is but some people like
> those graphics...) and what you think should be in it.


How about something more of a TUI base, like Xconfigurator or
Linuxconf?

I try to run my firewalls on a low end machine (Like 90Mhz with 500 MB
HD) and X would make it sink like a rock. Not to mention, X on a Firewall
just ain't right.


Jeff
Harish Pillay
2002-08-13 15:52:39 UTC
> > I am quite keen to start working a GUI interface for Shorewall .
> >
> > Before I go any further in my thoughts I would like to know if you
> > think it will be a good idea ( I like it the way it is but some people
> > like those graphics...) and what you think should be in it.
>
> How about something more of a TUI base, like Xconfigurator or
> Linuxconf?
>
> I try to run my firewalls on a low end machine (Like 90Mhz with 500 MB
> HD) and X would make it sink like a rock. Not to mention, X on a Firewall
> just ain't right.
>
> Jeff

I would rather *not* have to work at the firewall machine directly if I
can, so whether you use linuxconf or something else is no different from
webmin. In fact, webmin is a clean and secure (SSL) way to access the
machine for it is all done via the web; linuxconf needs to be done by
sshing to the machine and executing it. You do not *need* to fire up X
on the machine to use webmin.

Regards.

Harish
John Andersen
2002-08-13 17:14:03 UTC
On 13 Aug 2002 at 23:52, Harish Pillay wrote:

> > > I am quite keen to start working a GUI interface for Shorewall .

> I would rather *not* have to work at the firewall machine directly if I
> can, so whether you use linuxconf or something else is no different from
> webmin. In fact, webmin is a clean and secure (SSL) way to access the
> machine for it is all done via the web; linuxconf needs to be done by
> sshing to the machine and executing it. You do not *need* to fire up X
> on the machine to use webmin.

BUT nevertheless, webmin is more complex to set up and administer
unless it happens to be pre-installed by your distro, and may be something
you don't necessarily want on a dedicated firewall machine.

I just don't get why a GUI is necessary (and I write GUIs for a living),
in that it's NOT easier (it's easy enough already), it's NOT more informative
(the comments in the files are very useful), and it does not lead to better
understanding (whereas the docs on the web site are excellent). Is that
enough parentheticals for you??? ;-)

The other aspect of it is that even if there is a gui tool,
new features tend to NOT be in the gui until LATER. GUIs can
delay the availability of new features.

So you end up using a text editor anyway. Tom can't be expected
to keep a gui or even webmin up to date in preference to development
of Shorewall.

ssh and your favorite text editor (and routestopped) seem quite adequate.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
Harish Pillay
2002-08-13 17:27:08 UTC
> > > > I am quite keen to start working a GUI interface for Shorewall .
>
> > I would rather *not* have to work at the firewall machine directly if I
> > can, so whether you use linuxconf or something else is no different from
> > webmin. In fact, webmin is a clean and secure (SSL) way to access the
> > machine for it is all done via the web; linuxconf needs to be done by
> > sshing to the machine and executing it. You do not *need* to fire up X
> > on the machine to use webmin.
>
> BUT nevertheless, webmin is more complex to set up and administer
> unless it happens to be pre-installed by your distro, and may be something
> you don't necessarily want on a dedicated firewall machine.
>
> I just don't get why a GUI is necessary (and I write GUIs for a living),
> in that it's NOT easier (it's easy enough already), it's NOT more informative
> (the comments in the files are very useful), and it does not lead to better
> understanding (whereas the docs on the web site are excellent). Is that
> enough parentheticals for you??? ;-)
>
> The other aspect of it is that even if there is a gui tool,
> new features tend to NOT be in the gui until LATER. GUIs can
> delay the availability of new features.
>
> So you end up using a text editor anyway. Tom can't be expected
> to keep a gui or even webmin up to date in preference to development
> of Shorewall.
>
> ssh and your favorite text editor (and routestopped) seem quite adequate.

I agree fully with your comments. I was merely putting forth the argument
that if a GUI is to be built, it probably makes sense to have it within
the webmin framework instead of working a whole new UI. Further, with
webmin's SSL security, the framework is compelling. Webmin or any other
GUI notwithstanding, I am more at home on the command line and have been
rather pleased with that mode of managing shorewall.

Harish
Rob B
2002-08-14 01:57:57 UTC
At 10:31 13/08/2002 -0700, Tom Eastep sent this up the stick:
>On Tue, 13 Aug 2002, John Andersen wrote:
>
> >
> > BUT nevertheless, webmin is more complex to set up and administer
> > unless it happens to be pre-installed by your distro, and may be
> > something you don't necessarily want on a dedicated firewall machine.
> >
>
>The RPM is quite good -- I installed it in a few minutes. I haven't tried
>installing Webmin from sources which I'm sure would be more daunting.

I'll disagree with you here .... it is as simple as download, gunzip,
untar, ./setup.sh and answer about 5 questions. The defaults are VERY
sensible - and for the most part are based on what distro you are running
(question 1)

Cheers,
Rob

--
Research causes cancer in rats.

This is random quote 912 of a collection of 1254
[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian
Bernard Varaine
2002-08-14 08:34:49 UTC
John Andersen wrote:
>
> I just don't get why a GUI is necessary (and I write GUIs for a living),
> in that it's NOT easier (it's easy enough already), it's NOT more informative
> (the comments in the files are very useful), and it does not lead to better
> understanding (whereas the docs on the web site are excellent). Is that
> enough parentheticals for you??? ;-)
>
> The other aspect of it is that even if there is a gui tool,
> new features tend to NOT be in the gui until LATER. GUIs can
> delay the availability of new features.


Don't get me wrong, I don't think a GUI is a must have. In fact I rather
like using config files than GUI.

But I am not the only one using it and some "users" like those GUI
thingy. even if it is only a display tool and nothing else...

As there is a webmin module halfway there I might just wait a little
longer before doing anything.


Cheers

Bernard
John Andersen
2002-08-14 17:52:28 UTC
On 14 Aug 2002 at 8:11, H&K4ME wrote:

> To tell the truth, I would rather see a good GUI for the log file. One
> that you can reposition the columns or otherwise customize. A good log
> file interface is very useful in troubleshooting.
>
>
> Joe

Great Idea Joe...
If nothing else colorcoded portions like some context
colorizing text editors to find the things easier.
Staring at the log is a real "go-blind" task.

I'd like translation of port to service for inbound dtp and
possibly clickable whois info on IPs,
clickable add-to-blacklist etc.



______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
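
The log view wished for above (colour coding by action, port numbers shown as service names, a per-source count as a starting point for whois and blacklist review), as an added example that is not part of the original posts. The log lines are constructed, use documentation address ranges, and assume the netfilter LOG format with a `Shorewall:<chain>:<action>:` prefix; the small service table stands in for /etc/services so the example runs offline.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic); one non-firewall line is included
# to show that unrelated syslog entries are skipped.
SAMPLE_LOG = """\
Aug 14 09:01:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4211 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 14 09:01:15 fw sshd[812]: Accepted publickey for admin from 192.0.2.77
Aug 14 09:02:40 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=78 TTL=110 ID=4290 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 14 09:03:02 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.0.2.130 DST=198.51.100.9 LEN=60 TTL=63 ID=112 DF PROTO=TCP SPT=40112 DPT=1984 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 09:03:30 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=3321 SEQ=1
"""

# Constructed port table; a real tool would read /etc/services instead.
SERVICES = {("tcp", 22): "ssh", ("tcp", 80): "http",
            ("udp", 137): "netbios-ns", ("tcp", 445): "microsoft-ds"}
COLORS = {"DROP": "\033[31m", "REJECT": "\033[33m", "ACCEPT": "\033[32m"}
RESET = "\033[0m"

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def service_name(proto, port):
    """Service name for a destination port, the number itself if unknown."""
    if port is None:
        return "-"                      # e.g. ICMP has no port
    return SERVICES.get((proto, port), str(port))


def parse_line(line):
    """Return one record per firewall log line, None for anything else."""
    m = PREFIX.search(line)
    if m is None:
        return None
    kv = {}
    for key, val in FIELD.findall(line[m.end():]):
        kv.setdefault(key, val)         # keep the first (IP-level) LEN/ID
    proto = kv.get("PROTO", "").lower()
    dport = int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None
    return {"chain": m.group("chain"), "action": m.group("action"),
            "src": kv.get("SRC", ""), "dst": kv.get("DST", ""),
            "proto": proto, "dport": dport,
            "service": service_name(proto, dport)}


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def top_sources(records, actions=("DROP", "REJECT")):
    """Sources ranked by blocked packets: candidates to look up, not a verdict."""
    return Counter(r["src"] for r in records if r["action"] in actions).most_common()


def render(rec, color=True):
    """One fixed-width row, optionally coloured by action."""
    row = "%-8s %-7s %-15s -> %-15s %s/%s" % (
        rec["chain"], rec["action"], rec["src"], rec["dst"],
        rec["proto"], rec["service"])
    if color and rec["action"] in COLORS:
        return COLORS[rec["action"]] + row + RESET
    return row


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        print(render(rec))
    print(top_sources(records))
```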
Tom Eastep
2002-08-13 16:16:58 UTC
On Tue, 13 Aug 2002, Harish Pillay wrote:

> webmin. In fact, webmin is a clean and secure (SSL) way to access the
> machine for it is all done via the web; linuxconf needs to be done by
> sshing to the machine and executing it.

Not so -- Linuxconf has remote administration facilities.

> You do not *need* to fire up X
> on the machine to use webmin.
>

Nor do you with Linuxconf -- it has both a Curses-based interface and an
X-based interface.

That having been said, RedHat seem to be deemphasizing Linuxconf of late
since they no longer install it by default.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ ***@shorewall.net
Harish Pillay
2002-08-13 16:23:28 UTC
On Tue, Aug 13, 2002 at 09:16:58AM -0700, Tom Eastep wrote:
> On Tue, 13 Aug 2002, Harish Pillay wrote:
>
> > webmin. In fact, webmin is a clean and secure (SSL) way to access the
> > machine for it is all done via the web; linuxconf needs to be done by
> > sshing to the machine and executing it.
>
> Not so -- Linuxconf has remote administration facilities.

Ah yes. Forgot about that. The only issue remaining is whether the
remote admin function is via a secure link. If not, you have to ssh
into the machine and do the work. Webmin's strength, IMHO, is that it
has SSL enabled and as a sysadmin, that level of security is critical.

> > You do not *need* to fire up X on the machine to use webmin.
>
> Nor do you with Linuxconf -- it has both a Curses-based interface and an
> X-based interface.

I think they are both the same, though I have been known to be wrong.

> That having been said, RedHat seem to be deemphasizing Linuxconf of late
> since they no longer install it by default.

You are right. In fact, it has been a long time since I used linuxconf
and is probably due to them not being installed by default on the rh machines
I have setup.

Regards.

Harish
Jeff Falgout
2002-08-13 16:56:41 UTC
> > webmin. In fact, webmin is a clean and secure (SSL) way to access the
> > machine for it is all done via the web; linuxconf needs to be done by
> > sshing to the machine and executing it.
>
> Not so -- Linuxconf has remote administration facilities.

-Ah yes. Forgot about that. The only issue remaining is whether the
-remote admin function is via a secure link. If not, you have to ssh
-into the machine and do the work. Webmin's strength, IMHO, is that it
-has SSL enabled and as a sysadmin, that level of security is critical.

> > You do not *need* to fire up X on the machine to use webmin.
>
> Nor do you with Linuxconf -- it has both a Curses-based interface and an
> X-based interface.

-I think they are both the same, though I have been known to be wrong.

> That having been said, RedHat seem to be deemphasizing Linuxconf of late
> since they no longer install it by default.

-You are right. In fact, it has been a long time since I used linuxconf
-and is probably due to them not being installed by default on the rh machines
-I have setup.


I was not making a suggestion to incorporate shorewall into linuxconf,
but that a curses based interface *like* linuxconf would be useful. If you've
lost network connectivity to your firewall (without X) for some reason,
you could run the interface to make things right. Links/Lynx with webmin
might be a bit rough. (Granted, editing the config files would be just as
quick, but the discussion started about a GUI interface).
Tom Eastep
2002-08-13 17:31:38 UTC
On Tue, 13 Aug 2002, John Andersen wrote:

> > the machine to use webmin.
>
> BUT nevertheless, webmin is more complex to set up and administer
> unless it happens to be pre-installed by your distro, and may be
> something you don't necessarily want on a dedicated firewall machine.
>

The RPM is quite good -- I installed it in a few minutes. I haven't tried
installing Webmin from sources which I'm sure would be more daunting.

> I just don't get why a GUI is necessary (and I write GUIs for a living),
> in that it's NOT easier (it's easy enough already), it's NOT more informative
> (the comments in the files are very useful), and it does not lead to better
> understanding (whereas the docs on the web site are excellent). Is that
> enough parentheticals for you??? ;-)
>
> The other aspect of it is that even if there is a gui tool,
> new features tend to NOT be in the gui until LATER. GUIs can
> delay the availability of new features.
>
> So you end up using a text editor anyway. Tom can't be expected
> to keep a gui or even webmin up to date in preference to development
> of Shorewall.

That's a concern for me also but if I work very closely with the GUI
developer(s), we should be able to keep synced up. I'm going to be backing
off of the frantic pace of releases now anyway in favor of interim bug-fix
releases (such as 5a and 5b) with a longer time between releases
containing new features.

>
> ssh and your favorite text editor (and routestopped) seem quite adequate.
>

I quite agree but then I also use Pine as my email client and Emacs for
editing :-). We live in a point-and-click world though and tools that
are configured by editing config files are becoming rarer.

Since a sizable percentage of the user base runs Bering, we have to retain
the text files; Bering (router on a floppy) users typically don't have the
ability to load something large like Perl or Python just to be able to
configure their firewall.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ ***@shorewall.net
a***@kiteflyer.com
2002-08-13 19:10:54 UTC
Hello all,

Normally I just sit quietly and listen, but felt I should chime in here.

I use Command Line an awful lot, but enjoy the simplicity of using a GUI when I
want to do multiple things. Sometimes the adage "a picture is worth..." holds
true. I would seriously like to see a GUI that graphically shows the firewall
chains. I could see it being beneficial to recognize when you are shooting your
own foot or needing a cluebat. Otherwise a simple script would probably suffice.

***@kiteflyer.com
/insert witty quote here/



() Join the ASCII ribbon campaign against HTML email and Microsoft specific attachments.
/\ If I wanted to read HTML, I would have visited your website! Support open standards.
John Andersen
2002-08-13 19:25:36 UTC
On 13 Aug 2002 at 19:10, ***@kiteflyer.com wrote:

> I would seriously like to see a GUI that graphically
> shows the firewall chains.

This might be nice for the chains in general but is certainly
not necessary for shorewall configuration.

In fact the concept of the various chains need not
be understood fully to properly configure shorewall.

I'm living proof! ;-)

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
Gilson Soares
2002-08-13 19:27:12 UTC
At 8/13/2002 02:14 PM, you wrote:
>BUT nevertheless, webmin is more complex to set up and
>administer unless it happens to be pre-installed by your distro,

In a RH installation, with just two cmds you get Webmin up and running:
wget http://telia.dl.sourceforge.net/sourceforge/webadmin/webmin-0.990-1.noarch.rpm
rpm -Uvh webmin-0.990-1.noarch.rpm

and just browse.

I agree, in a firewall, it must be as clean as possible.
In my case I install a really base RH (all packages turned off), ssl,
webmin and Shorewall.
Works fine.

Another point is: sometimes on the road, in emergency situations, the place
from where I need to support a client, only permits www/https (80/443)
outgoing connections.

-Gilson
Tom Eastep
2002-08-14 02:25:01 UTC
On Wed, 14 Aug 2002, Rob B wrote:

> At 10:31 13/08/2002 -0700, Tom Eastep sent this up the stick:
> >On Tue, 13 Aug 2002, John Andersen wrote:
> >
> > >
> > > BUT nevertheless, webmin is more complex to set up and administer
> > > unless it happens to be pre-installed by your distro, and may be
> > > something you don't necessarily want on a dedicated firewall machine.
> > >
> >
> >The RPM is quite good -- I installed it in a few minutes. I haven't tried
> >installing Webmin from sources which I'm sure would be more daunting.
>
> I'll disagree with you here .... it is as simple as download, gunzip,
> untar, ./setup.sh and answer about 5 questions. The defaults are VERY
> sensible - and for the most part are based on what distro you are running
> (question 1)
>

So that seems to result in one less legitimate reason to reject Webmin: I
found the RPM easy to install and you found the tarball equally easy.

What are the other arguments from the anti-Webmin folks?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ ***@shorewall.net
H&K4ME
2002-08-14 12:11:13 UTC
To tell the truth, I would rather see a good GUI for the log file. One that
you can reposition the columns or otherwise customize. A good log file
interface is very useful in troubleshooting.


Joe


Cass Tolken
2002-08-14 18:05:42 UTC
Hi there,

This seems like it'd be reasonably easy to implement as a web cgi (not
that I'm volunteering ;). Perhaps it's already in the webmin module
mentioned earlier in this thread. I don't know, I haven't checked it
out.

I'm using weblet in LEAF/Bering with some modifications to the log viewer
scripts but it's very limited in that I basically only have sed to work
with, no perl/python/php on this 486 laptop w/ 14MB of ram ;).

--- John Andersen <***@screenio.com> wrote:
> On 14 Aug 2002 at 8:11, H&K4ME wrote:
>
> > To tell the truth, I would rather see a good GUI for the log file. One
> > that you can reposition the columns or otherwise customize. A good log
> > file interface is very useful in troubleshooting.
> >
> > Joe
>
> Great Idea Joe...
> If nothing else colorcoded portions like some context
> colorizing text editors to find the things easier.
> Staring at the log is a real "go-blind" task.
>
> I'd like translation of port to service for inbound dtp and
> possibly clickable whois info on IPs,
> clickable add-to-blacklist etc.

Cowles, Steve
2002-08-14 20:14:07 UTC
Although I think the addition of a GUI (or web based) config tool would be
good for shorewall -- some of us semi ole-timers (that have been using vi
for 20+ years) will never change.

What's my point??? My warped sense of humor aside... I hope shorewall will
still allow us to either manually edit the config files -or- use a GUI.

Steve Cowles
Tom Eastep
2002-08-14 20:20:32 UTC
On Wed, 14 Aug 2002, Cowles, Steve wrote:

> Although I think the addition of a GUI (or web based) config tool would be
> good for shorewall -- some of us semi ole-timers (that have been using vi
> for 20+ years) will never change.
>
> What's my point??? My warped sense of humor aside... I hope shorewall will
> still allow us to either manually edit the config files -or- use a GUI.
>

So long as LEAF users are a sizable percentage of the Shorewall family, I
think we must continue to support config files.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ ***@shorewall.net
Cowles, Steve
2002-08-14 21:23:13 UTC
> > Although I think the addition of a GUI (or web based)
> > config tool would be good for shorewall -- some of us
> > semi ole-timers (that have been using vi for 20+ years)
> > will never change.
> >
> > What's my point??? My warped sense of humor aside... I
> > hope shorewall will still allow us to either manually
> > edit the config files -or- use a GUI.
> >
>
> So long as LEAF users are a sizable percentage of the
> Shorewall family, I think we must continue to support
> config files.
>

WHEW!!! I feel better now. Thanks LEAF users.

If I could add my two bits to this discussion, my main complaint about GUIs
is the programmers of these GUIs never allow me to add comments on why I
made a particular entry. Why is this so important to me??? Six months from
now when I take a look at a customer's rules file (for instance), I'm not
asking myself "Why the hell did I add this entry?" or "WTF is port 1984
used for?" By manually editing the rules file, I can add comments like the
date I made the entry along with notes about the application; even WEB links
to the application's web site that discusses how to run this app behind a
firewall.

Well that's my two bits.

Steve Cowles
John Lodge
2002-08-15 20:41:41 UTC
Yes, my webmin module is making good progress. I am making changes now to
incorporate the changes needed to support Shorewall 1.3.

John Lodge

Joshua Penix
2002-08-16 05:14:40 UTC
> -----Original Message-----
> From: John Andersen [mailto:***@screenio.com]
> Sent: Wednesday, August 14, 2002 10:52 AM
> To: H&K4ME
> Cc: Shorewall-***@shorewall.net
> Subject: RE: [Shorewall-users] Shorewall GUI interface.
>
>
> On 14 Aug 2002 at 8:11, H&K4ME wrote:
>
> > To tell the truth, I would rather see a good GUI for the log file. One
> > that you can reposition the columns or otherwise customize. A good log
> > file interface is very useful in troubleshooting.
> >
> >
> > Joe
>
> Great Idea Joe...
> If nothing else colorcoded portions like some context
> colorizing text editors to find the things easier.
> Staring at the log is a real "go-blind" task.

Just so you guys know, there *are* some colorcoding options currently
available for your Shorewall (well, any iptables) logs:

FireParse: http://aaron.marasco.com/linux.html
FWAnalog (uses Analog webstats parser): http://tud.at/programm/fwanalog/
fwlogwatch (log parser plus live daemon which can do realtime monitoring):
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Have fun!!!

--Josh
John Andersen
2002-08-16 21:58:49 UTC
On 15 Aug 2002 at 22:14, Joshua Penix wrote:

> Just so you guys know, there *are* some colorcoding options currently
> available for your Shorewall (well, any iptables) logs:

> fwlogwatch (log parser plus live daemon which can do realtime monitoring):
> http://www.kyb.uni-stuttgart.de/boris/software.shtml

That one is pretty cool. I like the email alerts option
as well as the web interface.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386