 From:  Adam Nellemann <adam at nellemann dot nu>
 Cc:  m0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Port Knocking?
 Date:  Sun, 08 Feb 2004 19:11:48 +0100

Hehe, I just can't let go of this idea, so I'll spam some more about it:

Instead of bogging m0n0wall down with things like this (or any other 
kind of similar security or otherwise "rule-modifying" feature for that 
matter), why not simply go for the following "universal" solution to 
such things:

A read/write community for SNMP could be implemented in m0n0wall (I hope 
I'm right in assuming that it currently isn't?) or perhaps there is a 
better way of making changes to m0n0wall programmatically (going through 
the webGUI is kind of cumbersome to code).

This way things, such as PK, could be done from a local machine without 
any further support from m0n0wall (i.e. the "PK server" application would 
look at the firewall log, and then use SNMP or whatever to change the 
rules as needed). Even if PK might perhaps at some time in the future be 
best off running on m0n0wall itself, this way there is a way to test 
various implementations and ideas, while developing the concept to a 
usable and stable concept, all without having to modify m0n0wall's code 
along the way.

There might be good reasons for not having a R/W SNMP community on a 
firewall, but I really think there are a great number of quite good 
reasons for having SOME way of making configuration changes to m0n0wall 
(from the local side only of course) other than the webGUI.

Aside from the above example (which extends to a lot of other similar 
solutions as well), it would also be possible for someone (such as I) to 
make a configuration and/or monitoring client for m0n0wall. Personally 
I'd love to have some small tray-icon thingie, showing the WAN load and 
other "blinkenlights" while allowing you to quickly change various 
settings on m0n0wall.

Another reason would be the ability to modify stuff in the m0n0wall 
config using cron jobs, scripts and/or binary clients. This could for 
instance be time-of-day rules (something I think has been requested for 
inclusion in m0n0wall itself; this way it can be done without 
complicating both the code and GUI of m0n0wall). Perhaps some people 
would like to have a few batch scripts for disabling and enabling 
various settings (i.e. blocking all traffic on a given interface or 
something like that), and so on and so forth...

Of course, all this might, in turn, require m0n0wall to provide a bit 
more information through SNMP than is currently the case? (It wouldn't 
perhaps be the case that another SNMP implementation for BSD could be 
chosen, one that already has support for R/W communities as well as 
providing more info?)

Well, just a thought anyway!
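The "PK server on a local machine" idea from the message, as an added example that is not part of the original post and not m0n0wall code: a detector that works purely from firewall log lines, tracks each source's progress through a knock sequence within a time window, and hands back the temporary allow rule that would then be pushed to the firewall by whatever mechanism is chosen. The log line format, the knock sequence (7000, 8000, 9000), the 10-second window and the sample addresses are all constructed assumptions; the real m0n0wall/ipfilter log format is not reproduced, and the rule is returned as data only, since how it gets installed (SNMP set or otherwise) is exactly the open question in the message.

```python
"""Port-knock detector driven only by firewall log lines (added example).

Assumptions: a constructed, simplified log format, an arbitrary knock
sequence and window, and RFC 5737 documentation addresses as sample hosts.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: .5 knocks correctly, .9 gets the third port wrong,
# .77 knocks too slowly, and the last line is deliberately unparseable.
SAMPLE_LOG = """\
2004-02-08 19:10:01 block in on wan TCP 203.0.113.5:40001 -> 198.51.100.1:7000
2004-02-08 19:10:02 block in on wan TCP 203.0.113.9:51000 -> 198.51.100.1:7000
2004-02-08 19:10:03 block in on wan TCP 203.0.113.5:40002 -> 198.51.100.1:8000
2004-02-08 19:10:04 block in on wan TCP 203.0.113.9:51001 -> 198.51.100.1:8000
2004-02-08 19:10:05 block in on wan TCP 203.0.113.77:33000 -> 198.51.100.1:7000
2004-02-08 19:10:06 block in on wan TCP 203.0.113.9:51002 -> 198.51.100.1:9999
2004-02-08 19:10:07 block in on wan TCP 203.0.113.5:40003 -> 198.51.100.1:9000
2004-02-08 19:10:30 block in on wan TCP 203.0.113.77:33001 -> 198.51.100.1:8000
2004-02-08 19:10:31 block in on wan TCP 203.0.113.77:33002 -> 198.51.100.1:9000
2004-02-08 19:10:32 garbage line that does not parse
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence
KNOCK_WINDOW = timedelta(seconds=10)  # whole sequence must arrive within this

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) block in on (?P<iface>\w+) "
    r"(?P<proto>TCP|UDP) (?P<src>\d+(?:\.\d+){3}):\d+ -> \S+:(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, source_ip, dest_port), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], int(m["dport"])


def detect_knocks(lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return [(source_ip, completion_time)] for every completed sequence.

    Per-source state is (next_index, time_of_first_knock). A hit on the wrong
    port resets that source, as does a hit arriving after the window expired.
    """
    state = {}
    completed = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                           # ignore lines we cannot parse
        ts, src, dport = parsed
        idx, started = state.get(src, (0, None))
        if started is not None and ts - started > window:
            idx, started = 0, None             # too slow: start over
        if dport == sequence[idx]:
            if idx == 0:
                started = ts                   # first knock opens the window
            idx += 1
            if idx == len(sequence):
                completed.append((src, ts))
                state.pop(src, None)           # sequence consumed
                continue
            state[src] = (idx, started)
        elif dport == sequence[0]:
            state[src] = (1, ts)               # wrong port, but it begins anew
        else:
            state.pop(src, None)               # wrong port: reset this source
    return completed


def pending_rule(src, protected_port=22, ttl=timedelta(minutes=5), now=None):
    """Describe the temporary pass rule a PK server would push to the firewall.

    Returned as plain data; the transport (SNMP set or another API) is left
    open, as in the message. protected_port and ttl are assumed defaults.
    """
    now = now or datetime.now()
    return {"action": "pass", "src": src, "dport": protected_port,
            "expires": now + ttl}


if __name__ == "__main__":
    for src, when in detect_knocks(SAMPLE_LOG.splitlines()):
        print(f"{when} knock completed from {src}: {pending_rule(src, now=when)}")
```

Two design points follow from driving this off the log rather than the packets: the firewall rules covering the knock ports must actually log what they block, or the detector never sees a knock, and a source that hits a wrong port is reset rather than merely skipped, so a scan sweeping across the ports in order does not accidentally satisfy the sequence. The rule carries an expiry so the PK server can also remove it again once the window passes.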