Hehe, I just can't let go of this idea, so I'll spam some more about it:
Instead of bugging m0n0wall down with things like this (or any other
kind of similar security or otherwise "rule-modifying" feature for that
matter), why not simply go for the following "universal" solution to
A read/write community for SNMP could be implemented in m0n0wall (I hope
I'm right in assuming that it currently isn't?) or perhaps there is a
better way of making changes to m0n0wall programmatically (going through
the webGUI is kind of cumbersome to code).
This way things, such as PK, could be done from a local machine without
any further support from m0n0wall (i.e. the "PK server" application would
look at the firewall log, and then use SNMP or whatever to change the
rules as needed). Even if PK might perhaps at some time in the future be
best off running on m0n0wall itself, this way there is a way to test
various implementations and ideas, while developing the concept to a
usable and stable concept, all without having to modify m0n0wall's code
along the way.
There might be good reasons for not having a R/W SNMP community on a
firewall, but I really think there are a great number of quite good
reasons for having SOME way of making configuration changes to m0n0wall
(from the local side only of course) other than the webGUI.
Aside from the above example (which extends to a lot of other similar
solutions as well), it would also be possible for someone (such as I) to
make a configuration and/or monitoring client for m0n0wall. Personally
I'd love to have some small tray-icon thingie, showing the WAN load and
other "blinkenlights" while allowing you to quickly change various
settings on m0n0wall.
Another reason would be the ability to modify stuff in the m0n0wall
config using cron jobs, scripts and/or binary clients. This could for
instance be time-of-day rules (something I think has been requested for
inclusion in m0n0wall itself. This way it can be done without
complicating both the code and GUI of m0n0wall). Perhaps some people
would like to have a few batch scripts for disabling and enabling
various settings (i.e. blocking all traffic on a given interface or
something like that), and so on and so forth...
Of course, all this might, in turn, require m0n0wall to provide a bit
more information through SNMP than is currently the case? (It wouldn't
perhaps be the case that another SNMP implementation for BSD could be
chosen, one that already has support for R/W communities as well as
providing more info?)
Well, just a thought anyway!
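
The following is an added example, not part of the original post and not m0n0wall code: a sketch of the log-watching half of the external "PK server" described above, which tracks per-source knock progress with an ordering and time-window check. The log layout, knock ports, window, and the planned_changes() output format are assumptions; the post leaves the channel for applying rule changes open, so none is modelled here.

```python
import re

# Assumptions for this sketch: the knock ports, the time window, and the
# simplified log layout "<epoch> block <src_ip> -> <dst_port>" are constructed.
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW_SECONDS = 10
LINE_RE = re.compile(r"^(\d+) block (\d{1,3}(?:\.\d{1,3}){3}) -> (\d+)$")

SAMPLE_LOG = [  # constructed sample lines, not real firewall output
    "1000 block 192.0.2.10 -> 7000",
    "1001 block 198.51.100.7 -> 7000",
    "1002 block 192.0.2.10 -> 8000",
    "1003 block 198.51.100.7 -> 9000",  # wrong order: progress is reset
    "1004 block 192.0.2.10 -> 9000",    # sequence completed in 4 s
    "1005 block 203.0.113.5 -> 7000",
    "1006 block 203.0.113.5 -> 8000",
    "1030 block 203.0.113.5 -> 9000",   # outside the window: ignored
]

def detect_knocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return [(src_ip, time)] for sources that hit every port in order in time."""
    progress = {}  # src_ip -> (index of next expected port, time of first knock)
    completed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of guessing
        ts, src, port = int(m.group(1)), m.group(2), int(m.group(3))
        idx, start = progress.get(src, (0, ts))
        if idx and ts - start > window:
            idx, start = 0, ts  # too slow, start over
        if port == sequence[idx]:
            start = ts if idx == 0 else start
            idx += 1
        else:  # a wrong port resets, but may itself be a fresh first knock
            idx, start = (1, ts) if port == sequence[0] else (0, ts)
        if idx == len(sequence):
            completed.append((src, ts))
            progress.pop(src, None)
        else:
            progress[src] = (idx, start)
    return completed

def planned_changes(completed, ttl=300):
    """Describe temporary pass rules; how they get applied is left open."""
    return [{"action": "pass", "src": s, "expires": t + ttl} for s, t in completed]

if __name__ == "__main__":
    print(planned_changes(detect_knocks(SAMPLE_LOG)))
```

Giving each planned rule an expiry keeps a completed knock from leaving a permanent hole in the ruleset if the external process stops running.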