This one time, at band camp, Andrew Eglington said:

> What would be very useful would be an option in NAT/Firewall Rule setup
> to detect if anything is currently requesting a port/NAT and options to
> wizard/add a NAT/rule for it on that particular port/range, etc etc.
> Effectively making NAT/firewall rule setup a matter of probing the
> required function from outside, and being able to detect those probes
> from inside and make rules to allow access.
>
> That way if you know ssh on port X from blah.net knocks on the door of
> your WAN calling itself TheNameOfTheThingIWantToWorkNow on port X, you
> can more easily click a button labelled "Yeah. guide me through rules to
> connect that one"

kerio personal firewall does this under windoze. sort of. it's configured by default to ask the user any time any port of any kind is opened, inbound or outbound. you are then asked to permit, deny, and/or create a rule. quite nice, actually. makes it very easy to lock down a machine. i use the first alert that appears to create an advanced rule that permits all outbound traffic, and another that permits only inbound ssh (plus a couple of other msnetworking specific rules, which are actually treated as special built-in functions of KPF).

> <thinking aloud>
> Making a NAT can auto add a matching rule, and setup detects plugged in
> WAN or LAN cards... How much more code would be required? would
> auto-NAT/rule-addition compromise m0n0 security principles? would it
> compromise the intent of m0n0 design?
> </thinking aloud>

a courageous suggestion :)

such functionality would have to tie into the default deny machinery, perhaps as easily as parsing the logs. the tough part would be making it work through a webgui, i think. how does mini_httpd force a page load when a packet is processed by the default deny rule? my gut tells me that it would be plenty ugly, if not impossible, to implement in php, and that i think is a step away from the spirit of m0n0...

... but there's always room for modules :-)

jj
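As an added illustration of the "parse the logs for default-deny hits" idea floated above (example code written for this page, not part of the thread or of m0n0wall), the following aggregates blocked inbound packets on the WAN interface and turns repeated knocks into rule proposals for the operator to review. The log lines are constructed to approximate ipfilter's ipmon output; the exact field layout on a real install, the `sis0` WAN name and the `min_hits` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines approximating ipmon output on a m0n0wall box
# (assumption: a real install's layout may differ). 'b' = blocked, 'p' = passed.
SAMPLE_LOG = """\
Mar  3 10:00:01 m0n0wall ipmon[123]: 10:00:01.101 sis0 @0:15 b 203.0.113.5,51234 -> 198.51.100.2,22 PR tcp len 20 60 -S IN
Mar  3 10:00:02 m0n0wall ipmon[123]: 10:00:02.202 sis0 @0:15 b 203.0.113.5,51235 -> 198.51.100.2,22 PR tcp len 20 60 -S IN
Mar  3 10:00:03 m0n0wall ipmon[123]: 10:00:03.303 sis0 @0:15 b 192.0.2.9,40000 -> 198.51.100.2,22 PR tcp len 20 60 -S IN
Mar  3 10:00:04 m0n0wall ipmon[123]: 10:00:04.404 sis0 @0:15 b 192.0.2.9,40001 -> 198.51.100.2,23 PR tcp len 20 60 -S IN
Mar  3 10:00:05 m0n0wall ipmon[123]: 10:00:05.505 sis1 @0:1 p 10.0.0.7,3456 -> 198.51.100.9,80 PR tcp len 20 60 -S OUT
Mar  3 10:00:06 m0n0wall ipmon[123]: 10:00:06.606 sis0 @0:15 b 203.0.113.5,51236 -> 198.51.100.2,22 PR tcp len 20 60 -S IN
"""

# Fields we need: interface, action (b/p), src/sport, dst/dport, protocol, direction.
LINE_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .* (?P<dir>IN|OUT)$"
)


def blocked_inbound(log, wan_iface="sis0"):
    """Return {(proto, dport): Counter(src -> hits)} for packets the default
    deny rule blocked on their way IN through the WAN interface."""
    hits = defaultdict(Counter)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m["action"] == "b" and m["dir"] == "IN" and m["iface"] == wan_iface:
            hits[(m["proto"], int(m["dport"]))][m["src"]] += 1
    return hits


def candidate_rules(hits, min_hits=2):
    """Turn repeated knocks into proposals the operator must still confirm.
    Only (proto, port) pairs seen at least min_hits times are proposed, and each
    proposal is scoped to the source addresses actually observed, never 'any',
    so a single stray probe does not become an open door by itself."""
    rules = []
    for (proto, port), srcs in sorted(hits.items()):
        total = sum(srcs.values())
        if total < min_hits:
            continue
        rules.append({"proto": proto, "dport": port,
                      "sources": sorted(srcs), "hits": total})
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(blocked_inbound(SAMPLE_LOG)):
        print(f"pass in {rule['proto']} to port {rule['dport']} "
              f"from {', '.join(rule['sources'])} ({rule['hits']} blocked hits)")
```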