>>>>> "eazam" == eazam <eazam@mylinux.net.my> writes:

 eazam> any idea?

vi ?

Eric Masson

--
 would you happen to have found my floppy disk?
 -+- st2 in http://www.le-gnu.net : Les objets perdUsnet.

>>>>> "Eric" == Eric Masson <emss@free.fr> writes:

>>>>> "eazam" == eazam <eazam@mylinux.net.my> writes:

eazam> any idea?

Eric> vi ?

emacs (with CVS mode to keep track of changes in case you make an "oops")?

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

On Wed, 09 Jun 2004 18:02:53 +0800 in <ca6n8b$o1a$1@news4.jaring.my> eazam <eazam@mylinux.net.my> wrote:
> hi all
>
> which of pf generator would u suggest for me to use?
>
> i'm testing metacortex for testing and i would like to use another.. any
> idea?

Back around 2001 I came across a GUI tool that could be used to generate rules for ipf, ipfw, ipchains, and iptables. I believe it added support for pf and pix.

Unfortunately, I've forgotten the name, but I suspect a query on freshmeat would find it.

These are the things I discovered.
1) A GUI is no replacement for clue.
2) If you do have a clue, the GUI will tend to get in your way.
3) If you don't have a clue, you can make bigger mistakes faster.

I tossed it in favor of vi and manually making a backup copy before editing.

--
Chris Dukes
"I'm not really all that interested in what Hollywood does with its stuff. I mean, they're only the size of the porn industry." -- Bruce Sterling
"my vibe is going dave, I can feel it." -- Jasmine

pakrat@localhost.private.neotoma.org wrote:
> Back around 2001 I came across a GUI tool that could be
> used to generate rules for ipf, ipfw, ipchains, and iptables.
> I believe it added support for pf and pix.
>
> Unfortunately, I've forgotten the name, but I suspect a query on
> freshmeat would find it.

Firewall Builder: http://www.fwbuilder.org/

On Wed, 09 Jun 2004 15:51:20 GMT, pakrat@localhost.private.neotoma.org wrote:

>1) A GUI is no replacement for clue.

True.

>2) If you do have a clue, the GUI will tend to get in your way.

Not if it's well designed.

GUI policy management also makes life a tad easier when operating in enterprise space. Especially when working on a global policy for dozens if not hundreds of edge devices.

>
>I tossed it in favor of vi and manually making a backup copy before editing.

Admirable as an editor is, it still doesn't fix the occasional problem between chair and keyboard.

The sort of problem we've all experienced, in particular the 'Oh F*CK' moment as you realise that your tired 2am self has just hacked the policy on the wrong firewall and are now locked out.

greg
--
"vying with Platt for the largest gap
between capability and self perception"

Greg Hennessy <me@privacy.net> wrote:
> On Wed, 09 Jun 2004 15:51:20 GMT, pakrat@localhost.private.neotoma.org
> wrote:
>>1) A GUI is no replacement for clue.
> True.
>>2) If you do have a clue, the GUI will tend to get in your way.
> Not if it's well designed.

You mean "Not if my demands are simple and predictable" ?

> GUI policy management also makes life a tad easier when operating in
> enterprise space. Especially when working on a global policy for dozens if
> not hundreds of edge devices.

In what way is a GUI superior to "vi" + perl + rsync + rcs/cvs in managing policies for lots of boxes ?

>>
>>I tossed it in favor of vi and manually making a backup copy before editing.
> Admirable as an editor is, it still doesn't fix the occasional problem
> between chair and keyboard.

That's where CVS comes in. True, a GUI might catch (some) errors on your thinking, but how do you back out of these without a versioning system ??

> The sort of problem we've all experienced, in particular the 'Oh F*CK'
> moment as you realise that your tired 2am self has just hacked the policy
> on the wrong firewall and are now locked out.
> greg
> --
> "vying with Platt for the largest gap
> between capability and self perception"

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out, remove "icke-reklam" if you feel for mailing me. Thanx.

On Wed, 09 Jun 2004 19:19:40 +0100 in <dsjec0d9hf26i99fk91l5nt2d63iskftdb@4ax.com> Greg Hennessy <me@privacy.net> wrote:
>>
>>I tossed it in favor of vi and manually making a backup copy before editing.
>
> Admirable as an editor is, it still doesn't fix the occasional problem
> between chair and keyboard.
>
> The sort of problem we've all experienced, in particular the 'Oh F*CK'
> moment as you realise that your tired 2am self has just hacked the policy
> on the wrong firewall and are now locked out.

I know of no GUI that will prevent that.

--
Chris Dukes
"I'm not really all that interested in what Hollywood does with its stuff. I mean, they're only the size of the porn industry." -- Bruce Sterling
"my vibe is going dave, I can feel it." -- Jasmine

On Wed, 9 Jun 2004 20:19:46 +0000 (UTC), phn@icke-reklam.ipsec.nu wrote:

>
>> Not if it's well designed.
>You mean "Not if my demands are simple and predictable" ?
>

No, I mean "Not if it's well designed".

>
>> GUI policy management also makes life a tad easier when operating in
>> enterprise space. Especially when working on a global policy for dozens if
>> not hundreds of edge devices.
>
>In what way is a GUI superior to "vi" + perl + rsync + rcs/cvs in managing
>policies for lots of boxes ?

No disrespect, the fact that you asked that question shows a certain lack of comprehension of the scaling issues involved when working in an enterprise environment.

If one has to readdress a key infrastructure component, a GUI means one doesn't have to manually hack, test and reload several hundred policies.

Test being the important word here. Corporate change management environments are rigorous.

>>>I tossed it in favor of vi and manually making a backup copy before editing.
>
>> Admirable as an editor is, it still doesn't fix the occasional problem
>> between chair and keyboard.
>That's where CVS comes in.

Which is of zero use if one has done an inadvertent pfctl -f and locked out access on a box 2 continents away.

>True, a GUI might catch (some) errors on your thinking,

It'll catch all syntax errors. It'll also catch a decent subset of the semantic ones also. A decent GUI will abstract out the physical network security policy into objects and flows. It also will take care of dependency checking.

>but how do you back out of these without a versioning system ??

Using a GUI and a versioning system are not mutually exclusive. Even in the bad bad old days of using ckp 2.x and 3.x one always took a copy of a running policy before working on it.

greg
--
"vying with Platt for the largest gap
between capability and self perception"

On Wed, 09 Jun 2004 23:30:39 +0100, Greg Hennessy wrote:

> Which is of zero use if one has done an inadvertent pfctl -f and locked
                                                      ^^^^^^^^
> out access on a box 2 continents away.

It's no wonder you Windoze weenies have a problem with using exact commands.
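
The lockout discussed in the thread (an inadvertent `pfctl -f` on a remote box, with a backup copy or CVS as the only safety net) can be guarded against with a parse-check followed by a load that rolls itself back unless confirmed. The script below is an added example, not code from any poster; `safe_pf_load`, `LIVE`, `WINDOW` and `CONFIRM` are assumed names, and the only pfctl options it uses are `-n` (parse without loading) and `-f`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: safe_pf_load, LIVE,
# WINDOW, CONFIRM. PFCTL can be overridden to test without a real firewall.
PFCTL=${PFCTL:-pfctl}
LIVE=${LIVE:-/etc/pf.conf}              # ruleset that is loaded at boot
WINDOW=${WINDOW:-120}                   # seconds to wait for confirmation
CONFIRM=${CONFIRM:-/var/run/pf-confirm} # flag file the admin creates to keep rules

# safe_pf_load CANDIDATE
#   0 = candidate confirmed and installed as $LIVE
#   1 = candidate rejected before the running ruleset was touched
#   2 = candidate loaded but not confirmed; previous ruleset reloaded
safe_pf_load() {
    candidate=$1
    backup="$LIVE.bak"

    # Parse only: a syntax error never reaches the running firewall.
    "$PFCTL" -n -f "$candidate" || return 1

    # Keep the known-good ruleset so there is something to roll back to.
    cp -p "$LIVE" "$backup" || return 1
    rm -f "$CONFIRM"

    # Load the candidate; if the load itself fails, restore the old rules.
    "$PFCTL" -f "$candidate" || { "$PFCTL" -f "$backup"; return 2; }

    # Wait for proof that the admin can still get in.
    waited=0
    while [ "$waited" -lt "$WINDOW" ]; do
        if [ -e "$CONFIRM" ]; then
            rm -f "$CONFIRM"
            cp "$candidate" "$LIVE"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # No confirmation: assume a lockout and restore the previous ruleset.
    "$PFCTL" -f "$backup"
    return 2
}
```

Run it under `nohup` or inside a terminal multiplexer so a dropped session cannot kill the rollback, and create the flag file from a fresh login rather than from the session that started the load.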