Mail archive
alpine-devel

Re: [alpine-devel] Alpine Wall for firewall management

From: Timo Teräs <timo.teras_at_iki.fi>
Date: Wed, 04 Jan 2012 11:21:00 +0200

On 01/03/2012 07:45 PM, Jeremy Thomerson wrote:
>
> On Fri, Dec 30, 2011 at 9:08 AM, Kaarle Ritvanen
> <kaarle.ritvanen_at_datakunkku.fi <mailto:kaarle.ritvanen_at_datakunkku.fi>>
> wrote:
>
> Hello,
>
> We have a new firewall management framework under early development.
> Please check out the draft specification here and provide your comments:
>
> http://wiki.alpinelinux.org/__wiki/Alpine_Wall
> <http://wiki.alpinelinux.org/wiki/Alpine_Wall>
>
> BR,
> Kaarle
>
>
> Not having looked through all of it in great detail, I have a question
> about the following statement from the wiki:
>
> The back-end will contain functionality for domain name resolution.
> In the data model, hosts of groups thereof can be identified by
> their domain names. The back-end will resolve these to IP addresses,
> which will be stored in the target files, so there will be no need
> to resolve anything when activating the configuration during boot.
>
> At what point does the back-end do the resolution? It seems like it
> would need to periodically update this since a firewall may run weeks,
> months, or years with no change and name resolution could change
> periodically. Will it observe TTL?

I believe updating of the DNS records to IPv4/IPv6 addresses would be
administrative step. The idea is to create permanent cache of the fqdn
domain names, that gets refreshed only as a result of running a command
(or clicking acf button).

This is because otherwise just someone updating a dns entry could break
the whole firewall. Additionally, during bootup we cannot usually do dns
queries (so we really need cached info). However, allowing usage of dns
names will be beneficial, as it avoid duplication of information in
multiple places. This should be sufficient as your server dns records
should not change that often; and when they change you probably want to
double check your firewall rules anyway.

The idea is also that for fqdn's both A and AAAA records are used, so
alpine wall would automatically create both ipv4 and ipv6 firewall rules.

> Overall, the plan looks really good. I'd be curious: will there be a
> CLI for the functionality, or will it only be in ACF webapp? I
> typically don't use ACF on my Alpine boxes. I assume without ACF I'll
> just need to modify the Alpine Wall config files directly?

Yes, plan is to have command line functionality as well. ACF would be
just polished way to display the data.

- Timo


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Wed Jan 04 2012 - 11:21:00 GMT