Mon, 28 Feb 2005

Transforming an old PC into a commercial-grade firewall/router/VPN appliance.

Yup, it's possible and I'm hashing out the details. Currently the commercial barrier is the lack of some really simple GUI elements for existing utilities like Packet Filter, dhcpd and the IPsec utilities.

While most home firewall/router builders use a web browser interface, the first specific problem with making that work is that pfctl must be run as root to get or set any pf data. This means the web server must also run as root, or better yet, its CGIs must run as root, or even better, the user the CGI runs as should be in the sudoers file and allowed to execute only those specific commands.

Whew, well where does this leave us? It means that if someone were to find a way to get a shell by exploiting the web server and drop into it as the user the server is running as, they could modify the firewall if that user is allowed to use the -f or -T flags of pfctl. Otherwise, they would only have read access, which is not as bad but still kind of shitty.
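What the sudoers split between read and write access looks like in practice, as an added example that is not from the original post: the first entry is the kind of blanket grant the paragraph warns about, the second limits the web server user to exact read-only pfctl invocations. The user name `www` (OpenBSD's web server account) and the path `/sbin/pfctl` are assumptions about the box being built.

```sudoers
# Weak: any argument list is permitted, so a shell obtained as www can run
# "pfctl -f /etc/pf.conf" or "pfctl -T ..." and rewrite the live ruleset.
www     ALL = (root) NOPASSWD: /sbin/pfctl

# Better: when a sudoers command spec carries arguments, sudo requires the
# invoked arguments to match them exactly. Only these read-only queries pass;
# -f, -T, -e, -d and any other flag are refused and logged via syslog.
Cmnd_Alias PF_READ = /sbin/pfctl -s rules, \
                     /sbin/pfctl -s nat, \
                     /sbin/pfctl -s states, \
                     /sbin/pfctl -s info
www     ALL = (root) NOPASSWD: PF_READ
```

Keep only one of the two entries; the first makes the second meaningless. Refused attempts show up in the authpriv log as "command not allowed", which is a cheap signal that someone is poking at the CGI user's privileges. Edit the file with visudo so a syntax error cannot lock root out of sudo.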

A free utility called Metacortex uses Apache and PHP 4 to show us data from the system. This goes deeper than just PF data and into the entire process list and memory usage. It is accomplished by a series of shell scripts which are run as root via cron; the web browser just pulls the information from the generated text file. I don't see this as a feature, as it's less accurate (the data is only as fresh as the last cron run) and accomplishes the same thing as using sudo. To set PF rules, it merely has an interface that lets you generate a rule set from some GUI elements, which it then prints to the screen if it's valid. You have to ssh or use the local console on the box to actually make the new rules take effect.

While the SonicWall series of products pretty suck on features, they make up for it with support and user interface. I'm looking for something which can take the place of the SonicWall interface, run on commodity hardware or via an appliance, and have an unlimited usage license.

posted at: 01:34 | path: /hacking
