OpenBSD Journal

New Project: Simple OpenBSD Firewall Interface

Contributed by jose on from the pf-web dept.

The Simple OpenBSD Firewall Interface (SOFI) project was announced earlier this weekend in an email to misc@ . From the announcement email:

Some interesting features include:

  • Automated installation process
  • Network autodetection
  • Web interface for all administrative functions
  • Support for DNS and DHCP servers
The project itself is hosted at the SOFT Sourceforge site where you can see feature descriptions and even a small demo of the interface.

(Comments are closed)


Comments
  1. By Anonymous Coward () on

    It may be a bit reinventing the wheel, since lots of these instant-router projects already exist.
    It's nicely done though, and it features a full system, allowing the admin to 'grow' as he/she learns more about OpenBSD. Other projects are mostly stripped-down versions of the base OS, allowing for not much growth.

    Comments
    1. By Anonymous Coward () on

      Agreed. Some users that are _users_ with no real desire to be firewall administrators would find this sufficient. The others that want to continue to expand their knowledge could easily do so, without having to redo anything.

      The only thing I didn't see was a report on NAT, showing who is being NATed currently or who has been NATed. You could easily run a nmap on your NATed interface to see who responds, and who is not listed in your hosts file, for example. There may be other ways, I haven't looked.

      Good foundation, and don't let the brainless naysayers here disturb you. After all, code talks, and hot air walks.

  2. By Anonymous Coward () on

    Waste of time *cough*

    Comments
    1. By Anonymous Coward () on

      Ever notice how it's always the freeloaders who have contributed absolutely nothing that are so eager to shoot down others work?

      Comments
      1. By Anonymous Coward () on

        OMG LET US GO CRAZY OVER A FOUR WORD POST!!! I think that you do not know he is a freeloader, but we must refer to the jeffersonian definition of freeloaderite-ism as opposed to the hegelian definition. you are a communist!

        Comments
        1. By cosmopolitan () on

          as with all forms of leadership: comunism is not that bad, if it is not too extreme! ;) but that's offtopic.... i think this project is a great idea. Users can really learn a lot ... i think that one-floppy-firewalls or some shrinked OSs with extremely limited opportunitys is (nearly) useless!

      2. By couderc () on

        They also do it anonymously :)

    2. By Anonymous Coward () on

      Brilliant argumentation *cough*

    3. By Josh () selerius@codefusion.org on http://www.codefusion.org

      "Waste of time *cough* "

      How about not using the "anonymous coward" option next time, and let us know who you are. Its easy to point fingers and remain anonymous...

      Until that time arrives, We will consider your comment moronic, on the basis that if you don't have the balls to let us know who you are, then you don't have ability/intellegence to backup such a comment.

      So please enlighten us as to what you have contributed to OpenBSD that makes this person's hard work a "Waste of Time."

      Comments
      1. By Anonymous Coward () on

        I really think he has the right to remain anonymous, what do you want to prove over here, that we should also vote non-anymously?

        Comments
        1. By couderc () on

          He has nothing to prove, everybody knows exactly what is an anonymous coward.
          Anonymous critics have no value, especially when they say that something is shit.
          Now if you don't have any good arguments just shut up.

    4. By RC () on

      In my lifetime, I will almost certianly never go into space... Therefore the space shuttle is a huge waste of time.

      Ummm, cough.

  3. By End User () on

    your screenshots are nothing more than text imbedded in a webpage. if someone's not smart enough to configure Obsd from command line, they probably won't understand your text output either. try using perl or something to make the web interface more user friendly.
    i'll stick to the CL.

  4. By Not Really Anonymous () on

    First, I think creating a project to simplify firewalling is great. This will allow the average joe to be that much more secure.

    Second, why is the project using a web interface? Yes, it's easier to develop, but I wouldn't trust my firewall with a web interface.

    One more thing, is the password sent to the firewall encrypted in any way?

    It's great to use OpenBSD because they make security a priority, but that won't stop someone from doing a simple sniff and undermining your entire network.

    Comments
    1. By Anonymous Coward () on

      "Second, why is the project using a web interface? Yes, it's easier to develop, but I wouldn't trust my firewall with a web interface."

      I would: Apache+SSL & .htaccess

      Comments
      1. By Not Really Anonymous () on

        I can agree with you concerning other types of projects, but my main point was about unencrypted traffic. I looked through the site and even at the demo, but it doesn't look like they are using ssl.

        Then you have the average user setting up apache (w/.htaccess) and openssl, but still trying to group them into the simple pf interface category. To me (and I'm no guru) it's easier to configure the firewall with vi and I don't have to worry about securing a web interface.

        There is also a lot of configuration involved to insure the web interface is secure and to miss one thing could compromise your entire network. They don't provide detailed information on how to insure the interface is secure.

        The more layers you add, the level of risk increases.

        I think if they focused on a secure simple interface, be it web or other, it would greatly help others become more secure. They would also need to provide detailed information on how to setup and configure the interface.

        just my 5 euros.

  5. By Matt Van Mater () on

    But I happen to like this idea. I don't really care about the web interface, but I like the auto installation and other handy ideas. I have yet to find an example of how I can make a truly automated install diskette (and i'm not talking about sitexx.tgz) without a huge amount of work. I wish i had the mandrakish "replay this installation" feature where you could record all of your settings and choices to a floppy and then reinstall at any time.

    good for you guys.

  6. By Mark Heily () mheily@users.sourceforge.net on http://www.heily.com

    I am the main developer of the SOFI project, and I want to respond to some of the issues raised.

    First of all, about security: OpenSSL+basic authentication is used to secure the web interface. Passwords are encrypted.

    Secondly, the web interface is reasonably secure and requires no user tweaking. The FAQ explains more about the security model used, but basically it has a custom 'sudo' that can only run a limited set of commands as root.

    Lastly, I had a lot of fun writing this and I hope people find it useful for their home networks.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]