[CLUG] Web-based iptables administration

adam beecher lists at beecher.net
Wed Feb 9 22:28:33 GMT 2005


> I have subversion repos already setup and a trac wiki set up 
> as well Adam, just need the email list. 
> 
Cool. Let's use CLUG for the rest of the week, see how it goes. I'm sure
people won't mind a few extra mails for a few days.

> to dump the iptables rules into a database and then from 
> there generate a firewall script.
>
That's what Plesk does, but their data is stored in BLOBs, and what comes
out of the BLOB in a dump looks like hexcodes and/or encrypted strings. I
haven't looked at the rest of the tables tbh but given Plesk's proprietary
nature I'd say it's encrypted to stop nasty people like us reverse
engineering their pretty toy. (The PHP scripts are encoded, before anyone
asks. :)

> Now there are all sorts of permissions issues we gotta look at.
> I presume that the user in Plesk who edits the firewall rules
> is the server administrator and not Joe Bloggs.
> 
Yeah, the Plesk admin interface runs a separate Apache webserver on 8443,
which is overkill for our needs. However Plesk just generates a shell script
that loads the firewall, and I think we should go that route too. I was
thinking along the lines of suexec, but that's probably a bit too
complicated for our target market. Perhaps if we just stick with ssh to
activate it for now, and come back to more advanced activation stuff later?

BTW, I think it's very important to make sure that people don't lock
themselves out of their servers by mistake, so I think we should definitely
include some code (just `sleep`, presumably) to automatically deactivate the
new firewall after a minute or so, so people can test it. Perhaps if the
shell script loaded the fw like that by default, and to activate it properly
you have to pass a flag, or even a password?

I'll reply to your other, rather longer(!) post later on or tomorrow.

adam
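The "load it, then roll back automatically unless the admin confirms" idea from the post, written out as a small POSIX sh loader. This is an added example and not the CLUG project's (or Plesk's) code: the file locations, the `apply`/`commit` verbs, the 60-second default and the overridable `IPT_SAVE`/`IPT_RESTORE` hooks are all assumptions made here so the rollback logic can be exercised without root or iptables.

```sh
#!/bin/sh
# Lockout-safe firewall loader (added example, not the project's own code).
# `apply` saves the running ruleset, loads the new one and arms a timer that
# restores the old ruleset after FW_WINDOW seconds; `commit` cancels the
# timer once the admin has confirmed a fresh ssh login still works.
# All paths, names and the 60s default below are assumptions for the example.

: "${FW_RULES:=/etc/firewall/rules.v4}"   # new ruleset, iptables-save format
: "${FW_STATE:=/run/firewall}"            # backup and timer pid live here
: "${FW_WINDOW:=60}"                      # seconds until automatic rollback
: "${IPT_SAVE:=iptables-save}"            # overridable so the logic can be
: "${IPT_RESTORE:=iptables-restore}"      # tested without root or iptables

fw_backup()  { echo "$FW_STATE/previous.v4"; }
fw_pidfile() { echo "$FW_STATE/rollback.pid"; }

# Load $FW_RULES and arm the rollback timer. Refuses to run while another
# load is pending, so a second apply cannot overwrite the real "previous"
# ruleset with the one currently under test.
fw_apply() {
    mkdir -p "$FW_STATE"
    if [ -f "$(fw_pidfile)" ]; then
        echo "a rollback is already pending; commit it or wait" >&2
        return 1
    fi
    "$IPT_SAVE" > "$(fw_backup)" || return 1
    "$IPT_RESTORE" < "$FW_RULES" || return 1
    (
        # The admin's ssh session may be the very thing the new rules cut
        # off, so ignore the HUP that a dropped session would send us.
        trap '' HUP
        sleep "$FW_WINDOW"
        # Roll back only if nobody committed in the meantime.
        if [ -f "$(fw_pidfile)" ]; then
            "$IPT_RESTORE" < "$(fw_backup)"
            rm -f "$(fw_pidfile)"
        fi
    ) &
    echo $! > "$(fw_pidfile)"
    echo "rules loaded; rolling back in ${FW_WINDOW}s unless you commit"
}

# Cancel the pending rollback: the new rules become permanent. Killing the
# timer subshell may leave its `sleep` child to finish on its own, which is
# harmless because the restore step lived in the subshell, not in sleep.
fw_commit() {
    if [ ! -f "$(fw_pidfile)" ]; then
        echo "nothing pending" >&2
        return 1
    fi
    kill "$(cat "$(fw_pidfile)")" 2>/dev/null || true
    rm -f "$(fw_pidfile)"
    echo "committed"
}

# Exit 0 while a rollback is still armed, 1 otherwise.
fw_pending() { [ -f "$(fw_pidfile)" ]; }

if [ $# -gt 0 ]; then
    case "$1" in
        apply)  fw_apply ;;
        commit) fw_commit ;;
        status) if fw_pending; then echo pending; else echo none; fi ;;
        *) echo "usage: $0 apply|commit|status" >&2; exit 2 ;;
    esac
fi
```

Typical use is `fwload.sh apply`, open a second ssh session to prove the new rules let you in, then `fwload.sh commit` from that session; if the second login fails, do nothing and the old rules return on their own. Keeping the state under `/run` (an assumption here) means a reboot does not leave a stale pidfile behind, and the "already pending" check is the part worth keeping whatever the activation mechanism ends up being.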
