OpenBSD Journal

pf frontend PfPro now has NAT Support

Contributed by grey on from the journey to feature parity with vi pf.conf dept.

Adam VanderHook writes:

I have just uploaded PfPro v0.1.0 which adds support for 'nat' and 'rdr' rules. There are other, less noteworthy changes as detailed in the changelog. There is a screenshot of it in action, or just jump straight to the downloads.

(Comments are closed)


Comments
  1. By Peter Hessler (208.201.244.164) on

    Why do people need a web front end for a firewall? LEARN TO READ! If you do it wrong, you are endangering your network. Don't lower the bar, raise the knowledge of the user.

    Comments
    1. By Anonymous Coward (211.30.147.144) on

      Blame it on the Windows world... Most PC users don't have time to sit down and actually learn BSDs/Linux. Which is why the "ease of use" has made MS's OSs popular despite their security issues that often affect the web.

      Comments
      1. By Peter Hessler (208.201.244.164) on

        Most PC users should not be firewall admins. I'm not saying I expect them to be able to code a firewall, but I expected them to have some understanding of tcp/ip, and be able to think. This is analogous to allowing any asshole to be a cop. No, cops need to know certain things. Same thing with firewall admins.

        Comments
        1. By Adam VanderHook (128.183.167.178) acidos@bandwidth-junkies.net on

          Assuming you _are_ a firewall admin., as you seem to imply you know a lot about them, I'm also sure you know about a lovely firewall called Checkpoint, with its own drag-n-drool interface. Now, would you rather people use Checkpoint, or something that utilizes BSD's + PF?

          Comments
          1. By Anonymous Coward (69.197.92.190) on

            If someone uses checkpoint over pf because they are incapable of editing a text file, then it really doesn't matter what they use. Obviously something as potentially complex as a firewall is not safe in their hands, so no matter what they choose it will turn out bad. Most people using checkpoint don't do it for the interface, they do it because it's a widely known, commercially supported firewall that they've heard of. People use pix too, which is more difficult to set up than pf. They use it because they have heard the name "cisco" before, and are trusting their network to that name, despite its lack of shiny buttons.

            The point is, the lack of a GUI is not holding back adoption of pf. It's just that most people have never heard of it, and even among those who have, lots of people are dumb and only use expensive solutions, hoping that will make up for a lack of knowledge.

    2. By Adam VanderHook (128.183.167.178) acidos@bandwidth-junkies.net on

      It's not a web front-end, it's a stand-alone application. It is also a work in progress towards a way to configure nat/firewall/ipsec across multiple platforms for multiple installations in one interface.

      Comments
      1. By M.Raju (66.23.224.121) on

        This is actually useful when selling OpenBSD as a firewall solution to the suits (dumb M$ slaves) in the corporate world. This is a fat client (similar to Checkpoint's GUI to manage FW-1) and not a web-interface which I am not a fan of for far more obvious security reasons. JAVA/XML is a good idea, since it becomes a cross platform solution. I for one encourage this project, even though I am an old school vi /etc/pf.conf person. Cheers for the good work...

        Comments
        1. By Anonymous Coward (62.167.209.178) on

          what about just using fwbuilder? available for different filter 'backends' (iptables, pf, Cisco PIX) ....

          Comments
          1. By Adam VanderHook (128.183.167.178) acidos@bandwidth-junkies.net on

            fwbuilder and PfPro are very similar right now. In fact, fwbuilder is more mature and feature rich than PfPro right now. I plan to change that in time. I personally don't care for fwbuilder, but it's a good choice for those who would use PfPro if it wasn't programmed in Java.

          2. By Anonymous Coward (217.162.136.53) on

            just went over to the fwbuilder page and can't seem to find their openbsd port despite it being mentioned, last time (oh, about 2 years ago) that I attempted to build it, it failed.

            anyone have success with 2.0 on openbsd 3.5/current? btw, I do prefer vi, but ever tried to teach it to a windows user over the phone ;)

            conceptually, I much prefer a standalone remote GUI to a web front-end.

            I can't comment on pfpro as I unfortunately have an innate dislike for java that I am unwilling to kick.

  2. By Anonymous Coward (66.91.136.202) on

    TO ME it seems much more difficult to create firewall rulesets inside one of these applications. The authors of PF spent a lot of time making the pf.conf NICE AND EASY... I think these tools make the issue more complicated
