From: Marc Balmer (marc_at_msys.ch)
Date: Wed Oct 02 2002 - 01:10:13 CDT
> IMO, it's too much of a security hole to have a
> gui to manage your pf.conf.
>
Why? We have even developed a special firewall configuration shell,
fwsh, which explicitly allows for the easy template-based config of
a firewall/vpn gateway. It hides most of the pf/isakmpd etc.
complexity.
Editing the plain configuration file should not be allowed for the
untrained user, so I consider a GUI or a shell as a security feature
as it prevents the user from entering non-working configuration data,
IMHO.
Hiding the complex stuff allows you to install OpenBSD machines in
places where no one has UNIX experience.
- Marc