------------------ ----------- ----------- | client | XML | | XML | wfcommitd | | | <- SSL -> | wfpolicyd | <- SSL -> | | | (Web, X11, etc.) | | | | FreeBSD | ------------------ ----------- ----------- ^ | XML,SSL | v ----------- | wfcommitd | | | | Linux | ----------- Communication between client and wfpolicyd, and between wfpolicyd and wfcommitd, should be encrypted with SSL. Every data is transmitted in XML (ruleset, network objects, etc.). - the client is Web based, X11, or even shell interface, which enable to administrate every aspect of the configuration and monitoring. - wfpolicyd is the central daemon which centralizes and stores every information. Clients connect to wfpolicyd, and wfpolicyd sends commands to wfcommitd. - wfcommitd is a daemon that answers to requests coming from wfpolicyd. It translates the ruleset wfpolicyd has transmitted to him into a target language adapted to the operating system (and the corresponding tool) it runs on, using wfconvert or the wfconvert library. - wfconvert is a tool based on the wfconvert library. It uses several input/output modules, and enable to translate a ruleset language into another (wallfire, netfilter, XML, etc.). ------------------- Scenario: 1) The client connects to wfpolicyd, and retrieves the current ruleset. 2) The administrator uses the client in order to modify the ruleset, when he commits the changes 3) The client sends the new ruleset back to wfpolicyd. 4) Wfpolicyd validates the ruleset, then sends the ruleset to wfcommitd. 5) Wfcommitd transforms the ruleset into a netfilter script (if the wfcommitd host is running under Linux 2.4) using wfconvert library. 6) Wfpolicyd asks wfcommitd to commit the ruleset (run the iptables script, here) Wfpolicyd can send commands to wfcommitd. Those commands should be basically: - send the ruleset - (re)start (run the produced script, in the case of iptables) - stop (clear the rules) - get the status (started/stopped, currently active connections, etc.) But wfcommitd can also send feedback to wfpolicyd through a permanent connection: for log events, status events (attacks, or whatever). ------------------- client: - for the moment, it will have no state. wfpolicyd: - the ruleset is stored on the wfpolicyd host in wallfire native language. This allows the administrator to modify ruleset files directly with an editor. - we don't have to implement wfpolicyd in the first place, but everything should be designed so as it would not be too difficult to implement it when the time will come. wfcommitd: - it will use either wfconvert or wfconvert library. -------------------- General remarks: - the different conversions (wallfire->XML, XML->wallfire, XML->iptables) are achieved by the wfconvert library. wf native language | | iptables script wf XML language | <-> wfconvert <-> | ipfilter rules Linux kernel netfilter rules | | XML output - wfconvert library converts one rule description language into another, using an intermediate internal memory model for storing the ruleset. Wfconvert library relies on modules, each corresponding to a particular language (wallfire, iptables, XML, etc.) Each module has input (language to memory model) and output (memory model to language) methods. So every ruleset description language can be turned into another.