[DFD] work on DFD continues
Travis
travis+ml-dfd at subspacefield.org
Thu Oct 2 00:53:06 CEST 2008
I'm in the process of re-writing DFD for the 4.0 release. This release will make the code significantly cleaner.

Rules will almost always have parent containers, which will make it easier to delete expired rules.

I have decoupled the part which interfaces with pf from the rules themselves.

I have also produced a document on the implementation:
http://www.subspacefield.org/security/dfd_keeper/

The big change I am considering is to let people create a set of rules, commands, and variables, "freeze" them into a configuration, and then thaw and run that configuration. This would mean that everything is persisted across reboots or shutoffs, and that there are no more arbitrary lines between variables (which are persistent) and rules (which were not).

This means that I can also include a script to run the frozen configuration, which means less run-time junk in the script you have to write to use DFD. Specifically, it will be much easier for DFD to run like any other daemon, and it will handle all the daemonizing, interrupt-handling, and syslogging by itself, freeing end-users from that desire.

The really exciting changes will come in the form of helper applications; I want to allow single packet authentication (SPA), and set up sniffers that open up bittorrent ports _only_ when they are in use. Because when it comes to security, a closed port is a terrible thing to waste :-)
--
Crypto ergo sum. http://www.subspacefield.org/~travis/
Truth does not fear scrutiny or competition, only lies do.
If you are a spammer, please email john at subspacefield.org to get blacklisted.
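As an added illustration of the design sketched in the post above (this is constructed example code, not DFD's own code, and DFD's actual classes and API are not documented on this page), the following Python shows the three ideas together: rules held in a parent container with expiry times so expired rules are easy to sweep, a backend interface that keeps pf handling out of the rules (a recording backend stands in for pfctl; the `pfctl -t TABLE -T add|delete ADDR` table syntax is real, but nothing is executed), and a configuration that can be frozen to JSON and thawed after a restart, dropping rules that expired while the daemon was down. All names, table names, and sample addresses are assumptions.

```python
"""Constructed sketch of the DFD 4.0 design points: rules in parent containers,
a pf backend decoupled from the rules, and freeze/thaw of a whole configuration.
Not DFD code; names and sample values are assumptions."""
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One dynamic rule: keep `addr` in pf table `table` until `expires` (epoch secs, None = permanent)."""
    table: str
    addr: str
    expires: Optional[float]


class Backend:
    """Interface to the packet filter; rules never touch pf directly."""
    def add(self, rule: Rule) -> None:
        raise NotImplementedError

    def delete(self, rule: Rule) -> None:
        raise NotImplementedError


class RecordingBackend(Backend):
    """Dry-run backend: records the pfctl table commands it would run instead of executing them."""
    def __init__(self) -> None:
        self.calls: List[List[str]] = []

    def add(self, rule: Rule) -> None:
        self.calls.append(["pfctl", "-t", rule.table, "-T", "add", rule.addr])

    def delete(self, rule: Rule) -> None:
        self.calls.append(["pfctl", "-t", rule.table, "-T", "delete", rule.addr])


@dataclass
class Container:
    """Parent container owning its rules, so sweeping expired ones is a single pass."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule, backend: Backend) -> None:
        self.rules.append(rule)
        backend.add(rule)

    def sweep(self, backend: Backend, now: float) -> List[Rule]:
        """Remove from pf and from this container every rule whose expiry has passed."""
        keep: List[Rule] = []
        expired: List[Rule] = []
        for r in self.rules:
            (expired if r.expires is not None and r.expires <= now else keep).append(r)
        for r in expired:
            backend.delete(r)
        self.rules = keep
        return expired


@dataclass
class Config:
    """A frozen set of variables and containers; persists across reboots as JSON."""
    variables: Dict[str, object]
    containers: List[Container] = field(default_factory=list)

    def freeze(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)

    @classmethod
    def thaw(cls, blob: str) -> "Config":
        raw = json.loads(blob)
        containers = [Container(c["name"], [Rule(**r) for r in c["rules"]])
                      for c in raw["containers"]]
        return cls(raw["variables"], containers)

    def replay(self, backend: Backend, now: float) -> int:
        """After a thaw, drop rules that expired while down and re-apply the rest; returns count applied."""
        applied = 0
        for c in self.containers:
            c.sweep(backend, now)
            for r in c.rules:
                backend.add(r)
                applied += 1
        return applied


def demo(now: float = 1_000_000.0):
    """Freeze a config with one short-lived and one permanent rule, then thaw it two minutes later."""
    live = RecordingBackend()
    cfg = Config(variables={"bt_port": 6881}, containers=[Container("bittorrent")])
    bt = cfg.containers[0]
    bt.add(Rule("bt_peers", "192.0.2.10", expires=now + 60), live)  # constructed peer, 60 s lease
    bt.add(Rule("bt_peers", "192.0.2.11", expires=None), live)      # constructed permanent entry
    thawed = Config.thaw(cfg.freeze())
    after_reboot = RecordingBackend()
    applied = thawed.replay(after_reboot, now=now + 120)
    return applied, after_reboot.calls


if __name__ == "__main__":
    print(demo())
```

Running `demo()` replays only the permanent rule after the simulated reboot; the 60-second lease is deleted from the table first because it expired while the daemon was down, which is exactly the bookkeeping that parent containers and a persisted configuration make cheap.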