= Shorewall Management Daemon Proposal =

The purpose of this page is to provide a forum for discussing the proposed Shorewall Management Daemon, including desired features, and to begin to develop the requirements.

== Objective ==

Provide a mechanism for securely interacting with one or more Shorewall systems without requiring shell or root access on the Shorewall system.

== Description ==

The genesis of this idea is BIND's rndc utility. The desire is to allow someone to administer Shorewall on a particular host without needing root, or even shell, access at all. Additionally, in environments where many systems run Shorewall, it would be possible to issue, for example, one command to control multiple Shorewall hosts.

== Discussion ==

Based on preliminary discussions, it seems as though the implementation language will be C. The primary driver for this is the desire to keep the daemon as compact as possible (in both disk footprint and memory footprint), so that it can be available to administrators running Shorewall on embedded systems.

Since the daemon will need to interact with iptables/shorewall (possibly through the {{{system()}}} library call), which affects the netfilter configuration in the running kernel, the daemon will run as root and will not be able to drop privileges once it is running. As a result, the daemon will neither be enabled nor configured by default.

The desired feature set includes the ability to issue "immediate" commands to Shorewall, as well as the ability to inspect and modify the configuration files on disk. "Immediate" commands would be something like {{{shorewall drop 1.2.3.4}}} or {{{shorewall restart}}}; that is to say, those commands take effect immediately.

The utility used to access the Shorewall Management Daemon will have both an interactive mode and a "batch" mode. The "batch" mode would provide access only to "immediate" commands and would also allow sending commands to multiple hosts running the Shorewall Management Daemon; this would also facilitate scripting. The "interactive" mode would allow more complete access to the daemon's features, including the ability to inspect and modify the configuration. Future development could include a GUI management console.

== Details ==

 * Development language: C
 * Target platform: any platform which can run Shorewall, Shorewall-lite, Shorewall6 or Shorewall6-lite

== Suggestions ==

 * The daemon should make use of PKI for remote management.
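The Discussion section notes that the daemon runs as root, cannot drop privileges, and may hand "immediate" commands to {{{system()}}}. The C sketch below is an added illustration, not part of this proposal or of the Shorewall project: it accepts a batch-mode line such as {{{drop 1.2.3.4}}}, allowlists the verb, checks that the argument is a bare IP literal, and runs the shorewall binary through execv() rather than a shell. The binary path, the {{{immediate_cmd}}} struct and the verbs beyond drop and restart are assumptions.

```c
/* Added example, not Shorewall project code: validate a batch-mode "immediate"
 * command before a root daemon runs it, then run it without a shell. Assumed:
 * the binary path, and the verb lists (the page names only drop and restart). */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SHOREWALL_BIN "/sbin/shorewall"   /* assumed install path */
typedef struct { char verb[32]; char arg[64]; int argc; } immediate_cmd;

/* Allowlist: verbs taking no argument, and verbs taking exactly one IP. */
static const char *const no_arg_verbs[] = { "restart", "status", NULL };
static const char *const ip_arg_verbs[] = { "drop", "allow", NULL };

static int in_list(const char *const *list, const char *verb) {
    for (; *list; list++)
        if (strcmp(*list, verb) == 0) return 1;
    return 0;
}
/* True only if s is a bare IPv4 or IPv6 address literal. */
static int is_ip_literal(const char *s) {
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}
/* Parse "verb" or "verb <ip>" into cmd. Returns the argument count (1 or 2),
 * or -1 for an unknown verb, a bad argument, or any trailing text. */
int parse_immediate(const char *line, immediate_cmd *cmd) {
    char extra[2];
    int fields = sscanf(line, "%31s %63s %1s", cmd->verb, cmd->arg, extra);
    if (fields == 1 && in_list(no_arg_verbs, cmd->verb)) return cmd->argc = 1;
    if (fields == 2 && in_list(ip_arg_verbs, cmd->verb) && is_ip_literal(cmd->arg))
        return cmd->argc = 2;
    return -1;
}

/* Run a parsed command via fork/execv: verb and address travel as argv
 * entries, so shell metacharacters in the input are never interpreted.
 * Returns the child's exit status, or -1 on failure. */
int run_immediate(const immediate_cmd *cmd) {
    char *argv[4] = { SHOREWALL_BIN, (char *)cmd->verb,
                      cmd->argc == 2 ? (char *)cmd->arg : NULL, NULL };
    int status; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(SHOREWALL_BIN, argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Anything that is not exactly an allowlisted verb plus a well-formed address is rejected before it gets near the root-privileged execution path.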