From, an OpenBSD-based firewall

The backend is the central process, and provides:

  • The SOAP API, which is the only way to interact with the system (unless root access is enabled)
  • Access to, and revision management of, the configuration file
  • Tracking the system's state, in order to perform only the necessary changes when a new configuration is applied
  • Actuating the changes (events) via kernel APIs and system files
  • Starting, stopping and providing watchdogs for the other processes

One of the most important benefits of having a continuously running backend process is the ability to apply an entire configuration file without having to reboot. Because the backend compares the new configuration file to the running configuration, only the necessary changes are made. One feature that becomes remarkably elegant under this scheme is clustering, as it is only a matter of transferring the configuration to the other cluster nodes.
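The compare-then-apply behaviour described above, as an added sketch that is not the project's own code: it diffs a running configuration against a new one and emits only the events that need actuating. The nested-dictionary layout, the event names and the helper names `flatten`, `diff_events` and `apply_events` are assumptions made for illustration.

```python
# Added illustration: hypothetical config layout and event names, not the project's format.
from typing import Any, Iterator

Config = dict[str, Any]
Event = tuple[str, str, Any]  # (action, dotted path, new value)

def flatten(cfg: Config, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, leaf value) pairs for a nested configuration."""
    for key, value in cfg.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value

def diff_events(running: Config, new: Config) -> list[Event]:
    """Compare configurations and return only the changes that must be actuated."""
    old, want = dict(flatten(running)), dict(flatten(new))
    events: list[Event] = []
    # Removals first so a stale setting never coexists with its replacement.
    for path in sorted(old.keys() - want.keys()):
        events.append(("remove", path, None))
    for path in sorted(want):
        if path not in old:
            events.append(("add", path, want[path]))
        elif old[path] != want[path]:
            events.append(("change", path, want[path]))
    return events

def apply_events(state: dict[str, Any], events: list[Event]) -> dict[str, Any]:
    """Actuate events against a flat state table (stand-in for kernel/system calls)."""
    state = dict(state)
    for action, path, value in events:
        if action == "remove":
            state.pop(path, None)
        else:
            state[path] = value
    return state

# Constructed sample configurations.
RUNNING = {"interfaces": {"em0": {"address": "192.0.2.1/24"}},
           "services": {"ntp": {"enabled": True}, "snmp": {"enabled": True}}}
NEW = {"interfaces": {"em0": {"address": "192.0.2.1/24"},
                      "em1": {"address": "198.51.100.1/24"}},
       "services": {"ntp": {"enabled": False}}}

if __name__ == "__main__":
    for event in diff_events(RUNNING, NEW):
        print(event)
```

Re-applying the same configuration yields no events, and a node starting from any other state converges on the same result once it receives the file, which is why clustering reduces to transferring the configuration.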

Using a SOAP API as the only way to interact with the system enforces a very strict security model. Even the CLI is a sandboxed SOAP client that executes everything through the backend process, using the same virtual terminal as the graphical web administration.