* Netfilter rule notation and rule parsers
From: René Pfeiffer @ 2007-02-19 15:25 UTC
To: netfilter
Hello, Netfilter List!
I have a question regarding the notation of filter rules. I am quite
familiar with the syntax of the iptables command. Apparently most people
who write firewall scripts are familiar with it as well since a lot of
scripts configuring Netfilter rules consist of a shell script and config
scripts. Most people that run a packet filter don't want to delve into
the depths of the iptables syntax in order to change a few rules.
Is anyone on this list aware of projects that try to define a kind of
meta-syntax for filtering rules which can be processed and stored easier
than shell script fragments? Maybe someone has tried to write a parser
in order to import OpenBSD pf or Cisco PIX rules. I'd like to hear about
anyone who has thoughts on this.
I am aware that there are several rule editors out there (such as
FWbuilder). I am more interested in a low-level approach having simple
rules that can be parsed easily and possibly distributed among multiple
firewall systems.
Best wishes,
René.
--
)\._.,--....,'``. Let GNU/Linux work for you while you take a nap.
/, _.. \ _\ (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.' - System administration + Consulting + Teaching -
Got mail delivery problems? http://web.luchs.at/information/blockedmail.php
* Re: Netfilter rule notation and rule parsers
From: Franck Joncourt @ 2007-02-19 19:38 UTC
To: netfilter
René Pfeiffer wrote:
> Hello, Netfilter List!
>
Hi,
> I am aware that there are several rule editors out there (such as
> FWbuilder). I am more interested in a low-level approach having simple
> rules that can be parsed easily and possibly distributed among multiple
> firewall systems.
>
I do not think there is another way to work at low level without writing
rules by yourself. The more you write, the more you understand.
This is not my job, and I am far from being an expert, but I should say,
distributed rules among multiple systems is not that simple; it
depends on your needs. Can a script for a router be useful for a
server? It can be complicated to get a script working on both systems.
Maybe I am mistaken, but this is my point of view.
--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
* Re: Netfilter rule notation and rule parsers
From: René Pfeiffer @ 2007-02-19 22:54 UTC
To: netfilter
On Feb 19, 2007 at 2038 +0100, Franck Joncourt appeared and said:
> René Pfeiffer wrote:
> > I am aware that there are several rule editors out there (such as
> > FWbuilder). I am more interested in a low-level approach having simple
> > rules that can be parsed easily and possibly distributed among multiple
> > firewall systems.
>
> I do not think there is another way to work at low level without writing
> rules by yourself. The more you write, the more you understand.
Well, yes, but maybe my mail wasn't written well enough. I agree that
people who really want to learn the capabilities and the internals of
Netfilter should do that by writing scripts. My question was directed at
another scenario - time for an example. I am sysadmin for a couple of
Netfilter firewalls that have run smoothly for many years now. Most setups
are fairly static or only changed by sysadmins who know what they are
doing. Some firewalls protect a NATed DMZ with development servers
running on a Xen host. The developers frequently start new servers with
new services (mostly HTTP and HTTPS) on a virtualised server with a
static IP. They need this server for a couple of weeks or months, then
they deactivate it. Maybe they wish to reactivate it after a period of
time just to run some additional tests.
Now the rules you need for this setup are NAT/NAPT translation rules and,
of course, filter rules. The Netfilter machine in question handles this
by virtue of a Bash script that contains a couple of functions. The
problem is that the developers wish to tell the firewall which IP and
port to translate and to allow access to by using a minimal set of
parameters. They don't care for NAT, NAPT, marking packets or policy
routing. They simply wish to switch on a service and switch it off
again. (IMHO this is not the "right" approach to firewalling, but this
is another story.)
So that's the reason why I asked before writing yet another rule
language and yet another parser.
> This is not my job, and I am far from being an expert, but I should
> say, distributed rules among multiple systems is not that simple; it
> depends on your needs. Can a script for a router be useful for a
> server? It can be complicated to get a script working on both
> systems.
Yes, the distribution of rules was another use I had in mind, mainly as
a means to copy a working configuration to another firewall machine in
case of deceased hardware. I don't intend to magically "autoparse" rules
between machines that have completely different roles. ;)
Best regards,
René.
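As an added illustration of the "minimal set of parameters" scenario above (this is example code written for this page, not a script from the thread or from any project named in it), here is one shape such a notation and its parser could take: one line per service, and a generator that rebuilds two dedicated chains from the file each time it runs. The rule format, the chain names `DMZ_DNAT` and `DMZ_FWD`, the interface name and all addresses are assumptions; the chains are assumed to already exist and to be jumped to from `PREROUTING` (nat table) and `FORWARD`. Because the whole chain is regenerated from the file rather than patched with add/delete pairs, running the generator twice is harmless, a service is switched off by flipping `on` to `off` and rerunning, and the same file can simply be copied to a standby firewall.

```python
"""Tiny per-service NAT + filter rule notation with a parser that emits
iptables commands.  Example code for this discussion; file format, chain
names, interface and addresses are assumptions, not anything from the thread."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Notation (assumed):  <on|off> <internal-ipv4> <port> <tcp|udp>
# '#' comments and blank lines are ignored.  Developers only ever touch
# the first column; NAT and filtering details stay inside the generator.
RULE_RE = re.compile(r"^(on|off)\s+(\S+)\s+(\d{1,5})\s+(tcp|udp)$", re.IGNORECASE)

# Chains assumed to exist and to be reached from PREROUTING / FORWARD.
NAT_CHAIN = "DMZ_DNAT"
FWD_CHAIN = "DMZ_FWD"


@dataclass(frozen=True)
class ServiceRule:
    enabled: bool
    host: ipaddress.IPv4Address
    port: int
    proto: str


def parse_rule(line: str, lineno: int = 0) -> ServiceRule:
    """Parse one rule line; reject anything that is not exactly the notation."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"line {lineno}: cannot parse {line!r}")
    action, host, port, proto = m.groups()
    port_n = int(port)
    if not 1 <= port_n <= 65535:
        raise ValueError(f"line {lineno}: port {port_n} out of range")
    # IPv4Address() raises ValueError on anything that is not a plain address,
    # so hostnames, CIDR ranges and shell metacharacters never reach iptables.
    return ServiceRule(action.lower() == "on", ipaddress.IPv4Address(host),
                       port_n, proto.lower())


def parse_rules(text: str) -> List[ServiceRule]:
    """Parse a whole rule file; duplicate (host, port, proto) entries are an error,
    since two lines for one service would make 'on'/'off' ambiguous."""
    rules: List[ServiceRule] = []
    seen = set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line, n)
        key = (rule.host, rule.port, rule.proto)
        if key in seen:
            raise ValueError(f"line {n}: duplicate service {key}")
        seen.add(key)
        rules.append(rule)
    return rules


def render(rules: List[ServiceRule], wan_if: str, wan_ip: str) -> List[str]:
    """Emit the iptables commands that rebuild both chains from the rule list.
    Disabled services simply produce nothing, so flushing + re-adding is idempotent."""
    cmds = [f"iptables -t nat -F {NAT_CHAIN}", f"iptables -F {FWD_CHAIN}"]
    for r in rules:
        if not r.enabled:
            continue
        cmds.append(f"iptables -t nat -A {NAT_CHAIN} -i {wan_if} -d {wan_ip} "
                    f"-p {r.proto} --dport {r.port} "
                    f"-j DNAT --to-destination {r.host}:{r.port}")
        cmds.append(f"iptables -A {FWD_CHAIN} -i {wan_if} -d {r.host} "
                    f"-p {r.proto} --dport {r.port} "
                    f"-m conntrack --ctstate NEW -j ACCEPT")
    return cmds


# Constructed sample rule file (addresses are documentation ranges, not real hosts).
SAMPLE_RULES = """\
# dev-web: on for the duration of the test run
on  10.0.0.5  443  tcp
on  10.0.0.5  80   tcp
# dev-api: switched off after the sprint
off 10.0.0.7  8080 tcp
"""

if __name__ == "__main__":
    for cmd in render(parse_rules(SAMPLE_RULES), "eth0", "192.0.2.1"):
        print(cmd)
```

The generator only prints the commands; piping them into `sh` (or wrapping them in the existing Bash functions) is the deliberate last step, so a malformed file fails at parse time and never leaves the firewall half-configured.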