* Netfilter rule notation and rule parsers
From: René Pfeiffer
Date: 2007-02-19 15:25 UTC
To: netfilter

Hello, Netfilter List!

I have a question regarding the notation of filter rules. I am quite familiar with the syntax of the iptables command. Apparently most people who write firewall scripts are familiar with it as well, since a lot of scripts configuring Netfilter rules consist of a shell script and config scripts. Most people that run a packet filter don't want to delve into the depths of the iptables syntax in order to change a few rules.

Is anyone on this list aware of projects that try to define a kind of meta-syntax for filtering rules which can be processed and stored more easily than shell script fragments? Maybe someone has tried to write a parser in order to import OpenBSD pf or Cisco PIX rules. I'd like to hear about anyone who has thoughts on this.

I am aware that there are several rule editors out there (such as FWbuilder). I am more interested in a low-level approach having simple rules that can be parsed easily and possibly distributed among multiple firewall systems.

Best wishes,
René.

-- 
)\._.,--....,'``.        Let GNU/Linux work for you while you take a nap.
/,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems? http://web.luchs.at/information/blockedmail.php
* Re: Netfilter rule notation and rule parsers
From: Franck Joncourt
Date: 2007-02-19 19:38 UTC
To: netfilter

René Pfeiffer wrote:
> Hello, Netfilter List!
>
Hi,

> I am aware that there are several rule editors out there (such as
> FWbuilder). I am more interested in a low-level approach having simple
> rules that can be parsed easily and possibly distributed among multiple
> firewall systems.
>
I do not think there is another way to work at low level without writing rules by yourself. The more you write, the more you understand.

This is not my job, and I am far from being an expert, but I should say, distributed rules among multiple systems is not that simple; it depends on your needs. Can a script for a router be useful for a server? It can be complicated to get a script working on both systems.

Maybe I am mistaken, but this is my point of view.

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
* Re: Netfilter rule notation and rule parsers
From: René Pfeiffer
Date: 2007-02-19 22:54 UTC
To: netfilter

On Feb 19, 2007 at 2038 +0100, Franck Joncourt appeared and said:
> René Pfeiffer wrote:
> > I am aware that there are several rule editors out there (such as
> > FWbuilder). I am more interested in a low-level approach having simple
> > rules that can be parsed easily and possibly distributed among multiple
> > firewall systems.
>
> I do not think there is another way to work at low level without writing
> rules by yourself. The more you write, the more you understand.

Well, yes, but maybe my mail wasn't written well enough. I agree that people who really want to learn the capabilities and the internals of Netfilter should do that by writing scripts. My question was directed at another scenario; time for an example.

I am sysadmin for a couple of Netfilter firewalls that have been running smoothly for many years now. Most setups are fairly static or only changed by sysadmins who know what they are doing. Some firewalls protect a NATed DMZ with development servers running on a Xen host. The developers frequently start new servers with new services (mostly HTTP and HTTPS) on a virtualised server with a static IP. They need this server for a couple of weeks or months, then they deactivate it. Maybe they wish to reactivate it after a period of time just to run some additional tests.

Now the rules you need for this setup are NAT/NAPT translation rules and, of course, filter rules. The Netfilter machine in question handles this by virtue of a Bash script that contains a couple of functions. The problem is that the developers wish to tell the firewall which IP and port to translate and to allow access to by using a minimal set of parameters. They don't care for NAT, NAPT, marking packets or policy routing. They simply wish to switch on a service and switch it off again. (IMHO this is not the "right" approach to firewalling, but this is another story.) So that's the reason why I asked before writing yet another rule language and yet another parser.

> This is not my job, and I am far from being an expert, but I should
> say, distributed rules among multiple systems is not that simple; it
> depends on your needs. Can a script for a router be useful for a
> server? It can be complicated to get a script working on both
> systems.

Yes, the distribution of rules was another use I had in mind, mainly as a means to copy a working configuration to another firewall machine in case of deceased hardware. I don't intend to magically "autoparse" rules between machines that have completely different roles. ;)

Best regards,
René.

-- 
)\._.,--....,'``.        Let GNU/Linux work for you while you take a nap.
/,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems? http://web.luchs.at/information/blockedmail.php
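The "switch a service on and off with a minimal set of parameters" setup René describes above, as an added example that is not part of the thread and not his firewall script: a tiny rule notation (assumed here: `on|off proto public-ip public-port internal-ip internal-port`, one rule per line) is translated by a POSIX shell function into the DNAT rule and the matching FORWARD rule it implies, with `off` producing the corresponding `-D` deletions. The external interface name `eth0`, the chain layout, and the assumption that an ESTABLISHED,RELATED rule already sits earlier in FORWARD are all assumptions of this example. Commands are printed rather than executed, so a rule file submitted by developers can be validated and reviewed before it touches the firewall, and malformed lines are rejected instead of being passed through to iptables.

```shell
#!/bin/sh
# Added example (not from the thread): minimal service on/off notation
# translated into iptables commands. Output is printed, not executed.
#
# Notation (assumed):
#   <on|off> <tcp|udp> <public-ip> <public-port> <internal-ip> <internal-port>

WAN_IF="eth0"   # assumed external interface of the firewall

# Validate an IPv4 dotted quad: four numeric octets, each 0-255.
valid_ip() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# Validate a TCP/UDP port number in the range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Translate one rule line into two iptables commands. Prints nothing and
# returns 1 when the line does not fit the notation or carries bad values,
# so a typo never reaches iptables in a half-parsed form.
rule_to_iptables() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ $# -eq 6 ] || return 1
    action=$1 proto=$2 pub_ip=$3 pub_port=$4 int_ip=$5 int_port=$6
    case "$action" in
        on)  op="-A" ;;                 # switch the service on: append rules
        off) op="-D" ;;                 # switch it off: delete the same rules
        *)   return 1 ;;
    esac
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    valid_ip "$pub_ip" && valid_ip "$int_ip" || return 1
    valid_port "$pub_port" && valid_port "$int_port" || return 1
    # NAPT: rewrite the public address/port to the internal server.
    printf 'iptables -t nat %s PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$op" "$WAN_IF" "$proto" "$pub_ip" "$pub_port" "$int_ip" "$int_port"
    # Filter: allow only new connections to the translated flow into the DMZ;
    # replies are covered by an ESTABLISHED,RELATED rule assumed earlier in FORWARD.
    printf 'iptables %s FORWARD -i %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$op" "$WAN_IF" "$proto" "$int_ip" "$int_port"
}

# Process a whole rule file on stdin. Blank lines and '#' comments are
# skipped; rejected lines are reported on stderr and make the function fail.
rules_to_iptables() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        rule_to_iptables "$line" || { echo "rejected: $line" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample rule file for a stand-alone run (last line is invalid).
SAMPLE_RULES='# developer test server, switched on
on tcp 192.0.2.10 443 10.0.0.5 8443
off udp 192.0.2.10 5060 10.0.0.6 5060
on tcp 192.0.2.10 99999 10.0.0.7 80'

printf '%s\n' "$SAMPLE_RULES" | rules_to_iptables || echo "some rules were rejected" >&2
```

Because the generator only ever emits the two fixed rule templates, the most a developer can request through this notation is a port forward plus the matching accept rule; anything else in the line is rejected before it is interpreted, which is the property that makes handing such a file to non-firewall people tolerable.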