Request: Submission of Rulesets

Thomas Jones admin at
Thu Aug 25 00:25:06 CEST 2005

Hash: SHA1

On Wednesday 24 August 2005 16:07, /dev/rob0 wrote:
> On Wednesday 2005-August-24 13:14, Thomas Jones wrote:
> > Abstract:
> I readily admit that this is not a good day for me. I am not operating
> at full capacity, so to speak. But I have to say that this post made no
> sense at all to me. Is it just me? Did anyone else understand it? If
> so, can you explain it?
> I once saw an online automated generator of scholarly papers. It was
> hilarious! It used language just like this.

Hehehe. Ok...lets make it simple for you. Various security documentation is
composed using a custom XML markup language. Depending on the content,
modules are included or excluded. Given that these document instances are
security in nature they can be secured by a digital signature, encryption, or 

> Okay, I think I see a little substance here. The poster wants something
> which lists every possible valid netfilter rule. Right?

Seemingly, you are the the person to do this feat? Realistically, I don't 
expect you or anybody else to have knowledge of all the rules. I have already
developed the basic structure of the DTD. I just want to do some QA on various
rulesets that I have not applied it to.

> Unfortunately, the list of valid rules is almost infinite. And what's
> valid may vary in context: what's available in the kernel, other rules
> in the chain, et c. "iptables I OUTPUT -j LOG" is a valid rule (rather
> unfortunate if the local syslogd is logging to a remote syslog server,
> as each packet generates another one ad infinitum), but only valid if
> the LOG target is available.

The scenario you describe is what is called a conditional statement. Pretty 
self-explanatory with regards to an XML DTD(or many other disciplines for 
that reason).

> It's not even possible.

This statement is rather benign. Going back to your conditional statement 
scenario; the DTD is constructed like that of a programming language. It can
be developed by means of pseudo-functions. An element may contain another, so 
on so forth. This is surely within the intended scope and capability.

> Perhaps the purpose and intent of the SDI Firewall Rule Subset project
> should be reevaluated.

Because you do no not fully understand does not make it wrong. 

How do you know what I don't know? You are not me.
- ---Zhuang Zi - The Warring States Period

Version: GnuPG v1.2.4 (GNU/Linux)


More information about the netfilter mailing list