Request: Submission of Rulesets

Derick Anderson danderson at
Fri Aug 26 13:57:32 CEST 2005

What you said made sense regarding DTDs and XSL stylesheets. XML (from
what I know of it) is a great standard.

> > I can submit a working ruleset that isn't optimal (accepting
> > RELATED,ESTABLISHED connections as the last rule, for example) or
> > that checks src/dst IPs but not which interface...
> I am not here to judge you or the logical purpose of
> your rules. I simply want to contribute to the community.
> None of my projects are for profit.
> However, I do think that it could be a good starting point
> for new users to the netfilter framework to be able to
> construct valid rules and/or rulesets.

My point there wasn't to say "I'm going to try and mess up your
project", it was an example of what I was asking about earlier -
evaluation of a ruleset that goes beyond correct syntax. I'll be
rebuilding my company's iptables firewall soon (the previous sys-admin
didn't quite grasp stateful inspection or using least privilege) and so
perhaps I'll submit a copy with external IPs obfuscated. 

I think there's a lot of work that can be done to ease the learning
curve for Netfilter. It took me a year to fully understand the basics -
where I knew what would happen to a particular packet as it traversed
the chains. A project like yours combined with a simulation environment
would have saved me a lot of dropped SSH sessions. =) I've got no
problem helping out.

> > Admittedly I don't know that much about XML and DTDs. I don't know how
> > powerful DTDs can be, but it seems to me like you'd need a high-level
> > programming language in order to test for more than syntactical
> > correctness.
> That is a totally different beast. This is where the XSL
> stylesheets come into play.
> > A simulation environment for Netfilter rules is something I'd really
> > like to see.
> Agreed. Construction of pseudo datagrams and testing for
> resultant outcomes would be a very interesting project.
> Cheers,
> Thomas

Derick Anderson

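The thread talks about two things a DTD cannot check: the order of rules in a chain (a RELATED,ESTABLISHED accept placed last still works, but every reply packet is compared against every rule before it) and address matches that are not bound to an interface. The sketch below is an added example, not code from the netfilter project or from anyone in this thread. It is a toy first-match simulator of the kind of "pseudo datagram" testing Thomas describes: a few constructed rules, two constructed packets, and a `findings()` pass that reports the ordering and interface points raised above. Everything it models (conntrack state, src/dst, protocol/port, input interface, chain policy) is an assumption chosen to fit the discussion; real netfilter has many more match types and targets.

```python
"""Toy first-match simulator for an iptables-style filter chain (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A pseudo datagram: only the fields this toy model matches on."""
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    in_if: str
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT or DROP
    src: Optional[str] = None            # None means "any" for every match field
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    states: FrozenSet[str] = frozenset()  # empty set means any conntrack state

    def matches(self, p: Packet) -> bool:
        return (
            (self.src is None or self.src == p.src)
            and (self.dst is None or self.dst == p.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.in_if is None or self.in_if == p.in_if)
            and (not self.states or p.state in self.states)
        )


@dataclass
class Chain:
    policy: str        # verdict when no rule matches
    rules: List[Rule]


def walk(chain: Chain, p: Packet) -> Tuple[str, Optional[int]]:
    """First-match traversal: returns (verdict, index of the deciding rule or None)."""
    for i, r in enumerate(chain.rules):
        if r.matches(p):
            return r.target, i
    return chain.policy, None


def findings(chain: Chain) -> List[str]:
    """Checks that go beyond syntax; each mirrors a point raised in the thread."""
    out = []
    if chain.policy != "DROP":
        out.append(f"policy is {chain.policy}; a least-privilege chain defaults to DROP")
    for i, r in enumerate(chain.rules):
        if "ESTABLISHED" in r.states and i > 0:
            out.append(f"rule {i} accepts RELATED,ESTABLISHED but sits after {i} other rules")
        if r.target == "ACCEPT" and (r.src or r.dst) and r.in_if is None:
            out.append(f"rule {i} matches addresses but not the input interface")
    return out


# Constructed rules (hypothetical addresses and interface names)
STATEFUL = Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))
DROP_INVALID = Rule("DROP", states=frozenset({"INVALID"}))
SSH_FROM_LAN = Rule("ACCEPT", src="10.0.0.5", proto="tcp", dport=22)
SSH_FROM_LAN_IF = Rule("ACCEPT", src="10.0.0.5", proto="tcp", dport=22,
                       in_if="eth1", states=frozenset({"NEW"}))

# Constructed: the "works but isn't optimal" ordering the thread mentions
SLOPPY = Chain("ACCEPT", [SSH_FROM_LAN, DROP_INVALID, STATEFUL])
# Constructed: stateful accept first, address match bound to an interface, DROP default
TIGHT = Chain("DROP", [STATEFUL, DROP_INVALID, SSH_FROM_LAN_IF])

# Constructed pseudo datagrams
REPLY = Packet("192.0.2.10", "10.0.0.5", "tcp", 51234, "eth0", "ESTABLISHED")
LAN_ADDR_ON_EXT_IF = Packet("10.0.0.5", "10.0.0.1", "tcp", 22, "eth0", "NEW")

if __name__ == "__main__":
    for name, ch in (("sloppy", SLOPPY), ("tight", TIGHT)):
        print(name, walk(ch, REPLY), walk(ch, LAN_ADDR_ON_EXT_IF), findings(ch))
```

Running it shows the two behaviours the messages above describe: the reply packet is accepted by both chains, but in `SLOPPY` only at rule 2 after two failed comparisons, and a packet carrying a LAN source address on the external interface is accepted by `SLOPPY` (address match, no interface) while `TIGHT` falls through to its DROP policy.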

More information about the netfilter mailing list