Request: Submission of Rulesets
danderson at vikus.com
Fri Aug 26 13:57:32 CEST 2005
What you said made sense regarding DTDs and XSL stylesheets. XML (from
what I know of it) is a great standard.
> > I can submit
> > a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED
> > connections as the last rule, for example) or that checks
> > src/dst IPs
> > but not which interface...
> I am not here to judge yourself or the logical purpose of
> your rules. I simply want to contribute to the community.
> None of my projects are for profit.
> However, I do think that it could be a good starting point
> for new users to the netfilter framework to be able to
> construct valid rules and/or rulesets.
My point there wasn't to say "I'm going to try and mess up your
project", it was an example of what I was asking about earlier -
evaluation of a ruleset that goes beyond correct syntax. I'll be
rebuilding my company's iptables firewall soon (the previous sys-admin
didn't quite grasp stateful inspection or using least privilege) and so
perhaps I'll submit a copy with external IPs obfuscated.
I think there's a lot of work that can be done to ease the learning
curve for Netfilter. It took me a year to fully understand the basics -
where I knew what would happen to a particular packet as it traversed
the chains. A project like yours combined with a simulation environment
would have saved me a lot of dropped SSH sessions. =) I've got no
problem helping out.
> > Admittedly I don't know that much about XML and DTDs. I
> > don't know how
> > powerful DTDs can be, but it seems to me like you'd need a
> > programming language in order to test for more than syntactical
> > correctness.
> That is a totally different beast. This is where the XSL
> stylesheets come into play.
> > A simulation environment for Netfilter rules is something
> > I'd really
> > like to see.
> Agreed. Construction of pseudo datagrams and testing for
> resultant outcomes would be a very interesting project.
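The thread asks for ruleset evaluation that goes beyond syntax (a conntrack rule placed last, an SSH rule that keys on src/dst addresses but not on the arriving interface) and for a simulator that pushes pseudo datagrams through the chains. The following Python sketch is an added example written for this archive page, not code from either poster or from the netfilter project. It models a single INPUT-style chain with first-match semantics and a DROP policy, and uses a deliberately simplified conntrack state (NEW, ESTABLISHED, RELATED, INVALID) carried on the packet; the addresses, interface names and both rulesets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    """A pseudo datagram: only the fields a filter rule can match on."""
    iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"  # simplified conntrack state (assumption, not real conntrack)


@dataclass
class Rule:
    """One rule of a chain. None means 'any' for that field."""
    target: str
    iface: Optional[str] = None
    src: Optional[str] = None  # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def walk_chain(rules: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int], int]:
    """Traverse the chain top to bottom; the first matching terminating target wins,
    otherwise the chain policy applies.
    Returns (verdict, index of the matching rule or None, number of rules evaluated)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.target, i, i + 1
    return policy, None, len(rules)


# Constructed "working but not optimal" ruleset: the conntrack rule sits last,
# so every reply packet is tested against all service rules first, and the SSH
# rule trusts an internal source address without checking the arriving interface.
NOT_OPTIMAL = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=443),
    Rule("ACCEPT", src="10.0.0.0/8", proto="tcp", dport=22),
    Rule("DROP", states={"INVALID"}),
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
]

# Same intent, tightened: INVALID dropped and ESTABLISHED/RELATED accepted first,
# service rules restricted to NEW, and SSH bound to the internal interface (eth1,
# assumed) so an internal address arriving on the external side no longer matches.
IMPROVED = [
    Rule("DROP", states={"INVALID"}),
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", proto="tcp", dport=80, states={"NEW"}),
    Rule("ACCEPT", proto="tcp", dport=443, states={"NEW"}),
    Rule("ACCEPT", iface="eth1", src="10.0.0.0/8", proto="tcp", dport=22, states={"NEW"}),
]


def compare(pkt: Packet) -> Dict[str, Tuple[str, Optional[int], int]]:
    """Run one pseudo datagram through both rulesets and report each outcome."""
    return {name: walk_chain(rules, "DROP", pkt)
            for name, rules in (("not_optimal", NOT_OPTIMAL), ("improved", IMPROVED))}


if __name__ == "__main__":
    # Constructed test datagrams: a reply to an outbound connection on the external
    # interface, and a NEW SSH packet with an internal source seen on the external side.
    reply = Packet("eth0", "203.0.113.5", "198.51.100.7", "tcp", dport=51000, state="ESTABLISHED")
    stray = Packet("eth0", "10.1.2.3", "198.51.100.7", "tcp", dport=22, state="NEW")
    for label, pkt in (("reply", reply), ("stray", stray)):
        for ruleset, (verdict, idx, n) in compare(pkt).items():
            print(f"{label:6s} {ruleset:12s} -> {verdict:6s} rule={idx} evaluated={n}")
```

Both rulesets reach the same verdict for the reply packet, which is why a syntax checker would pass either; the simulator makes the difference visible as the number of rules evaluated before the match. For the stray SSH packet the two rulesets disagree, which is the kind of outcome test the thread's "pseudo datagrams and resultant outcomes" idea would surface.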