Firewall Wizards mailing list archives

Firewall Primitives


From: Cat Okita <cat () reptiles org>
Date: Fri, 1 Nov 2002 21:19:20 -0500 (EST)


I've had far too much time on my hands lately, and it's led me to thinking
about the basic elements that make up firewall rules and descriptors.  My
basic thought process involved producing descriptors that would make sense
and be fairly straightforward for Joe Average IT Guy to understand (rather
than Jane Clueful Security Goddess).  After a bit of back and forth with
several people, I've come up with the following list.

Firewall Primitives:

(actions with the following modifiers: )
    {[from host|network] [type TCP/IP/ICMP/UDP] [on port]} [keep state] [log]

    accept
    allow (or pass)
    reject
    drop

I'd be curious to hear thoughts about whether folks think that 'redirect'
is best handled as a standalone item, or an aspect of 'accept'.

Things become far more interesting as soon as you move towards NAT in any
form, and it starts being challenging to try and develop a means of
description that isn't order dependent to express complex setups.

What I ended up with doesn't entirely meet my criteria for 'clear'[0].

    translate from:< > [as_from:< >] to:< > [as_to:< >]

    (where < > can be an IP or a range)

[0] whether a given translation is static or dynamic is contextual, and thus
    not necessarily clear to "Joe Average IT Guy"

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
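The two primitive forms sketched in the post, as an added example that is not part of the original message: a small Python parser for the action rule with its modifiers and for the translate descriptor. It assumes the < > fields are written as CIDR or bare addresses, and the static/dynamic label it attaches follows a convention of mine, not anything the post defines.

```python
"""Parser for the firewall primitives proposed in the post (added example, not the author's code)."""
import ipaddress
import re

# Modifier order follows the post: {from ...} {type ...} {on port ...} then keep state, log.
RULE = re.compile(
    r"(accept|allow|pass|reject|drop)"
    r"(?:\s+from\s+(host|network)\s+(\S+))?"
    r"(?:\s+type\s+(TCP|IP|ICMP|UDP))?"
    r"(?:\s+on\s+port\s+(\d+))?"
    r"(\s+keep\s+state)?(\s+log)?")
# Assumption: each < > field is CIDR or a bare address (treated as /32 or /128).
TRANSLATE = re.compile(
    r"translate\s+from:(\S+)(?:\s+as_from:(\S+))?\s+to:(\S+)(?:\s+as_to:(\S+))?")


def parse_rule(text):
    """Parse 'accept from host 192.0.2.1 type TCP on port 22 keep state log' into a dict."""
    m = RULE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    action, scope, addr, proto, port, state, log = m.groups()
    rule = {"action": "allow" if action == "pass" else action,  # 'pass' is an alias
            "keep_state": bool(state), "log": bool(log)}
    if scope:
        net = ipaddress.ip_network(addr, strict=False)
        if scope == "host" and net.num_addresses != 1:
            raise ValueError(f"'host' needs a single address, got {addr}")
        rule["from"] = (scope, net)
    if proto:
        rule["type"] = proto
    if port:
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range: {port}")
        rule["port"] = int(port)
    return rule


def parse_translate(text):
    """Parse 'translate from:< > [as_from:< >] to:< > [as_to:< >]' into a dict."""
    m = TRANSLATE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"malformed translate rule: {text!r}")
    fields = zip(("from", "as_from", "to", "as_to"), m.groups())
    rule = {k: ipaddress.ip_network(v, strict=False) for k, v in fields if v}
    # Footnote [0]: static vs. dynamic is only implied by context. My convention here:
    # rewriting a source range onto fewer addresses is many-to-one, hence dynamic.
    src, rewritten = rule["from"], rule.get("as_from")
    rule["kind"] = "dynamic" if rewritten and rewritten.num_addresses < src.num_addresses else "static"
    return rule
```

Because the modifiers are matched in the order the post gives them, `accept log keep state` is rejected, which shows how much ordering the grammar still carries.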