I'm sure that I've already seen work done in this field... IMHO the best (easiest to read) product specific descriptor format I have seen is in IPFilter. I would suggest it as a model, at least.

The trouble is that you will run into problems - the set of functions in the descriptor language will probably be larger than that in the simplest firewall. Example - there's no stateful filtering in ipchains, you can't block frags in IOS ACLs (Uh, until recently) etc. Assuming you can get past that I suppose you could hack together a ruleset translator.

Personally, (as if anyone wanted my opinion ;), I think that a public firewall review site would not be useful. The main trouble with it is that popular != good in many cases. Review sites are great for sorting out popular <=> unpopular, but of limited use after that. I know that I don't feel qualified to objectively say "this firewall is better suited to this security profile than that one" - at least without weeks of testing work - and, frankly, I don't think that there are many people I'd trust to make those judgements. Note that "The Internet" is NOT one of those people.

Not to mention the fact that I can pick two firewalls and then pick two types of network such that I wouldn't touch firewall B for network A, nor firewall A for network B. IOW you can't rate firewalls by stars. 8)

But go ahead - maybe you'll get VC based on advertising revenue, hoist a .com startup and make so much money I'll be crying into my beer by Christmas.

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520

> -----Original Message-----
> From: Michael T. Babcock [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 18 October 2000 4:32 AM
> To: Michael E. Cummins
> Cc: [EMAIL PROTECTED]; HAL ROTTENBERG (HP-USA,ex1) (E-mail);
> Mandy Andress (E-mail); Vincent de Lau (E-mail); 'William Bartholomew'
> (E-mail); 'Mike Forrester'
> Subject: Re: Firewall Rules Database / FirewallReviews.COM proposal
>
>
> "Michael E. Cummins" wrote:
>
> > What I need, as a developer and not a firewalls expert, is a list of field
> > names that we could use to create a sort of "master table" to describe the
> > firewall rules. I would also need descriptions on how to sort this
> > information.
>
> As another developer, I've always wanted to sit down and make a generic C-like
> configuration system for firewalls that could then be parsed into whatever
> output is needed (like an ipchains or Cisco IOS series of commands).
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
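The translation problem raised in this thread, as an added example that is not part of the original messages: a generic rule is rendered for ipchains or an older IOS ACL, and the translator refuses a rule whose constraint the target cannot express instead of emitting a looser rule. The `Rule` fields, the capability table, the target names and the ACL number are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
# Assumed capability table (hypothetical target names), covering only the two
# gaps the post names; a real tool needs a vetted table per product version.
CAPS = {
    "ipchains": {"stateful": False, "fragments": True},
    "ios_acl_old": {"stateful": False, "fragments": False},
}

@dataclass
class Rule:                    # hypothetical generic descriptor
    action: str                # "permit" or "deny"
    proto: str                 # "tcp" or "udp"
    src: str                   # CIDR
    dst: str                   # CIDR
    dport: int = 0             # 0 means any port
    stateful: bool = False     # match only packets of established flows
    fragments: bool = False    # match non-initial fragments

class Untranslatable(ValueError):
    """Raised instead of silently dropping a constraint the target lacks."""

def ios_addr(cidr):
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS wildcard mask

def translate(rule, target):
    missing = [f for f in ("stateful", "fragments")
               if getattr(rule, f) and not CAPS[target][f]]
    if missing:
        raise Untranslatable(f"{target} cannot express: {', '.join(missing)}")
    if rule.fragments and rule.dport:
        raise Untranslatable("non-initial fragments carry no port to match")
    if target == "ipchains":
        cmd = f"ipchains -A input -p {rule.proto} -s {rule.src} -d {rule.dst}"
        cmd += f" {rule.dport}" if rule.dport else ""
        cmd += " -f" if rule.fragments else ""
        return cmd + (" -j ACCEPT" if rule.action == "permit" else " -j DENY")
    line = (f"access-list 101 {rule.action} {rule.proto} "   # 101: sample number
            f"{ios_addr(rule.src)} {ios_addr(rule.dst)}")
    return line + (f" eq {rule.dport}" if rule.dport else "")

# Constructed sample rules (addresses are made up for the example).
WEB = Rule("permit", "tcp", "0.0.0.0/0", "192.168.1.10/32", dport=80)
FRAGS = Rule("deny", "udp", "0.0.0.0/0", "10.0.0.0/24", fragments=True)
```

Failing closed matters here: a translator that drops the `stateful` or `fragments` constraint produces a rule that matches more traffic than the author of the generic ruleset intended.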
