Hello Scott,
Thanks for the excellent comments.
Instead of specifying the rules, I am thinking of just 'describing'
whatever the user knows or wants to achieve in his/her specific domain.
For example, instead of asking the user to specify the rules, why not
let the user specify the networks and services which s/he wants to
build, and let another system transform those specifications into a
set of effective rules. Here are the components that the user has to
specify:
1. domain
2. networks
3. interfaces
4. services
5. access
6. security strategy
On step #5, the user will identify which services are accessible
to which network/user/domain. Another system (utility software) for a
particular application then processes the information provided by the
XML config file, and generates the appropriate rules.
I throw in #6 to identify a security strategy, which is an
additional hint for the utility to complete its rules generation.
Cheers,
Ly
----
"Scott C. Best" wrote:
>
> Ya know...I was thinking about what Ray said, and
> reflected a bit on how Matthew Schalit did his rc.pf stuff.
> It might be worthwhile for "rule order" if there was a
> "type" associated with each rule, and a preface to the
> ruleset would indicate which "types" got installed in which
> order.
> So for instance, borrowing liberally:
>
> <RULE_TYPE_ORDER>
> order="defaults flush spoof stufd cert local masq int ext final"
> </RULE_TYPE_ORDER>
>
> Then each <RULE> could have a tag like:
>
> <TYPE>spoof_1</TYPE>
>
> So now the XML file itself is not order-dependent,
> but, rather, it specifies an explicit order instead.
>
> -Scott
>
> On Sat, 3 Feb 2001, Scott C. Best wrote:
>
> > Ly:
> > Going to take a stab myself here...
> >
> > <RULE>
> > <CHAIN>input</CHAIN>
> > <ACTION>policy=deny</ACTION>
> > </RULE>
> > <RULE>
> > <CHAIN>input</CHAIN>
> > <ACTION>flush</ACTION>
> > </RULE>
> > <RULE>
> > <CHAIN>input</CHAIN>
> > <ACTION>ADD
> > <INT>external</INT>
> > <SOURCE_IP>anywhere</SOURCE_IP>
> > <SOURCE_MASK>0</SOURCE_MASK>
> > <DEST_IP>255.255.255.255</DEST_IP>
> > <DEST_MASK>32</DEST_MASK>
> > <PROTOCOL>tcp</PROTOCOL>
> > <LOGGING>no</LOGGING>
> > <FLAGS>syn</FLAGS>
> > <POLICY>deny</POLICY>
> > </ACTION>
> > </RULE>
> >
> > A starting point?
> >
> > -Scott
> >
> > On Fri, 2 Feb 2001, Anh (Ly) Vuong wrote:
> >
> > > Greetings,
> > >
> > > I am just typing as I go here, and hope to stimulate more thoughts in
> > > defining an XML LRP config. I have not dared to start the firewall rules
> > > just yet, any thoughts on this topic?
> > >
> > > Cheers,
> > > Ly
> > > ---
> > > <?xml version="1.0" standalone="yes"?>
> > > <LEAF>
> > > <KERNEL>
> > > <VERSION>2.2.16</VERSION>
> > > <FEATURES>
> > > <IP FWDING="YES" ALWAYS_DEFRAG="YES"/>
> > > </FEATURES>
> > > </KERNEL>
> > > <INTERFACES REDIRECT_ICMP="YES">
> > > <INTERFACE START_ON_BOOT="YES" BRIDGE="NO" PROXY_ARP="YES">
> > > <ID>eth0</ID>
> > > <ALIAS>dmz</ALIAS>
> > > <TYPE>ethernet</TYPE>
> > > <IP SPOOF="YES" LOG_MARTIANS="NO">
> > > <ADDRESS>198.162.1.1</ADDRESS>
> > > <MASK_LENGTH>24</MASK_LENGTH>
> > > <BROADCAST>198.162.1.0</BROADCAST>
> > > <GATEWAY>198.162.10.1</GATEWAY>
> > > </IP>
> > > </INTERFACE>
> > > <INTERFACE START_ON_BOOT="YES" BRIDGE="NO" PROXY_ARP="YES">
> > > <ID>eth1</ID>
> > > <ALIAS>private</ALIAS>
> > > <TYPE>ethernet</TYPE>
> > > <IP SPOOF="YES" LOG_MARTIANS="NO">
> > > <ADDRESS>198.162.2.1</ADDRESS>
> > > <MASK_LENGTH>24</MASK_LENGTH>
> > > <BROADCAST>198.162.2.0</BROADCAST>
> > > <GATEWAY>198.162.1.1</GATEWAY>
> > > </IP>
> > > </INTERFACE>
> > > </INTERFACES>
> > > <DNS>
> > > <DOMAINS>
> > > <DOMAIN>config.lrp.net</DOMAIN>
> > > <DOMAIN>another.com</DOMAIN>
> > > </DOMAINS>
> > > <SERVERS>
> > > <SERVER>dns.another.com</SERVER>
> > > <SERVER>198.162.10.1</SERVER>
> > > </SERVERS>
> > > </DNS>
> > > </LEAF>
> > > --
> > > "If you find yourself digging a deeper and deeper hole... stop digging."
> > > - Anonymous
> > >
> > > _______________________________________________
> > > Leaf-devel mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.sourceforge.net/lists/listinfo/leaf-devel
> > >
> >
> >
>
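Added as an illustration, not code from this thread or from the LEAF project: a small Python sketch of the transform that Scott's <RULE_TYPE_ORDER>/<TYPE> idea implies. It checks every rule's type against the declared order, sorts rules by (type position, numeric suffix) regardless of where they sit in the file, refuses duplicate or undeclared types, and renders ipchains commands. The sample XML, the order attribute, the interface name eth0 and the ipchains rendering are my assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the thread's <RULE_TYPE_ORDER>/<TYPE> style (assumed:
# the order list is an attribute); rules are deliberately out of file order.
SAMPLE = """<FIREWALL>
<RULE_TYPE_ORDER order="defaults flush spoof local ext final"/>
<RULE><TYPE>ext_2</TYPE><CHAIN>input</CHAIN><ACTION>ADD<INT>eth0</INT>
  <SOURCE_IP>anywhere</SOURCE_IP><SOURCE_MASK>0</SOURCE_MASK><DEST_IP>255.255.255.255</DEST_IP>
  <DEST_MASK>32</DEST_MASK><PROTOCOL>tcp</PROTOCOL><FLAGS>syn</FLAGS><POLICY>deny</POLICY></ACTION></RULE>
<RULE><TYPE>flush_1</TYPE><CHAIN>input</CHAIN><ACTION>flush</ACTION></RULE>
<RULE><TYPE>ext_1</TYPE><CHAIN>input</CHAIN><ACTION>ADD
  <INT>eth0</INT><PROTOCOL>icmp</PROTOCOL><POLICY>accept</POLICY></ACTION></RULE>
<RULE><TYPE>defaults_1</TYPE><CHAIN>input</CHAIN><ACTION>policy=deny</ACTION></RULE>
</FIREWALL>"""
def type_key(type_name, order):
    """'spoof_1' -> (position of 'spoof' in the declared order, 1). An
    undeclared type is an error rather than silently appended at the end."""
    base, _, num = type_name.rpartition("_")
    if base not in order:
        raise ValueError("rule type %r not in RULE_TYPE_ORDER" % type_name)
    return (order.index(base), int(num))

def render(rule):
    """One <RULE> as an ipchains command (kernel 2.2 era; syntax assumed)."""
    chain, action = rule.findtext("CHAIN"), rule.find("ACTION")
    verb = (action.text or "").strip()
    if verb.startswith("policy="):
        return "ipchains -P %s %s" % (chain, verb[7:].upper())
    if verb == "flush":
        return "ipchains -F %s" % chain
    parts = ["ipchains", "-A", chain]
    for tag, flag in (("INT", "-i"), ("PROTOCOL", "-p")):
        if action.findtext(tag):
            parts += [flag, action.findtext(tag)]
    for side, flag in (("SOURCE", "-s"), ("DEST", "-d")):
        ip = action.findtext(side + "_IP")
        if ip:  # 'anywhere' is the thread's wildcard spelling
            ip = "0.0.0.0" if ip == "anywhere" else ip
            parts += [flag, "%s/%s" % (ip, action.findtext(side + "_MASK", "32"))]
    if action.findtext("FLAGS") == "syn":
        parts.append("-y")
    return " ".join(parts + ["-j", action.findtext("POLICY").upper()])

def generate(xml_text):
    """Sort rules by declared type order; duplicate TYPEs are rejected."""
    root = ET.fromstring(xml_text)
    rules, order = root.findall("RULE"), root.find("RULE_TYPE_ORDER").get("order").split()
    if len({r.findtext("TYPE") for r in rules}) != len(rules):
        raise ValueError("duplicate rule TYPE makes the order ambiguous")
    rules.sort(key=lambda r: type_key(r.findtext("TYPE"), order))
    return [render(r) for r in rules]
```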