Ya know...I was thinking about what Ray said, and
reflected a bit on how Matthew Schalit did his rc.pf stuff.
It might be worthwhile for "rule order" if there was a
"type" associated with each rule, and a preface to the
ruleset would indicate which "types" got installed in which
order.
So for instance, borrowing liberally:
<RULE_TYPE_ORDER>
order="defaults flush spoof stufd cert local masq int ext final"
</RULE_TYPE_ORDER>
Then each <RULE> could have a tag like:
<TYPE>spoof_1</TYPE>
So now the XML file itself is not order-dependent,
but, rather, it specifies an explicit order instead.
-Scott
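As an added example (not part of Scott's post or of the LEAF project's code), a Python script that applies the proposed preface: it reads the type order, sorts the `<RULE>` elements by their `<TYPE>` tag (type name, then the numeric suffix, then document position) and refuses a rule whose type the preface does not name, since appending or dropping such a rule silently would change what the firewall enforces. The `<FIREWALL>` root, the attribute form of the order and the rule contents are assumptions made for the constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the proposed format. The preface is assumed to carry
# the order as an attribute; the rules are listed in scrambled document order.
SAMPLE = """<?xml version="1.0" standalone="yes"?>
<FIREWALL>
  <RULE_TYPE_ORDER order="defaults flush spoof local final"/>
  <RULE><TYPE>final_1</TYPE><CHAIN>input</CHAIN><ACTION>deny</ACTION></RULE>
  <RULE><TYPE>spoof_2</TYPE><CHAIN>input</CHAIN><ACTION>deny 127.0.0.0/8 via external</ACTION></RULE>
  <RULE><TYPE>flush_1</TYPE><CHAIN>input</CHAIN><ACTION>flush</ACTION></RULE>
  <RULE><TYPE>spoof_1</TYPE><CHAIN>input</CHAIN><ACTION>deny 198.162.2.0/24 via external</ACTION></RULE>
  <RULE><TYPE>defaults_1</TYPE><CHAIN>input</CHAIN><ACTION>policy=deny</ACTION></RULE>
  <RULE><TYPE>local_1</TYPE><CHAIN>input</CHAIN><ACTION>accept lo</ACTION></RULE>
</FIREWALL>
"""

TYPE_RE = re.compile(r"^([A-Za-z]+)_(\d+)$")   # e.g. spoof_1 -> ("spoof", "1")

def read_type_order(root):
    # Accepts the attribute form used above, or the sketch's literal form
    # where the element text itself reads  order="..."  (an assumption).
    elem = root.find("RULE_TYPE_ORDER")
    if elem is None:
        raise ValueError("missing RULE_TYPE_ORDER preface")
    raw = elem.get("order")
    if raw is None:
        m = re.fullmatch(r'\s*order="([^"]*)"\s*', elem.text or "")
        if m is None:
            raise ValueError("RULE_TYPE_ORDER carries no order")
        raw = m.group(1)
    return raw.split()

def install_order(xml_text):
    # Returns (TYPE, CHAIN, ACTION) triples in the order they would be
    # installed. A missing or unknown TYPE is an error, never a guess.
    root = ET.fromstring(xml_text)
    rank = {name: i for i, name in enumerate(read_type_order(root))}
    keyed = []
    for pos, rule in enumerate(root.findall("RULE")):
        tag = rule.findtext("TYPE", "")
        m = TYPE_RE.match(tag)
        if m is None or m.group(1) not in rank:
            raise ValueError(f"rule {pos}: bad or unknown TYPE {tag!r}")
        keyed.append(((rank[m.group(1)], int(m.group(2)), pos),
                      (tag, rule.findtext("CHAIN"), rule.findtext("ACTION"))))
    return [triple for _, triple in sorted(keyed)]
```

Running `install_order(SAMPLE)` yields the default policy and flush first and the final deny last, whatever order the file lists them in.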
On Sat, 3 Feb 2001, Scott C. Best wrote:
> Ly:
> Going to take a stab myself here...
>
> <RULE>
> <CHAIN>input</CHAIN>
> <ACTION>policy=deny</ACTION>
> </RULE>
> <RULE>
> <CHAIN>input</CHAIN>
> <ACTION>flush</ACTION>
> </RULE>
> <RULE>
> <CHAIN>input</CHAIN>
> <ACTION>ADD
> <INT>external</INT>
> <SOURCE_IP>anywhere</SOURCE_IP>
> <SOURCE_MASK>0</SOURCE_MASK>
> <DEST_IP>255.255.255.255</DEST_IP>
> <DEST_MASK>32</DEST_MASK>
> <PROTOCOL>tcp</PROTOCOL>
> <LOGGING>no</LOGGING>
> <FLAGS>syn</FLAGS>
> <POLICY>deny</POLICY>
> </ACTION>
> </RULE>
>
> A starting point?
>
> -Scott
>
> On Fri, 2 Feb 2001, Anh (Ly) Vuong wrote:
>
> > Greetings,
> >
> > I am just typing as I go here, and hope to stimulate more thoughts in
> > defining an XML LRP config. I have not dared to start the firewall rules
> > just yet; any thoughts on this topic?
> >
> > Cheers,
> > Ly
> > ---
> > <?xml version="1.0" standalone="yes"?>
> > <LEAF>
> > <KERNEL>
> > <VERSION>2.2.16</VERSION>
> > <FEATURES>
> > <IP FWDING="YES" ALWAYS_DEFRAG="YES"/>
> > </FEATURES>
> > </KERNEL>
> > <INTERFACES REDIRECT_ICMP="YES">
> > <INTERFACE START_ON_BOOT="YES" BRIDGE="NO" PROXY_ARP="YES">
> > <ID>eth0</ID>
> > <ALIAS>dmz</ALIAS>
> > <TYPE>ethernet</TYPE>
> > <IP SPOOF="YES" LOG_MARTIANS="NO">
> > <ADDRESS>198.162.1.1</ADDRESS>
> > <MASK_LENGTH>24</MASK_LENGTH>
> > <BROADCAST>198.162.1.0</BROADCAST>
> > <GATEWAY>198.162.10.1</GATEWAY>
> > </IP>
> > </INTERFACE>
> > <INTERFACE START_ON_BOOT="YES" BRIDGE="NO" PROXY_ARP="YES">
> > <ID>eth1</ID>
> > <ALIAS>private</ALIAS>
> > <TYPE>ethernet</TYPE>
> > <IP SPOOF="YES" LOG_MARTIANS="NO">
> > <ADDRESS>198.162.2.1</ADDRESS>
> > <MASK_LENGTH>24</MASK_LENGTH>
> > <BROADCAST>198.162.2.0</BROADCAST>
> > <GATEWAY>198.162.1.1</GATEWAY>
> > </IP>
> > </INTERFACE>
> > </INTERFACES>
> > <DNS>
> > <DOMAINS>
> > <DOMAIN>config.lrp.net</DOMAIN>
> > <DOMAIN>another.com</DOMAIN>
> > </DOMAINS>
> > <SERVERS>
> > <SERVER>dns.another.com</SERVER>
> > <SERVER>198.162.10.1</SERVER>
> > </SERVERS>
> > </DNS>
> > </LEAF>
> > --
> > "If you find yourself digging a deeper and deeper hole... stop digging."
> > - Anonymous
> >
> > _______________________________________________
> > Leaf-devel mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/leaf-devel