Thus spoke Scott C. Best:
>
> Ya know...I was thinking about what Ray said, and
> reflected a bit on how Matthew Schalit did his rc.pf stuff.
> It might be worthwhile for "rule order" if there was a
> "type" associated with each rule, and a preface to the
> ruleset would indicate which "types" got installed in which
> order.
> So for instance, borrowing liberally:
>
> <RULE_TYPE_ORDER>
> order="defaults flush spoof stufd cert local masq int ext final"
> </RULE_TYPE_ORDER>
>
> Then each <RULE> could have a tag like:
>
> <TYPE>spoof_1</TYPE>
>
> So now the XML file itself is not order-dependent,
> but, rather, it specifies an explicit order instead.
>
> -Scott
>
>
> On Sat, 3 Feb 2001, Scott C. Best wrote:
>
> > Ly:
> > Going to take a stab myself here...
> >
> > <RULE>
> > <CHAIN>input</CHAIN>
> > <ACTION>policy=deny</ACTION>
> > </RULE>
> > <RULE>
> > <CHAIN>input</CHAIN>
> > <ACTION>flush</ACTION>
> > </RULE>
> > <RULE>
> > <CHAIN>input</CHAIN>
> > <ACTION>ADD
> > <INT>external</INT>
> > <SOURCE_IP>anywhere</SOURCE_IP>
> > <SOURCE_MASK>0</SOURCE_MASK>
> > <DEST_IP>255.255.255.255</DEST_IP>
> > <DEST_MASK>32</DEST_MASK>
> > <PROTOCOL>tcp</PROTOCOL>
> > <LOGGING>no</LOGGING>
> > <FLAGS>syn</FLAGS>
> > <POLICY>deny</POLICY>
> > </ACTION>
> > </RULE>
> >
I think that this is much too low a level of abstraction. I suggest that if
you want to represent the user's wishes with regard to firewalling, then
something more along the lines of what is contained in the Seattle Firewall
configuration files is more appropriate. Also notice that there are no
order dependencies in any of those configuration files.
-Tom
--
Tom Eastep \ Alt Email: [EMAIL PROTECTED]
ICQ #60745924 \ Websites: http://seawall.sourceforge.net
[EMAIL PROTECTED] \ http://seattlefirewall.dyndns.org
Shoreline, Washington USA \___________________________________________
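Scott's proposal above (a declared type order in a preface, plus a TYPE on each RULE) is the kind of scheme that is easy to describe and easy to get subtly wrong. The following is an added example written for this page; it is not code from the thread, from LEAF, or from Seattle Firewall. It assumes a RULESET root element, TYPE values of the form name or name_N, and an illustrative ipchains rendering of each rule; all three are assumptions. The two checks it adds are the ones a practitioner would want: a rule whose type is not in the order list is rejected rather than appended after the "final" rules, and two rules with the same type key are rejected, because either case would fall back on file position and quietly reintroduce the order dependence the scheme is meant to remove.

```python
"""Order <RULE>s by the declared <RULE_TYPE_ORDER>, not by file position.

Added example, not code from the leaf-devel thread, LEAF or Seattle Firewall.
Assumptions: a <RULESET> root, TYPE values of the form name or name_N, and the
ipchains rendering in render(); none of these come from the original post.
"""
import re
import xml.etree.ElementTree as ET

TYPE_RE = re.compile(r"^([A-Za-z]+)(?:_(\d+))?$")

# Constructed sample: rules deliberately listed out of order.
SAMPLE_XML = """<RULESET>
<RULE_TYPE_ORDER>
order="defaults flush spoof local ext final"
</RULE_TYPE_ORDER>
<RULE><TYPE>spoof_2</TYPE><CHAIN>input</CHAIN><ACTION>ADD
<INT>external</INT><SOURCE_IP>anywhere</SOURCE_IP><SOURCE_MASK>0</SOURCE_MASK>
<DEST_IP>255.255.255.255</DEST_IP><DEST_MASK>32</DEST_MASK><PROTOCOL>tcp</PROTOCOL>
<LOGGING>no</LOGGING><FLAGS>syn</FLAGS><POLICY>deny</POLICY></ACTION></RULE>
<RULE><TYPE>flush</TYPE><CHAIN>input</CHAIN><ACTION>flush</ACTION></RULE>
<RULE><TYPE>defaults</TYPE><CHAIN>input</CHAIN><ACTION>policy=deny</ACTION></RULE>
<RULE><TYPE>spoof_1</TYPE><CHAIN>input</CHAIN><ACTION>ADD
<INT>external</INT><SOURCE_IP>10.0.0.0</SOURCE_IP><SOURCE_MASK>8</SOURCE_MASK>
<DEST_IP>anywhere</DEST_IP><DEST_MASK>0</DEST_MASK><PROTOCOL>all</PROTOCOL>
<LOGGING>yes</LOGGING><POLICY>deny</POLICY></ACTION></RULE>
</RULESET>"""


def parse_type_order(root):
    """Read order="a b c" from the <RULE_TYPE_ORDER> preface."""
    node = root.find("RULE_TYPE_ORDER")
    if node is None or not node.text:
        raise ValueError("missing <RULE_TYPE_ORDER>")
    m = re.search(r'order="([^"]*)"', node.text)
    if not m:
        raise ValueError("malformed <RULE_TYPE_ORDER>")
    order = m.group(1).split()
    if len(set(order)) != len(order):
        raise ValueError("duplicate type name in order list")
    return order


def rule_key(rule, order):
    """(position of the base type in the order list, numeric suffix)."""
    text = (rule.findtext("TYPE") or "").strip()
    m = TYPE_RE.match(text)
    if not m:
        raise ValueError("missing or malformed <TYPE>: %r" % text)
    base, idx = m.group(1), int(m.group(2) or 0)
    if base not in order:
        # Refuse rather than append: an unlisted type would otherwise land
        # after the "final" rules, where it could override the catch-alls.
        raise ValueError("type %r is not in the order list" % base)
    return order.index(base), idx


def ordered_rules(xml_text):
    root = ET.fromstring(xml_text)
    order = parse_type_order(root)
    keyed = [(rule_key(r, order), r) for r in root.findall("RULE")]
    keys = [k for k, _ in keyed]
    if len(set(keys)) != len(keys):
        # Equal keys would be resolved by file position, which is exactly
        # the order dependence the TYPE scheme is meant to remove.
        raise ValueError("duplicate <TYPE> keys; give each rule a unique suffix")
    return [r for _, r in sorted(keyed, key=lambda kr: kr[0])]


def host(ip, mask):
    return ("0.0.0.0" if ip == "anywhere" else ip) + "/" + mask


def render(rule):
    """Illustrative ipchains rendering of one <RULE> (an assumption)."""
    chain = rule.findtext("CHAIN")
    action = rule.find("ACTION")
    verb = (action.text or "").strip()
    if verb == "flush":
        return "ipchains -F %s" % chain
    if verb.startswith("policy="):
        return "ipchains -P %s %s" % (chain, verb.split("=", 1)[1].upper())
    if verb != "ADD":
        raise ValueError("unknown action %r" % verb)
    f = lambda tag: (action.findtext(tag) or "").strip()
    parts = ["ipchains -A", chain, "-i", f("INT"),
             "-s", host(f("SOURCE_IP"), f("SOURCE_MASK")),
             "-d", host(f("DEST_IP"), f("DEST_MASK"))]
    if f("PROTOCOL") not in ("", "all"):
        parts += ["-p", f("PROTOCOL")]
    if f("FLAGS") == "syn":
        parts.append("-y")
    if f("LOGGING") == "yes":
        parts.append("-l")
    parts += ["-j", f("POLICY").upper()]
    return " ".join(parts)


def compile_ruleset(xml_text):
    return [render(r) for r in ordered_rules(xml_text)]


def ruleset_error(xml_text):
    """None if the ruleset compiles, else the validation message."""
    try:
        compile_ruleset(xml_text)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print("\n".join(compile_ruleset(SAMPLE_XML)))
```

Run as-is it emits the policy line first, then the flush, then spoof_1 and spoof_2, regardless of where they sit in the file. Renaming spoof_2 to spoof_1, or using a type such as masq that is absent from the order list, makes compile_ruleset raise instead of producing a ruleset whose effective order depends on editing history.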
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel