Hello Tony,

> I believe such a standard doesn't yet exist since IPfilter rules are quite
> flexible. Darren will correct if I'm wrong :^)

I guess (James will correct if I miss something :P) that the idea here is to create a high-level meta-language. Pretty much what happens with binary analysis: you create a meta-language and an interpreter for that language, and then you just have to "port" the different machine codes (UltraSPARC, x86, PPC, etc.) to that meta-language and you can investigate them with standard (and tested) primitives. The advantage is that you decouple the reasoning on the meta-language from the knowledge of the underlying architecture.

The same idea might be applied here (even if, as I read above, the aim is a simple tool for end-users to simplify firewall configuration with a "tick-based" system, so the following discussion might not strictly apply...), creating a sort of "general" and user-friendly language for the policies and then "porting" it to the various IPFilter, iptables, pf and so on. It might be worth a try for not too obscure configurations. The advantage is that the tool would be quickly ported to all the systems, it could understand the state of different boxes with different operating systems on them, and it might be very handy in migration: users with a working configuration on FreeBSD or Linux might just import that configuration in the framework, install OpenSolaris and export it.

Cheers,
- Enrico
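One way to sketch the "general language plus per-firewall backends" idea from the message above, as an added example that is not part of the original thread or of IPFilter, iptables or pf themselves: a tiny policy intermediate representation with emitters for the three syntaxes and one iptables importer, so a rule set can be imported from one system and exported for another. The `Rule` type, the regex shape and the sample addresses are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Minimal policy IR for the "general language" idea (constructed example).
@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp" or "udp"
    src: str      # source CIDR, or "any"
    dport: int    # destination port

# Backend emitters: each one knows a single firewall's syntax and nothing else.
def to_iptables(r: Rule) -> str:
    target = "ACCEPT" if r.action == "pass" else "DROP"
    src = "" if r.src == "any" else f" -s {r.src}"
    return f"iptables -A INPUT -p {r.proto}{src} --dport {r.dport} -j {target}"

def to_pf(r: Rule) -> str:
    return f"{r.action} in quick proto {r.proto} from {r.src} to any port {r.dport}"

def to_ipf(r: Rule) -> str:
    # IPFilter writes the port match with an explicit comparison operator.
    return f"{r.action} in quick proto {r.proto} from {r.src} to any port = {r.dport}"

EMIT = {"iptables": to_iptables, "pf": to_pf, "ipf": to_ipf}

# One importer, for iptables command lines, to show the migration round trip.
# Anything outside this simple shape is rejected rather than guessed at,
# which is the "not too obscure configurations" caveat made explicit.
_IPT = re.compile(
    r"^iptables -A INPUT -p (?P<proto>tcp|udp)(?: -s (?P<src>\S+))?"
    r" --dport (?P<dport>\d+) -j (?P<target>ACCEPT|DROP)$"
)

def from_iptables(line: str) -> Rule:
    m = _IPT.match(line.strip())
    if not m:
        raise ValueError(f"unsupported iptables rule: {line!r}")
    return Rule(action="pass" if m["target"] == "ACCEPT" else "block",
                proto=m["proto"], src=m["src"] or "any", dport=int(m["dport"]))

def translate(lines, target):
    """Import iptables rules into the IR, then export them for another backend."""
    return [EMIT[target](from_iptables(l)) for l in lines]

# Constructed sample policy; the address is a documentation range, not a real host.
SAMPLE = [
    "iptables -A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 23 -j DROP",
]
```

Running `translate(SAMPLE, "pf")` yields the pf form of the same two rules; anything the importer does not understand raises instead of producing a silently different policy.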