Enrico Perla wrote:
> > Hello Tony,
> >
> > I believe such a standard doesn't yet exist since IPfilter rules are quite
> > flexible. Darren will correct if I'm wrong :^)
>
> I guess (James will correct if I miss something :P) that the idea here
> is to create a high-level meta-language. Pretty much what happens with
> binary analysis: you create a meta-language and an interpreter for that
> language and then you just have to "port" the different machine codes
> (UltraSPARC, x86, PPC, etc) to that meta-language and you can
> investigate them with standard (and tested) primitives.
>
> The advantage is that you decouple the reasoning on the meta-language
> from the knowledge of the underlying architecture.
>
> The same idea might be applied here (even if, I read above, the aim is
> a simple tool for end-users to simplify firewall configuration with a
> "tick-based" system, so the following discussion might not strictly
> apply...), creating a sort of "general" and user-friendly language for
> the policies and then "porting" it to the various IPFilter, iptables, pf
> and so on.
>
> It might be worth a try for not too obscure configurations.
> The advantage is that the tool would be quickly ported to all the
> systems, it could understand the state of different boxes with different
> operating systems on them and it might be very handy in migration:
> users with a working configuration on FreeBSD or Linux might just import
> that configuration into the framework, install OpenSolaris and export it.
Hi Enrico,

Thanks for the clarification. This is exactly what FirewallBuilder does,
representing policy in XML format that can be applied to different
underlying operating systems. Our goal isn't a general firewall
configuration tool but a framework for configuring a firewall on Solaris.
I'll clarify the project scope in the document.

-tony
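As an added illustration of the "meta-language plus back ends" idea Enrico describes (this is example code written for this page; it is not from the thread, from FirewallBuilder, or from the Solaris project, and the names `Rule`, `validate`, `to_ipfilter`, `to_pf`, `to_iptables` and the abstract interface role `"ext"` are all assumptions of the example), here is a minimal policy representation with emitters for IPFilter, pf and iptables. The point a practitioner cares about is in the back ends: ipf and pf are last-match-wins unless a rule says `quick`, while iptables is first-match-wins, so a translator that forgets `quick` can silently turn a "permit SSH, then default deny" policy into "deny everything". Every rule is validated before any back end sees it, and constructs the toy language cannot express (forwarded traffic, ports without tcp/udp) are rejected rather than approximated. The mapping of `keep state` onto `conntrack --ctstate NEW,ESTABLISHED` is an approximation of stateful matching, not a semantic equivalence.

```python
# Added example (not from the thread, not FirewallBuilder's or the Solaris
# project's code): a tiny backend-neutral policy language with ipf, pf and
# iptables emitters, to show Enrico's decouple-then-port idea in practice.
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


@dataclass(frozen=True)
class Rule:
    """One backend-neutral filtering rule. 'iface' is an abstract role
    (e.g. "ext") that each back end maps to a real device name."""
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str                   # abstract interface role, mapped per OS
    proto: Optional[str] = None  # "tcp", "udp" or None for any protocol
    src: str = "any"             # address or CIDR, or "any"
    dst: str = "any"
    dport: Optional[int] = None  # destination port, only with tcp/udp
    keep_state: bool = False     # stateful match


def validate(rule: Rule) -> None:
    """Reject rules the meta-language does not define, so no back end
    ever emits something with a different meaning than intended."""
    if rule.action not in ("pass", "block"):
        raise ValueError(f"unknown action {rule.action!r}")
    if rule.direction not in ("in", "out"):
        raise ValueError(f"unknown direction {rule.direction!r}")
    if rule.proto not in (None, "tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    if rule.dport is not None and rule.proto not in ("tcp", "udp"):
        raise ValueError("a destination port requires proto tcp or udp")


def _checked(policy: List[Rule], ifaces: Dict[str, str]) -> Iterator[Rule]:
    for r in policy:
        validate(r)
        if r.iface not in ifaces:
            raise ValueError(f"no device mapped for interface role {r.iface!r}")
        yield r


def _bsd_style(rule: Rule, dev: str, port_kw: str) -> str:
    # ipf and pf share a rule grammar; they differ in how a port is spelled
    # ("port = 22" vs "port 22"). 'quick' is emitted on every rule so that
    # first-match-wins semantics hold, the same ordering model iptables uses;
    # without 'quick', ipf and pf take the LAST matching rule.
    parts = [rule.action, rule.direction, "quick", "on", dev]
    if rule.proto:
        parts += ["proto", rule.proto]
    if rule.proto is None and rule.src == "any" and rule.dst == "any" \
            and rule.dport is None:
        parts.append("all")
    else:
        parts += ["from", rule.src, "to", rule.dst]
        if rule.dport is not None:
            parts += [port_kw, str(rule.dport)]
    if rule.keep_state:
        parts += ["keep", "state"]
    return " ".join(parts)


def to_ipfilter(policy: List[Rule], ifaces: Dict[str, str]) -> List[str]:
    return [_bsd_style(r, ifaces[r.iface], "port =") for r in _checked(policy, ifaces)]


def to_pf(policy: List[Rule], ifaces: Dict[str, str]) -> List[str]:
    return [_bsd_style(r, ifaces[r.iface], "port") for r in _checked(policy, ifaces)]


def to_iptables(policy: List[Rule], ifaces: Dict[str, str]) -> List[str]:
    # Host filtering only: 'in' -> INPUT/-i, 'out' -> OUTPUT/-o. Forwarded
    # traffic (FORWARD chain) is deliberately outside this toy language.
    out = []
    for r in _checked(policy, ifaces):
        chain, flag = ("INPUT", "-i") if r.direction == "in" else ("OUTPUT", "-o")
        parts = ["iptables", "-A", chain, flag, ifaces[r.iface]]
        if r.proto:
            parts += ["-p", r.proto]
        if r.src != "any":
            parts += ["-s", r.src]
        if r.dst != "any":
            parts += ["-d", r.dst]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        if r.keep_state:
            # Approximation of 'keep state', not an exact equivalent.
            parts += ["-m", "conntrack", "--ctstate", "NEW,ESTABLISHED"]
        parts += ["-j", "ACCEPT" if r.action == "pass" else "DROP"]
        out.append(" ".join(parts))
    return out


# Constructed sample policy for the example: allow SSH to one host on the
# external interface, then default-deny everything else inbound.
SAMPLE_POLICY = [
    Rule("pass", "in", "ext", "tcp", "any", "192.168.1.10", 22, True),
    Rule("block", "in", "ext"),
]

if __name__ == "__main__":
    for name, emit, devs in [("ipf", to_ipfilter, {"ext": "hme0"}),
                             ("pf", to_pf, {"ext": "em0"}),
                             ("iptables", to_iptables, {"ext": "eth0"})]:
        print(f"# {name}")
        print("\n".join(emit(SAMPLE_POLICY, devs)))
```

The per-OS device map (hme0 on Solaris, em0 on FreeBSD, eth0 on Linux) is what makes the "import on FreeBSD, export on OpenSolaris" migration in Enrico's message work: the policy never names a real device, only a role. Anything beyond this rule shape (NAT, rule groups, tagging, FORWARD) should raise in `validate` rather than be guessed by a back end, which is the practical meaning of "not too obscure configurations".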