On 08/19/08 01:17, Enrico Perla wrote:
> > Hello Tony,
> >
> > I believe such standard doesn't yet exist since IPfilter rules are quite
> > flexible. Darren will correct if I'm wrong :^)
>
> I guess (James will correct if I miss something :P) that the idea here
> is to create a high-level meta-language. Pretty much what happens
> with binary analysis: you create a meta-language and an interpreter
> for that language and then you just have to "port" the different
> machine codes (UltraSPARC, x86, PPC, etc) to that meta-language and
> you can investigate them with standard (and tested) primitives.
>
> The advantage is that you decouple the reasoning on the metalanguage
> from the knowledge of the underlying architecture.
>
> The same idea might be applied here (even if, I read above, the aim
> is a simple tool for end-users to simplify firewall configuration with
> a "tick-based" system, so the following discussion might not strictly
> apply...), creating a sort of "general" and user friendly language
> for the policies and then "porting" it to the various IPFilter,
> iptables, pf and so on.
>
> It might be worth a try for not too obscure configurations.
> The advantage is that the tool would be quickly ported to all the
> systems, it could understand the state of different boxes with
> different operating systems on them and it might be very handy in
> migration: users with a working configuration on FreeBSD or Linux
> might just import that configuration in the framework, install
> OpenSolaris and export it.
This is harder than you might expect because of the difference in features present. If you limit the generated rules to being of a particular subset of functionality then there is a chance it can work. Which means that so long as you stick to high level concepts, it can mostly work.

In the previous century I brainstormed this idea at a USENIX with Bellovin and Cheswick (authors of one of the early firewall books) and assorted others... And I tried some things and I'm sure others have too.

The end result is that today all text file firewall configs are still in their native format and only the GUIs have any capability to manage different firewalls, and the reason is obvious: while you are working at the "low level" (i.e. text), it is natural to want to talk to the software at the same level. When the primary interface stops being a low level device then you tend to become less concerned with the details and more concerned with the objective.

Darren
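As an added illustration of the "stick to a subset" approach Darren describes (example code written for this page, not from the thread or from the IPFilter, pf or iptables projects): a toy policy compiler that accepts only a small, backend-neutral rule shape and renders it to all three syntaxes, refusing anything the subset cannot express identically. The names Rule, validate, is_portable, compile_policy and UnsupportedFeature are invented for the example; the emitted lines use the standard IPFilter, pf and iptables rule forms, and the sample policy and addresses are constructed.

```python
"""Toy portable-policy compiler (constructed example, not from the thread)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str                   # interface the rule is bound to, e.g. "em0"
    proto: Optional[str] = None  # "tcp", "udp" or None for any protocol
    src: str = "any"             # source address or "any"
    dst: str = "any"             # destination address or "any"
    dport: Optional[int] = None  # destination port; needs tcp or udp
    stateful: bool = False       # ask the firewall to track the connection


class UnsupportedFeature(ValueError):
    """Raised when a rule needs something the common subset cannot express."""


def validate(rule: Rule) -> None:
    """Reject anything outside the subset every backend renders the same way."""
    if rule.action not in ("pass", "block"):
        raise UnsupportedFeature(f"action {rule.action!r} is not portable")
    if rule.direction not in ("in", "out"):
        raise UnsupportedFeature(f"direction {rule.direction!r} is not portable")
    if rule.proto not in (None, "tcp", "udp"):
        raise UnsupportedFeature(f"protocol {rule.proto!r} is not in the subset")
    if rule.dport is not None and rule.proto is None:
        raise UnsupportedFeature("a port match needs proto tcp or udp")
    if rule.stateful and rule.action != "pass":
        raise UnsupportedFeature("state is only tracked for pass rules")


def is_portable(rule: Rule) -> bool:
    """True when the rule fits the subset, False otherwise."""
    try:
        validate(rule)
    except UnsupportedFeature:
        return False
    return True


def _bsd_rule(rule: Rule, port_fmt: str) -> str:
    # "quick" stops at the first match, so the policy's first-match order is
    # kept; without it both IPFilter and pf apply last-match semantics.
    parts = [rule.action, rule.direction, "quick", "on", rule.iface]
    if rule.proto:
        parts += ["proto", rule.proto]
    parts += ["from", rule.src, "to", rule.dst]
    if rule.dport is not None:
        parts.append(port_fmt.format(rule.dport))
    if rule.stateful:
        parts += ["keep", "state"]
    return " ".join(parts)


def to_ipfilter(rule: Rule) -> str:
    validate(rule)
    return _bsd_rule(rule, "port = {}")   # IPFilter spells the port match "port = N"


def to_pf(rule: Rule) -> str:
    validate(rule)
    return _bsd_rule(rule, "port {}")     # pf accepts the shorter "port N"


def to_iptables(rule: Rule) -> str:
    validate(rule)
    chain = "INPUT" if rule.direction == "in" else "OUTPUT"
    parts = ["iptables", "-A", chain, "-i" if rule.direction == "in" else "-o", rule.iface]
    if rule.proto:
        parts += ["-p", rule.proto]
    if rule.src != "any":
        parts += ["-s", rule.src]
    if rule.dst != "any":
        parts += ["-d", rule.dst]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    if rule.stateful:
        # Feature gap: "keep state" on IPFilter/pf also lets the replies through,
        # whereas iptables needs a separate ESTABLISHED rule in the other chain,
        # which this translator deliberately does not synthesise.
        parts += ["-m", "conntrack", "--ctstate", "NEW,ESTABLISHED"]
    parts += ["-j", "ACCEPT" if rule.action == "pass" else "DROP"]
    return " ".join(parts)


BACKENDS: Dict[str, Callable[[Rule], str]] = {
    "ipfilter": to_ipfilter, "pf": to_pf, "iptables": to_iptables,
}


def compile_policy(rules: List[Rule], backend: str) -> List[str]:
    """Render an ordered policy (first match wins) for one backend."""
    render = BACKENDS[backend]
    return [render(r) for r in rules]


# Constructed sample policy: allow inbound SSH to one host, drop everything else.
SAMPLE_POLICY = [
    Rule("pass", "in", "em0", "tcp", dst="192.0.2.10", dport=22, stateful=True),
    Rule("block", "in", "em0"),
]

if __name__ == "__main__":
    for name in BACKENDS:
        print(f"# {name}")
        for line in compile_policy(SAMPLE_POLICY, name):
            print(line)
```

The interesting part is what the subset leaves out: the moment a rule wants something one backend lacks (a protocol outside tcp/udp, a port without a protocol, state on a block), validate() refuses it rather than emitting something that behaves differently per system, and the state comment in to_iptables marks the kind of semantic gap that survives even inside the subset.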