--On Thursday, August 28, 2008 01:16:18 PM -0700 Tony Nguyen <Truong.Q.Nguyen at Sun.COM> wrote:
> Scott Rotondo wrote: >> Tony Nguyen wrote: >>> >>> The design strongly encourages your described scenario though >>> presented differently. The overall policy is split into two global >>> layers, Global Default and Global Override. >>> >>> - Initially, services are set to inherit Global Default's policy so >>> service specific rules enforces the same policy(block or allow the >>> same set of network entities). This is the preferred and default >>> settings for services. >>> >>> - Administrator can, however, choose to set a different policy for a >>> specific service. This action potentially exposes the system, but only >>> through that service and is a user's conscious decision. >>> >>> - The Global Override allows another set of global rules, overall >>> policy, that takes precedence over the needs of all services. This >>> explicit global override policy makes it clear services' policies are >>> restricted by another overall policy. >> >> Yes, I got that from reading the design document, and the Global >> Override seems to accomplish what I was looking for in terms of a global >> policy that cannot be undone by individual services. >> >> However, a highly desirable related property would be assurance that >> individual service rules cannot conflict with each other. As you said in >> response to another email: >> >>> A service is expected to only generate rules relevant to its network >>> traffic. >> >> It would be ideal if the way of expressing service rules made it >> impossible to affect other services. I don't think the current syntax >> for service rules provides that assurance (and it may not be feasible to >> do so), but it would be great if it could. >> > > Agree, that would be the ideal solution. At the moment, I don't see a > way to analyze an arbitrary set of rules for a conflicting subset. No, of course not; the possibilities offered by ipf are too varied and complex to allow that. What I think Scott was proposing is that services not get to specify arbitrary ipf rules, but instead get to specify rules in a much more restrictive language, which is designed such that you _can_ analyze for conflicts, or even better, such that conflicts cannot occur.