[Xorp-hackers] First-cut IP filtering XIF.

Marko Zec zec@icir.org
Tue, 24 Aug 2004 16:10:17 +0200


On Sunday 22 August 2004 13:30, Bruce M Simpson wrote:
> Here's a first cut at a simple XRL interface to a firewall abstraction
> layer (as yet to be coded) in the FEA.
...
>		iface:txt & \
>		src:ipv4net & \
>		dst:ipv4net & \
>		proto:u32 & \
>		sport:u32 & \
>		dport:u32 & \
>		action:txt
...
>       * @param sport Source TCP/UDP port (actually u16).
>       * @param dport Destination TCP/UDP port (actually u16).


Perhaps it would make sense to allow for some kind of wildcarding on TCP/UDP 
ports. The proposed model with strict 1:1 port matching will not allow 
catching ephemeral ports etc.

On the other hand, different firewalling providers / implementations can have 
quite incompatible semantics in this matter, which might be a problem if we 
wish to have a uniform XRL firewall interface across all platforms. So maybe 
we should begin with supporting something really simple, like a single 
sport/dport range per firewall rule, since such semantics seem to be 
supported by most UNIX firewalls (I guess?).

IMO, the "action" field should probably also be uniformly defined across all 
underlying platforms (i.e. to avoid having random aliases for the same 
action, like permit/allow/pass/accept, deny/drop/block etc.). Or maybe not?

Marko
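The two points raised above (a single sport/dport range per rule, with 0-65535 as the wildcard, and a canonical action vocabulary with the per-platform aliases folded onto it) can be sketched as a small rule model. This is an added illustration, not XORP/FEA code: the alias table, the `parse_rule` helper and the field names are assumptions, and the two renderers assume ipfw(8) and pf.conf rule syntax for the same abstract rule.

```python
"""Provider-neutral firewall rule: one port range per side, canonical actions.
Added example for the thread's proposal; not XORP/FEA code."""
from dataclasses import dataclass
from ipaddress import IPv4Network

# Aliases from several firewall dialects folded onto two canonical actions.
# The table itself is an assumption made for this example.
_ACTION_ALIASES = {
    "pass": "pass", "permit": "pass", "allow": "pass", "accept": "pass",
    "block": "block", "deny": "block", "drop": "block",
}


def canonical_action(name: str) -> str:
    """Map any known alias (case-insensitive) to 'pass' or 'block'."""
    key = name.strip().lower()
    if key not in _ACTION_ALIASES:
        raise ValueError(f"unknown action {name!r}")
    return _ACTION_ALIASES[key]


@dataclass(frozen=True)
class PortRange:
    """Inclusive lo..hi; 0..65535 is the wildcard ('any')."""
    lo: int
    hi: int

    def __post_init__(self):
        if not (0 <= self.lo <= self.hi <= 65535):
            raise ValueError(f"bad port range {self.lo}-{self.hi}")

    @classmethod
    def parse(cls, text: str) -> "PortRange":
        """'any', a single port '80', or a range '1024-65535'."""
        if text.strip().lower() == "any":
            return cls(0, 65535)
        lo, _, hi = text.partition("-")
        return cls(int(lo), int(hi or lo))

    @property
    def is_any(self) -> bool:
        return self.lo == 0 and self.hi == 65535

    def render(self, sep: str) -> str:
        """'80' for a single port, 'lo<sep>hi' otherwise (ipfw '-', pf ':')."""
        return str(self.lo) if self.lo == self.hi else f"{self.lo}{sep}{self.hi}"


@dataclass(frozen=True)
class Rule:
    iface: str
    src: IPv4Network
    dst: IPv4Network
    proto: str          # "tcp", "udp" or "ip" (any protocol)
    sport: PortRange
    dport: PortRange
    action: str         # canonical: "pass" or "block"

    def __post_init__(self):
        if self.action not in ("pass", "block"):
            raise ValueError("action must be canonical; use canonical_action()")
        # Ports only mean something for TCP/UDP; refuse a match that a backend
        # would silently ignore rather than render a rule that never fires.
        if self.proto not in ("tcp", "udp") and not (self.sport.is_any and self.dport.is_any):
            raise ValueError("port ranges require proto tcp or udp")

    @staticmethod
    def _net(net: IPv4Network) -> str:
        return "any" if net.prefixlen == 0 else str(net)

    def to_ipfw(self, number: int) -> str:
        """ipfw body: add N action proto from src [ports] to dst [ports] via iface."""
        act = {"pass": "allow", "block": "deny"}[self.action]
        src = self._net(self.src) + ("" if self.sport.is_any else " " + self.sport.render("-"))
        dst = self._net(self.dst) + ("" if self.dport.is_any else " " + self.dport.render("-"))
        return f"add {number} {act} {self.proto} from {src} to {dst} via {self.iface}"

    def to_pf(self) -> str:
        """pf.conf line: action in on iface [proto P] from src [port R] to dst [port R]."""
        parts = [self.action, "in", "on", self.iface]
        if self.proto != "ip":
            parts += ["proto", self.proto]
        parts += ["from", self._net(self.src)]
        if not self.sport.is_any:
            parts += ["port", self.sport.render(":")]
        parts += ["to", self._net(self.dst)]
        if not self.dport.is_any:
            parts += ["port", self.dport.render(":")]
        return " ".join(parts)


def parse_rule(iface, src, dst, proto, sport, dport, action) -> Rule:
    """Build a Rule from the text form an XRL-style caller would hand over."""
    return Rule(iface, IPv4Network(src), IPv4Network(dst), proto.lower(),
                PortRange.parse(sport), PortRange.parse(dport),
                canonical_action(action))


if __name__ == "__main__":
    # Constructed sample: block TCP from 10/8 ephemeral ports to any port 80 on em0.
    r = parse_rule("em0", "10.0.0.0/8", "0.0.0.0/0", "tcp", "1024-65535", "80", "deny")
    print(r.to_ipfw(100))
    print(r.to_pf())
```

The same abstract rule renders as `add 100 deny tcp from 10.0.0.0/8 1024-65535 to any 80 via em0` for ipfw and `block in on em0 proto tcp from 10.0.0.0/8 port 1024:65535 to any port 80` for pf; anything the two backends express differently (range separators, action spellings, "any") stays inside the renderers, while the XRL side only ever sees one range per side and two action names.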