[Xorp-hackers] First-cut IP filtering XIF.
Marko Zec
zec@icir.org
Tue, 24 Aug 2004 16:10:17 +0200
On Sunday 22 August 2004 13:30, Bruce M Simpson wrote:
> Here's a first cut at a simple XRL interface to a firewall abstraction
> layer (as yet to be coded) in the FEA.
...
> iface:txt & \
> src:ipv4net & \
> dst:ipv4net & \
> proto:u32 & \
> sport:u32 & \
> dport:u32 & \
> action:txt
...
> * @param sport Source TCP/UDP port (actually u16).
> * @param dport Destination TCP/UDP port (actually u16).
Perhaps it would make sense to allow for some kind of wildcarding on TCP/UDP
ports. The proposed model with strict 1:1 port matching will not allow
catching ephemeral ports etc.
On the other hand, different firewalling providers / implementations can have
quite incompatible semantics in this matter, which might be a problem if we
wish to have a uniform XRL firewall interface across all platforms. So maybe
we should begin with supporting something really simple, like a single
sport/dport range per firewall rule, since such semantics seem to be
supported by most UNIX firewalls (I guess?).
IMO, the "action" field should probably also be uniformly defined across all
underlying platforms (i.e. to avoid having random aliases for the same
action, like permit/allow/pass/accept, deny/drop/block etc.). Or maybe not?
Marko
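As an added illustration of the two points raised in this message (a single sport/dport range per rule instead of strict 1:1 port matching, and a canonical action vocabulary), here is a small Python model; it is editor-supplied example code, not code from the XORP FEA or from the proposed XRL interface. The interface name, networks, ports and the alias table are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Canonical action vocabulary (constructed): provider-specific aliases collapse
# onto two verbs so the XRL layer never treats permit/allow/pass as distinct.
ACTION_ALIASES = {
    "permit": "permit", "allow": "permit", "pass": "permit", "accept": "permit",
    "deny": "deny", "drop": "deny", "block": "deny",
}

def canonical_action(action: str) -> str:
    """Normalize a platform action keyword; unknown verbs are an error, not a guess."""
    try:
        return ACTION_ALIASES[action.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown firewall action: {action!r}") from None

@dataclass(frozen=True)
class Rule:
    # One rule with a single inclusive (lo, hi) port range on each side.
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int                 # IP protocol number: 6 = TCP, 17 = UDP
    sport: Tuple[int, int]     # (n, n) is strict 1:1 matching; (0, 65535) wildcards
    dport: Tuple[int, int]
    action: str                # stored as written; normalized on lookup

    def matches(self, iface: str, src: str, dst: str, proto: int, sport: int, dport: int) -> bool:
        return (self.iface == iface
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and self.proto == proto
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])

def first_match(rules: List[Rule], pkt: tuple) -> Optional[str]:
    """Return the canonical action of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if rule.matches(*pkt):
            return canonical_action(rule.action)
    return None

# Constructed sample data: a client in 10/8 fetching a web page from 192.0.2.10
# using an ephemeral source port, which a strict sport==80 rule cannot catch.
NET_SRC = ipaddress.IPv4Network("10.0.0.0/8")
NET_DST = ipaddress.IPv4Network("192.0.2.10/32")
STRICT_RULE = Rule("fxp0", NET_SRC, NET_DST, 6, (80, 80), (80, 80), "pass")
RANGE_RULE = Rule("fxp0", NET_SRC, NET_DST, 6, (1024, 65535), (80, 80), "allow")
PKT = ("fxp0", "10.1.2.3", "192.0.2.10", 6, 49152, 80)
```

`first_match([STRICT_RULE], PKT)` returns `None` while `first_match([RANGE_RULE], PKT)` returns `"permit"`, showing why a per-rule port range is needed for client-side traffic.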