On 12/30/2011 04:08 PM, Kaarle Ritvanen wrote:
> We have a new firewall management framework under early development.
> Please check out the draft specification here and provide your comments:
Very nice effort indeed ...
However I would like to see some level of abstraction in the ZONE
Instead of a 1 to 1 relation between zone and interface+subnet
I would like to attach an ipset there as a part of a zone.
In other words
Zone = ( iface ) U ( subnet(s) ) U ( ipset )
This should also consider the aspect if incoming and outgoing
connections, so expanding this would impose
ZONE = ( iface ) U ( Subnet(s) ) U ( ipset/Incoming ) U ( ipset/outgoing )
where U = union.
Perhaps Superimposing IPSETS on top of ip tables could offer a suitable
degree of freedom and abstraction to move things around.
IPSET attributes -> ZONES -> Interfaces
The promising element of ipsets is the elimination of iptables
reloading. Once values are added to the sets they are seen and executed
Received on Wed Jan 04 2012 - 11:45:20 GMT