Re: [alpine-devel] Alpine Wall for firewall management

From: Harry Lachanas <>
Date: Wed, 04 Jan 2012 11:45:20 +0200

On 12/30/2011 04:08 PM, Kaarle Ritvanen wrote:
> Hello,
> We have a new firewall management framework under early development.
> Please check out the draft specification here and provide your comments:
Very nice effort indeed ...
However, I would like to see some level of abstraction in the ZONE.
That is,

Instead of a 1 to 1 relation between zone and interface+subnet

I would like to attach an ipset there as a part of a zone.

In other words

Zone = ( iface ) U ( subnet(s) ) U ( ipset )
This should also consider the aspect of incoming and outgoing
connections, so expanding this would impose
ZONE = ( iface ) U ( subnet(s) ) U ( ipset/incoming ) U ( ipset/outgoing )

where U = union.

Perhaps superimposing ipsets on top of iptables could offer a suitable
degree of freedom and abstraction to move things around.
IPSET attributes -> ZONES -> Interfaces

The promising element of ipsets is the elimination of iptables
reloading. Once values are added to the sets they are seen and executed
from iptables.
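As an added illustration of the zone model proposed above (example code written for this archive page, not part of the thread or of the Alpine Wall project), the script below expands a zone defined as iface U subnet(s) U ipset/incoming U ipset/outgoing into the ipset and iptables commands it would correspond to. The zone name "dmz", interface "eth1", set names "dmz_in"/"dmz_out" and all addresses are constructed; commands are printed rather than executed, so the script runs without root or a live firewall.

```shell
#!/bin/sh
# Added example, not from the original mail or from awall.
# zone_rules NAME IFACE "SUBNETS": print the commands that represent
#   ZONE = iface U subnet(s) U ipset/incoming U ipset/outgoing
zone_rules() {
    name=$1; iface=$2; subnets=$3
    set_in="${name}_in"; set_out="${name}_out"

    # One hash:net set per direction. Members can be added later without
    # reloading the iptables ruleset, which is the point made in the mail.
    echo "ipset create $set_in hash:net -exist"
    echo "ipset create $set_out hash:net -exist"
    for s in $subnets; do
        echo "ipset add $set_in $s -exist"
        echo "ipset add $set_out $s -exist"
    done

    # A per-zone chain; the interface and both sets feed traffic into it,
    # so policy written against zone_$name covers every member of the union.
    echo "iptables -N zone_$name"
    echo "iptables -A INPUT -i $iface -j zone_$name"
    echo "iptables -A INPUT -m set --match-set $set_in src -j zone_$name"
    echo "iptables -A OUTPUT -o $iface -j zone_$name"
    echo "iptables -A OUTPUT -m set --match-set $set_out dst -j zone_$name"
}

# zone_add_member NAME DIRECTION ADDR: grow the zone at runtime.
# Only the ipset changes; the iptables rules emitted above stay untouched.
zone_add_member() {
    echo "ipset add ${1}_$2 $3 -exist"
}

# Constructed sample zone: one interface plus two subnets, then a host
# added to the incoming side later without touching iptables.
zone_rules dmz eth1 "10.0.1.0/24 10.0.2.0/24"
zone_add_member dmz in 192.0.2.7
```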


Received on Wed Jan 04 2012 - 11:45:20 UTC