
Re: [alpine-devel] Alpine Wall for firewall management

From: Harry Lachanas <grharry_at_freemail.gr>
Date: Wed, 04 Jan 2012 11:45:20 +0200

On 12/30/2011 04:08 PM, Kaarle Ritvanen wrote:
> Hello,
>
> We have a new firewall management framework under early development.
> Please check out the draft specification here and provide your comments:
>
> http://wiki.alpinelinux.org/wiki/Alpine_Wall
>
Very nice effort indeed ...
However I would like to see some level of abstraction in the ZONE
specification.
That is,

Instead of a 1 to 1 relation between zone and interface+subnet

I would like to attach an ipset there as a part of a zone.

In other words

Zone = ( iface ) U ( subnet(s) ) U ( ipset )
This should also consider the aspect of incoming and outgoing
connections, so expanding this would impose
ZONE = ( iface ) U ( Subnet(s) ) U ( ipset/Incoming ) U ( ipset/outgoing )

where U = union.

Perhaps superimposing ipsets on top of iptables could offer a suitable
degree of freedom and abstraction to move things around.
IPSET attributes -> ZONES -> Interfaces

The promising element of ipsets is the elimination of iptables
reloading. Once values are added to the sets they are seen and executed
from iptables.

Regards
Harry.
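The zone model sketched in this mail (ZONE = iface U subnets U ipset/incoming U ipset/outgoing) can be rendered into concrete ipset and iptables commands. The script below is an added example for this archive page; it is not Alpine Wall code and not something from the mail. It only prints the commands, so it runs anywhere; the zone name "dmz", the interface "eth1" and the subnets are constructed values. The point it shows is structural: the iptables rules reference the sets by name, so membership changes go through `ipset add` alone and never touch the iptables ruleset.

```shell
#!/bin/sh
# Added example: emit ipset + iptables commands for a zone modelled as
#   ZONE = iface U subnets U ipset/in U ipset/out
# Nothing here is executed against the kernel; pipe the output to sh on a
# firewall host if you want to apply it. All names are constructed.

# zone_rules NAME IFACE "SUBNET ..."  -> prints setup commands
zone_rules() {
    zone=$1; iface=$2; subnets=$3
    in_set="${zone}_in"; out_set="${zone}_out"

    # Sets are created once; -exist makes this idempotent on re-runs.
    echo "ipset create $in_set hash:net -exist"
    echo "ipset create $out_set hash:net -exist"

    # One chain per direction; zone policy (accept/drop/log) hangs off these.
    echo "iptables -N zone_${zone}_in"
    echo "iptables -N zone_${zone}_out"

    # Static leg of the union: interface + subnet(s).
    for net in $subnets; do
        echo "iptables -A INPUT  -i $iface -s $net -j zone_${zone}_in"
        echo "iptables -A OUTPUT -o $iface -d $net -j zone_${zone}_out"
    done

    # Dynamic leg of the union: classify by set membership, one set per
    # direction. Hosts added to the set later are matched immediately.
    echo "iptables -A INPUT  -i $iface -m set --match-set $in_set src -j zone_${zone}_in"
    echo "iptables -A OUTPUT -o $iface -m set --match-set $out_set dst -j zone_${zone}_out"
}

# zone_add NAME in|out NET -> runtime membership change; no iptables reload
zone_add() {
    echo "ipset add ${1}_${2} $3 -exist"
}

# Stand-alone usage: generate the dmz zone, then move a host into it.
zone_rules dmz eth1 "192.0.2.0/24 198.51.100.0/24"
zone_add dmz in 10.0.0.5
```

Because the direction-specific sets are separate, a host can be admitted for inbound classification without also being treated as a permitted outbound destination, which is the asymmetry the ipset/incoming and ipset/outgoing split in the mail asks for.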

Received on Wed Jan 04 2012 - 11:45:20 GMT