From: Harry Lachanas
Date: Wed, 04 Jan 2012 11:45:20 +0200
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Alpine Wall for firewall management
Message-ID: <4F041FB0.10109@freemail.gr>

On 12/30/2011 04:08 PM, Kaarle Ritvanen wrote:
> Hello,
>
> We have a new firewall management framework under early development.
> Please check out the draft specification here and provide your comments:
>
> http://wiki.alpinelinux.org/wiki/Alpine_Wall

Very nice effort indeed ...
However I would like to see some level of abstraction in the ZONE specification.
That is,

Instead of a 1 to 1 relation between zone and interface+subnet

I would like to attach an ipset there as a part of a zone.

In other words

Zone = ( iface ) U ( subnet(s) ) U ( ipset )

This should also consider the aspect of incoming and outgoing connections, so expanding this would impose

ZONE = ( iface ) U ( Subnet(s) ) U ( ipset/Incoming ) U ( ipset/outgoing )

where U = union.

Perhaps superimposing IPSETs on top of iptables could offer a suitable degree of freedom and abstraction to move things around.

IPSET attributes -> ZONES -> Interfaces

The promising element of ipsets is the elimination of iptables reloading. Once values are added to the sets they are seen and executed from iptables.

Regards
Harry.
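The zone model proposed above, as an added illustration that is not part of the thread or of the Alpine Wall draft: a small classifier treating a zone as iface U subnets U ipset/in U ipset/out, where set membership is looked up at match time so that adding an address to a set changes classification without rebuilding any zone (the "no iptables reload" property). Zone names, interface names and addresses are constructed for the demo.

```python
import ipaddress


class Zone:
    """Zone = (iface) U (subnets) U (ipset/in) U (ipset/out), per the proposal.
    The ipsets are plain Python sets of network strings, standing in for
    kernel ipsets that iptables rules reference by name (constructed model)."""

    def __init__(self, name, iface, subnets=(), ipset_in=None, ipset_out=None):
        self.name = name
        self.iface = iface
        self.subnets = [ipaddress.ip_network(s) for s in subnets]
        # Shared mutable objects: whoever holds a reference can add members
        # later, and the zone sees them on the next match, like "ipset add".
        self.ipset_in = ipset_in if ipset_in is not None else set()
        self.ipset_out = ipset_out if ipset_out is not None else set()

    @staticmethod
    def _in_set(ip, ipset):
        # Entries may be hosts ("10.9.9.9") or prefixes ("10.9.9.0/24").
        return any(ip in ipaddress.ip_network(n) for n in ipset)

    def matches(self, iface, direction, addr):
        """direction 'in': addr is the packet source; 'out': its destination."""
        if iface != self.iface:
            return False
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.subnets):
            return True
        ipset = self.ipset_in if direction == "in" else self.ipset_out
        return self._in_set(ip, ipset)


def classify(zones, iface, direction, addr):
    """Name of the first zone the packet falls into, or None (like a chain walk)."""
    for zone in zones:
        if zone.matches(iface, direction, addr):
            return zone.name
    return None


def demo():
    lan_in = set()  # like "ipset create lan_in hash:net" (constructed names)
    lan = Zone("lan", "eth0", ["192.168.1.0/24"], ipset_in=lan_in)
    zones = [lan]
    before = classify(zones, "eth0", "in", "10.9.9.9")  # not in subnet or set
    lan_in.add("10.9.9.0/24")                            # like "ipset add lan_in ..."
    after = classify(zones, "eth0", "in", "10.9.9.9")   # seen without rebuilding zones
    return before, after
```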