File: README.ipfilter

Debian package: fwbuilder 1.0.0-2 (suite: woody)

NOTE:
The ip_filter compiler is not implemented in Firewall Builder v 0.9.0,
0.9.1 and 0.9.2.



Release Notes for ipfilter compiler v 0.8.7


fwb_ipfilter generates ipf.conf and ipnat.conf files for ipfilter. It
has been tested with ipfilter v3.4.13 running on a Solaris 2.6 box.

The compiler creates these files in its current working directory;
typically this is $HOME/fwbuilder if the compiler was launched from
within the GUI.

It is the user's responsibility to copy these files over to the
firewall box and reload the ipfilter software for firewall policy and
NAT changes to take effect.


Notes:

 - the compiler honors all rule elements coming from the GUI: source,
   destination, service, target, direction, action and logging.

 - the compiler scans the firewall interfaces in the "prologue" function
   and generates two groups per interface: one group for inbound and
   another for outbound packets. All rules are installed in these
   groups later on.

 - the compiler implements a workaround for negation. Since ipfilter
   does not implement negation for rule elements (although "!" is
   present in the syntax definition, it does not seem to work), we do
   the following:

   If negation is used in a rule, we generate two configuration lines:
   the first checks the conditions specified via the GUI, ignoring the
   negation flag, and skips the next rule if the conditions are met.
   The very next line executes the action specified via the GUI. If
   negation is used on a rule element which contains a group or more
   than one object, this algorithm is repeated, setting the number of
   lines to skip in such a way that the first line skips all the
   others. The action specified in the GUI rule generates only one
   configuration line, at the end of the batch.

 - If the GUI rule specifies a direction ("inbound"/"outbound"), the
   compiler generates configuration lines accordingly. If the GUI rule
   does not specify a direction, the compiler generates configuration
   lines for both the "in" and "out" directions. A similar algorithm is
   used for interfaces: if the GUI rule requires that the rule be
   installed on a particular interface, the compiler generates a
   configuration line for the group which controls packets on that
   interface. If no interface was specified in the GUI, the compiler
   generates lines for all interfaces. This algorithm produces a lot of
   redundant rules and obviously leaves a lot of room for optimization.