From network-automation-owner@greatcircle.com Sat Jun 25 18:00:25 2005
Date: Sat, 25 Jun 2005 21:00:21 -0400
From: Ted Kaczmarek
Subject: Re: ACL compiler [was: Network Automation: An Architects View]
In-reply-to: <66b6f3369bde6fa64632f383d2bc4500@gregor.com>
To: DJ Gregor
Cc: network-automation@greatcircle.com
Reply-To: tedkaz@optonline.net
Message-id: <1119747621.14548.2.camel@inyoureyes.linsolutions.com>
References: <5.1.0.14.0.20050521155048.025ab230@mail.eclipse.co.uk> <17039.36357.794569.744848@perdition.linnaean.org> <20050524115708.E40415@skink.reptiles.org> <66b6f3369bde6fa64632f383d2bc4500@gregor.com>
X-Archive-Number: 200506/1
X-Sequence-Number: 128

On Tue, 2005-05-24 at 12:25 -0400, DJ Gregor wrote:
> In terms of ACL compilers, has anyone looked at Firewall Builder? It
> looks to have a general XML format that defines the policy (although at
> a low-level, in terms of ports and devices), along with translators
> from the XML format into implementation-specific configuration
> statements.
>
> http://www.fwbuilder.org/
>
> I've also seen the same thing done in a commercial product where not
> only the firewall configuration, but the entire device configuration
> was specified in an XML language that was translated to operating
> system-specific configurations (for multiple OSes, even).
> The XML configurations were per-device, not per-network, however.
>
>
> - djg
>

I would like it a lot more if it generated redhat style iptables file :-)
It is a most popular tool used by lots of people I know.

Ted

From network-automation-owner@greatcircle.com Sat Jun 25 18:08:14 2005
Date: Sat, 25 Jun 2005 18:08:05 -0700
From: "Michael T. Halligan"
Reply-To: mhalligan@bitpusher.com
To: tedkaz@optonline.net
Cc: DJ Gregor, network-automation@greatcircle.com
Subject: Re: ACL compiler [was: Network Automation: An Architects View]
Message-ID: <42BDFFF5.10307@bitpusher.com>
In-Reply-To: <1119747621.14548.2.camel@inyoureyes.linsolutions.com>
References: <5.1.0.14.0.20050521155048.025ab230@mail.eclipse.co.uk> <17039.36357.794569.744848@perdition.linnaean.org> <20050524115708.E40415@skink.reptiles.org> <66b6f3369bde6fa64632f383d2bc4500@gregor.com> <1119747621.14548.2.camel@inyoureyes.linsolutions.com>
X-Archive-Number: 200506/2
X-Sequence-Number: 129

Ted,

I believe you can create a redhat-style iptables file, after you've created your policy, by running iptables-save. Not the best solution, but a workable one.
Otherwise, FWbuilder is nice, but in my experience it's somewhat buggy. I've never been able to get it to work reliably enough to create a policy all the way through on any platform it supports.

Michael

Ted Kaczmarek wrote:
> On Tue, 2005-05-24 at 12:25 -0400, DJ Gregor wrote:
>
>> In terms of ACL compilers, has anyone looked at Firewall Builder? It
>> looks to have a general XML format that defines the policy (although at
>> a low-level, in terms of ports and devices), along with translators
>> from the XML format into implementation-specific configuration
>> statements.
>>
>> http://www.fwbuilder.org/
>>
>> I've also seen the same thing done in a commercial product where not
>> only the firewall configuration, but the entire device configuration
>> was specified in an XML language that was translated to operating
>> system-specific configurations (for multiple OSes, even). The XML
>> configurations were per-device, not per-network, however.
>>
>>
>> - djg
>>
>
> I would like it a lot more if it generated redhat style iptables
> file :-)
> It is a most popular tool used by lots of people I know.
>
> Ted
>

--
-------------------
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
(415) 724.7998 - Mobile

From network-automation-owner@greatcircle.com Sat Jun 25 18:44:58 2005
Date: Sat, 25 Jun 2005 18:44:51 -0700
From: Vadim Kurland
To: mhalligan@bitpusher.com
Cc: tedkaz@optonline.net, DJ Gregor, network-automation@greatcircle.com
Subject: Re: ACL compiler [was: Network Automation: An Architects View]
Message-Id: <39FF996B-41D7-493B-8818-76A1A4349009@vk.crocodile.org>
In-Reply-To: <42BDFFF5.10307@bitpusher.com>
References: <5.1.0.14.0.20050521155048.025ab230@mail.eclipse.co.uk> <17039.36357.794569.744848@perdition.linnaean.org> <20050524115708.E40415@skink.reptiles.org> <66b6f3369bde6fa64632f383d2bc4500@gregor.com> <1119747621.14548.2.camel@inyoureyes.linsolutions.com> <42BDFFF5.10307@bitpusher.com>
X-Archive-Number: 200506/3
X-Sequence-Number: 130

On Jun 25, 2005, at 6:08 PM, Michael T. Halligan wrote:
> Ted,
>
> I believe you can create a redhat-style iptables file, after you've
> created your policy by running iptables-save .. Not the best
> solution, but a workable one.
>
> Otherwise, FWbuilder is nice, but in my experience it's somewhat
> buggy.
> I've never been able to get it to work reliably enough
> to create a policy all the way through on any platform it supports.
>

I am the author of Firewall Builder. May I ask what bugs you've encountered? I would like to fix them, of course. You can contact me off the list.

As far as generating iptables config that can be used with iptables-restore directly, the thing is, Firewall Builder does some extra work preparing the system besides just generating iptables rules. For example, it can configure alias IP addresses on interfaces to make sure NAT rules work even if they use IP addresses that are not the primary ones on the interfaces. You do not have to use this feature, it is optional, but many users asked for it. It can also set or clear various kernel parameters, such as IP forwarding, various TCP parameters, etc.

The generated script can also read an address of an interface at the moment of policy activation and use it in the rules. This way we can generate correct anti-spoofing rules even for firewalls with dynamic addresses and do other neat things, such as use "wild card" interfaces in the policies. The same mechanism is used when you create one policy and then deploy it on multiple servers or firewalls that have similar configuration but different addresses.

--vk

> Michael
>
> Ted Kaczmarek wrote:
>
>> On Tue, 2005-05-24 at 12:25 -0400, DJ Gregor wrote:
>>
>>> In terms of ACL compilers, has anyone looked at Firewall
>>> Builder? It looks to have a general XML format that defines the
>>> policy (although at a low-level, in terms of ports and devices),
>>> along with translators from the XML format into
>>> implementation-specific configuration statements.
>>>
>>> http://www.fwbuilder.org/
>>>
>>> I've also seen the same thing done in a commercial product where
>>> not only the firewall configuration, but the entire device
>>> configuration was specified in an XML language that was
>>> translated to operating system-specific configurations (for
>>> multiple OSes, even). The XML configurations were per-device,
>>> not per-network, however.
>>>
>>>
>>> - djg
>>>
>>
>> I would like it a lot more if it generated redhat style iptables
>> file :-)
>> It is a most popular tool used by lots of people I know.
>>
>> Ted
>>
>
> --
> -------------------
> BitPusher, LLC
> http://www.bitpusher.com/
> 1.888.9PUSHER
> (415) 724.7998 - Mobile
>

From network-automation-owner@greatcircle.com Sun Jun 26 02:07:17 2005
Date: Sun, 26 Jun 2005 05:08:10 -0400
From: Ted Kaczmarek
Subject: Re: ACL compiler [was: Network Automation: An Architects View]
In-reply-to: <1119747621.14548.2.camel@inyoureyes.linsolutions.com>
To: DJ Gregor
Cc: network-automation@greatcircle.com
Reply-To: tedkaz@optonline.net
Message-id: <1119776890.11924.0.camel@inyoureyes.linsolutions.com>
References: <5.1.0.14.0.20050521155048.025ab230@mail.eclipse.co.uk> <17039.36357.794569.744848@perdition.linnaean.org> <20050524115708.E40415@skink.reptiles.org> <66b6f3369bde6fa64632f383d2bc4500@gregor.com>
  <1119747621.14548.2.camel@inyoureyes.linsolutions.com>
X-Archive-Number: 200506/4
X-Sequence-Number: 131

Looks like the list died :-(

Ted

On Sat, 2005-06-25 at 21:00 -0400, Ted Kaczmarek wrote:
> On Tue, 2005-05-24 at 12:25 -0400, DJ Gregor wrote:
> > In terms of ACL compilers, has anyone looked at Firewall Builder? It
> > looks to have a general XML format that defines the policy (although at
> > a low-level, in terms of ports and devices), along with translators
> > from the XML format into implementation-specific configuration
> > statements.
> >
> > http://www.fwbuilder.org/
> >
> > I've also seen the same thing done in a commercial product where not
> > only the firewall configuration, but the entire device configuration
> > was specified in an XML language that was translated to operating
> > system-specific configurations (for multiple OSes, even). The XML
> > configurations were per-device, not per-network, however.
> >
> >
> > - djg
> >
>
> I would like it a lot more if it generated redhat style iptables
> file :-)
> It is a most popular tool used by lots of people I know.
>
> Ted
>

From network-automation-owner@greatcircle.com Mon Jun 27 17:04:06 2005
Date: Tue, 28 Jun 2005 02:04:00 +0200
From: "Daniele Cerra"
To: network-automation@greatcircle.com
Subject: Re: ACL compiler
Message-ID:
X-Archive-Number: 200506/5
X-Sequence-Number: 132

Re: ACL compiler [was: Network Automation: An Architects View]

Hello to everybody!

I am a student from an Italian university in Rome (University of Roma 3). I'm working on a project called NetML, whose homepage you can find at: http://www.dia.uniroma3.it/~compunet/netml/

NetML has so far supported an abstract description of networks using XML, and features support for routing protocols such as RIP and BGP. At the moment the work is focused on constructing vendor-independent ACL specifications, and iptables will be among the supported ones. I will post on this mailing list when we release the next NetML version with these features, so that you may have a look.

Greetings
Daniele
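As an added illustration of two points raised in the thread above (Michael's suggestion of producing a Red Hat style file via iptables-save/iptables-restore, and Vadim's description of a script that reads the interface address at activation time and substitutes it into anti-spoofing rules), here is a small POSIX shell sketch. It is not Firewall Builder's own generated script and not code from anyone in the thread; the interface name, the addresses, the internal networks and the sample `ip -4 -o addr show` output are all constructed.

```shell
#!/bin/sh
# Constructed illustration of "read the interface address at activation time":
# the policy names only the outside interface; its (possibly dynamic) address
# is resolved when the script runs and substituted into anti-spoofing rules.
# Rules are emitted as text in iptables-save format rather than applied, so
# they can be reviewed first and then loaded with iptables-restore.

# First IPv4 address/prefix on interface $1, parsed from `ip -4 -o addr show`
# output. $2 optionally supplies captured output so this runs offline.
iface_addr() {
    out=${2:-$(ip -4 -o addr show dev "$1" 2>/dev/null)}
    printf '%s\n' "$out" |
        awk -v dev="$1" '$2 == dev && $3 == "inet" { print $4; exit }'
}

# Anti-spoofing rules for outside interface $1 whose address/prefix is $2.
# Remaining arguments are internal networks that must never appear as a
# source on the outside interface; the firewall's own address is rejected
# as a source there for the same reason.
antispoof_rules() {
    dev=$1; cidr=$2; shift 2
    addr=${cidr%/*}
    for src in "$addr" "$@"; do
        printf '%s\n' "-A INPUT -i $dev -s $src -j DROP" \
                      "-A FORWARD -i $dev -s $src -j DROP"
    done
}

# Wrap rules read from stdin in iptables-save layout (the format of a Red Hat
# /etc/sysconfig/iptables file) so iptables-restore can load them.
restore_file() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
                  ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    cat
    printf 'COMMIT\n'
}

# Build the complete file for interface $1 and internal networks $2...: the
# address is looked up at run time, so one script serves hosts with different
# or dynamic outside addresses. IP_ADDR_OUT, if set, replaces the live `ip`
# query (hypothetical hook used here for offline testing).
build_policy() {
    dev=$1; shift
    cidr=$(iface_addr "$dev" "${IP_ADDR_OUT:-}") || return 1
    [ -n "$cidr" ] || { echo "no IPv4 address on $dev" >&2; return 1; }
    antispoof_rules "$dev" "$cidr" "$@" | restore_file
}
```

Run as `build_policy eth0 10.0.0.0/8 192.168.0.0/16 > /tmp/rules` on the firewall, inspect the file, then load it with `iptables-restore < /tmp/rules`.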