Sophie
fwbuilder-0.9.5-1mdk.i586.rpm


Release Notes for policy compiler for iptables firewalls, v0.9.2



fwb_iptables generates a shell script that needs to be executed on the
target firewall. The script file name is that of the firewall object plus
a ".fw" extension.

The compiler honors all rule elements and all the options available in the
GUI: source, destination, service, target, direction, action, logging.

The compiler creates a separate chain for each rule in order to generate one
rule for logging and another one to implement the requested action (Drop,
Reject, Accept). This separate chain can be used for accounting in the
future.


Negation in Source, Destination or Service is implemented by means of
yet another auxiliary chain, which includes rules with the objects
specified in the GUI and action set to "RETURN". The very last rule in
this auxiliary chain has source and destination set to "0/0" and
actually implements the action specified in the GUI. This algorithm correctly
processes negation in rules where multiple objects are specified as
source, destination or service.

Custom logging prefix: each rule defined in the GUI can now have a custom
logging prefix. The compiler recognizes the following pseudo-format sequences:

 '%N' will be replaced with rule number
 '%A' will be replaced with rule action

A custom logging prefix can be specified in the GUI via the rule options dialog.

Processing of object "Any":

Object "Any" should include the firewall itself. In iptables,
packets originating on the firewall are processed by the OUTPUT chain,
and packets headed for the firewall are processed by the INPUT chain.
To take this into account, the compiler generates rules for these two
chains in addition to the FORWARD chain if one or more objects in the rule
are "Any". This behaviour can be changed by an option in the Firewall
object's platform-specific options tab. The option is called "Assume
firewall object is part of 'Any' or network objects". If this option
is deactivated, no code is generated in the INPUT and OUTPUT chains,
and special dedicated rules are needed to provide access to and from
the firewall itself.

Rules with service set to "Any" generate iptables code that does not
specify a protocol at all. We rely on the iptables implementation for
statefulness here.
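As an added illustration (not fwb_iptables's own code or output), the shell function below emits the iptables commands implied by the chain layout described in these notes for a single rule: the per-rule chain holding one LOG rule and one action rule, the RETURN-based negation chain ending in a 0/0 catch-all, %N/%A expansion in the logging prefix, the extra INPUT/OUTPUT jumps when the destination is "Any", and no protocol match at all when the service is "Any". The chain names RULE_n/NEG_n, the argument layout and the sample rule are assumptions made for this example.

```shell
# Constructed example, not fwb_iptables output. Chain names RULE_<n> and
# NEG_<n> are placeholders chosen here; the real compiler's names may differ.

expand_prefix() {
    # Substitute the two pseudo-format sequences: %N -> rule number, %A -> action
    printf '%s' "$1" | sed -e "s/%N/$2/g" -e "s/%A/$3/g"
}

# compile_rule NUM ACTION PREFIX_TEMPLATE SERVICE "NEGATED_SRC ..."
# SERVICE is "proto/port" or "any"; "any" emits no -p/--dport match at all.
# Destination is assumed to be "Any" with the firewall counted as part of it.
compile_rule() {
    num=$1; action=$2; tmpl=$3; svc=$4; negsrc=$5
    prefix=$(expand_prefix "$tmpl" "$num" "$action")
    rule="RULE_$num"; neg="NEG_$num"
    case $svc in
        any) match="" ;;
        *)   match=" -p ${svc%/*} --dport ${svc#*/}" ;;
    esac
    # Per-rule chain: one LOG rule, then the requested action.
    echo "iptables -N $rule"
    echo "iptables -A $rule -j LOG --log-prefix \"$prefix\""
    echo "iptables -A $rule -j $action"
    # Auxiliary negation chain: RETURN for every negated source object,
    # then the 0/0 -> 0/0 catch-all that jumps to the real action chain.
    echo "iptables -N $neg"
    for s in $negsrc; do
        echo "iptables -A $neg -s $s -j RETURN"
    done
    echo "iptables -A $neg -s 0/0 -d 0/0 -j $rule"
    # Destination "Any" includes the firewall itself, so the jump is
    # installed in INPUT and OUTPUT as well as FORWARD.
    for chain in FORWARD INPUT OUTPUT; do
        echo "iptables -A $chain$match -j $neg"
    done
}

# Sample rule: number 3, DROP, log prefix "RULE %N %A: ", tcp/22,
# source negated for two private networks (all values constructed).
compile_rule 3 DROP "RULE %N %A: " tcp/22 "10.0.0.0/8 192.168.0.0/16"
```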