Comments on ACL format for my new firewall

MonMotha monmotha at indy.rr.com
Sat Nov 24 16:43:22 PST 2001


I'm starting to speculate on specifics for 2.5.x tree.  I'm going to
implement multiple "trust groups", each of which can have varying
permissions, as a way to facilitate multiple DMZs that people have been
asking for.  To help with this (and to make things less confusing) I
have decided on a new ACL format.  It is (for outbound):

ports@proto>dest^iface;state*action

Ports uses the multiport match, so comma separated values or ranges
using : as a delimiter are acceptable.

Proto is the protocol: tcp, udp, icmp, gre, etc

Dest is the destination IP address.

Iface is the interface that the destination IP address should live on.
I may provide a special keyword to allow any interface

State is the state of the connection.  This may be omitted (as I believe
the connection tracking has no idea what to do with some protocols).

Action is what to do with the packet: ACCEPT, DROP, REJECT, etc

---------------------------------------------------------------------------


An example rule might be:
22,80@tcp>0/0^eth1;NEW,ESTABLISHED*ACCEPT

This ACL listing would allow any host in the trust group this rule is
assigned to (probably the internet on eth1 in this case) to connect to
the SSH server or the HTTP server on either the firewall itself or any
host behind the firewall.  (People with dynamic IPs are at a major
disadvantage here unless they rerun the script every time it changes,
but there's little we can do about that).


Another sample rule:
6112@udp>192.168.0.2^eth0*ACCEPT

This rule would allow anyone in the trust group it is assigned to (once
again probably the internet) to send UDP datagrams to 192.168.0.2 on
port 6112 (starcraft).  NAT (port forwarding) would be set up separately
if it is needed to prevent "accidents."


An example of two DMZs that talk to each other, 172.16.1.0/24 is in the
trust group this rule is being assigned to:
25@tcp>172.16.2.5^eth3*ACCEPT

Basically this is a rule to allow one DMZ to send mail using a relay on
another one (that's on interface eth3 in this case).



More exotic protocols can also be used:
gre>65.168.239.125^eth1*ACCEPT


This would allow the trust group (probably the internet given the IP) to
send GRE stuff at 65.168.239.125 (presumably on the internet on eth1 or
on another DMZ on eth1).
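To make the proposed grammar concrete, here is a small parser for it (an added example of mine, not code from the post or from MonMotha's firewall script). It treats the "ports@" and ";state" parts as optional, as described above, restricts states to the standard conntrack names, and rejects ports on protocols that the multiport match cannot handle; the translation to an iptables command line is my assumption about how a rule could be applied to a per-trust-group chain, and the chain name is a placeholder.

```python
import re
from dataclasses import dataclass

ACTIONS = {"ACCEPT", "DROP", "REJECT"}                 # targets named in the post
STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}  # conntrack state names
PORT_RE = re.compile(r"^\d{1,5}(?::\d{1,5})?$")        # single port or lo:hi range
RULE_RE = re.compile(
    r"(?:([\d,:]+)@)?(\w+)>([^\^]+)\^([^;*]+)(?:;([A-Z,]+))?\*(\w+)")

@dataclass
class Rule:
    ports: list    # empty for port-less protocols such as gre or icmp
    proto: str
    dest: str
    iface: str
    states: list   # empty when the ;state part is omitted
    action: str

def parse_rule(text: str) -> Rule:
    """Parse 'ports@proto>dest^iface;state*action'; ports@ and ;state are optional."""
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"malformed ACL rule: {text!r}")
    ports_s, proto, dest, iface, states_s, action = m.groups()
    ports = ports_s.split(",") if ports_s else []
    for p in ports:  # multiport syntax: comma list, ':' for ranges, 0-65535
        if not PORT_RE.match(p) or any(int(x) > 65535 for x in p.split(":")):
            raise ValueError(f"bad port spec {p!r} in {text!r}")
    if ports and proto not in ("tcp", "udp"):
        raise ValueError(f"ports only apply to tcp/udp, not {proto}")
    states = states_s.split(",") if states_s else []
    if set(states) - STATES:
        raise ValueError(f"unknown state in {states_s!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return Rule(ports, proto, dest, iface, states, action)

def to_iptables(rule: Rule, chain: str = "TRUSTGROUP_CHAIN") -> list:
    """Assumed mapping to an iptables command; 'chain' is a placeholder name."""
    argv = ["iptables", "-A", chain, "-p", rule.proto, "-d", rule.dest, "-o", rule.iface]
    if rule.ports:
        argv += ["-m", "multiport", "--dports", ",".join(rule.ports)]
    if rule.states:
        argv += ["-m", "state", "--state", ",".join(rule.states)]
    return argv + ["-j", rule.action]
```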

---------------------------------------------------------------------------

Any comments on this ACL syntax?  Too complicated?  Impossible to
implement?  Not flexible enough?  What do you think?

I would appreciate any suggestions you have on this one.  You may reply
to me privately if you prefer.  I'd like to get as much input as
possible so I don't have to change it once it is implemented.

--MonMotha
