<--planning ^--Firewall Steve--^ design, continued-->

Firewall Steve - a visual firewall tool - planning, continued

Stevesieve

Truly, I should start coding this in PHP right off the bat. All modern systems (and by this I mean Linux) have PHP installed as a command-line tool, so there's no reason I couldn't use that, with its able XML libraries, to process the output from iptables. However, I'm a sucker for XSLT, and tend to try and solve everything with that first.

The issue is whether or not XSLT is powerful enough to do all of the checks that the firewall does on a packet. It's easy enough to compare port numbers or IP addresses or protocols, but what about port ranges or IP subnets?

This is the first hurdle with writing the sieve in XSLT. While we do have specific rules for individual IPs (sometimes problem IPs that need to be filtered, sometimes specific IPs that are allowed traffic that is otherwise denied), the majority of our rules are based on subnet traffic, as we tend to separate our machines into different classes by subnet, which also defines what kind of traffic is allowed to and from that class.

The port range won't be so bad; XSLT allows for some good iteration. It's the subnets that pose a problem. It would be one (relatively simple) thing if the subnets were all standard, class C subnets -- with a netmask of 255.255.255.0 -- but they are not. Because of this, I need a way to do comparisons between a sample packet (which has a single address), and a subnet mask.

Another issue that has come up is that the XSLT processor I've been using has a few bugs in it; namely, the floor function and mod operator fail on certain values. Luckily, upgrading to a later version has fixed the floor problem, and there's a workaround for the mod problem. Since the end result will not use a generic XSLT processor, but most likely PHP, I'm hoping this function and operator are working correctly there!
<--planning ^--Firewall Steve--^ design, continued-->

©2002-2017 Wayne Pearson