[Firehol-devs] FireHOL groups
costa at tsaousis.gr
Tue May 4 23:03:22 BST 2004
Although this is a development feature I want it tested, and normally I
should only submit it to the development list, the latter is pretty empty.
So, if there are any volunteers among you, I would like to test the
In v1.192 (in CVS) I have added the ability to group services together in
FireHOL, in order to optimize the generated firewall.
To use them, do (in interfaces and routers):
group with [optional rule parameters]
    server x accept
    client y drop
The system supports any number of nested groups. For example:
group with src 10.0.0.0/8
    server smtp accept
    client http accept
    group with src 10.0.0.0/24
        server ssh accept
        client ssh accept
Of course, the generated firewall is highly optimized because all the
optional rule parameters are now matched only once at the group level,
instead of matching them once per defined service.
I have not yet optimized the rest of FireHOL to use groups. If we don't
find bugs for a few days, I'll optimize all the complex services including
server "x y z" accept [optional rule parameters]
to use groups internally for optimal code generation (now it matches all
the optional rule parameters once for each service given).
Thanks in advance,
PS: The CVS version appears in http://firehol.sf.net/firehol.tar.gz once
per day. Please check that you got the right version before sending
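To make the optimization in the post concrete, here is an added toy model (not FireHOL's own code, and not how it builds its iptables commands) of the two generation strategies it contrasts: one rule per service that repeats every enclosing group's parameters, versus a jump into a per-group chain so the shared parameters are matched once. The group tree mirrors the nested example above; the port numbers, packet fields, chain names and the "policy-drop" default are constructed for illustration, and the client/server distinction is reduced to a single sport/dport term each.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    terms: list    # match terms, e.g. ["src 10.0.0.0/8", "dport 25"]
    target: str    # "accept", "drop" or "jump:<chain>"


@dataclass
class Group:
    params: list                                   # the group's "with ..." parameters
    services: list = field(default_factory=list)   # (terms, action) pairs
    groups: list = field(default_factory=list)     # nested groups


def term_matches(term, packet):
    """Evaluate one match term against a packet (constructed field names)."""
    key, value = term.split(" ", 1)
    if key == "src":
        return ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(value)
    if key == "dport":
        return packet["dport"] == int(value)
    if key == "sport":
        return packet["sport"] == int(value)
    raise ValueError(f"unknown match term: {term}")


def flat_rules(group, inherited=()):
    """Pre-group style: each service rule repeats all enclosing parameters."""
    params = list(inherited) + group.params
    rules = [Rule(params + terms, action) for terms, action in group.services]
    for g in group.groups:
        rules.extend(flat_rules(g, params)["in"])
    return {"in": rules}


def grouped_rules(group, chains=None, chain="in", counter=None):
    """Group style: the parameters are matched once, in a jump to a per-group chain."""
    if chains is None:
        chains, counter = {"in": []}, [0]
    counter[0] += 1
    name = f"group{counter[0]}"        # constructed chain name
    chains[chain].append(Rule(list(group.params), f"jump:{name}"))
    chains[name] = [Rule(list(terms), action) for terms, action in group.services]
    for g in group.groups:
        grouped_rules(g, chains, name, counter)
    return chains


def evaluate(chains, packet, chain="in"):
    """Walk the chains like a packet filter; return (verdict, match terms evaluated)."""
    checks = 0
    for rule in chains[chain]:
        matched = True
        for term in rule.terms:
            checks += 1
            if not term_matches(term, packet):
                matched = False
                break               # first failing term ends this rule
        if not matched:
            continue
        if rule.target.startswith("jump:"):
            verdict, sub = evaluate(chains, packet, rule.target[len("jump:"):])
            checks += sub
            if verdict != "return":
                return verdict, checks
        else:
            return rule.target, checks
    # A sub-chain falls through to its caller; the base chain hits the policy.
    return ("return" if chain != "in" else "policy-drop"), checks


# Constructed sample mirroring the nested group in the post.
EXAMPLE = Group(
    params=["src 10.0.0.0/8"],
    services=[(["dport 25"], "accept"), (["dport 80"], "accept")],
    groups=[Group(params=["src 10.0.0.0/24"],
                  services=[(["dport 22"], "accept"), (["sport 22"], "accept")])],
)


def compare(packet):
    """Return (verdict, checks without groups, checks with groups); verdicts must agree."""
    flat_verdict, flat_checks = evaluate(flat_rules(EXAMPLE), packet)
    grouped_verdict, grouped_checks = evaluate(grouped_rules(EXAMPLE), packet)
    assert flat_verdict == grouped_verdict, "grouping must not change the verdict"
    return flat_verdict, flat_checks, grouped_checks


if __name__ == "__main__":
    for pkt in ({"src": "192.0.2.5", "dport": 25, "sport": 40000},
                {"src": "10.0.0.7", "dport": 22, "sport": 40000},
                {"src": "10.1.2.3", "dport": 22, "sport": 40000}):
        print(pkt, compare(pkt))
```

The interesting case is traffic that does not match the group parameters at all: without groups every service rule re-evaluates the `src` term before failing, so the cost grows with the number of services; with groups that term is checked once and the whole block is skipped.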