[Firehol-devs] FireHOL groups

Costa Tsaousis costa at tsaousis.gr
Tue May 4 23:03:22 BST 2004


Hi all,

Although this is a development feature that I want tested, and normally I
should only submit it to the development list, the latter is pretty empty.
So, if there are any volunteers among you, I would like you to test the
following.


In v1.192 (in CVS) I have added the ability to group services together in
FireHOL, in order to optimize the generated firewall.

To use them, do (in interfaces and routers):

group with [optional rule parameters]
   server x accept
   client y drop
   ...
group end

The system supports any number of nested groups. For example:

group with src 10.0.0.0/8
   server smtp accept
   client http accept

   group with src 10.0.0.0/24
      server ssh accept
      client ssh accept
   group end
group end

Of course, the generated firewall is highly optimized because all the
optional rule parameters are now matched only once at the group level,
instead of matching them once per defined service.

I have not yet optimized the rest of FireHOL to use groups. If we don't
find bugs for a few days, I'll optimize all the complex services including
the expression:

server "x y z" accept [optional rule parameters]

to use groups internally for optimal code generation (now it matches all
the optional rule parameters once for each service given).

Thanks in advance,

Costa

PS: The CVS version appears in http://firehol.sf.net/firehol.tar.gz once
per day. Please check that you got the right version before sending
problems.
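To make the optimization concrete for readers who have not looked at the generated firewall, here is an added illustration (not part of Costa's post and not FireHOL's real output) of the rule structure the post describes: in the flat form every service rule repeats the group's source match, while in the grouped form the match is tested once on a jump into a user-defined chain, and a nested group becomes a second jump inside that chain. Only the inbound (server) side of the example config above is modelled, chain names such as grp_net10 are made up here, and the iptables commands are printed rather than executed.

```shell
#!/bin/sh
# Added illustration of "match the group parameters once", not FireHOL code.
# Models only the server (inbound) rules of the nested example:
#   group with src 10.0.0.0/8   -> smtp (25), http (80)
#     group with src 10.0.0.0/24 -> ssh (22)
# Commands are echoed, never run.

# Flat form: the source match is repeated on every service rule.
flat_rules() {
    for port in 25 80; do
        echo "iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport $port -j ACCEPT"
    done
    # the nested group's service has to match the narrower source itself
    echo "iptables -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT"
}

# emit_group PARENT CHAIN MATCH PORT...: create CHAIN, hook it into PARENT
# behind MATCH (evaluated once), then add one plain rule per port inside it.
emit_group() {
    parent=$1
    chain=$2
    match=$3
    shift 3
    echo "iptables -N $chain"
    echo "iptables -A $parent $match -j $chain"
    for port in "$@"; do
        echo "iptables -A $chain -p tcp --dport $port -j ACCEPT"
    done
}

# Grouped form: outer group hangs off INPUT, nested group hangs off the
# outer group's chain (chain names are invented for this example).
grouped_rules() {
    emit_group INPUT grp_net10 "-s 10.0.0.0/8" 25 80
    emit_group grp_net10 grp_net10_24 "-s 10.0.0.0/24" 22
}

# count_match GENERATOR PATTERN: how many emitted lines carry PATTERN.
count_match() {
    "$1" | grep -c -- "$2"
}

# Same number of ACCEPT rules either way; the /8 match is evaluated
# twice in the flat form but only once in the grouped form.
echo "flat    /8 matches: $(count_match flat_rules '-s 10.0.0.0/8')"
echo "grouped /8 matches: $(count_match grouped_rules '-s 10.0.0.0/8')"
```

Run it with `sh` and compare the two listings: the accept rules are identical in number, the difference is how many times a packet from outside 10.0.0.0/8 has to be checked against that source before it falls through.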
