[Firehol-support] FireHOL groups
Costa Tsaousis
costa at tsaousis.gr
Tue May 4 23:03:22 BST 2004
Hi all,
Although this is a development feature I want it tested, and normally I
should only submit it to the development list, the latter is pretty empty.
So, if there are any volunteers among you, I would like to test the
following.
In v1.192 (in CVS) I have added the ability to group services together in
FireHOL, in order to optimize the generated firewall.
To use them, do (in interfaces and routers):
    group with [optional rule parameters]
        server x accept
        client y drop
        ...
    group end
The system supports any number of nested groups. For example:
    group with src 10.0.0.0/8
        server smtp accept
        client http accept
        group with src 10.0.0.0/24
            server ssh accept
            client ssh accept
        group end
    group end
Of course, the generated firewall is highly optimized because all the
optional rule parameters are now matched only once at the group level,
instead of matching them once per defined service.
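As an added illustration (not part of Costa's post and not a file from the FireHOL project), here is a complete firehol.conf that uses the new groups inside both an interface and a router, so the shared "src" parameter is emitted once per group rather than once per service. The interface names, the addresses and the "version 5" line are assumptions for the example.

```conf
# firehol.conf -- added example, not from the post or the FireHOL project.
# Assumes FireHOL 1.192 (CVS) with group support, eth0 facing the Internet
# and eth1 facing a LAN on 192.168.1.0/24. Names and addresses are placeholders.
version 5

interface eth0 internet
        policy drop
        protection strong

        # Services exposed to everyone: no shared parameters, so no group.
        server "http https" accept
        client all accept

        # Everything below is matched against src 10.0.0.0/8 once, at the
        # group level, instead of once per service rule.
        group with src 10.0.0.0/8
                server smtp accept
                server dns accept

                # Nested group: narrows the already matched /8 to one /24
                # before the per-service rules for ssh are generated.
                group with src 10.0.0.0/24
                        server ssh accept
                        client ssh accept
                group end
        group end

interface eth1 lan src 192.168.1.0/24
        policy reject
        server "ssh dns ntp" accept
        client all accept

router lan2internet inface eth1 outface eth0
        # Groups work in routers too: the src match is generated once and
        # shared by both route statements.
        group with src 192.168.1.0/24
                route "http https" accept
                route dns accept
        group end
```

Reviewing the generated rules with "firehol debug" (or iptables-save after "firehol start") is the quickest way to confirm that the 10.0.0.0/8 match appears once at the group level and not on every service rule.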
I have not yet optimized the rest of FireHOL to use groups. If we don't
find bugs for a few days, I'll optimize all the complex services including
the expression:
server "x y z" accept [optional rule parameters]
to use groups internally for optimal code generation (now it matches all
the optional rule parameters once for each service given).
Thanks in advance,
Costa
PS: The CVS version appears in http://firehol.sf.net/firehol.tar.gz once
per day. Please check that you got the right version before sending
problems.