Feature #2705

Updated by Giacomo Sanchietti almost 6 years ago

The firewall should implement a simple way to describe reusable objects.

The firewall module uses these system objects:
* Host
* Group of hosts
* Zone
* Service

A host is an already defined entry inside the @hosts@ db, or a new key of type @host@:
<pre>
name=host
IpAddress=IP
MacAddress=MAC
Description=
</pre>

A @host-group@ is a group of hosts inside the @hosts@ db. A @host-group@ db entry can be something like:
<pre>
name=group
Members=host1,host2
</pre>

A zone represents a network zone which can be associated with an interface or a set of IP addresses. A @zone@ entry in the @networks@ database can be something like:
<pre>
name=zone
Interface=eth0
</pre>
or
<pre>
name=zone
Network=CIDR/IP Range
</pre>

The Network property can be:
* a network in CIDR format
* an IP address range of the form low.address-high.address.

A service can have a protocol and one or more ports. A @service@ entry in @configuration@ database can be something like:
<pre>
name=fservice
Protocol=TCP/UDP/TCPUDP/ESP/GRE/ICMP
Ports=port/port range
</pre>
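As an added example (not part of the issue or of the NethServer code), the validator below loads the four object kinds described above and rejects definitions that would otherwise produce a rule matching nothing or matching too much: a group member that is not a host, a Network range with low > high or a CIDR with host bits set, an unknown Protocol, a port outside 1-65535. It assumes the records sit in the e-smith on-disk layout @key=type|Prop|Value|...@ and that a port range is written @low:high@ (Shorewall style); both are assumptions, since the issue only shows the expanded form. All sample records are constructed for the example.

```python
import ipaddress
import re

# Constructed sample databases, assumed e-smith layout: key=type|Prop|Value|Prop|Value ...
HOSTS_DB = """\
web1=host|IpAddress|192.168.1.10|MacAddress|00:11:22:33:44:55|Description|Web server
servers=host-group|Members|web1
broken=host-group|Members|web1,ghost
"""
NETWORKS_DB = """\
green=zone|Interface|eth0
guests=zone|Network|10.10.0.0/24
dmz=zone|Network|192.168.2.10-192.168.2.50
badzone=zone|Network|192.168.2.50-192.168.2.10
"""
CONFIG_DB = """\
http=fservice|Protocol|TCP|Ports|80,443
dns=fservice|Protocol|TCPUDP|Ports|53
vpn=fservice|Protocol|ESP
bogus=fservice|Protocol|SCTP|Ports|80
weird=fservice|Protocol|UDP|Ports|70000
"""

PROTOCOLS = {"TCP", "UDP", "TCPUDP", "ESP", "GRE", "ICMP"}
PORT_PROTOCOLS = {"TCP", "UDP", "TCPUDP"}  # the only protocols where Ports applies


def parse_db(text):
    """Parse 'key=type|prop|value|...' records into {key: (type, {prop: value})}."""
    db = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, rest = line.partition("=")
        rtype, *props = rest.split("|")
        if len(props) % 2:
            raise ValueError(f"{key}: property without a value")
        db[key] = (rtype, dict(zip(props[0::2], props[1::2])))
    return db


def parse_network(value):
    """Accept a CIDR or a low-high range; reject inverted ranges and host bits in a CIDR."""
    if "-" in value:
        low, high = (ipaddress.ip_address(s) for s in value.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"invalid range {value}")
        return (low, high)
    return ipaddress.ip_network(value, strict=True)  # strict: 10.0.0.1/24 is a typo, not a zone


def parse_ports(value):
    """Accept 'port' or 'low:high' (assumed syntax), comma separated; return [(low, high)]."""
    ranges = []
    for item in value.split(","):
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item.strip())
        if not m:
            raise ValueError(f"invalid port spec {item.strip()!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range: {item.strip()}")
        ranges.append((low, high))
    return ranges


def validate(hosts_text, networks_text, config_text):
    """Return a list of 'key: problem' strings; an empty list means every object is sound."""
    hosts, networks, config = (parse_db(t) for t in (hosts_text, networks_text, config_text))
    errors = []
    for key, (rtype, p) in hosts.items():
        if rtype == "host":
            try:
                ipaddress.ip_address(p.get("IpAddress", ""))
            except ValueError:
                errors.append(f"{key}: IpAddress missing or invalid")
        elif rtype == "host-group":
            # a member that is not a host record would make a rule silently match nothing
            for member in filter(None, p.get("Members", "").split(",")):
                if hosts.get(member, ("", {}))[0] != "host":
                    errors.append(f"{key}: member {member!r} is not a host in the hosts db")
    for key, (rtype, p) in networks.items():
        if rtype != "zone":
            continue
        if ("Interface" in p) == ("Network" in p):
            errors.append(f"{key}: zone needs exactly one of Interface or Network")
        elif "Network" in p:
            try:
                parse_network(p["Network"])
            except ValueError as e:
                errors.append(f"{key}: {e}")
    for key, (rtype, p) in config.items():
        if rtype != "fservice":
            continue
        proto = p.get("Protocol", "")
        if proto not in PROTOCOLS:
            errors.append(f"{key}: unknown protocol {proto!r}")
        elif proto in PORT_PROTOCOLS:
            try:
                parse_ports(p.get("Ports", ""))
            except ValueError as e:
                errors.append(f"{key}: {e}")
    return errors
```

Calling @validate(HOSTS_DB, NETWORKS_DB, CONFIG_DB)@ on the sample data reports exactly the four deliberately broken records (@broken@, @badzone@, @bogus@, @weird@) and accepts the rest, including the @vpn@ service that carries a protocol without ports.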
