What you said made sense regarding DTDs and XSL stylesheets. XML (from what I know of it) is a great standard.

> > I can submit a working ruleset that isn't optimal (accepting
> > RELATED,ESTABLISHED connections as the last rule, for example) or
> > that checks src/dst IPs but not which interface...
>
> I am not here to judge yourself or the logical purpose of your rules.
> I simply want to contribute to the community. None of my projects are
> for profit. However, I do think that it could be a good starting point
> for new users to the netfilter framework to be able to construct valid
> rules and/or rulesets.

My point there wasn't to say "I'm going to try and mess up your project", it was an example of what I was asking about earlier - evaluation of a ruleset that goes beyond correct syntax. I'll be rebuilding my company's iptables firewall soon (the previous sys-admin didn't quite grasp stateful inspection or using least privilege) and so perhaps I'll submit a copy with external IPs obfuscated.

I think there's a lot of work that can be done to ease the learning curve for Netfilter. It took me a year to fully understand the basics - where I knew what would happen to a particular packet as it traversed the chains. A project like yours combined with a simulation environment would have saved me a lot of dropped SSH sessions. =) I've got no problem helping out.

> > Admittedly I don't know that much about XML and DTDs. I don't know
> > how powerful DTDs can be, but it seems to me like you'd need a
> > high-level programming language in order to test for more than
> > syntactical correctness.
>
> That is a totally different beast. This is where the XSL stylesheets
> come into play.
>
> > A simulation environment for Netfilter rules is something I'd really
> > like to see.
>
> Agreed. Construction of pseudo datagrams and testing for resultant
> outcomes would be a very interesting project.
>
> Cheers,
> Thomas Derick Anderson
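The idea in the quoted exchange of constructing pseudo datagrams and testing the resultant outcome can be sketched in a few lines. What follows is an added example written for this page, not code from the thread or from Thomas's project; the chain, the addresses (documentation ranges), the interface names and the packets are all constructed, and conntrack is reduced to a state label on the packet. It walks a packet through an ordered first-match chain and reports both the verdict and how many rules were evaluated, which makes the two points raised above concrete: placing the RELATED,ESTABLISHED rule last gives the same verdict as placing it first but costs more rule evaluations for every reply packet, and a rule that checks src/dst but not the input interface also matches the same addresses when they arrive on a different interface.

```python
"""Toy first-match simulator for an iptables-style INPUT chain.

Added example for this page, not code from the thread or from any real
project. Rules, addresses, interface names and packets are constructed.
Conntrack is simplified to a "state" label carried by the packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int
    state: str  # "NEW", "ESTABLISHED" or "RELATED" (simplified conntrack)


@dataclass(frozen=True)
class Rule:
    target: str                        # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None     # None means "any interface"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: frozenset = frozenset()    # empty means "no state match"

    def matches(self, pkt: Packet) -> bool:
        # Every specified criterion must hold; unspecified ones are wildcards.
        return (
            (self.in_iface is None or self.in_iface == pkt.in_iface)
            and (self.src is None or self.src == pkt.src)
            and (self.dst is None or self.dst == pkt.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (not self.states or pkt.state in self.states)
        )


def walk_chain(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """First-match semantics: return (verdict, number of rules evaluated).

    If no rule matches, the chain policy decides and every rule was evaluated.
    """
    for n, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, n
    return policy, len(chain)


# Constructed rules for a host with a public interface eth0 and a LAN interface eth1.
ALLOW_SSH = Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=22, states=frozenset({"NEW"}))
ALLOW_HTTP = Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=80, states=frozenset({"NEW"}))
ALLOW_REPLIES = Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))

# Same rules, two orderings. Verdicts are identical for every packet; the
# cost of reaching the verdict is not.
CHAIN_REPLIES_LAST = [ALLOW_SSH, ALLOW_HTTP, ALLOW_REPLIES]
CHAIN_REPLIES_FIRST = [ALLOW_REPLIES, ALLOW_SSH, ALLOW_HTTP]

# Constructed reply to an outbound connection: established, ephemeral destination port.
REPLY_PKT = Packet("eth0", "203.0.113.10", "192.0.2.1", "tcp", 51234, "ESTABLISHED")


def ordering_cost(pkt: Packet = REPLY_PKT) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Verdict and evaluation count under both orderings for the same packet."""
    return walk_chain(CHAIN_REPLIES_LAST, pkt), walk_chain(CHAIN_REPLIES_FIRST, pkt)


# A rule keyed on src/dst only, and the same rule pinned to the expected interface.
LOOSE_SSH = Rule("ACCEPT", src="203.0.113.10", dst="192.0.2.1", proto="tcp", dport=22)
STRICT_SSH = Rule("ACCEPT", in_iface="eth0", src="203.0.113.10", dst="192.0.2.1",
                  proto="tcp", dport=22)


def interface_matters() -> Tuple[str, str, str]:
    """Show that omitting the interface lets the same addresses match on any interface."""
    # Constructed: the public source address shows up on the LAN-side interface.
    on_lan = Packet("eth1", "203.0.113.10", "192.0.2.1", "tcp", 22, "NEW")
    on_wan = Packet("eth0", "203.0.113.10", "192.0.2.1", "tcp", 22, "NEW")
    loose_lan, _ = walk_chain([LOOSE_SSH], on_lan)
    strict_lan, _ = walk_chain([STRICT_SSH], on_lan)
    strict_wan, _ = walk_chain([STRICT_SSH], on_wan)
    return loose_lan, strict_lan, strict_wan


if __name__ == "__main__":
    print("reply packet, RELATED,ESTABLISHED last vs first:", ordering_cost())
    print("src/dst-only rule vs interface-pinned rule:", interface_matters())
```

Running the block prints the reply packet accepted after three evaluations under the "last" ordering and after one under the "first" ordering, and shows the src/dst-only rule accepting the LAN-side packet that the interface-pinned rule drops. A real chain walker would also need to model jumps to user chains, RETURN, and the separate filter chains a forwarded packet crosses, but the first-match loop is the core the thread is talking about.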