Linux-based hosts are suitable for a broad range of network-related applications, as clients, servers and as a convenient replacement for traditional routers. Their cost and flexibility are appealing both to the experienced network administrator and to the novice with no deep knowledge of the matter. The correct configuration of the packet filtering functions natively available within the Linux OS certainly represents an important, yet only the first, step towards system and network security. This paper illustrates the architecture of a configuration tool, aimed at the broadest audience, suitable for Linux-based routers/firewalls. Its modular design encompasses a wizard-like interface, which is invoked for easy definition of the basic behaviors, an architecture-independent rule definition language (Firewall Architecture Independent Rules, or FAIR), and a parser, which translates the FAIR files into actual firewall programming commands. The wizard is designed so that the guided configuration of behaviors not foreseen from the beginning can be enabled by adding modules. The FAIR rules are easily readable and modifiable by an expert operator, who can benefit from their high-level syntax for programming custom behaviors that do not fit any general scheme, without having to deal with specific OS-dependent tools. The resulting architecture, while designed on and for Linux, can be easily extended to configure other packet-filtering systems by simply adding specific parsers/translators.
M. Prandini (2004). A flexible approach to configuration of linux-based firewalls. CALGARY : ACTA Press.
A flexible approach to configuration of linux-based firewalls
PRANDINI, MARCO
2004