Prandini, M. (2005). A multi-platform toolkit for the configuration of packet-filtering firewalls. Calgary: ACTA Press.
A Multi-Platform Toolkit for the Configuration of Packet-Filtering Firewalls
Prandini, Marco
2005
Abstract
Packet filtering is an important, yet only the first, step towards system and network security. Deploying a packet filter, however, is often complicated by the commonly available configuration languages, which are designed to give fine-grained control rather than expressiveness. The resulting rule sets are verbose and their correctness is hard to verify. Portability is also an issue: a successful effort in configuring a particular packet filter can be frustrated by the need to change or simply upgrade the underlying system. This paper illustrates a configuration tool aimed at the broadest audience, that is, both expert and non-expert users, designed to overcome the aforementioned problems. The core feature of the proposed architecture is a platform-independent rule definition language (Firewall Architecture Independent Rules, or FAIR). FAIR rules are easily verifiable and modifiable by an expert operator, who can benefit from their high-level syntax to manually program filtering behaviours without having to deal with OS-specific tools. Two software modules complete the system: a wizard-like interface that makes producing FAIR rule sets easier, and a translator that converts FAIR rule sets into the actual firewall programming commands. Experimental results supporting the validity of the outlined approach are given with reference to the Linux operating system.