A tool for creating a firewall using high level language

Registered by Rick Clark

Create a high-level language for iptables firewall configuration. The language would be based on OpenBSD's PF syntax, along with any improvements that make it easier for users. Initially, the language will consist of only a subset of PF functionality, but it could eventually include queuing and traffic optimization.

In addition to the higher-level language, ubuntu-firewall should provide packaging integration to make it easier for network daemon packages to integrate with the firewall.

This is not intended to be a desktop-integration tool for Ubuntu; however, it should make building such tools easier.

Blueprint information

Status: Complete
Approver: Rick Clark
Priority: Low
Drafter: Jamie Strandboge
Direction: Approved
Assignee: Jamie Strandboge
Definition: Approved
Series goal: Accepted for hardy
Implementation: Implemented
Milestone target: None
Started by: Rick Clark
Completed by: Rick Clark

Whiteboard

- In an off-list email, mdz had this to say: "I also believe that the package interface should be declarative, not procedural: it should specify 'this package provides a service on port 80, described so, with these attributes, etc.', and then the actions to be taken would be driven by a central policy engine. The default might be to block all services, for example. The package should not specify firewall rules. This would also provide the necessary data for a configuration tool to allow the user to configure access rules (ranging from simple on/off to more complex iptables logic)."
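As an added illustration of the declarative package interface described in the whiteboard note (this is not code from the ubuntu-firewall project), the sketch below assumes an INI-style service profile format and a hypothetical central policy engine that turns those declarations into iptables rules under a default-deny policy, opening only the services an administrator has enabled.

```python
"""Added illustration: a minimal declarative policy engine (not ubuntu-firewall's code)."""
import configparser
from dataclasses import dataclass

# Constructed sample: what a package would ship instead of firewall rules.
# The INI layout is an assumption made for this example.
SAMPLE_PROFILES = """\
[Apache]
title=Web Server
description=Apache v2 web server
ports=80/tcp,443/tcp

[OpenSSH]
title=Secure shell server
description=OpenSSH server
ports=22/tcp
"""


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str


def parse_profiles(text):
    """Parse declarative service profiles into Service objects, rejecting bad specs."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    services = []
    for name in cp.sections():
        for spec in cp[name]["ports"].split(","):
            port, proto = spec.strip().split("/")
            if proto not in ("tcp", "udp") or not 0 < int(port) <= 65535:
                raise ValueError(f"{name}: invalid port spec {spec!r}")
            services.append(Service(name, int(port), proto))
    return services


def render_rules(services, allowed, default="DROP"):
    """Central policy: default-deny INPUT, accept only admin-enabled services."""
    rules = [f"-P INPUT {default}",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for svc in services:
        if svc.name in allowed:  # the package declares; the policy decides
            rules.append(f"-A INPUT -p {svc.proto} --dport {svc.port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for line in render_rules(parse_profiles(SAMPLE_PROFILES), {"OpenSSH"}):
        print(line)
```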
