RE: Request: Submission of Rulesets

RE: Request: Submission of Rulesets

[Derick Anderson]

 
Out of curiosity (and the lack of fully understanding your intent), how
would this DTD validate a ruleset? I imagine you'd be trying to go
beyond syntax since netfilter will tell you when you do something silly
like a --dport without a -p tcp|udp anyway. If that's so, what is your
standard for failure of a ruleset? Or success of a ruleset? I can submit
a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED
connections as the last rule, for example) or that checks src/dst IPs
but not which interface...

Admittedly I don't know that much about XML and DTDs. I don't know how
powerful DTDs can be, but it seems to me like you'd need a high-level
programming language in order to test for more than syntactical
correctness. A simulation environment for Netfilter rules is something
I'd really like to see.

Derick Anderson


> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of 
> Thomas Jones
> Sent: Wednesday, August 24, 2005 6:48 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Request: Submission of Rulesets
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
> >
> > If I could remember the URL I would post it.
> >
> 
> If you find it forward it to me. Sounds like it could be an 
> interesting trick or two.
> 
> >
> > Ah, *that* was the piece I was missing. You are accepting 
> the rulesets 
> > submitted as valid (probably) and are simply using them to 
> test your 
> > DTD. Is that it? I thought you were compiling it from the submitted 
> > rulesets, and that, I guess we agree, is not possible.
> >
> 
> Some of the targets and matches located in the extra 
> repository have not been introduced. These will definitely 
> take some work. Altough progress has been made, I am sure 
> that I have neglected various syntactical portions of the 
> netfilter framework.
> 
> >
> > I still don't, but at least the gibberish issue is cleared up. :)
> 
> Fair enough. ;)
> 
> Cheers,
> Thomas
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFDDPlAoR5cE1e/kEIRAnTvAJ9MdKaDz6DME9g7XQRhK9ZfCHq8fQCcDQJq
> Y9zJBZ5HNohUBV8e0eg/D7Y=
> =h+/H
> -----END PGP SIGNATURE-----
> 
> 

Re: Request: Submission of Rulesets

[Thomas Jones]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 25 August 2005 06:56, Derick Anderson wrote:
> Out of curiosity (and the lack of fully understanding your intent), how
> would this DTD validate a ruleset? I imagine you'd be trying to go
> beyond syntax since netfilter will tell you when you do something silly
> like a --dport without a -p tcp|udp anyway. If that's so, what is your
> standard for failure of a ruleset? Or success of a ruleset?


The DTD is simply the document model by which the rule and/or rulesets can be 
applied against. 

This project can in no way perform logical evaluation of the rules. By this I 
mean the following: say you want to rate-limit incoming type 8 ping messages. 
To do so you would construct the following rules:

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request \
              -m limit --limit 1/second -j ACCEPT

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP

Using logical evaluation of these rules, we can determine the following with 
respect to the pair:

- - Utilization of one rule without the other results in a completely different 
behavior.
- - They must be introduced to netfilter in the order they are given -- 
otherwise the same is true again.
- - Both rules should be introduced adjacently. Otherwise there is chance for 
another rule to intervene.

None of this can be performed by a DTD or an XML markup language. These 
however can be evaluated as you say by use of an XSL stylesheet.

The DTD simply validates against a known and programmed structure. The 
advantages of using XML and this approach are such:

- - Easy to develop according to the structured document model.
- - Anybody can construct new rules with a minimal effort of syntactical 
correctness.
- - The netfiler rules can be processed with a custom stylesheet to produce 
equivalent rules and/or rulesets in other forms for perimeter devices not 
consistent with the netfilter syntax(other firewalls, routers, etc...).
- - The netfiler rules can be processed with a custom stylesheet to evaluate the 
logical structure/intent of a given ruleset.
- - The rules can be digitally signed and encrypted by the administrative entity 
to secure the content. This ensures that confidentiality and integrity of the 
resources are intact.
- - The XML Security function(s) are standards-based. So inclusion into 
regulatory requirements can be easily introduced without complications. i.e. 
SOX

> I can submit
> a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED
> connections as the last rule, for example) or that checks src/dst IPs
> but not which interface...

I am not here to judge yourself or the logical purpose of your rules. I simply 
want to contribute to the community. None of my projects are for profit. 
However, I do think that it could be a good starting point for new users to 
the netfilter framework to be able to construct valid rules and/or rulesets.

> Admittedly I don't know that much about XML and DTDs. I don't know how
> powerful DTDs can be, but it seems to me like you'd need a high-level
> programming language in order to test for more than syntactical
> correctness. 

That is a totally different beast. This is where the XSL stylesheets come into 
play.

> A simulation environment for Netfilter rules is something
> I'd really like to see.

Agreed. Construction of pseudo datagrams and testing for resultant outcomes 
would be a very interesting project. 

Cheers,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDddIoR5cE1e/kEIRAqn0AKDc0iJETnOHYDBWOQlekweswOj3sQCeIo/6
LhSsuJbNwjqcG9fSmV5Hw2U=
=0+PB
-----END PGP SIGNATURE-----

RE: Request: Submission of Rulesets

[Derick Anderson]

  
What you said made sense regarding DTDs and XSL stylesheets. XML (from
what I know of it) is a great standard.

> > I can submit
> > a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED 
> > connections as the last rule, for example) or that checks 
> src/dst IPs 
> > but not which interface...
> 
> I am not here to judge yourself or the logical purpose of 
> your rules. I simply want to contribute to the community. 
> None of my projects are for profit. 
> However, I do think that it could be a good starting point 
> for new users to the netfilter framework to be able to 
> construct valid rules and/or rulesets.

My point there wasn't to say "I'm going to try and mess up your
project", it was an example of what I was asking about earlier -
evaluation of a ruleset that goes beyond correct syntax. I'll be
rebuilding my company's iptables firewall soon (the previous sys-admin
didn't quite grasp stateful inspection or using least privilege) and so
perhaps I'll submit a copy with external IPs obfuscated. 

I think there's a lot of work that can be done to ease the learning
curve for Netfilter. It took me a year to fully understand the basics -
where I knew what would happen to a particular packet as it traversed
the chains. A project like yours combined with a simulation environment
would have saved me a lot of dropped SSH sessions. =) I've got no
problem helping out.
 
> > Admittedly I don't know that much about XML and DTDs. I 
> don't know how 
> > powerful DTDs can be, but it seems to me like you'd need a 
> high-level 
> > programming language in order to test for more than syntactical 
> > correctness.
> 
> That is a totally different beast. This is where the XSL 
> stylesheets come into play.
> 
> > A simulation environment for Netfilter rules is something 
> I'd really 
> > like to see.
> 
> Agreed. Construction of pseudo datagrams and testing for 
> resultant outcomes would be a very interesting project. 
> 
> Cheers,
> Thomas

Derick Anderson

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFDDddIoR5cE1e/kEIRAqn0AKDc0iJETnOHYDBWOQlekweswOj3sQCeIo/6
> LhSsuJbNwjqcG9fSmV5Hw2U=
> =0+PB
> -----END PGP SIGNATURE-----
> 

Request: Submission of Rulesets

[Thomas Jones]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I would like to formally request end-user submission of rulesets to the 
Security Document Initiative's Firewall Rule Subset ---- see the following 
resource for more information http://www.buddhalinux.com.

Abstract:
The Security Document Initiative is an implementation of the domain of applied 
cryptography as it relates to XML Markup Language and the creation of a 
security infrastructure to protect information systems and resources.

This project is charged with developing a XML Document Type Definition 
document model that Netfilter rulesets can be validated against. Any document 
instance of the "Firewall Rule Subset" must be well-formed and comply with 
the structured XML Markup Language. This language is being designed to 
provide all VALID rule entries that are available under the netfilter 
framework.

This is where you the end-user come into play. Obviously, it would take me an 
untold number of days/weeks/months/years to construct a comprehensive and 
stable compilation of valid rules. The compilation of the rules and rulesets 
are a key step in this development process. Without, all representative rules 
and rulesets; a correct and valid netfilter rule will be deemed invalid under 
an improperly constructed document model. Thus, negating the purpose and 
intent of the SDI Firewall Rule Subset project.

All submissions are held in complete confidentiality. You may choose to alter 
your rules and/or rulesets accordingly to obfuscate and mask the original 
address schemes. However, a confidentiality agreement will be made available 
to interested parties. Due care and diligence will be made to ensure end-user 
privacy. All submissions will be stored in encrypted form only on a 
non-networked medium.

Digitally signed and/or encrypted submissions are recommended.

I would like to thank the Netfilter community in advance for their 
contributions to this project.

Cheers,
Thomas Jones
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDLkGoR5cE1e/kEIRAsc7AJ0ctaPsMyetjFpoR5efvRrdn3B2ogCffSmu
WCf1meG+lA4VS2NZHZSo7JE=
=u4s2
-----END PGP SIGNATURE-----

Re: Request: Submission of Rulesets

[/dev/rob0]

On Wednesday 2005-August-24 13:14, Thomas Jones wrote:
> Abstract:

I readily admit that this is not a good day for me. I am not operating 
at full capacity, so to speak. But I have to say that this post made no 
sense at all to me. Is it just me? Did anyone else understand it? If 
so, can you explain it?

> The Security Document Initiative is an implementation of the domain
> of applied cryptography as it relates to XML Markup Language and the
> creation of a security infrastructure to protect information systems
> and resources.

I once saw an online automated generator of scholarly papers. It was 
hilarious! It used language just like this.

> This project is charged with developing a XML Document Type
> Definition document model that Netfilter rulesets can be validated
> against. Any document instance of the "Firewall Rule Subset" must be
> well-formed and comply with the structured XML Markup Language. This
> language is being designed to provide all VALID rule entries that are
> available under the netfilter framework.

Okay, I think I see a little substance here. The poster wants something 
which lists every possible valid netfilter rule. Right?

Unfortunately, the list of valid rules is almost infinite. And what's 
valid may vary in context: what's available in the kernel, other rules 
in the chain, et c. "iptables I OUTPUT -j LOG" is a valid rule (rather 
unfortunate if the local syslogd is logging to a remote syslog server, 
as each packet generates another one ad infinitum), but only valid if 
the LOG target is available.

> This is where you the end-user come into play. Obviously, it would
> take me an untold number of days/weeks/months/years to construct a
> comprehensive and stable compilation of valid rules. The compilation

It's not even possible.

> of the rules and rulesets are a key step in this development process.
> Without, all representative rules and rulesets; a correct and valid
> netfilter rule will be deemed invalid under an improperly constructed
> document model. Thus, negating the purpose and intent of the SDI
> Firewall Rule Subset project.

Perhaps the purpose and intent of the SDI Firewall Rule Subset project 
should be reevaluated.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: Request: Submission of Rulesets

[Thomas Jones]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 24 August 2005 16:07, /dev/rob0 wrote:
> On Wednesday 2005-August-24 13:14, Thomas Jones wrote:
> > Abstract:
>
> I readily admit that this is not a good day for me. I am not operating
> at full capacity, so to speak. But I have to say that this post made no
> sense at all to me. Is it just me? Did anyone else understand it? If
> so, can you explain it?
>
>
> I once saw an online automated generator of scholarly papers. It was
> hilarious! It used language just like this.

Hehehe. Ok...lets make it simple for you. Various security documentation is
composed using a custom XML markup language. Depending on the content,
modules are included or excluded. Given that these document instances are
security in nature they can be secured by a digital signature, encryption, or 
both.

>
> Okay, I think I see a little substance here. The poster wants something
> which lists every possible valid netfilter rule. Right?

Seemingly, you are the the person to do this feat? Realistically, I don't 
expect you or anybody else to have knowledge of all the rules. I have already
developed the basic structure of the DTD. I just want to do some QA on various
rulesets that I have not applied it to.

>
> Unfortunately, the list of valid rules is almost infinite. And what's
> valid may vary in context: what's available in the kernel, other rules
> in the chain, et c. "iptables I OUTPUT -j LOG" is a valid rule (rather
> unfortunate if the local syslogd is logging to a remote syslog server,
> as each packet generates another one ad infinitum), but only valid if
> the LOG target is available.
>

The scenario you describe is what is called a conditional statement. Pretty 
self-explanatory with regards to an XML DTD(or many other disciplines for 
that reason).

>
> It's not even possible.
>

This statement is rather benign. Going back to your conditional statement 
scenario; the DTD is constructed like that of a programming language. It can
be developed by means of pseudo-functions. An element may contain another, so 
on so forth. This is surely within the intended scope and capability.

>
> Perhaps the purpose and intent of the SDI Firewall Rule Subset project
> should be reevaluated.

Because you do no not fully understand does not make it wrong. 


How do you know what I don't know? You are not me.
- ---Zhuang Zi - The Warring States Period


Cheers,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDPPHoR5cE1e/kEIRAkM0AJ9KGwqKuzMCJjsm8oQ3RXHK43MVJgCfaqR7
nuf6UbusppcBeD62jfqcmVY=
=qsSS
-----END PGP SIGNATURE-----

Re: Request: Submission of Rulesets

[/dev/rob0]

On Wednesday 2005-August-24 17:25, Thomas Jones wrote:
> > I once saw an online automated generator of scholarly papers. It
> > was hilarious! It used language just like this.
>
> Hehehe. Ok...lets make it simple for you. Various security

You really should Google that. It was loads of fun. I generated some 
scholarly papers under my name and sent them to colleagues "for review 
and comment." They were ashamed to admit that it was all a bunch of 
gibberish to them. I laughed for days. :)

If I could remember the URL I would post it.

> > Okay, I think I see a little substance here. The poster wants
> > something which lists every possible valid netfilter rule. Right?
>
> Seemingly, you are the the person to do this feat? Realistically, I
> don't expect you or anybody else to have knowledge of all the rules.
> I have already developed the basic structure of the DTD. I just want

Ah, *that* was the piece I was missing. You are accepting the rulesets 
submitted as valid (probably) and are simply using them to test your 
DTD. Is that it? I thought you were compiling it from the submitted 
rulesets, and that, I guess we agree, is not possible.

> Because you do no not fully understand does not make it wrong.

I still don't, but at least the gibberish issue is cleared up. :)
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: Request: Submission of Rulesets

[Thomas Jones]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
>
> If I could remember the URL I would post it.
>

If you find it forward it to me. Sounds like it could be an interesting
trick or two.

>
> Ah, *that* was the piece I was missing. You are accepting the rulesets
> submitted as valid (probably) and are simply using them to test your
> DTD. Is that it? I thought you were compiling it from the submitted
> rulesets, and that, I guess we agree, is not possible.
>

Some of the targets and matches located in the extra repository have not been 
introduced. These will definitely take some work. Altough progress has been 
made, I am sure that I have neglected various syntactical portions of the 
netfilter framework.

>
> I still don't, but at least the gibberish issue is cleared up. :)

Fair enough. ;)

Cheers,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDPlAoR5cE1e/kEIRAnTvAJ9MdKaDz6DME9g7XQRhK9ZfCHq8fQCcDQJq
Y9zJBZ5HNohUBV8e0eg/D7Y=
=h+/H
-----END PGP SIGNATURE-----