Request: Submission of Rulesets

Request: Submission of Rulesets

[Thomas Jones]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I would like to formally request end-user submission of rulesets to the 
Security Document Initiative's Firewall Rule Subset ---- see the following 
resource for more information http://www.buddhalinux.com.

Abstract:
The Security Document Initiative is an implementation of the domain of applied 
cryptography as it relates to XML Markup Language and the creation of a 
security infrastructure to protect information systems and resources.

This project is charged with developing a XML Document Type Definition 
document model that Netfilter rulesets can be validated against. Any document 
instance of the "Firewall Rule Subset" must be well-formed and comply with 
the structured XML Markup Language. This language is being designed to 
provide all VALID rule entries that are available under the netfilter 
framework.

This is where you the end-user come into play. Obviously, it would take me an 
untold number of days/weeks/months/years to construct a comprehensive and 
stable compilation of valid rules. The compilation of the rules and rulesets 
are a key step in this development process. Without, all representative rules 
and rulesets; a correct and valid netfilter rule will be deemed invalid under 
an improperly constructed document model. Thus, negating the purpose and 
intent of the SDI Firewall Rule Subset project.

All submissions are held in complete confidentiality. You may choose to alter 
your rules and/or rulesets accordingly to obfuscate and mask the original 
address schemes. However, a confidentiality agreement will be made available 
to interested parties. Due care and diligence will be made to ensure end-user 
privacy. All submissions will be stored in encrypted form only on a 
non-networked medium.

Digitally signed and/or encrypted submissions are recommended.

I would like to thank the Netfilter community in advance for their 
contributions to this project.

Cheers,
Thomas Jones
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDLkGoR5cE1e/kEIRAsc7AJ0ctaPsMyetjFpoR5efvRrdn3B2ogCffSmu
WCf1meG+lA4VS2NZHZSo7JE=
=u4s2
-----END PGP SIGNATURE-----

Re: Request: Submission of Rulesets

[/dev/rob0]

On Wednesday 2005-August-24 13:14, Thomas Jones wrote:
> Abstract:

I readily admit that this is not a good day for me. I am not operating 
at full capacity, so to speak. But I have to say that this post made no 
sense at all to me. Is it just me? Did anyone else understand it? If 
so, can you explain it?

> The Security Document Initiative is an implementation of the domain
> of applied cryptography as it relates to XML Markup Language and the
> creation of a security infrastructure to protect information systems
> and resources.

I once saw an online automated generator of scholarly papers. It was 
hilarious! It used language just like this.

> This project is charged with developing a XML Document Type
> Definition document model that Netfilter rulesets can be validated
> against. Any document instance of the "Firewall Rule Subset" must be
> well-formed and comply with the structured XML Markup Language. This
> language is being designed to provide all VALID rule entries that are
> available under the netfilter framework.

Okay, I think I see a little substance here. The poster wants something 
which lists every possible valid netfilter rule. Right?

Unfortunately, the list of valid rules is almost infinite. And what's 
valid may vary in context: what's available in the kernel, other rules 
in the chain, et c. "iptables I OUTPUT -j LOG" is a valid rule (rather 
unfortunate if the local syslogd is logging to a remote syslog server, 
as each packet generates another one ad infinitum), but only valid if 
the LOG target is available.

> This is where you the end-user come into play. Obviously, it would
> take me an untold number of days/weeks/months/years to construct a
> comprehensive and stable compilation of valid rules. The compilation

It's not even possible.

> of the rules and rulesets are a key step in this development process.
> Without, all representative rules and rulesets; a correct and valid
> netfilter rule will be deemed invalid under an improperly constructed
> document model. Thus, negating the purpose and intent of the SDI
> Firewall Rule Subset project.

Perhaps the purpose and intent of the SDI Firewall Rule Subset project 
should be reevaluated.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: Request: Submission of Rulesets

[Thomas Jones]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 24 August 2005 16:07, /dev/rob0 wrote:
> On Wednesday 2005-August-24 13:14, Thomas Jones wrote:
> > Abstract:
>
> I readily admit that this is not a good day for me. I am not operating
> at full capacity, so to speak. But I have to say that this post made no
> sense at all to me. Is it just me? Did anyone else understand it? If
> so, can you explain it?
>
>
> I once saw an online automated generator of scholarly papers. It was
> hilarious! It used language just like this.

Hehehe. Ok...lets make it simple for you. Various security documentation is
composed using a custom XML markup language. Depending on the content,
modules are included or excluded. Given that these document instances are
security in nature they can be secured by a digital signature, encryption, or 
both.

>
> Okay, I think I see a little substance here. The poster wants something
> which lists every possible valid netfilter rule. Right?

Seemingly, you are the the person to do this feat? Realistically, I don't 
expect you or anybody else to have knowledge of all the rules. I have already
developed the basic structure of the DTD. I just want to do some QA on various
rulesets that I have not applied it to.

>
> Unfortunately, the list of valid rules is almost infinite. And what's
> valid may vary in context: what's available in the kernel, other rules
> in the chain, et c. "iptables I OUTPUT -j LOG" is a valid rule (rather
> unfortunate if the local syslogd is logging to a remote syslog server,
> as each packet generates another one ad infinitum), but only valid if
> the LOG target is available.
>

The scenario you describe is what is called a conditional statement. Pretty 
self-explanatory with regards to an XML DTD(or many other disciplines for 
that reason).

>
> It's not even possible.
>

This statement is rather benign. Going back to your conditional statement 
scenario; the DTD is constructed like that of a programming language. It can
be developed by means of pseudo-functions. An element may contain another, so 
on so forth. This is surely within the intended scope and capability.

>
> Perhaps the purpose and intent of the SDI Firewall Rule Subset project
> should be reevaluated.

Because you do no not fully understand does not make it wrong. 


How do you know what I don't know? You are not me.
- ---Zhuang Zi - The Warring States Period


Cheers,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDPPHoR5cE1e/kEIRAkM0AJ9KGwqKuzMCJjsm8oQ3RXHK43MVJgCfaqR7
nuf6UbusppcBeD62jfqcmVY=
=qsSS
-----END PGP SIGNATURE-----

Re: Request: Submission of Rulesets

[/dev/rob0]

On Wednesday 2005-August-24 17:25, Thomas Jones wrote:
> > I once saw an online automated generator of scholarly papers. It
> > was hilarious! It used language just like this.
>
> Hehehe. Ok...lets make it simple for you. Various security

You really should Google that. It was loads of fun. I generated some 
scholarly papers under my name and sent them to colleagues "for review 
and comment." They were ashamed to admit that it was all a bunch of 
gibberish to them. I laughed for days. :)

If I could remember the URL I would post it.

> > Okay, I think I see a little substance here. The poster wants
> > something which lists every possible valid netfilter rule. Right?
>
> Seemingly, you are the the person to do this feat? Realistically, I
> don't expect you or anybody else to have knowledge of all the rules.
> I have already developed the basic structure of the DTD. I just want

Ah, *that* was the piece I was missing. You are accepting the rulesets 
submitted as valid (probably) and are simply using them to test your 
DTD. Is that it? I thought you were compiling it from the submitted 
rulesets, and that, I guess we agree, is not possible.

> Because you do no not fully understand does not make it wrong.

I still don't, but at least the gibberish issue is cleared up. :)
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: Request: Submission of Rulesets

[Thomas Jones]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
>
> If I could remember the URL I would post it.
>

If you find it forward it to me. Sounds like it could be an interesting
trick or two.

>
> Ah, *that* was the piece I was missing. You are accepting the rulesets
> submitted as valid (probably) and are simply using them to test your
> DTD. Is that it? I thought you were compiling it from the submitted
> rulesets, and that, I guess we agree, is not possible.
>

Some of the targets and matches located in the extra repository have not been 
introduced. These will definitely take some work. Altough progress has been 
made, I am sure that I have neglected various syntactical portions of the 
netfilter framework.

>
> I still don't, but at least the gibberish issue is cleared up. :)

Fair enough. ;)

Cheers,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDPlAoR5cE1e/kEIRAnTvAJ9MdKaDz6DME9g7XQRhK9ZfCHq8fQCcDQJq
Y9zJBZ5HNohUBV8e0eg/D7Y=
=h+/H
-----END PGP SIGNATURE-----

Fwd: Request: Submission of Rulesets

[Shannon Roddy]

Forgot to send a copy the list too....


On 8/24/05, Thomas Jones <admin@buddhalinux.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
> >
> > If I could remember the URL I would post it.
> >
>
> If you find it forward it to me. Sounds like it could be an interesting
> trick or two.
>
> >

It is quite amusing:  http://pdos.csail.mit.edu/scigen/

The Slashdot article from April:
http://science.slashdot.org/article.pl?sid=05/04/13/1723206

Seems one of the papers generated actually was accepted to "The 9th
World Multi-Conference on Systemics, Cybernetics and Informatics".