Subject: Re: IPFilter IPv6 configuration
To: Ronald van der Pol <Ronald.vanderPol@rvdp.org>
From: Darren Reed <darrenr@NetBSD.org>
List: tech-net
Date: 04/06/2005 10:17:26
On Wed, Apr 06, 2005 at 11:59:56AM +0200, Ronald van der Pol wrote:
> On Tue, Apr 05, 2005 at 12:50:53 -0400, Steven M. Bellovin wrote:
> 
> > The proper way to do it, in my opinion, is to separate topology from 
> > policy.  For example -- and this is *not* a suggestion about proper 
> > syntax, though I think it's close -- you might want to say something like:
> > 
> > 
> > allow service any from localhost;
> > allow service smtp from any to mailhost;
> > allow service netbios from roadwarriors to fileserver;
> > 
> > localhost = {if:lo0};
> > mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
> > fileserver = { ipv4:10.1.1.1};
> > 
> > netbios = {udp:135-139};
> 
> That would be nice. The macros and lists of pf(4) can do some of these things.

As can IPFilter's syntax but so what?

But really, the difference is the above is about service definition, not
access control.  I spent some time with a group of guys at Usenix about
10 years ago exploring this in the pursuit of making it easier.  I don't
recall exactly what fell out of that...

Darren
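The topology/policy separation sketched in the quoted message, worked through as an added example (this is not code from the thread, from IPFilter or from pf): a small Python parser that reads statements in that sketched syntax, resolves the symbolic names, and expands each policy line into concrete per-address rules. The sample text, the added `roadwarriors` and `smtp` definitions, and the `(proto, ports, src, dst)` output shape are assumptions made for the illustration.

```python
import re
from ipaddress import ip_network
# Constructed sample in the style of the sketch quoted above; not real IPFilter or pf syntax.
SAMPLE = """
allow service any from localhost;
allow service smtp from any to mailhost;
allow service netbios from roadwarriors to fileserver;
localhost = {if:lo0};
mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
fileserver = { ipv4:10.1.1.1};
roadwarriors = { ipv4:10.9.0.0/16};
netbios = {udp:135-139};
smtp = {tcp:25};
"""
RULE = re.compile(r"allow service (\S+) from (\S+)(?: to (\S+))?")
DEFN = re.compile(r"(\w+) = \{([^}]*)\}")

def parse(text):
    """Split the text into policy statements and named definitions (topology/services)."""
    rules, defs = [], {}
    for stmt in (s.strip() for s in text.split(";")):
        if not stmt:
            continue
        if m := RULE.fullmatch(stmt):
            rules.append((m.group(1), m.group(2), m.group(3) or "any"))
        elif m := DEFN.fullmatch(stmt):
            defs[m.group(1)] = [e.strip() for e in m.group(2).split(",") if e.strip()]
        else:
            raise ValueError(f"unparsable statement: {stmt!r}")
    return rules, defs

def members(name, defs):
    """Resolve a name to its members; 'any' is a wildcard, an unknown name is an error."""
    if name == "any":
        return ["any"]
    out = []
    for item in defs[name]:           # KeyError for undefined names, on purpose:
        kind, _, value = item.partition(":")   # a typo must not silently widen policy
        # Address literals are validated; if:lo0 and hostnames are kept symbolic.
        out.append(str(ip_network(value, strict=False)) if kind in ("ipv4", "ipv6") else item)
    return out

def expand(text):
    """Cross-product each policy statement over its resolved objects."""
    rules, defs = parse(text)
    concrete = []
    for svc, src, dst in rules:
        for proto_port in members(svc, defs):
            proto, _, ports = proto_port.partition(":")
            for s in members(src, defs):
                for d in members(dst, defs):
                    concrete.append((proto, ports or "any", s, d))
    return concrete
```

Because a name is resolved through the definitions table rather than typed into each rule, moving `mailhost` to a new prefix changes one definition and every rule that mentions it follows.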