Subject: Re: IPFilter IPv6 configuration
To: Darren Reed <darrenr@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 04/06/2005 09:58:50
In message <20050406101726.GA4531@NetBSD.org>, Darren Reed writes:
>On Wed, Apr 06, 2005 at 11:59:56AM +0200, Ronald van der Pol wrote:
>> On Tue, Apr 05, 2005 at 12:50:53 -0400, Steven M. Bellovin wrote:
>> 
>> > The proper way to do it, in my opinion, is to separate topology from 
>> > policy.  For example -- and this is *not* a suggestion about proper 
>> > syntax, though I think it's close -- you might want to say something like:
>> > 
>> > 
>> > allow service any from localhost;
>> > allow service smtp from any to mailhost;
>> > allow service netbios from roadwarriors to fileserver;
>> > 
>> > localhost = {if:lo0};
>> > mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
>> > fileserver = { ipv4:10.1.1.1};
>> > 
>> > netbios = {udp:135-139};
>> 
>> That would be nice. The macros and lists of pf(4) can do some of these things.
>
>As can IPFilter's syntax but so what?
>
>But really, the difference is the above is about service definition, not
>access control.  I spent some time with a group of guys at Usenix about
>10 years ago exploring this in the pursuit of making it easier.  I don't
>recall exactly what fell out of that...
>

I don't recall how long I've been advocating this separation, but 10 
years sounds about right...  Hmm -- checking my archives, I see email 
from Bill Cheswick dated February 1996, describing a security policy 
language.  The document is by him and one Darren Reed.  And yes, it 
does separate the file into "realms", "services", "action", "map", and 
"policy".

I'm not certain what you mean about "service definition" versus "access 
control".  In the example I gave, the declaration of "netbios" is 
indeed a service definition.  But separating the destinations from the 
policy rules is crucial to what I'm recommending -- and, I think, 
crucial to what you asked about.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
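The following is an added example, not code from this thread, from IPFilter or from pf. It is a toy Python compiler for the "topology separate from policy" idea sketched above: realms (hosts, networks, interfaces) and services (protocol and ports) are declared by name, and the policy lines refer only to those names. The input syntax follows the illustrative sketch in the quoted mail, not any real ipf or pf grammar; the `roadwarriors` and `smtp` definitions, the function names, and the `Rule` shape are assumptions made for this example.

```python
"""Toy 'topology vs policy' compiler (added example, not IPFilter or pf code).

Realms, services and policy lines are declared separately, in the spirit of
the syntax sketched in the thread, and compiled into concrete rules.  The
grammar and the function names are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample in the sketched syntax.  'roadwarriors' and 'smtp' were
# not defined in the quoted mail; they are filled in here so the sample compiles.
SAMPLE_POLICY = """
allow service any from localhost;
allow service smtp from any to mailhost;
allow service netbios from roadwarriors to fileserver;

localhost = {if:lo0};
mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
fileserver = {ipv4:10.1.1.1};
roadwarriors = {ipv4:10.200.0.0/16};

smtp = {tcp:25};
netbios = {udp:135-139};
"""


@dataclass(frozen=True)
class Rule:
    """One concrete rule after all names have been expanded."""
    action: str
    proto: str
    ports: str
    src: str
    dst: str


POLICY_RE = re.compile(
    r"^(allow|deny)\s+service\s+(\S+)\s+from\s+(\S+)(?:\s+to\s+(\S+))?$")
DEF_RE = re.compile(r"^(\w+)\s*=\s*\{([^}]*)\}$")


def parse(text):
    """Split the text into policy tuples and name definitions, resolving nothing yet."""
    policies, defs = [], {}
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())          # collapse newlines and runs of spaces
        if not stmt:
            continue
        m = POLICY_RE.match(stmt)
        if m:
            policies.append(m.groups())        # (action, service, src, dst-or-None)
            continue
        m = DEF_RE.match(stmt)
        if m:
            defs[m.group(1)] = [x.strip() for x in m.group(2).split(",") if x.strip()]
            continue
        raise ValueError(f"unparseable statement: {stmt!r}")
    return policies, defs


def resolve(name, defs, kind):
    """Expand a realm or service name; 'any' is a wildcard, unknown names are an error."""
    if name == "any":
        return ["any"] if kind == "realm" else ["any:any"]
    if name not in defs:
        raise KeyError(f"undefined {kind} {name!r}")
    return defs[name]


def compile_policy(text):
    """Cross-product every policy line with its resolved service and realm members."""
    policies, defs = parse(text)
    rules = []
    for action, svc, src, dst in policies:
        for service in resolve(svc, defs, "service"):
            proto, _, ports = service.partition(":")
            for a in resolve(src, defs, "realm"):
                for b in resolve(dst or "any", defs, "realm"):
                    rules.append(Rule(action, proto, ports, a, b))
    return rules


if __name__ == "__main__":
    for rule in compile_policy(SAMPLE_POLICY):
        print(rule)
```

The point of keeping the two halves apart shows up in `resolve`: a policy line that names a realm which was never declared fails at compile time instead of silently producing a rule that matches nothing, and changing where `mailhost` lives touches one definition rather than every rule that mentions it.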