Subject: Re: IPFilter IPv6 configuration
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Roberto <roberto.trovo@redix.it>
List: tech-net
Date: 04/07/2005 11:38:20
> Let me answer the questions a bit differently.
>
> Most packet filters use the same basic style of configuration file as
> IPfilter -- an ordered set of rules that block or permit access to
> various services to or from various IP addresses.  In my opinion,
> that's very much the wrong way to do it.  As you imply, that causes
> problems with people updating one part of the rules but not another.
>
> The proper way to do it, in my opinion, is to separate topology from
> policy.  For example -- and this is *not* a suggestion about proper
> syntax, though I think it's close -- you might want to say something
> like:
>
> allow service any from localhost;
> allow service smtp from any to mailhost;
> allow service netbios from roadwarriors to fileserver;
>
> localhost = {if:lo0};
> mailhost = {smtp.example.com, ipv4:192.168.0.0/24,
> ipv6:2004::0102:0304:0506};
> fileserver = { ipv4:10.1.1.1};
>
> netbios = {udp:135-139};
>
> 		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Maybe what you want is something similar to what Shorewall does on Linux?
(http://www.shorewall.net)

I've not used it a lot, but it seems to me that it could match what you are
asking for.

Regards,
Roberto
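As an added illustration of the topology/policy split sketched in the quoted message (example code written for this thread, not from either poster), the snippet below takes the three policy lines and the set definitions, expands every rule into concrete per-address-family entries, refuses undefined set names, and reports endpoint pairs it had to drop because the source and destination are in different address families. The `roadwarriors` and `smtp` definitions are assumptions; the message leaves them undefined.

```python
import re
from itertools import product

# Constructed input: the sketch from the quoted message, plus definitions the
# message leaves out (roadwarriors, smtp), which are assumptions here.
POLICY = """
allow service any from localhost;
allow service smtp from any to mailhost;
allow service netbios from roadwarriors to fileserver;
"""
TOPOLOGY = """
localhost = {if:lo0};
mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
fileserver = {ipv4:10.1.1.1};
roadwarriors = {ipv4:203.0.113.0/24, ipv6:2001:db8:77::/48};
netbios = {udp:135-139};
smtp = {tcp:25};
"""

RULE_RE = re.compile(r"(allow|deny)\s+service\s+([\w.]+)\s+from\s+([\w.]+)(?:\s+to\s+([\w.]+))?\s*;")
SET_RE = re.compile(r"(\w+)\s*=\s*\{([^}]*)\}")
FAMILY = {"ipv4": "inet", "ipv6": "inet6"}   # if:, hostnames and 'any' are family-agnostic

def parse_sets(text):
    """name -> list of (kind, value); a bare member is a hostname resolved at load time."""
    sets = {}
    for name, body in SET_RE.findall(text):
        members = [m.strip() for m in body.split(",")]
        sets[name] = [tuple(m.split(":", 1)) if re.match(r"(if|ipv4|ipv6|tcp|udp):", m)
                      else ("host", m) for m in members]
    return sets

def lookup(sets, name):
    if name == "any":
        return [("any", "any")]
    if name not in sets:    # an undefined name must fail loudly, not silently match nothing
        raise KeyError(f"policy references undefined set '{name}'")
    return sets[name]

def expand(policy, sets):
    """Cross each rule with its sets; returns (concrete rules, endpoint pairs dropped as
    address-family mismatches). Rule tuple: (action, proto, ports, family, src, dst)."""
    rules, dropped = [], []
    for action, svc, src, dst in RULE_RE.findall(policy):
        for (proto, ports), s, d in product(lookup(sets, svc), lookup(sets, src), lookup(sets, dst or "any")):
            fams = {FAMILY[k] for k, _ in (s, d) if k in FAMILY}
            if len(fams) > 1:           # e.g. an IPv6-only client to an IPv4-only server
                dropped.append((action, svc, s[1], d[1]))
                continue
            rules.append((action, proto, ports, fams.pop() if fams else "both", s[1], d[1]))
    return rules, dropped

if __name__ == "__main__":
    rules, dropped = expand(POLICY, parse_sets(TOPOLOGY))
    for r in rules:
        print("%s %s %s %-5s %s -> %s" % r)
    for d in dropped:
        print("dropped (family mismatch):", d)
```

Changing `mailhost` in one place regenerates all three SMTP entries, which is the point of the split; the dropped pair shows the check that catches a policy line no real packet could ever match.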