|
Simple
Firewall
Title: |
Simple Firewall |
Authors:
|
Cornelius Diekmann,
Julius Michaelis and
Maximilian Haslbeck
|
Submission date: |
2016-08-24 |
Abstract: |
We present a simple model of a firewall. The firewall can accept or
drop a packet and can match on interfaces, IP addresses, protocol, and
ports. It was designed to feature nice mathematical properties: The
type of match expressions was carefully crafted such that the
conjunction of two match expressions is only one match expression.
This model is too simplistic to mirror all aspects of the real world.
In the upcoming entry "Iptables Semantics", we will translate the
Linux firewall iptables to this model. For a fixed service (e.g. ssh,
http), we provide an algorithm to compute an overview of the
firewall's filtering behavior. The algorithm computes minimal service
matrices, i.e. graphs which partition the complete IPv4 and IPv6
address space and visualize the allowed accesses between partitions.
For a detailed description, see
Verified iptables Firewall
Analysis, IFIP Networking 2016. |
BibTeX: |
@article{Simple_Firewall-AFP,
author = {Cornelius Diekmann and Julius Michaelis and Maximilian Haslbeck},
title = {Simple Firewall},
journal = {Archive of Formal Proofs},
month = aug,
year = 2016,
note = {\url{http://isa-afp.org/entries/Simple_Firewall.html},
Formal proof development},
ISSN = {2150-914x},
}
|
License: |
BSD License |
Depends on: |
IP_Addresses |
Used by: |
Routing |
Status: [ok] |
This is a development version of this entry. It might change over time
and is not stable. Please refer to release versions for citations.
|
|