4. Managing Rules

Contents

Rule types
Creating a rule
Rules cut, copy, paste, delete
Disabling a rule
Locking a rule
Compiling one rule
Conditional rules

Rule types

Isba displays filtering rules on one notebook page, and address translation rules on another. It sticks to ipfilter syntax (with some exceptions): you see ipfilter keywords in typed boxes; the first box is for the rule 'action' (pass, block, ...), the second box is for the action options (quick, log, ...), and so on. One row of boxes therefore looks like an ipfilter rule. This is the standard isba rule type.
You can also create "verbatim" rules, which contain plain ipfilter text that will be fed 'as-is' to ipf at compile time. This is useful if you want to insert an ipfilter rule whose syntax is not supported by isba (e.g. a skip rule).
Warning: because of the unfolding process, there shouldn't be any head or group numbers in verbatim rules. Such numbers wouldn't be synchronized with the generated head numbers.

The last rule type is the separator/comment rule. It is used to improve ruleset readability by separating logical blocks of rules. When you create a separator rule, it is displayed as an empty, thin line. You can edit it and add a comment in it.

The following rulesets show an example of each kind of 'rule' in an ipf and a NAT ruleset. Note that comment lines don't have a rule number.

Sample ipf rules: three rule types

Sample NAT rules: three rule types

Creating a rule
To create a new rule you can use the "Rules" menu, but your new rule will be added at the end of the ruleset. If you want to create a rule just after rule number N, you must right-click rule N on the box that contains the number, and choose new rule (or new separator, or new verbatim rule) in the popup menu (see the popup shown below).

Rule numbers right-click popup
Imagine that you have created a blank rule: you see a new row of boxes ready to be filled. Each box has its own right-click popup menu. In the 'Ipf rule' notebook, the box in the 'Action' column has a popup menu that lets you choose the rule action from among the following: pass in/out, block in/out, auth in/out, etc. The 'block in' entry is actually a cascaded menu where you'll be able to specify a 'return-rst' or 'return-icmp' action.
Rules cut, copy, paste and delete

GUI Tips

A left-click on the number of a rule copies it. The whole rule flashes, showing that it is in the clipboard.

A control-click on the number of a rule cuts it. It is copied to the clipboard, enabling you to immediately paste it anywhere in the ruleset.

If the clipboard contains a rule A, a middle-click on the number of a rule B pastes rule A just after rule B. If you want to paste a rule before the first rule, paste it on the '#' box in the headers row.

The right-click popup menu mentioned above allows you to cut, copy, paste and delete rules. Pasting a rule works like creating a new rule: you must right-click on the rule number just above the place where you want your rule to be pasted. Cutting and pasting is the only way to reorder rules. The popup menu also lets you delete or clear a rule. See also how you can copy rules from one ruleset to another.
 
Disabling a rule

What if you don't want a rule in your ruleset anymore, but may have to re-enter it later? You can "disable" it, then enable it again whenever you want, again from the right-click popup menu. Disabled rules are displayed greyed out:

Rules 1 and 2 are disabled
Locking a rule

Isba does not have an "undo" feature. If you delete a rule, it is lost for good, unless you can revert to the last time you saved. You can protect yourself from accidental modifications of rules by locking them, again from the right-click popup menu. The same menu allows you to unlock a rule. On locked rules, the rule number is displayed on a black background.
Warning: when a rule is locked, the rule itself can't be modified (it can't even be disabled or enabled), but its objects can.

Rule 6 is locked
Compiling one rule

Here "compiling" means translating isba rules to ipfilter rules. At any time you can see the ipfilter rules a given isba rule will be translated into. Use again the right-click popup menu, and choose "compile to stdout". You may notice that some isba rules are translated into several ipfilter rules. This is described in Rule unfolding.
Conditional rules

In multi-target rulesets you can choose, on a per-rule basis, which parts of your ruleset will be compiled, depending on the target it is compiled for.

When a rule contains a '#if-target(hosts_nets)' directive somewhere in its comment box, this rule will be compiled if and only if the current target (the host the ruleset is being compiled for) belongs to the set of hosts and/or nets hosts_nets. For example:

#if-target()
#if-not-target()

Sample conditional rule
When the ruleset is compiled, this rule will generate an ipfilter rule if the current target belongs to 'ftp-servers'. It will generate nothing on targets that don't.

hosts_nets can be a whitespace-separated list of hosts, nets, groups of hosts and groups of nets.

There is also a '#if-not-target(hosts_nets)' directive.
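As an added example (not isba's own code), the following Python models the compile step described in this chapter for one target: disabled rules are skipped, '#if-target' and '#if-not-target' directives found in the comment box are evaluated against the target's address, verbatim rules are passed through after a check for head/group numbers, and separators become comment lines. The object tables, the rule tuple layout and the handling of separators in the output are constructed assumptions for this example.

```python
import ipaddress
import re

# Constructed object tables (assumption: isba's real object store is different).
HOSTS = {"ns1": "192.0.2.10", "ftp1": "192.0.2.20", "ftp2": "198.51.100.5"}
NETS = {"dmz": "192.0.2.0/24"}
GROUPS = {"ftp-servers": ["ftp1", "ftp2"]}   # groups may hold hosts and/or nets

DIRECTIVE = re.compile(r"#if-(not-)?target\(([^)]*)\)")
HEAD_GROUP = re.compile(r"\b(head|group)\s+\d+")  # forbidden in verbatim rules

def expand(names):
    """Resolve a whitespace-separated list of hosts, nets and groups to networks."""
    out = []
    for name in names.split():
        if name in GROUPS:
            out.extend(expand(" ".join(GROUPS[name])))   # groups nest
        elif name in HOSTS:
            out.append(ipaddress.ip_network(HOSTS[name]))  # host -> /32
        elif name in NETS:
            out.append(ipaddress.ip_network(NETS[name]))
        else:
            raise ValueError(f"unknown object {name!r}")
    return out

def rule_applies(comment, target_ip):
    """True if every #if-target / #if-not-target directive in the comment holds."""
    target = ipaddress.ip_address(target_ip)
    for negate, names in DIRECTIVE.findall(comment):
        member = any(target in net for net in expand(names))
        if member == bool(negate):   # if-target needs membership, if-not-target needs none
            return False
    return True

def compile_ruleset(rules, target_ip):
    """Emit ipf text for (kind, text, comment, disabled) rules on one target.
    Standard rules are passed through unchanged here; real unfolding is out of scope."""
    out = []
    for kind, text, comment, disabled in rules:
        if disabled or not rule_applies(comment, target_ip):
            continue
        if kind == "verbatim" and HEAD_GROUP.search(text):
            raise ValueError(f"head/group number in verbatim rule: {text!r}")
        out.append(f"# {comment}" if kind == "separator" else text)
    return out

RULES = [  # constructed sample ruleset
    ("separator", "", "ftp servers", False),
    ("standard", "pass in quick proto tcp from any to any port = 21", "#if-target(ftp-servers)", False),
    ("verbatim", "skip 1 in from 10.0.0.0/8 to any", "", False),
    ("standard", "block in all", "#if-not-target(ftp-servers)", True),  # disabled
    ("standard", "block in all", "", False),
]
```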

Isba User's Guide - last modified on 09-Jan-2002 12:58 MET - Copyright (c) 2001