4. Managing Rules
Isba displays filtering rules on one notebook page, and address translation
rules on another. It sticks to ipfilter syntax (with some exceptions): you see
ipfilter keywords in typed boxes, the first box is for the rule `action'
(pass, block, ...), the second box is for the action options (quick, log, ...),
and so on. One row of boxes therefore looks like an ipfilter rule. This is the
standard isba rule type.

You can also create "verbatim" rules, which contain plain ipfilter text that
will be fed `as-is' to ipf at compile time. This is useful if you want to
insert an ipfilter rule whose syntax is not supported by isba (e.g. a skip
rule).

Warning: because of the unfolding process, there shouldn't be any head and
group numbers in verbatim rules. Such numbers wouldn't be synchronized with
the generated head numbers.

The last rule type is the separator/comment rule. It is used to improve
ruleset readability by separating logical blocks of rules. When you create a
separator rule, it is displayed as an empty, thin line. You can edit it and
add a comment in it. The following rulesets show an example of each kind of
`rule' in an ipf and a nat ruleset. Note that comment lines don't have a rule
number.

[Figure: Sample ipf rules: three rule types]

[Figure: Sample NAT rules: three rule types]

To create a new rule you can use the "Rules" menu, but your new rule will be
added at the end of the ruleset. If you want to create a rule just after rule
number N, you must right-click rule N on the box that contains the number,
and choose new rule (or new separator, or new verbatim rule) in the popup
menu (see the popup menu figure below).

[Figure: Rule numbers right-click popup]

Imagine that you have created a blank rule: you see a new row of boxes ready
to be filled. Each box has a personalized right-click popup menu. In the
'Ipf rule' notebook, the box in the 'Action' column has a popup menu that
lets you choose the rule action from among the following: pass in/out,
block in/out, auth in/out, etc. The 'block in' entry is actually a cascaded
menu where you'll be able to specify a 'return-rst' or 'return-icmp' action.

Rules cut, copy, paste and delete

GUI Tips

- A left-click on the number of a rule copies it. The whole rule flashes,
  showing that it is in the clipboard.
- A control-click on the number of a rule cuts it. It is copied to the
  clipboard, enabling you to immediately paste it anywhere in the ruleset.
- If the clipboard contains a rule A, a middle-click on the number of a
  rule B pastes rule A just after rule B. If you want to paste a rule before
  the first rule, paste it on the '#' box in the headers row.

The right-click popup menu mentioned above allows you to cut, copy, paste and
delete rules. Pasting a rule works like creating a new rule: you must
right-click on the rule number just above the place where you want your rule
to be pasted. Cutting and pasting is the only way to reorder rules. The popup
menu also lets you delete or clear a rule. See also how you can copy rules
from one ruleset to another.

What if you don't want a rule in your ruleset anymore, but may have to
re-enter it later? You can "disable" it, then enable it again whenever you
want, again from the right-click popup menu. Disabled rules are displayed
greyed out:

[Figure: Rules 1 and 2 are disabled]

Isba does not have an "undo" feature. If you delete a rule, it is lost for
good, unless you can revert to the last time you saved. You can protect
yourself from accidental modifications to rules by locking them, again from
the right-click popup menu. The same menu allows you to unlock a rule. On
locked rules, the rule number is displayed on a black background.

Warning: when a rule is locked, the rule itself can't be modified (it can't
even be disabled or enabled), but its objects can.

[Figure: Rule 6 is locked]

Here "compiling" means translating isba rules to ipfilter rules. At any time
you can see the ipfilter rules a given isba rule will be translated into.
Again, use the right-click popup menu and choose "compile to stdout". You
may notice that some isba rules are translated into several ipfilter rules.
This is described in Rule unfolding.

[Figure: Compiling one rule]

In multi-target rulesets you can specify, on a per-rule basis, the parts of
your ruleset that will be compiled depending on the target it is compiled
for. When a rule contains a '#if-target(hosts_nets)' directive somewhere in
its comment box, this rule will be compiled if and only if the current target
(the host the ruleset is being compiled for) belongs to the set of hosts
and/or nets hosts_nets. For example:

#if-target()
#if-not-target()

[Figure: Sample conditional rule]

When the ruleset is compiled, this rule will generate an ipfilter rule if the
current target belongs to 'ftp-servers'. It will generate nothing on targets
that don't.

The 'hosts_nets' can be a white space separated list of hosts, nets, groups
of hosts and groups of nets. There is also a '#if-not-target(hosts_nets)'
directive.

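The following is an added illustration of how the '#if-target' and '#if-not-target' directives select rules per target; it is not isba's own code, and the host, net and group names it uses (ftp1, ftp2, www1, dmz, ftp-servers) are constructed for the example. It assumes a group may contain hosts, nets or other groups, and a target "belongs" to a net when its address is inside that net.

```python
import ipaddress
import re

# Constructed object store for the example (not isba's real objects):
# hosts and nets map to addresses, groups map to lists of member names.
HOSTS = {"ftp1": "192.0.2.10", "ftp2": "192.0.2.11", "www1": "198.51.100.5"}
NETS = {"dmz": "198.51.100.0/24"}
GROUPS = {"ftp-servers": ["ftp1", "ftp2"]}

# Matches '#if-target(...)' or '#if-not-target(...)' anywhere in a comment box.
DIRECTIVE = re.compile(r"#if-(not-)?target\(([^)]*)\)")


def expand(name):
    """Resolve a host, net or group name to a set of ip_network objects."""
    if name in GROUPS:
        members = set()
        for member in GROUPS[name]:
            members |= expand(member)          # groups may nest
        return members
    if name in HOSTS:
        return {ipaddress.ip_network(HOSTS[name])}   # single host -> /32
    if name in NETS:
        return {ipaddress.ip_network(NETS[name])}
    raise KeyError(f"unknown host/net/group: {name}")


def rule_applies(comment, target_ip):
    """True if a rule whose comment box is `comment` is compiled for target_ip.
    A rule without a directive is compiled for every target."""
    m = DIRECTIVE.search(comment)
    if m is None:
        return True
    negate = m.group(1) is not None           # '#if-not-target' inverts the test
    hosts_nets = m.group(2).split()           # white space separated list
    addr = ipaddress.ip_address(target_ip)
    member = any(addr in net for name in hosts_nets for net in expand(name))
    return member != negate


def compile_ruleset(rules, target_ip):
    """rules: list of (ipfilter_text, comment). Returns the lines kept for the target."""
    return [text for text, comment in rules if rule_applies(comment, target_ip)]


RULES = [  # constructed sample ruleset: (rule text, comment box)
    ("pass in quick proto tcp from any to any port = 21", "#if-target(ftp-servers)"),
    ("block in quick proto tcp from any to any port = 21", "#if-not-target(ftp-servers)"),
    ("pass in quick proto tcp from any to any port = 80", "#if-target(dmz)"),
    ("block in all", "default deny"),
]
```

Compiling RULES for target 192.0.2.10 keeps the first and last lines only; for 198.51.100.5 (in dmz, not an ftp server) it keeps the second, third and last.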
Isba User's Guide - last modified on 09-Jan-2002 12:58 MET - Copyright (c) 2001