| 5. Managing Objects |   |
| Three object types |
Isba uses three types of objects to represent these conditions: Interfaces, Host/Nets and Services. When building a rule, you will paste one (or more) objects in purpose-built boxes, e.g. the From and To boxes will accept to receive hosts and/or nets, etc. In Nat rules the hosts and nets objects can go to Original From, Original To and Translated Address boxes.
| Objects properties |
All three kinds of objects have the following properties:
- a name
- a value
- a color
- a one line comment.
Services have two additional properties:
- a protocol (tcp, udp, tcp/udp, icmp or any other IP protocol)
- a second value to optionally specify the end of a port range or an ICMP-Code.
You can define or change your objects' properties in edition windows. To open the edition window of an object, double-click on it. For example:
Editing a host or net object
Sample anonymous object
On the opposite, objects may be given a name but no value. At compile time, isba will generate an error unless it is a well-known object, such as for example the ftp service (see below).
This feature allows you to start writing a ruleset prior to knowing the values of all your objects.
Sample unvalued object
An object's Value field may receive the name of another object. In that case both objects have the same literal value. More interesting, the Value field may receive the names of several objects: see Groups of objects.
"Variable" objects
| Creating an object |
You can create an object from several places:
- from the 'Objects' main menu (New ...)
- from the Chooser (New)
- "on the fly": from main window, with a right-clic on a rule (new ...), in the box you want to put the future object in
- from main window, with a shift-clic on the Hosts/Nets, Services or Interfaces button in the upper-right corner.
These four methods all open an clean object edition window.
|
Gui tips If you close the Edition window before clicking Create or Update, your changes will be lost. |
| Editing Service objects |
| Range kind | First value ('Port') | Second value ('To') | Example |
| single port | the port value | (empty) | port = 23 |
| dual-bounded range | the lower bound (exclusive) | the upper bound (exclusive) | port 5999 >< 6011 |
| high-bounded range | (empty) | the upper bound (exclusive) | port < 1024 |
| low-bounded range | the lower bound (exclusive) | 65536 | port > 1023 |
 Sample ICMP Service edition window with popups |
| Objects Choosers |
|
Gui tips In Choosers, the objects properties are shown in descending order of interest: if you need to see only the Name, you can reduce the window width until only the Name column is visible. You won't see all bottom buttons any more, but the same functions (New, Edit, Eval, Del, Where) are available from the right-clic popup menu. This is a way of saving screen space if it is a problem. |
The Choosers show all objects properties: the Name (with the object color), the Value, the Comment, and the file the object was included from, if any. The Chooser for Services objects also shows the protocol.
 Sample Chooser window |
From the Chooser window you can:
- select an object by clicking it: the object is copied to the clipboard, from where it an be pasted in the ruleset
- create an object (New)
- edit the selected object (Edit)
- see the literal value of an object (Eval)
- destroy the selected object (Del)
- see where an object is used (Where).
|
Gui tips The New, Edit, Eval, Del and Where functions are also available from a right-click on an object (popup menu). |
| Seeing the literal value of an object |
|
Gui tips The Eval window is dynamic: you can keep it open and clic on several objects, and their literal value will show up when you click them. |
 Sample object evaluation window |
| Seeing objects dependancies |
- which objects use object A in their value - recursively (which objects use an object that uses A, etc)
- which ipf and nat rules use object A (or an object that uses A, etc).
|
Gui tips In the Where window you can double-clic on an object or rule to go straight to it (as with the 'Show me' button). |
Sample Where window
| Deleting an object |
Note that included objects can't be deleted (the Delete button is disabled). If you don't want an included object anymore, you must delete it from the file it is defined in (open the include fine).
When your object is ready to be created (or updated), holding down the Shift key while clicking the Create (or Update) button, results in the edit window staying open and retaining its data. This is useful to enter several similar objects.
Similarly, if you hold down the Control key, the edition window will stay open but will be cleared.
| Predefined objects |
| Object | Description |
| proto-tcp | a port-undefined TCP Service you can use in an Ipf rule to say "proto tcp" without specifying a port |
| proto-udp | a port-undefined UDP Service you can use in an Ipf rule to say "proto udp" without specifying a port |
| proto-tcp-udp | you'll never guess |
| proto-icmp | a type-undefined ICMP Service you can use in an Ipf rule to say "proto icmp" without specifying an ICMP-Type/Code |
| 0/32 | in Nat rules, specifies the current IP address |
| 0/0 | in Nat rules, specifies any original address |
| lo0 | the local loopback interface |
Moreover, at compile time, isba tries to resolve values of undefined objects:
- undefined tcp/udp Services are given the port number and protocol from the local machine's /etc/services file, if found
- undefined protocols are given the value from /etc/protocols, if found
- undefined hosts are given the value from /etc/hosts, if found.
At compile time, for each undefined object which value is found that way, isba prints a warning on stdout.
| Note: using such undefined objects makes your ruleset depend on the local machine's /etc/services, protocol and/or hosts files, which may not be a good idea. |
| Objects cut/copy/paste |
See also how you can copy objects from one ruleset to another.
|
Gui tips A left-click on an object in a rule or in a chooser copies
it. The object flashes to show it is in the clipboard (exception:
in a Chooser, objects don't flash). |
| Groups of objects |
We have seen that the value of an object may be a literal value or the name of another object. Actually it can be any number of literal values and objects names, so you can define a "group object". A group object may contain names of other group objects. Group objects are managed in the same Chooser as simple objects of the same kind (there's no special Chooser for groups).
Sample group object
| Conditional values |
In multi-targets rulesets you can make the value of an object depend on the target the ruleset is compiled for. The syntax is:
#if-target(hosts_nets, value1 [, value2])
At compile time, the object which value is entered as above has its value equal to value1 if the target the ruleset is compiled for belongs to hosts_nets. Otherwise its value is value2 if present, or nothing if value2 is not defined (as if the object didn't exist).
#if-not-target()
In hosts/nets objects, value1 and value2 may be given the value 'any'.
There is also a '#if-not-target()' directive with the same syntax.
| Automatic values |
An Interface object can be given the value #from-ifconfig or #from-ifconfig(N): it receives the name of the Nth interface found in the target machine's `ifconfig -a` (lo0 excepted) at compile time. Isba uses the remote management SSH channel to get it. The syntax for the interface value is (default value for N is 1):
interface value = #from-ifconfig [(N)]
A Host object can be given the value #from-ifconfig(intf_name): it receives the IP address of the interface named intf_name (read from target machine's ifconfig -a through SSH) at compile time. The syntax for the host value is:
#from-ifconfig(intf)
host value = #from-ifconfig(intf_name)
Currently automatic values are supported in Solaris and *BSD.
Isba User's Guide - last modified on 09-Jan-2002 13:38 MET - Copyright (c) 2001