Are all firewall systems equally powerful?

Ceragioli L.; Galletta L.
2019-01-01

Abstract

Firewalls are a fundamental tool for managing and protecting computer networks. They not only permit specifying which packets are allowed to enter a network, but also how these packets are modified by translating IP addresses and performing port redirection (NAT). Many firewall systems are available, which provide different tools and configuration languages. Contrary to intuition, the most widespread languages cannot express the same configurations, even when only simple filtering and NAT transformations are considered. This paper formally investigates the power of the firewall languages of the most used tools in Unix and Linux. In particular, we introduce two kinds of expressivity. The first concerns the ways a packet can be transformed by NAT. According to this criterion, iptables is strictly more expressive than ipfw and pf, which are equivalent. The second kind is finer-grained and considers the dependencies among the management of all packets. Our results show that some configurations are expressible in one system, but not in another. Indeed, iptables is incomparable with the others, and ipfw is more expressive than pf.
2019
9781450368360
Configuration analysis; Firewall configuration languages; Firewall semantics; Porting
Files in this item:
File Size Format
plas11.pdf

not available

Type: Pre-print document
License: No license
Size 775.28 kB
Format Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.11771/14627
Citations
  • Scopus 4