Oct 09 2003
 Vincent Deffontaines

This document describes the structure of, and the constraints on, the XML
data used for nufw's ACL definitions.


The order of directives does not matter, except that proto must be specified
before ports or types.

Order of directives can (and should) be optimized by the rules generator.

o All possible directives :
--------------------------

<protocol proto="[icmp/tcp/udp]">  </protocol proto="[icmp/tcp/udp]">
<srcipstart ip="[ip]">         </srcipstart ip="[ip]">
<srcipend ip="[ip]">           </srcipend ip="[ip]">
<dstipstart ip="[ip]">         </dstipstart ip="[ip]">
<dstipend ip="[ip]">           </dstipend ip="[ip]">
#TCP and UDP specific
<srcportstart port="[port]">     </srcportstart port="[port]">
<srcportend port="[port]">       </srcportend port="[port]">
<dstportstart port="[port]">     </dstportstart port="[port]">
<dstportend port="[port]">       </dstportend port="[port]">
#end of TCP and UDP specific
#ICMP specific
<icmptype type="[type]">       </icmptype type="[type]">
#end ICMP specific
<daystart days="[days]">       </daystart days="[days]">
<dayend days="[days]">         </dayend days="[days]">
#days = the sum of the selected days, where monday = 1, tuesday = 2, wednesday = 4, etc.
<timestart time="[time]">      </timestart time="[time]">
<timeend   time="[time]">      </timeend time="[time]">
#time = number of seconds since midnight
<Group>GroupID</Group>
#The only mandatory directive.



o Rules :
--------
Not all directives need to be specified.
The two following examples are strictly equivalent :

<protocol proto="tcp">
 <dstportstart port="1">
  <dstportend port="1024">
   <timestart time="32400"> #9 am
    <timeend time="61200">  # 5 pm
     <Group>101</Group>  #Allow these groups' members to perform a connection in specified conditions
     <Group>102</Group>
    </timeend time="61200">
   </timestart time="32400">
  </dstportend port="1024">
 </dstportstart port="1">
</protocol proto="tcp">


<timestart time="32400"> #9 am
 <timeend time="61200">  # 5 pm
  <protocol proto="tcp">
   <dstportstart port="1">
    <dstportend port="1024">
     <Group>101</Group>  #Allow these groups' members to perform a connection in specified conditions
     <Group>102</Group>
    </dstportend port="1024">
   </dstportstart port="1">
  </protocol proto="tcp">
 </timeend time="61200">
</timestart time="32400">


Another example :
<timestart time="32400"> #9 am
 <timeend time="61200">  # 5 pm
  <protocol proto="tcp">
   <dstportstart port="1">
    <dstportend port="1024">
     <Group>101</Group>
     <Group>102</Group>  #Allow these groups' members to perform a connection to TCP ports 1-1024
    </dstportend port="1024">
   </dstportstart port="1">
  </protocol proto="tcp">
  <protocol proto="udp">
   <dstportstart port="53">
    <dstportend port="53">
     <Group>101</Group>  #Allow these groups' members to perform a connection to UDP port 53
     <Group>102</Group>
    </dstportend port="53">
   </dstportstart port="53">
  </protocol proto="udp">
 </timeend time="61200">
</timestart time="32400">

