7.5.8. Support for Rule Elements and Features on Various Firewalls

Certain fields in the rules are only available if the target firewall platform supports them. For example, the iptables firewall provides controls for logging of matched packets, while Cisco PIX does not; PIX always logs every packet it drops. Where possible, the policy compiler tries to emulate the missing feature. For example, OpenBSD PF does not support negation natively, but the policy compiler provides a workaround and emulates this feature for PF. Another example is policy rules with "Outbound" direction: Cisco PIX supports only inbound access lists, so the policy compiler emulates outbound access lists while generating configuration for PIX. Table 7.1 lists the fields in the rules and the firewall platforms that support each of them. The Firewall Builder GUI uses this same information to disable the corresponding menu items and hide the associated policy elements when the target platform does not support them.

Table 7.1. Rule Features Available on Different Platforms

Firewall Platform  Source  Destination  Service  Time Interval  Direction  Action  Logging/Options  Comment  Negation in Policy rules  Negation in NAT rules
iptables           +       +            +        +              +          +       +                +        +                         +
ipfilter           +       +            +        -              +          +       +                +        +                         -
pf                 +       +            +        -              +          +       +                +        +                         +
Cisco PIX          +       +            +        -              +          +       -                +        -                         -

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.