Checking the Expressivity of Firewall Languages

  • Lorenzo CeragioliEmail author
  • Pierpaolo Degano
  • Letterio Galletta
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11760)


Designing and maintaining firewall configurations is hard, also for expert system administrators. Indeed, policies are made of a large number of rules and are written in low-level configuration languages that are specific to the firewall system in use. As part of a larger group, we have addressed these issues and have proposed a semantic-based transcompilation pipeline. It is supported by FWS, a tool that analyses a real configuration and ports it from a firewall system to another. To our surprise, we discovered that some configurations expressed in a real firewall system cannot be ported to another system, preserving the semantics. Here we outline the main reasons for the detected differences between the firewall languages, and describe F2F, a tool that checks if a given configuration in a system can be ported to another system, and reports its user on which parts cause problems and why.


  1. 1.
    Adão, P., Bozzato, C., Rossi, G.D., Focardi, R., Luccio, F.L.: Mignis: a semantic based tool for firewall configuration. In: IEEE 27th Computer Security Foundations Symposium, CSF 2014, pp. 351–365 (2014)Google Scholar
  2. 2.
    Adão, P., Focardi, R., Guttman, J.D., Luccio, F.L.: Localizing firewall security policies. In: Proceedings of the 29th IEEE CSF, Lisbon, Portugal, 27 June–1 July 2016, pp. 194–209 (2016)Google Scholar
  3. 3.
    Bodei, C., Degano, P., Focardi, R., Galletta, L., Tempesta, M.: Transcompiling firewalls. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 303–324. Springer, Cham (2018). Scholar
  4. 4.
    Bodei, C., Degano, P., Focardi, R., Galletta, L., Tempesta, M., Veronese, L.: Language-independent synthesis of firewall policies. In: Proceedings of the 3rd IEEE European Symposium on Security and Privacy (2018)Google Scholar
  5. 5.
    Ceragioli, L., Degano, P., Galletta, L.: Are All Firewall Systems Equally Powerful? Submitted for publication.
  6. 6.
    Ceragioli, L., Galletta, L., Tempesta, M.: From firewalls to functions and back. In: Italian Conference on Cybersecurity ITASEC 2019. CEUR Proceedings, vol. 2315 (2019).
  7. 7.
    Cuppens, F., Cuppens-Boulahia, N., Sans, T., Miège, A.: A formal approach to specify and deploy a network security policy. In: Dimitrakos, T., Martinelli, F. (eds.) Formal Aspects in Security and Trust. IIFIP, vol. 173, pp. 203–218. Springer, Boston, MA (2005). Scholar
  8. 8.
    Diekmann, C., Hupel, L., Michaelis, J., Haslbeck, M.P.L., Carle, G.: Verified iptables firewall analysis and verification. J. Autom. Reason. 61(1–4), 191–242 (2018)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Foley, S.N., Neville, U.: A firewall algebra for openstack. In: 2015 IEEE Conference on Communications and Network Security, CNS 2015, pp. 541–549 (2015)Google Scholar
  10. 10.
    Martínez, S., Cabot, J., Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N.: A model-driven approach for the extraction of network access-control policies. In: Proceedings of the MDSec 2012, pp. 5:1–5:6. ACM (2012)Google Scholar
  11. 11.
  12. 12.
    Russell, R.: Linux 2.4 packet filtering HOWTO (2002). documentation/HOWTO/packet- filtering-HOWTO.html
  13. 13.
  14. 14.
    The Netfilter Project.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Dipartimento di InformaticaUniversità di PisaPisaItaly
  2. 2.IMT School for Advanced StudiesLuccaItaly

Personalised recommendations