Semantics-Preserving Simplification of Real-World Firewall Rule Sets

  • Cornelius Diekmann
  • Lars Hupel
  • Georg Carle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9109)


The security provided by a firewall for a computer network almost completely depends on the rules it enforces. For over a decade, it has been a well-known and unsolved problem that the quality of many firewall rule sets is insufficient. Therefore, there are many tools to analyze them. However, we found that none of the available tools could handle typical, real-world iptables rulesets. This is due to the complex chain model used by iptables, but also to the vast number of possible match conditions that occur in real-world firewalls, many of which are not understood by academic and open source tools.

In this paper, we provide algorithms to transform firewall rulesets. We reduce the execution model to a simple list model and use ternary logic to abstract over all unknown match conditions. These transformations enable existing tools to understand real-world firewall rules, which we demonstrate on four decently-sized rulesets. Using the Isabelle theorem prover, we formally show that all our algorithms preserve the firewall’s filtering behavior.
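Added illustration (my own code, not the paper's algorithms or its Isabelle formalisation): a toy version of the two ideas the abstract names, flattening iptables' chain model into one rule list and evaluating match conditions under three-valued logic so that unsupported matches become "unknown" instead of breaking the analysis. The rule encoding, field names and the sample ruleset are assumptions; RETURN is deliberately not modelled.

```python
# Added example, not code from the paper: flatten an iptables-style chain
# model into a single list and evaluate it under three-valued logic.
# A rule is (matches, target); a match is (field, value). Targets are
# ACCEPT, DROP, or the name of a user-defined chain (a jump). RETURN is
# not modelled here (the paper handles it; this toy does not).
from typing import Dict, List, Tuple

Match = Tuple[str, str]
Rule = Tuple[List[Match], str]
UNKNOWN = None  # Kleene's third truth value, beside True and False

def t_and(a, b):
    """Three-valued conjunction: False dominates, then Unknown."""
    if a is False or b is False:
        return False
    return True if (a is True and b is True) else UNKNOWN

def unfold(chains: Dict[str, List[Rule]], chain: str) -> List[Rule]:
    """Inline every jump: a rule 'matches -> CHAIN' becomes CHAIN's rules,
    each with 'matches' conjoined, so the result is one flat list."""
    out: List[Rule] = []
    for matches, target in chains[chain]:
        if target in chains:
            for sub_m, sub_t in unfold(chains, target):
                out.append((matches + sub_m, sub_t))
        else:
            out.append((matches, target))
    return out

def eval_match(m: Match, pkt: Dict[str, str]):
    # A field the analyzer does not model is absent from pkt and
    # evaluates to UNKNOWN rather than aborting the analysis.
    field, value = m
    return UNKNOWN if field not in pkt else pkt[field] == value

def process(rules: List[Rule], pkt: Dict[str, str], policy="DROP") -> str:
    """First rule that definitely matches decides; a rule that might match
    (UNKNOWN) makes the verdict UNKNOWN; otherwise the policy applies."""
    for matches, target in rules:
        v = True
        for m in matches:
            v = t_and(v, eval_match(m, pkt))
        if v is True:
            return target
        if v is UNKNOWN:
            return "UNKNOWN"
    return policy

# Constructed sample ruleset (assumption): FORWARD jumps into a user
# chain, and one rule uses a conntrack state this toy model ignores.
CHAINS = {
    "FORWARD": [([("proto", "tcp")], "TCP_IN"), ([], "DROP")],
    "TCP_IN": [([("ctstate", "ESTABLISHED")], "ACCEPT"),
               ([("dport", "22")], "ACCEPT"), ([], "DROP")],
}
```

Running `process(unfold(CHAINS, "FORWARD"), pkt)` on a packet without a `ctstate` field yields `UNKNOWN` at the first conntrack rule, which is exactly the situation a tool must tolerate rather than reject.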


Keywords: Computer networks, Firewalls, Isabelle, Netfilter, Iptables, Semantics





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Technische Universität München, München, Germany
