Personal tools
You are here: Home Events LFCS Seminars-Folder LFCS Seminar: Riccardo Focardi: A semantic based tool for firewall configuration

LFCS Seminar: Riccardo Focardi: A semantic based tool for firewall configuration

— filed under:

  • LFCS Seminar
When Jan 28, 2014
from 03:00 PM to 04:00 PM
Where IF 2.33
Add event to calendar vCal



The management and specification of access control rules that enforce a

given policy is a non-trivial, complex, and time consuming task. In this

paper we aim at simplifying this task both at specification and

verification levels. For that, we propose a formal model of Netfilter, a

firewall system integrated in the Linux kernel. We define an abstraction

of the concepts of chains, rules, and packets existent in Netfilter

configurations, and give a semantics that mimics packet filtering and

address translation. We then introduce a simple but powerful language

that permits to specify firewall configurations which are unaffected by

the relative ordering of rules and that does not depend on the

underlying Netfilter chains. We give a semantics for this language and

show that it can be translated into our Netfilter abstraction. We

demonstrate the feasibility of our approach by providing a publicly

available tool that translates abstract firewall specifications into

real Netfilter configurations.




Riccardo Focardi is an Associate Professor at Ca' Foscari University of

Venice, Italy. His research interests are in computer security with a

specific focus on the specification and formal analysis of security

properties. He is part of the Journal of Computer Security editorial

board and has served in the program committees of major information

security conferences. He has recently co-founded Cryptosense

(, a spin-off that brings to market research-based


tools for the formal analysis of cryptographic systems.

Document Actions