On Wed, Jan 24, 2007 at 09:51:13AM +0100, Marco Cremonini wrote:
> Hi all,
> I would like to ask you a suggestion for a project we are
> developing.
> The project aims to automate some monitoring functionality with
> firewall policy management (just iptables, at present).
> The problem is: We would like to implement/adopt a high-level
> specification language for the definition of a security policy,
> something that should allow specifying the policy at organizational
> level. Such a policy should then be translated into specific fw rules.
> [ .. ]

It's probably not high level enough for you, but are you
aware of http://www.fwbuilder.org/ ?

Here's an excerpt from the FAQ. It does cisco pix as well,
but that costs.

Frequently Asked Questions for Firewall Builder 2.0 and 2.1
Vadim Kurland

Revision History
Revision $Revision: 1.6 $ $Date: 2007/01/06 20:09:22 $ Revised by: vk

Firewall Builder consists of an object-oriented GUI and a set of
policy compilers for various firewall platforms. In Firewall Builder,
a firewall policy is a set of rules; each rule consists of abstract
objects that represent real network objects and services (hosts,
routers, firewalls, networks, protocols). Firewall Builder helps
users maintain a database of objects and allows policy editing
using simple drag-and-drop operations.

Object databases are stored in XML format. The GUI and policy
compilers are completely independent. The GUI requires only minimal
changes in order to add support for a new firewall platform even
though a new policy compiler must be written. This provides for a
consistent abstract model and the same GUI for different firewall
platforms. The standardized XML data format opens the possibility for
many user interfaces and policy compiler implementations, all

We have policy compilers for the popular free firewalls iptables
http://www.iptables.org/, ipfilter http://coombs.anu.edu.au/~avalon/,
pf http://www.benzedrine.cx/pf.html. Because of the modular
architecture, Firewall Builder can be used to manage firewalls
built on a variety of platforms including, but not limited to, Linux
using iptables, ipfilter on FreeBSD or Solaris and pf on OpenBSD.
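To make the "abstract objects + policy compiler" idea from the FAQ excerpt concrete, here is a toy policy compiler added as an illustration. It is not Firewall Builder's code and does not use its XML schema: the `<policy>/<objects>/<rules>` layout, the attribute names and the sample addresses are all constructed for this example. The same abstract rule set is compiled once to iptables and once to pf, which is the point of keeping the object model separate from the per-platform compiler, and a small check flags a policy that does not end in an explicit deny.

```python
"""Toy policy compiler: abstract objects + rules (XML) -> iptables or pf.

Added example; not Firewall Builder's code or schema. The element and
attribute names below are hypothetical, chosen only for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample object database and policy (hypothetical layout).
POLICY_XML = """<policy>
  <objects>
    <host name="web1" address="192.0.2.10"/>
    <network name="office" address="198.51.100.0/24"/>
    <service name="http" protocol="tcp" port="80"/>
    <service name="ssh" protocol="tcp" port="22"/>
  </objects>
  <rules>
    <rule src="any" dst="web1" service="http" action="accept"/>
    <rule src="office" dst="web1" service="ssh" action="accept"/>
    <rule src="any" dst="web1" service="any" action="deny"/>
  </rules>
</policy>"""


def parse_policy(xml_text):
    """Return (objects, rules); objects maps name -> attribute dict."""
    root = ET.fromstring(xml_text)
    objects = {}
    for el in root.find("objects"):
        attrs = dict(el.attrib)
        attrs["kind"] = el.tag          # host / network / service
        objects[attrs["name"]] = attrs
    rules = [dict(r.attrib) for r in root.find("rules")]
    return objects, rules


def resolve(objects, name, kinds):
    """Look up a referenced object and enforce its kind; 'any' -> None."""
    if name == "any":
        return None
    obj = objects.get(name)
    if obj is None:
        raise ValueError(f"rule references undefined object {name!r}")
    if obj["kind"] not in kinds:
        raise ValueError(f"object {name!r} is a {obj['kind']}, expected {kinds}")
    return obj


# Per-target translation of the abstract actions.
ACTIONS = {"iptables": {"accept": "ACCEPT", "deny": "DROP"},
           "pf": {"accept": "pass", "deny": "block"}}


def compile_policy(xml_text, target="iptables"):
    """Compile the abstract policy into a list of rule strings for target."""
    if target not in ACTIONS:
        raise ValueError(f"unsupported target {target!r}")
    objects, rules = parse_policy(xml_text)
    out = []
    for rule in rules:
        src = resolve(objects, rule["src"], ("host", "network"))
        dst = resolve(objects, rule["dst"], ("host", "network"))
        svc = resolve(objects, rule["service"], ("service",))
        if rule["action"] not in ACTIONS[target]:
            raise ValueError(f"unknown action {rule['action']!r}")
        action = ACTIONS[target][rule["action"]]
        if target == "iptables":
            parts = ["iptables", "-A", "FORWARD"]
            if src:
                parts += ["-s", src["address"]]
            if dst:
                parts += ["-d", dst["address"]]
            if svc:
                parts += ["-p", svc["protocol"], "--dport", svc["port"]]
            parts += ["-j", action]
            out.append(" ".join(parts))
        else:  # pf
            line = f"{action} in"
            if svc:
                line += f" proto {svc['protocol']}"
            line += f" from {src['address'] if src else 'any'}"
            line += f" to {dst['address'] if dst else 'any'}"
            if svc:
                line += f" port {svc['port']}"
            out.append(line)
    return out


def ends_with_deny(xml_text):
    """True if the last rule is a service-wide deny from any source.
    Without it, unmatched traffic falls through to the chain's default
    policy, which on a fresh iptables install is ACCEPT."""
    _, rules = parse_policy(xml_text)
    if not rules:
        return False
    last = rules[-1]
    return (last["action"] == "deny" and last["src"] == "any"
            and last["service"] == "any")


if __name__ == "__main__":
    for target in ("iptables", "pf"):
        print(f"# {target}")
        for line in compile_policy(POLICY_XML, target):
            print(line)
    print("ends with deny:", ends_with_deny(POLICY_XML))
```

Each backend is a few lines because everything platform-neutral (object lookup, kind checking, the accept/deny vocabulary) lives in one place; adding a third target means adding one more branch and one more entry in `ACTIONS`, which mirrors the FAQ's claim that a new platform needs a new compiler but no change to the object model.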

