Project 3 (20 Points)

Description

A firewall may contain a large number of rules, and some of them might conflict with others. We consider a firewall whose rules use the following format:

  1. The lower bound of the source IP, denoted as an integer whose value belongs to [0, 255]
  2. The upper bound of the source IP, denoted as an integer whose value belongs to [0, 255]
  3. The lower bound of the destination IP, denoted as an integer whose value belongs to [0, 255]
  4. The upper bound of the destination IP, denoted as an integer whose value belongs to [0, 255]
  5. Protocol, TCP or UDP
  6. Action, DENY or ACCEPT

The lower bound and the upper bound of the source IP together form the subnet of source IP addresses; the lower bound and the upper bound of the destination IP together form the subnet of destination IP addresses.

Two examples of rules are given as follows:

  1. 10, 20, 30, 40, TCP, ACCEPT
  2. 10, 10, 30, 30, TCP, DENY

For the first rule, [10, 20] is the subnet of source IP addresses and [30, 40] is the subnet of destination IP addresses.

For the second rule, [10, 10] is the subnet of source IP addresses (it represents a single IP address) and [30, 30] is the subnet of destination IP addresses.

Two rules conflict if a single packet can match both rules but the rules lead to different actions. The two rules above conflict because a TCP packet with source IP address 10 and destination IP address 30 matches both and may lead to conflicting actions (ACCEPT or DENY).

You are asked to implement the conflicting-rule detection engine in Prolog. You can use the following rules to test your system, but the instructor may use additional rules to test your system for grading.

  1. 10, 20, 30, 40, TCP, ACCEPT
  2. 10, 10, 30, 30, TCP, DENY
  3. 10, 10, 30, 30, UDP, ACCEPT
  4. 10, 15, 20, 25, TCP, ACCEPT
  5. 50, 60, 70, 80, TCP, DENY

Deliverable

You will deliver a package that contains:

  1. Source code
  2. README.txt describing your compilation and run-time environment. Team members will also be listed in README.txt.

Your Prolog-based model should be able to enumerate all possible conflicting rules in a given rule set.

Team

  1. A team can have up to three students.
  2. One team only needs to submit one copy of source code and README.txt to Pilot.
  3. Other members in the same team need to submit a file indicating team members in Pilot.

Programming Environment

For the programming environment, B-Prolog is recommended.
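
One way to express the conflict definition above in Prolog, as an added example that is not part of the original assignment. The rule/7 fact layout, the lowercase atoms for protocol and action, and the predicate names intersect/6, conflict/3 and all_conflicts/1 are assumptions made for this sketch.

```prolog
% Added example; the fact layout and predicate names are assumptions.
% rule(Id, SrcLo, SrcHi, DstLo, DstHi, Protocol, Action)
% The five test rules from the description, numbered as listed there.
rule(1, 10, 20, 30, 40, tcp, accept).
rule(2, 10, 10, 30, 30, tcp, deny).
rule(3, 10, 10, 30, 30, udp, accept).
rule(4, 10, 15, 20, 25, tcp, accept).
rule(5, 50, 60, 70, 80, tcp, deny).

% intersect(+Lo1, +Hi1, +Lo2, +Hi2, -Lo, -Hi)
% Intersection of two closed ranges. Fails when the intersection is empty,
% which also rejects a malformed range whose lower bound exceeds its upper
% bound, since such a range matches no packet.
intersect(Lo1, Hi1, Lo2, Hi2, Lo, Hi) :-
    Lo is max(Lo1, Lo2),
    Hi is min(Hi1, Hi2),
    Lo =< Hi.

% conflict(-A, -B, -Overlap)
% Rules A and B conflict when some packet matches both and the actions
% differ: same protocol, overlapping source ranges, overlapping destination
% ranges. Overlap describes exactly the packets that hit both rules.
conflict(A, B, overlap(src(SLo, SHi), dst(DLo, DHi), Proto)) :-
    rule(A, SLo1, SHi1, DLo1, DHi1, Proto, ActA),
    rule(B, SLo2, SHi2, DLo2, DHi2, Proto, ActB),   % shared Proto: same protocol
    A < B,                                          % report each pair once
    ActA \== ActB,
    intersect(SLo1, SHi1, SLo2, SHi2, SLo, SHi),
    intersect(DLo1, DHi1, DLo2, DHi2, DLo, DHi).

% all_conflicts(-Conflicts)
% Enumerates every conflicting pair in the rule base.
all_conflicts(Conflicts) :-
    findall(conflict(A, B, Overlap), conflict(A, B, Overlap), Conflicts).
```

Querying all_conflicts(Cs) enumerates the conflicting pairs together with the packet region both rules match; on the five test rules the only such pair is rules 1 and 2, the pair the description identifies.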
