Projects / NetSPoC


The Network Security Policy Compiler (NetSPoC) is a tool for security management of large computer networks with different security domains. It generates configuration files for packet filters controlling the borders of security domains. It provides its own language for describing security policy and the topology of a network. The security policy is a set of rules that state which packets are allowed to pass the network and which are not. NetSPoC is topology aware; a rule for traffic from A to B is automatically applied to all managed packet filters on the path from A to B.

Operating Systems

Last announcement

Netspoc moved to github 18 May 2012 22:17

The website of Netspoc has been moved to github. Documentation is on the way to be rewritten. Some new versions have been released already. Full history of source code is available.

Recent releases

  •  02 Jan 2011 21:50

    Release Notes: Generated code for Linux iptables is highly optimized now. Deeply nested chains are used to minimize the number of tests for each checked packet. Support has been added for Cisco ASA devices as packet filter, VPN gateway, and for LAN-to-LAN IPSec tunnels. A new option to generate outgoing access lists has been added. Many other improvements and bugfixes have been applied.

    •  03 Jan 2008 10:33

      Release Notes: The rule set can be better adapted to stateful and stateless devices. New "automatic" groups can be used for simpler definition of similar rules which affect a large set of objects. Loopback interfaces and negotiated interfaces are now supported. Support for Cisco VPN 3000 devices has been added, but currently isn't well documented. More checks are done to prevent an inconsistent configuration. There are many other improvements and some bugfixes.

      •  18 Sep 2005 09:56

        Release Notes: IPSec encryption is supported now. A new concept of areas was introduced. An area denotes a part of the topology which is delimited by a set of interfaces. The IP address and mask of networks may alternatively be declared as an IP address and a prefix length. Some network objects get an optional attribute "owner" which is used for documentation purposes. Optimization has been improved by automatically joining rules with adjacent port ranges. Netspoc now runs on 64-bit systems.

        •  06 May 2005 03:05

          Release Notes: This release fixes a bug in local optimization, where some deny rules could inadvertently be marked as redundant, leading to missing ACLs for these rules in generated code. A second bug with automatically generated rules at stateless packet filters has also been fixed. For TCP, reverse deny rules no longer generated.

          •  16 Feb 2005 06:31

            Release Notes: PIX commands like "icmp" and "telnet", which filter traffic for the device itself, are generated now. There was a syntax error with IOS routers when applying an access list to an interface. This has been fixed.


            Project Spotlight


            A Fluent OpenStack client API for Java.


            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.