Firewall configured with dynamic membership sets representing machine attributes

US11050713B2 · US · B2

Patent metadata

Publication number: US-11050713-B2
Application number: US-201916678738-A
Country: US
Kind code: B2
Filing date: Nov 8, 2019
Priority date: Jun 24, 2009
Publication date: Jun 29, 2021
Grant date: Jun 29, 2021


Abstract

Official abstract text for this publication.

A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for implementing a distributed firewall on a host running a plurality of endpoints and a firewall manager, wherein each endpoint of the plurality of endpoints is associated with a virtual machine (VM) that has a plurality of attributes and an Internet protocol (IP) address associated therewith, the method comprising: identifying an update to an attribute of the plurality of attributes; identifying a policy rule comprising the updated attribute to transform into one or more firewall rules; matching an attribute in a source machine dependent condition of the identified policy rule to the updated attribute; generating a source machine identifier of a set of firewall rules for each virtual machine that satisfies the attribute of the source machine dependent condition of the identified policy rule; and using the endpoint identifier and the source machine identifier to transform the identified policy rule to one or more new firewall rules.

2. The method of claim 1, wherein the updated attribute is software that the VM executes.

3. The method of claim 1, wherein the updated attribute is one of the following: a location of the VM or a network property of the VM.

4. The method of claim 1, further comprising enabling the one or more new firewall rules to be applied to communications to and from the endpoint, the one or more new firewall rules comprising a second set of firewall rules that are not included in the set of firewall rules.

5. The method of claim 1, further comprising: matching an attribute in a destination machine dependent condition of the identified policy rule to the updated attribute; generating a destination machine identifier of the set of firewall rules for each virtual machine that satisfies the attribute of the destination machine dependent condition of the identified policy rule; and using the endpoint identifier, the source machine identifier, and the destination machine identifier to transform the identified policy rule to one or more new firewall rules.

6. The method of claim 1, further comprising: receiving an indication of an updated additional attribute of the plurality of attributes; and updating a firewall rule for the endpoint based on determining one or more attribute conditions within a second policy rule does not match the updated additional attribute of the endpoint.

7. The method of claim 1, wherein applying the one or more firewall rules comprises permitting or denying passage of messages between the endpoint and a second endpoint having a second IP address.

8. The method of claim 7, further comprising determining whether a message includes at least one of the IP address and the second IP address, wherein permitting or denying passage of messages between the endpoint and the second endpoint is based on whether the message includes at least one of the IP address and the second IP address.

9. One or more computer-readable media having computer-executable instructions for implementing a distributed firewall on a host running a plurality of endpoints, wherein an endpoint of the plurality of endpoints is associated with a virtual machine (VM) that has a plurality of attributes and an Internet protocol (IP) address associated therewith, the computer-executable instructions causing one or more processors to perform operations comprising: identifying an update to an attribute of the plurality of attributes; identifying a policy rule comprising the updated attribute to transform into one or more firewall rules; matching an attribute in a source machine dependent condition of the identified policy rule to the updated attribute; generating a source machine identifier of a set of firewall rules for each virtual machine that satisfies the attribute of the source machine dependent condition of the identified policy rule; and using the endpoint identifier and the source machine identifier to transform the identified policy rule to one or more new firewall rules.

10. The one or more computer-readable media of claim 9, wherein the updated attribute is software that the VM executes.

11. The one or more computer-readable media of claim 10, wherein the updated attribute is one of the following: a location of the VM or a network property of the VM.

12. The one or more computer-readable media of claim 9, wherein the computer-executable instructions further cause the one or more processors to perform operations comprising enabling the one or more new firewall rules to be applied to communications to and from the endpoint, the one or more new firewall rules comprising a second set of firewall rules that are not included in the set of firewall rules.

13. The one or more computer-readable media of claim 9, wherein the computer-executable instructions further cause the one or more processors to perform operations comprising: matching an attribute in a destination machine dependent condition of the identified policy rule to the updated attribute; generating a destination machine identifier of the set of firewall rules for each virtual machine that satisfies the attribute of the destination machine dependent condition of the identified policy rule; and using the endpoint identifier, the source machine identifier, and the destination machine identifier to transform the identified policy rule to one or more new firewall rules.

14. The one or more computer-readable media of claim 9, wherein the computer-executable instructions further cause the one or more processors to perform operations comprising: receiving an indication of an updated additional attribute of the plurality of attributes; and updating a firewall rule for the endpoint based on determining one or more attribute conditions within a second policy rule does not match the updated additional attribute of the endpoint.

15. The one or more computer-readable media of claim 9, wherein applying the one or more firewall rules comprises permitting or denying passage of messages between the endpoint and a second endpoint having a second IP address.

16. The one or more computer-readable media of claim 9, wherein the computer-executable instructions further cause the one or more processors to perform operations comprising: determining whether a message includes at least one of the IP address and the second IP address, wherein permitting or denying passage of messages between the endpoint and the second endpoint is based on whether the message includes at least one of the IP address and the second IP address.

17. A computer system, wherein system software for the computer system is programmed to execute a method for implementing a distributed firewall, the computer system comprising: a memory storing policy rules; a host running a plurality of endpoints, wherein an endpoint of the plurality of endpoints is associated with a virtual machine (VM) that has a plurality of attributes and an Internet protocol (IP) address associated therewith; a firewall manager running on the host, the firewall manager configured to: identify an update to an attribute of the plurality of attributes; identify a policy rule comprising the updated attribute to transform into one or more firewall rules; match an attribute in a source machine dependent condition of the identified policy rule to the updated attribute; generate a source machine identifier of a set of firewall rules for each virtual machine that satisfies the attribute of the source machine dependent condition of the identified policy rule; and use the endpoint identifier and the source machine identifier to transfo
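The policy-to-firewall-rule transformation that the abstract and claims 1, 5 and 6 describe, written out as an added illustration that is not code from the patent or from VMware: attribute-dependent policy rules are expanded into IP-based rules for every VM whose attributes satisfy the source and destination conditions, and an attribute update re-transforms only the policy rules that mention that attribute, yielding the rules to add and the rules to withdraw. The class and function names, the inventory and the two policies are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Machine:
    ip: str       # machine identifier that ends up in the firewall rules
    attrs: dict   # attribute name -> set of values, e.g. {"software": {"nginx"}}

@dataclass
class PolicyRule:
    name: str
    src_cond: dict   # source machine dependent condition: attribute -> required value
    dst_cond: dict   # destination machine dependent condition
    action: str      # "allow" or "deny"

def satisfies(machine, cond):
    """True when the machine holds every attribute value the condition requires."""
    return all(v in machine.attrs.get(k, set()) for k, v in cond.items())

def transform(policies, machines):
    """Expand attribute-based policy rules into IP-based firewall rules.
    Returns a set of (policy name, src_ip, dst_ip, action) tuples; precedence
    between overlapping rules is left to the enforcement point."""
    rules = set()
    for p in policies:
        srcs = [m.ip for m in machines.values() if satisfies(m, p.src_cond)]
        dsts = [m.ip for m in machines.values() if satisfies(m, p.dst_cond)]
        rules.update((p.name, s, d, p.action) for s in srcs for d in dsts)
    return rules

def update_attribute(policies, machines, ip, attr, values):
    """Claim 1 flow: record an attribute update, re-transform only the policy
    rules whose conditions mention that attribute, and return (added, removed)."""
    affected = [p for p in policies if attr in p.src_cond or attr in p.dst_cond]
    before = transform(affected, machines)
    machines[ip].attrs[attr] = set(values)
    after = transform(affected, machines)
    return after - before, before - after

# Constructed sample inventory and policies (hypothetical, not from the patent).
MACHINES = {
    "10.0.1.10": Machine("10.0.1.10", {"software": {"nginx"}, "location": {"dmz"}}),
    "10.0.2.20": Machine("10.0.2.20", {"software": {"postgres"}, "location": {"internal"}}),
    "10.0.2.21": Machine("10.0.2.21", {"software": {"sshd"}, "location": {"internal"}}),
}
POLICIES = [
    PolicyRule("web-to-db", {"software": "nginx"}, {"software": "postgres"}, "allow"),
    PolicyRule("dmz-to-internal", {"location": "dmz"}, {"location": "internal"}, "deny"),
]

if __name__ == "__main__":
    for rule in sorted(transform(POLICIES, MACHINES)):
        print(rule)
    # 10.0.2.21 starts running postgres: only "web-to-db" is re-transformed.
    print(update_attribute(POLICIES, MACHINES, "10.0.2.21", "software", {"sshd", "postgres"}))
```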

Assignees

VMware Inc

Classifications

  • Rule management · CPC title

  • Distributed architectures, e.g. distributed firewalls · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11050713B2 cover?
A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transf…
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jun 29, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).