Hello, list.

Because I will use the nat table to do many DNATs, I write a shell script to manage the nat table through a MySQL database. So I want to let Shorewall manage only the filter table when Shorewall starts, stops, reboots, etc.

How can I do this?

-------------------------------------------
hmy

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf

huang mingyou wrote:
> Hello, list.
> Because I will use the nat table to do many DNATs, I write a shell
> script to manage the nat table through a MySQL database. So I want to
> let Shorewall manage only the filter table when Shorewall starts,
> stops, reboots, etc.
> How can I do this?

You don't.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
huang mingyou
2005-Aug-22 03:32 UTC
Re: how to let the shorewall not change the nat table?
If I have no rules for the nat table, what will be done to the nat table when Shorewall starts and stops?

2005/8/22, Tom Eastep <teastep@shorewall.net>:
> huang mingyou wrote:
> > Hello, list.
> > Because I will use the nat table to do many DNATs, I write a shell
> > script to manage the nat table through a MySQL database. So I want to
> > let Shorewall manage only the filter table when Shorewall starts,
> > stops, reboots, etc.
> > How can I do this?
>
> You don't.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

--
-------------------------------------------
hmy

Tom Eastep wrote:
> huang mingyou wrote:
>> Hello, list.
>> Because I will use the nat table to do many DNATs, I write a shell
>> script to manage the nat table through a MySQL database. So I want to
>> let Shorewall manage only the filter table when Shorewall starts,
>> stops, reboots, etc.
>> How can I do this?
>
> You don't.
>

Hint: If you want to solve a problem, ask how to solve the problem. Don't come up with a solution and ask how to implement the solution. Because while there is no way to implement your solution, there is probably a way to solve the problem that you are trying to solve.

In general terms

a) Using /etc/shorewall/init to access your mysql database and generate a set of DNAT- rules in some file.
b) Using INCLUDE in your /etc/shorewall/rules file to include your set of DNAT- rules into your configuration.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

huang mingyou wrote:
> If I have no rules for the nat table, what will be done to the nat
> table when Shorewall starts and stops?
>

All tables will be cleared.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
huang mingyou
2005-Aug-22 03:47 UTC
Re: how to let the shorewall not change the nat table?
OK, but I think that will be a lot of trouble, because the DNAT set is not static. But the firewall rules are static, so I can just dump the filter table, and when I use the fire I only load it and don't start Shorewall.

2005/8/22, Tom Eastep <teastep@shorewall.net>:
> Tom Eastep wrote:
> > huang mingyou wrote:
> >> Hello, list.
> >> Because I will use the nat table to do many DNATs, I write a shell
> >> script to manage the nat table through a MySQL database. So I want to
> >> let Shorewall manage only the filter table when Shorewall starts,
> >> stops, reboots, etc.
> >> How can I do this?
> >
> > You don't.
> >
>
> Hint: If you want to solve a problem, ask how to solve the problem.
> Don't come up with a solution and ask how to implement the solution.
> Because while there is no way to implement your solution, there is
> probably a way to solve the problem that you are trying to solve.
>
> In general terms
>
> a) Using /etc/shorewall/init to access your mysql database and generate
> a set of DNAT- rules in some file.
> b) Using INCLUDE in your /etc/shorewall/rules file to include your set
> of DNAT- rules into your configuration.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

--
-------------------------------------------
hmy
Cristian Rodriguez
2005-Aug-22 03:51 UTC
Re: how to let the shorewall not change the nat table?
huang mingyou wrote:
> Hello, list.
> Because I will use the nat table to do many DNATs, I write a shell
> script to manage the nat table through a MySQL database. So I want to
> let Shorewall manage only the filter table when Shorewall starts,
> stops, reboots, etc.
> How can I do this?
>

Don't do that. Trust me. Somebody can magically change your firewall rules with an SQL injection, or your MySQL server can trash your system to death if traffic is high.

huang mingyou wrote:
> OK, but I think that will be a lot of trouble, because the DNAT set is
> not static. But the firewall rules are static, so I can just dump the
> filter table, and when I use the fire I only load it and don't start
> Shorewall.
>

Then don't use Shorewall

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
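Tom's two steps (generate DNAT- rules from /etc/shorewall/init, then INCLUDE them from /etc/shorewall/rules) and Cristian's injection concern meet at one point: every database row has to be validated before it becomes a rule. The script below is an added example, not code from any poster in this thread or from the Shorewall project; the tab-separated row layout, the zone names `net` and `loc`, and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: DB rows (proto<TAB>public port<TAB>IPv4<TAB>port) -> DNAT- rules.
# Zone names "net"/"loc" and the row layout are assumptions, not from the thread.

# is_port N: true only for a decimal integer 1..65535 without leading zeros.
is_port() {
    case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# is_ipv4 A.B.C.D: true only for four decimal octets, each 0..255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_dnat_rules: rows on stdin, rules on stdout. Returns 1 if any row was
# rejected, so the caller can keep the previous rules file (fail closed).
emit_dnat_rules() {
    rc=0; n=0; tab=$(printf '\t')
    while IFS=$tab read -r proto pub_port ip dst_port extra; do
        n=$((n + 1))
        case "$proto" in tcp|udp) ok=1 ;; *) ok=0 ;; esac
        if [ "$ok" -eq 1 ] && [ -z "$extra" ] && is_port "$pub_port" &&
           is_ipv4 "$ip" && is_port "$dst_port"; then
            # Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
            printf 'DNAT-\tnet\tloc:%s:%s\t%s\t%s\n' \
                "$ip" "$dst_port" "$proto" "$pub_port"
        else
            printf 'row %d rejected\n' "$n" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample rows: two valid, one port range, one out-of-range octet.
sample_rows() {
    printf 'tcp\t8080\t192.168.1.10\t80\n'
    printf 'udp\t5060\t192.168.1.11\t5060\n'
    printf 'tcp\t1:65535\t192.168.1.12\t22\n'
    printf 'tcp\t2222\t192.168.1.300\t22\n'
}

sample_rows | emit_dnat_rules || echo "rows rejected: keep the old rules file" >&2
```

In /etc/shorewall/init the rows would come from the database query instead of `sample_rows`, with the output written to a temporary file that replaces the INCLUDEd file only when the function returns zero.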
huang mingyou
2005-Aug-22 04:05 UTC
Re: how to let the shorewall not change the nat table?
Oh, thank you, but there are more than 10000 DNAT ports, and they need updates. Ours is an IDC com, so I use a database to manage the port DNAT. And I will think about the MySQL problem.

2005/8/22, Cristian Rodriguez <judas_iscariote@shorewall.net>:
> huang mingyou wrote:
> > Hello, list.
> > Because I will use the nat table to do many DNATs, I write a shell
> > script to manage the nat table through a MySQL database. So I want to
> > let Shorewall manage only the filter table when Shorewall starts,
> > stops, reboots, etc.
> > How can I do this?
> >
>
> Don't do that. Trust me.
> Somebody can magically change your firewall rules with an SQL
> injection, or your MySQL server can trash your system to death if
> traffic is high.

--
-------------------------------------------
hmy