Brian J. Murrell
2007-Apr-06 02:57 UTC
recent shorewall lite for openwrt and shorewall-perl
Hello all,

I'm wondering if anyone's got any pointers to a good and recent version (i.e. a 3.4.x version would be great) of shorewall lite packaged for openwrt. I'm finally biting the bullet and replacing that computer in the basement that's my firewall/gateway with an appliance.

Another thought though, since shorewall-perl is producing iptables-restore compatible rulesets, that must make the shorewall-lite package a lot lighter, yes?

Any work in this area yet Tom?

b.

--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
>
> Another thought though, since shorewall-perl is producing
> iptables-restore compatible rulesets, that must make the shorewall-lite
> package a lot lighter, yes?
>
> Any work in this area yet Tom?

It is unlikely that embedded distributions like OpenWRT will ever have Perl (it's BIG). So the most promising approach seems to be to run Shorewall-perl on another box and Shorewall-lite on the embedded system.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-06 13:21 UTC
Re: recent shorewall lite for openwrt and shorewall-perl
On Thu, 2007-05-04 at 22:30 -0700, Tom Eastep wrote:
>
> It is unlikely that embedded distributions like OpenWRT will ever have
> Perl (it's BIG).

Oh definitely.

> So the most promising approach seems to be to run
> Shorewall-perl on another box and Shorewall-lite on the embedded system.

Yeah, that's exactly what I meant. What I was wondering though is how much smaller shorewall-lite's footprint will get when its work is done by iptables-restore.

I'd think that hopefully, a shorewall-lite could be loaded with only two round trips... one to gather information and one to ship the result and run iptables-restore.

b.

--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> On Thu, 2007-05-04 at 22:30 -0700, Tom Eastep wrote:
>> It is unlikely that embedded distributions like OpenWRT will ever have
>> Perl (it's BIG).
>
> Oh definitely.
>
>> So the most promising approach seems to be to run
>> Shorewall-perl on another box and Shorewall-lite on the embedded system.
>
> Yeah, that's exactly what I meant. What I was wondering though is how
> much smaller shorewall-lite's footprint will get when its work is done
> by iptables-restore.

Not a lot -- each rule generates only one line of script rather than two now.

>
> I'd think that hopefully, a shorewall-lite could be loaded with only two
> round trips... one to gather information and one to ship the result and
> run iptables-restore.

Shorewall-perl doesn't change the interaction sequence:

- One round trip to gather capabilities (if no capabilities file or if capabilities requested).
- One round trip to upload the generated script.
- One upload to run the generated script

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key