So after using Shorewall for years, I've been taking my first foray into real router devices by playing with a MikroTik Routerboard 750. Nice little unit, 400MHz Mips CPU, 32MB RAM, 64MB flash.

I'm trying to wrap my head around writing actual router/firewall rules now, and it's quite interesting. The layout is similar to iptables (RouterOS is, after all, built on top of Linux), but I still have to convert all my existing proxy arp, firewall rules, and zone configurations to RouterOS commands and configuration.

Which led me to wonder: Is the shorewall compiler output "pluggable," or at least self-contained so as to be easily replaceable? I was thinking along the lines of the rules and config being parsed into a firewall-agnostic data structure, then I could take that data structure and write out rules in the RouterOS dialect.

Any chance of that?

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ID 0x14EA086E

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
That's an excellent idea. If it's not already in, I throw in my hat for a feature request.

Joshua J. Kugler wrote:
> So after using Shorewall for years, I've been taking my first foray into
> real router devices by playing with a MikroTik Routerboard 750. Nice
> little unit, 400MHz Mips CPU, 32MB RAM, 64MB flash.
>
> I'm trying to wrap my head around writing actual router/firewall rules
> now, and it's quite interesting. The layout is similar to iptables
> (RouterOS is, after all, built on top of Linux), but I still have to
> convert all my existing proxy arp, firewall rules, and zone
> configurations to RouterOS commands and configuration.
>
> Which led me to wonder: Is the shorewall compiler output "pluggable," or
> at least self-contained so as to be easily replaceable? I was thinking
> along the lines of the rules and config being parsed into a
> firewall-agnostic data structure, then I could take that data structure
> and write out rules in the RouterOS dialect.
>
> Any chance of that?
>
> j
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua J. Kugler wrote:
>
> Which led me to wonder: Is the shorewall compiler output "pluggable," or
> at least self-contained so as to be easily replaceable? I was thinking
> along the lines of the rules and config being parsed into a
> firewall-agnostic data structure, then I could take that data structure
> and write out rules in the RouterOS dialect.
>
> Any chance of that?

No time soon, I'm afraid. The Shorewall compiler is a two-pass compiler that builds iptables commands and Linux-specific shell code fragments in the first pass, then glues them all together in a second pass (although the code structure doesn't really make that obvious).

I have on my long-term list of goals to re-implement Shorewall along the lines that you suggest, but that won't happen until after I retire (currently planned for 2012). I'm also not convinced that the goal is reachable, since the externals of Shorewall itself are very Linux-centric.

- -Tom

- -- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkrc+vkACgkQO/MAbZfjDLKpCwCfQ/bdslN5yX6RwKwYEjJYqNqu
DSgAn1YFaww9TrLJlRUETzeqtz6SYd7w
=LiEE
-----END PGP SIGNATURE-----
On Monday 19 October 2009, Tom Eastep said something like:
> I have on my long-term list of goals to re-implement Shorewall along
> the lines that you suggest, but that won't happen until after I
> retire (currently planned for 2012). I'm also not convinced that the
> goal is reachable since the externals of Shorewall itself are very
> Linux-centric.

Thanks for the note. Not sure exactly what you mean by "shorewall externals." Shell? Perl? Network interfaces?

I wasn't looking for something to run on the device, but simply something that would generate the commands I could put into a script that I would then upload (or even copy/paste) to the device.

It might at least be a reachable goal for Linux-based routers. I feel like I'm writing IPTables rules (imagine that, RouterOS is based on Linux), but with a slightly different syntax.

At any rate, thanks for chiming in. Gives me more to mull over.

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ID 0x14EA086E
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua J. Kugler wrote:
> Not sure exactly what you mean by "shorewall externals." Shell? Perl?
> Network interfaces?

The "externals" of a software product are the aspects the end-user deals with.

a) The options in /etc/shorewall/interfaces are highly Linux-specific.

b) The features documented at http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html are completely Linux-specific.

c) The sections in the Rules file correspond 1:1 to Netfilter connection states.

...

> I wasn't looking for something to run on the
> device, but simply something that would generate the commands I could put
> into a script that I would then upload (or even copy/paste) to the
> device.
>
> It might at least be a reachable goal for Linux-based routers. I feel
> like I'm writing IPTables rules (imagine that, RouterOS is based on
> Linux), but with a slightly different syntax.

The people who created LinuxOS thought that they were adding value when they created different interfaces to accomplish the same tasks that standard Linux utilities (like iptables) already handle. The down side is that tools, like Shorewall, that are based on those standard tools, don't work on LinuxOS? Maybe those people didn't add as much value as they thought they were...

- -Tom

- -- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkrdAlQACgkQO/MAbZfjDLIdIwCfSdOHzUr5/w4/PKBLiBLroRbG
IIsAn00G0f0jJ1vV5c8uYDI/yErXGrMq
=v6KD
-----END PGP SIGNATURE-----
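To make the two points of this thread concrete (Joshua's proposed firewall-agnostic data structure with per-dialect emitters, and Tom's remark that the sections of the Shorewall rules file correspond 1:1 to Netfilter connection states), here is an added toy example. It is not code from the thread, from Shorewall, or from MikroTik. The rules text, the zone-to-interface mapping, and the two-section layout (SECTION ESTABLISHED / SECTION NEW) are constructed assumptions standing in for a real /etc/shorewall/rules and /etc/shorewall/interfaces; the RouterOS keywords used (chain, in-interface, out-interface, protocol, dst-port, connection-state, action) are the ones the stock `/ip firewall filter` syntax accepts, but nothing here has been run on a Routerboard.

```python
"""
Toy firewall-agnostic intermediate representation (IR).

A constructed sample in the classic Shorewall rules-file layout (SECTION
lines plus "ACTION SOURCE DEST PROTO DPORT" columns) is parsed into Rule
objects, then emitted either as iptables commands or as RouterOS
'/ip firewall filter' commands.  Example code, not Shorewall's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed zone -> interface mapping (hypothetical; Shorewall derives this
# from /etc/shorewall/interfaces, whose options this toy ignores).
ZONE_IFACES: Dict[str, str] = {"net": "eth0", "loc": "eth1"}

# Rules-file sections correspond 1:1 to Netfilter connection states.
SECTION_STATES: Dict[str, str] = {
    "ESTABLISHED": "ESTABLISHED,RELATED",
    "NEW": "NEW",
}

# Constructed sample input, not taken from any real configuration.
SAMPLE_RULES = """\
SECTION ESTABLISHED
ACCEPT  all  all  -    -
SECTION NEW
ACCEPT  loc  net  tcp  80,443   # web from the LAN
ACCEPT  net  loc  tcp  22
DROP    net  loc  udp  -
"""


@dataclass
class Rule:
    """Backend-neutral rule: what Shorewall's rules file says, not how."""
    action: str
    src_zone: str
    dst_zone: str
    proto: Optional[str]
    dports: List[str]
    ctstate: str


def parse_rules(text: str) -> List[Rule]:
    """Parse rules text into the IR, tracking the current SECTION."""
    rules: List[Rule] = []
    state = "NEW"  # rules before any SECTION line are treated as NEW
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "SECTION":
            state = SECTION_STATES[fields[1]]
            continue
        if len(fields) < 3:
            raise ValueError(f"need ACTION SOURCE DEST: {line!r}")
        action, src, dst = fields[0].upper(), fields[1], fields[2]
        proto = fields[3] if len(fields) > 3 and fields[3] != "-" else None
        dports = fields[4].split(",") if len(fields) > 4 and fields[4] != "-" else []
        if dports and proto not in ("tcp", "udp"):
            # Both backends reject a port match without a port-carrying protocol.
            raise ValueError(f"DPORT needs tcp or udp: {line!r}")
        rules.append(Rule(action, src, dst, proto, dports, state))
    return rules


def _iface(zone: str) -> Optional[str]:
    """'all' means no interface match; anything else must be a known zone."""
    return None if zone == "all" else ZONE_IFACES[zone]


def to_iptables(rules: List[Rule]) -> List[str]:
    """Emit one iptables command per rule, all in the FORWARD chain."""
    out = []
    for r in rules:
        p = ["iptables", "-A", "FORWARD"]
        if _iface(r.src_zone):
            p += ["-i", _iface(r.src_zone)]
        if _iface(r.dst_zone):
            p += ["-o", _iface(r.dst_zone)]
        if r.proto:
            p += ["-p", r.proto]
        if r.dports:
            p += ["-m", "multiport", "--dports", ",".join(r.dports)]
        p += ["-m", "conntrack", "--ctstate", r.ctstate, "-j", r.action]
        out.append(" ".join(p))
    return out


ROS_ACTIONS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def to_routeros(rules: List[Rule]) -> List[str]:
    """Emit one RouterOS command per rule, all in the forward chain."""
    out = []
    for r in rules:
        p = ["/ip firewall filter add chain=forward"]
        if _iface(r.src_zone):
            p.append(f"in-interface={_iface(r.src_zone)}")
        if _iface(r.dst_zone):
            p.append(f"out-interface={_iface(r.dst_zone)}")
        if r.proto:
            p.append(f"protocol={r.proto}")
        if r.dports:
            p.append(f"dst-port={','.join(r.dports)}")
        p.append(f"connection-state={r.ctstate.lower()}")
        p.append(f"action={ROS_ACTIONS[r.action]}")
        out.append(" ".join(p))
    return out


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("\n".join(to_iptables(parsed)))
    print("\n".join(to_routeros(parsed)))
```

Running it prints the same four rules twice, once per dialect; the RouterOS lines are the kind of thing Joshua describes pasting into the device, while the iptables lines show what the same IR looks like on Linux. The part that stays honest to Tom's objection is everything the IR does not carry: the interface options, aliased-interface handling and proxy ARP configuration that live outside the rules file have no slot in `Rule` and would need a backend-specific translation of their own, and only the FORWARD/forward chain is covered here, so traffic to the router itself (INPUT on Linux, the input chain on RouterOS) is not expressed at all.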