Ian! D. Allen
2005-Jun-01 01:45 UTC
[Shorewall-devel] use of shell code in shorewall/params
The params file appears to be simply "sourced" by the firewall script, which means one can put any Bourne shell code into it and it will execute it. This feature isn't documented, so I'm wondering if it can be documented and thus guaranteed to always work. I'd like to dig out the IP parameters of my interface cards from the ifcfg-eth? files and set shorewall variables with those values. If I can put that code into the params file, it saves me writing a separate script that runs and creates the params file before shorewall starts.

-- 
-IAN!

Ian! D. Allen Ottawa, Ontario, Canada - www.ottawa.ca
EMail: idallen@idallen.ca Home Page: http://www.idallen.com/
College professor (Linux) via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/
Ian! D. Allen wrote:
> The params file appears to be simply "sourced" by the firewall script,
> which means one can put any Bourne shell code into it and it will
> execute it. This feature isn't documented, so I'm wondering if it can
> be documented and thus guaranteed to always work. I'd like to dig out
> the IP parameters of my interface cards from the ifcfg-eth? files and
> set shorewall variables with those values. If I can put that code to
> the params file, it saves me writing a separate script that runs and
> creates the params file before shorewall starts.

While I can see this providing benefit, I can also see it causing problems. I look on it as the same kind of situation as using DNS to identify hosts in zones: can it be done? Yes. Is it a good idea? Possibly not.

I'd prefer to see this documented with warnings that you should only use it if you know what you're doing, and that it's not guaranteed to always work. Thoughts?

-- 
Paul <http://paulgear.webhop.net>
-- 
This message is signed with a GNU Privacy Guard cryptographic signature. If you are reading this message in a text attachment, it is because your email program does not support OpenPGP. Please consider upgrading to one of the secure alternatives at <http://mozilla.org/>.
Cristian Rodriguez
2005-Jun-01 14:08 UTC
[Shorewall-devel] use of shell code in shorewall/params
2005/6/1, Paul Gear <paul@gear.dyndns.org>:
> I look on it as the same kind of situation as using DNS to
> identify hosts in zones: can it be done? Yes. Is it a good idea?
> Possibly not.

DNS names in the config files is a really bad idea. Additionally to the information already included in the docs, DNS names can be spoofed, cache-poisoned etc.; a lot of bad things can happen.
Eduardo Ferreira
2005-Jun-01 14:09 UTC
[Shorewall-devel] use of shell code in shorewall/params
Paul Gear wrote on 01/06/2005 17:58:52:
> Ian! D. Allen wrote:
> > The params file appears to be simply "sourced" by the firewall script,
> > which means one can put any Bourne shell code into it and it will
> > execute it. This feature isn't documented, so I'm wondering if it can
> > be documented and thus guaranteed to always work. I'd like to dig out
> > the IP parameters of my interface cards from the ifcfg-eth? files and
> > set shorewall variables with those values. If I can put that code to
> > the params file, it saves me writing a separate script that runs and
> > creates the params file before shorewall starts.
>
> While i can see this providing benefit, i can also see it causing
> problems. I look on it as the same kind of situation as using DNS to
> identify hosts in zones: can it be done? Yes. Is it a good idea?
> Possibly not.

I disagree.

> I'd prefer to see this documented with warnings that you should only use
> it if you know what you're doing, and that it's not guaranteed to always
> work. Thoughts?

I think that it must be documented that any shorewall file that is sourced could use shell code (extensions included). And I think a HUGE WARNING should be written both in the documentation and in the params file. IIRC, Tom uses shell code in his params file. It is up to the sysadmin to test his/her code carefully.

my 2c,

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Paul,

Paul Gear wrote:
>
> I'd prefer to see this documented with warnings that you should only use
> it if you know what you're doing, and that it's not guaranteed to always
> work. Thoughts?
>

It has been documented in a fashion for some time since both FAQs 1d and 2 mention doing it and give examples. It is unlikely to ever stop working since there is no more efficient way to bind a set of user-defined symbols to values in a running shell than to source a set of assignment statements (which is what is done with /etc/shorewall/params).

While I agree that you need to know what you are doing, it can be very useful in some cases. This morning, I updated the Configuration File Basics document (http://shorewall.net/configuration_file_basics.htm) with another example. Feel free to add caveats if you think they are warranted.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> ...
> It has been documented in a fashion for some time since both FAQs 1d and
> 2 mention doing it and give examples. It is unlikely to ever stop
> working since there is no more efficient way to bind a set of
> user-defined symbols to values in a running shell than to source a set
> of assignment statements (which is what is done with /etc/shorewall/params).
>
> While I agree that you need to know what you are doing, it can be very
> useful in some cases. This morning, I updated the Configuration File
> Basics document (http://shorewall.net/configuration_file_basics.htm)
> with another example. Feel free to add caveats if you think they are
> warranted.

I think at the very least we need statements that the code:

- should not have side-effects, especially on shorewall files
- should be safe to execute multiple times without producing different results (really just a specialisation of the above rule)
- should not depend on the timing of the call to params
- should not assume anything about the state of shorewall (e.g. whether it is starting or stopping)

There could be other issues - those are just off the top of my head. Perhaps a reiteration of the suggestion to use all upper case would be good, too. (Even though it's stated only a few lines above, it's easy to miss one part if you're looking for something particular.)

-- 
Paul <http://paulgear.webhop.net>
-- 
This message is signed with a GNU Privacy Guard cryptographic signature. If you are reading this message in a text attachment, it is because your email program does not support OpenPGP. Please consider upgrading to one of the secure alternatives at <http://mozilla.org/>.
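As an added example that is not code from this thread or from the Shorewall project: a params-style Bourne shell fragment that does what Ian asks for at the top of the thread (pulling DEVICE, IPADDR, NETMASK and GATEWAY out of an ifcfg-style file into upper-case shorewall variables) while following the rules Paul lists in the message above: it only reads, it produces the same bindings on every run, and it does not care when or in what state shorewall sources it. The ifcfg file is constructed inline for the example (its path and contents are assumptions; real files live in a distro-specific directory), and the variable names NET_IF, NET_IP, NET_MASK, NET_GW and the two helper functions are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example, not from the list thread or the Shorewall project.
# A params-style fragment: read interface settings from an ifcfg-style
# file and bind them to upper-case shell variables, keeping to the
# rules from the thread: read-only (no side effects on shorewall files),
# the same result on every run, no dependence on when or in what state
# shorewall sources the file.

# Constructed sample standing in for a distro's ifcfg-eth0 (path and
# contents are assumptions made for this example).
IFCFG_SAMPLE="${TMPDIR:-/tmp}/ifcfg-eth0.example.$$"
cat > "$IFCFG_SAMPLE" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
IPADDR="192.0.2.10"
NETMASK=255.255.255.0
GATEWAY=192.0.2.1
ONBOOT=yes
EOF

# ifcfg_value FILE KEY: print the value of the first KEY=VALUE line in
# FILE, with optional surrounding double quotes removed.  Only reads.
ifcfg_value() {
    # Anchor at line start so IPADDR does not also match IPADDR2.
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed -e 's/^"//' -e 's/"$//'
}

# set_params_from_ifcfg FILE: bind NET_IF, NET_IP, NET_MASK, NET_GW
# (hypothetical names) from FILE.  Returns 1 if a required value is
# missing, so a broken ifcfg file is noticed at once instead of
# silently leaving empty variables in the generated firewall rules.
set_params_from_ifcfg() {
    NET_IF=$(ifcfg_value "$1" DEVICE)
    NET_IP=$(ifcfg_value "$1" IPADDR)
    NET_MASK=$(ifcfg_value "$1" NETMASK)
    NET_GW=$(ifcfg_value "$1" GATEWAY)   # optional: may stay empty
    if [ -z "$NET_IF" ] || [ -z "$NET_IP" ] || [ -z "$NET_MASK" ]; then
        echo "params: DEVICE, IPADDR or NETMASK missing in $1" >&2
        return 1
    fi
    return 0
}

# Bind the variables, then bind them again and confirm the second run
# gives exactly the same result ("safe to execute multiple times").
set_params_from_ifcfg "$IFCFG_SAMPLE"
FIRST_RUN="$NET_IF $NET_IP $NET_MASK $NET_GW"
set_params_from_ifcfg "$IFCFG_SAMPLE"
SECOND_RUN="$NET_IF $NET_IP $NET_MASK $NET_GW"
[ "$FIRST_RUN" = "$SECOND_RUN" ] || echo "params: result changed between runs" >&2

echo "NET_IF=$NET_IF NET_IP=$NET_IP NET_MASK=$NET_MASK NET_GW=$NET_GW"
rm -f "$IFCFG_SAMPLE"
```

To use this in /etc/shorewall/params, keep only the two functions and a single `set_params_from_ifcfg /path/to/your/ifcfg-eth0` call, and drop the sample-file creation, the echo and the rm: a sourced params file should set variables and nothing else. Because the functions never write anywhere, sourcing the file during start, restart or stop gives the same bindings each time.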