Simon Matter wrote:
>
> Hi,
>
> I'm a long time shorewall user and I like it very much. There is only
> one thing where I'm not always happy with: the config files.
> There has been discussion on the list about the comments in the files.
> My concern is that I lose overview over my configuration because of the
> many config files. Of course there are advantages too but I'm thinking
> whether another config format would be better (or maybe it could be an
> additional configuration method).
> To make it short, I was thinking about writing a preprocessor which
> generates the shorewall config files on the fly. Now, my question is,
> what do other people think? I have attached a sample config file with
> all comments removed, just to show the syntax I intended to use. I like
> to have the whole config in one file.
>
> Any comments?
>
> Simon
>
Looks like the attachment got lost. Here it is via cut&paste:
config LOGFILE /var/log/messages
config LOGUNCLEAN info
config MACLIST_LOG_LEVEL info
config PATH /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
config SUBSYSLOCK /var/lock/subsys/shorewall
config STATEDIR /var/lib/shorewall
config FW fw
config NAT_ENABLED Yes
config MANGLE_ENABLED Yes
config IP_FORWARDING On
config NEWNOTSYN No
config BLACKLIST_DISPOSITION DROP
config MACLIST_DISPOSITION REJECT
config TCP_FLAGS_DISPOSITION DROP
common include common.def
common run_iptables -A common -p tcp --dport 672 -j reject
interfaces loc eth1 detect
interfaces sec eth2 detect
interfaces dmz eth3 detect
interfaces net eth4 detect
ecn eth4 182.128.148.0/16
zones net Net Internet
zones loc Local Local networks
zones dmz DMZ Demilitarized zone
zones sec Sec Security zone
masq 10.0.0.0/8 234.123.157.130
nat 10.1.6.83 eth1 234.123.157.134 No No
policy net all DROP info
policy all all REJECT info
proxyarp 234.123.157.131 eth3 eth4
proxyarp 234.123.157.132 eth3 eth4
proxyarp 234.123.157.133 eth3 eth4
tunnels openvpn loc 10.10.0.250
start /usr/bin/start_my_something
stop /usr/bin/killall start_my_something
routestopped eth1
rules ACCEPT fw loc tcp ssh
rules ACCEPT fw loc udp domain
rules ACCEPT fw loc tcp domain
rules ACCEPT fw loc udp ntp
rules ACCEPT fw sec tcp ssh
rules ACCEPT fw dmz tcp ssh
rules ACCEPT fw net tcp ssh
rules ACCEPT loc:10.1.200.117 fw tcp ssh
rules ACCEPT loc:10.1.6.25 dmz:234.123.157.132 tcp smtp
rules DNAT loc dmz:234.123.157.134 tcp 3028 - 10.1.6.83
rules ACCEPT dmz loc udp ntp
rules ACCEPT dmz:234.123.157.132 loc:10.1.6.25 tcp smtp
rules ACCEPT dmz net udp ntp
rules ACCEPT dmz:234.123.157.131 net udp domain
rules ACCEPT dmz:234.123.157.131 net tcp domain
rules ACCEPT dmz:234.123.157.132 net tcp smtp
rules ACCEPT dmz:234.123.157.134 net tcp domain,http
rules ACCEPT dmz:234.123.157.134 net udp domain
rules ACCEPT dmz:234.123.157.131 net tcp http,https,ftp,ssh
rules ACCEPT sec loc udp ntp
rules ACCEPT net dmz:234.123.157.131 tcp ssh
rules ACCEPT net dmz:234.123.157.131 udp domain
rules ACCEPT net dmz:234.123.157.131 tcp domain
rules ACCEPT net dmz:234.123.157.132 tcp smtp
rules ACCEPT net:212.23.224.70 dmz:234.123.157.131 udp 1024: domain
rules ACCEPT net:212.23.227.70 dmz:234.123.157.131 udp 1024: domain
rules ACCEPT net dmz:234.123.157.134 tcp 8080,3028
rules ACCEPT net dmz:234.123.157.135 tcp 8080
rules ACCEPT net dmz:234.123.157.136 tcp http,https
rules ACCEPT net dmz:234.123.157.133 tcp http,https
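A sketch of the preprocessor described in the post, added here as an illustration; it is not Simon's code and not part of Shorewall. It reads the single-file syntax shown above, maps the leading keyword of each line to the Shorewall file it feeds (`config` becomes `shorewall.conf` as KEY=VALUE, `common`/`start`/`stop` lines are copied verbatim, every other section becomes a tab-separated row of the file of the same name), and refuses unknown section keywords or rule actions, so a typo fails the build instead of silently dropping a firewall rule. The output file names, the verbatim/columnar split, the list of accepted rule actions and the constructed sample input are all assumptions of this example.

```python
"""Toy preprocessor for the single-file Shorewall syntax proposed in the post.

Hypothetical example: the first word of each line names the Shorewall file the
line belongs to; the remainder becomes one row of that file.  Unknown keywords
or rule actions are a hard error so a typo cannot silently drop a rule.
"""
from collections import OrderedDict
from pathlib import Path

# Sections whose lines are copied verbatim (shell fragments / scripts).
VERBATIM = {"common", "start", "stop"}
# Sections that become whitespace-separated column files (assumed mapping).
COLUMNAR = {"interfaces", "ecn", "zones", "masq", "nat", "policy",
            "proxyarp", "tunnels", "routestopped", "rules"}
# Rule actions accepted by this example (a subset of Shorewall's; assumption).
RULE_ACTIONS = {"ACCEPT", "DROP", "REJECT", "DNAT", "REDIRECT", "LOG"}

# Constructed sample input in the post's proposed syntax (not a real site).
SAMPLE = """\
config LOGFILE /var/log/messages
config FW fw
common include common.def
zones net Net Internet
zones loc Local Local networks
interfaces net eth4 detect
policy net all DROP info
rules ACCEPT loc:10.1.200.117 fw tcp ssh
"""


def parse_single_file(text):
    """Return an ordered {filename: [lines]} mapping for the generated files."""
    out = OrderedDict()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments are skipped
        parts = line.split(None, 1)
        section = parts[0]
        rest = parts[1].strip() if len(parts) > 1 else ""
        if section == "config":
            key, _, value = rest.partition(" ")
            if not key or not value:
                raise ValueError(f"line {lineno}: config needs KEY VALUE")
            out.setdefault("shorewall.conf", []).append(f"{key}={value.strip()}")
        elif section in VERBATIM:
            out.setdefault(section, []).append(rest)
        elif section in COLUMNAR:
            if section == "zones":
                cols = rest.split(None, 2)   # ZONE DISPLAY COMMENTS (spaces ok)
            else:
                cols = rest.split()
            if not cols:
                raise ValueError(f"line {lineno}: empty {section} entry")
            if section == "rules" and cols[0] not in RULE_ACTIONS:
                raise ValueError(f"line {lineno}: unknown rule action {cols[0]!r}")
            out.setdefault(section, []).append("\t".join(cols))
        else:
            # Fail closed: an unrecognised keyword is never silently ignored.
            raise ValueError(f"line {lineno}: unknown section {section!r}")
    return out


def render_files(parsed):
    """Turn the parsed mapping into {filename: file_text}."""
    return {name: "\n".join(lines) + "\n" for name, lines in parsed.items()}


def write_files(parsed, directory):
    """Write every generated file below `directory`; returns the paths written."""
    target = Path(directory)
    target.mkdir(parents=True, exist_ok=True)
    written = []
    for name, text in render_files(parsed).items():
        path = target / name
        path.write_text(text)
        written.append(path)
    return written


if __name__ == "__main__":
    for name, text in render_files(parse_single_file(SAMPLE)).items():
        print(f"--- {name}\n{text}", end="")
```

Run it with no arguments to see the files the sample would produce; `write_files(parse_single_file(text), "/etc/shorewall")` would emit them to disk. The deliberate choice is that the parser raises on anything it does not understand rather than passing it through, because in a firewall generator an ignored line is a missing rule.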