I have implemented the ability to specify 'all' in the SOURCE and DESTINATION columns of the rules file and I'm not sure I like the result. The code is in CVS if any of you are interested in giving it a try. If you do try it, please let me know what you think.

If you specify 'all' in those columns it must not be qualified (may not be followed by ":") and 'all' doesn't affect intra-zone traffic (e.g., "ACCEPT all loc http" doesn't enable http from loc to loc).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
> I have implemented the ability to specify 'all' in the SOURCE and
> DESTINATION columns of the rules file and I'm not sure I like the
> result. The code is in CVS if any of you are interested in giving it a
> try. If you do try it, please let me know what you think.
>
> If you specify 'all' in those columns it must not be qualified (may not
> be followed by ":") and 'all' doesn't affect intra-zone traffic (e.g.,
> "ACCEPT all loc http" doesn't enable http from loc to loc).

Thanks a lot! You can only guess how much this helps when you have 18 interfaces on your firewall box. It makes configuring simpler, really. Without that change I had to specify smtp-server in dmz zone with 18 rules...

Btw. Is there really a reason to make fw zone configurable?

--
Tuomo Soini <tis@foobar.fi> http://tis.foobar.fi/
--On Tuesday, November 12, 2002 12:28:43 PM +0200 Tuomo Soini <tis@foobar.fi> wrote:

> Thanks a lot! You can only guess how much this helps when you have 18
> interfaces on your firewall box. It makes configuring simpler, really.
> Without that change I had to specify smtp-server in dmz zone with 18
> rules...

My experience is that while it may result in less entries in /etc/shorewall/rules, that it results in each connection request having to go through more iptables rules. That's what I dislike about it.

>
> Btw. Is there really a reason to make fw zone configurable?
>

At least one user has a network of firewalls and gives each of them a different internal name.

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
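As an added example (not Shorewall's own code and not from anyone in this thread), here is a small Python model of the 'all' expansion Tom describes in the first message, using a constructed zone list `ZONES` and a hypothetical `expand_rule` function; columns after DEST are passed through untouched. Expanding a rules file this way also makes the trade-off in the reply above concrete: one 'all' rule is short to write, but it becomes one rule per other zone, each of which a connection request may have to traverse.

```python
# Expand 'all' in the SOURCE/DEST columns of a Shorewall-style rules file,
# as described in the thread: 'all' may not be qualified with ':' and an
# expanded rule never covers intra-zone traffic (loc -> loc).
from itertools import product

# Constructed zone list for the example, not taken from any real setup.
ZONES = ["fw", "net", "loc", "dmz"]


def expand_rule(line, zones=ZONES):
    """Expand one rules line into zone-pair rules; columns after DEST pass through."""
    cols = line.split()
    if len(cols) < 3:
        raise ValueError("rule needs at least ACTION SOURCE DEST: %r" % line)
    action, src, dst, rest = cols[0], cols[1], cols[2], cols[3:]

    for col in (src, dst):
        # 'all' must stand alone: 'all:10.0.0.0/8' is an error, not a guess.
        if col.startswith("all:"):
            raise ValueError("'all' may not be qualified: %r" % col)

    if src != "all" and dst != "all":
        return [line]  # nothing to expand; the rule costs exactly one entry

    srcs = zones if src == "all" else [src]
    dsts = zones if dst == "all" else [dst]
    out = []
    for s, d in product(srcs, dsts):
        # The other column may still carry a qualifier ('loc:10.0.0.0/8');
        # compare bare zone names so intra-zone pairs are always skipped.
        if s.split(":", 1)[0] == d.split(":", 1)[0]:
            continue
        out.append(" ".join([action, s, d] + rest))
    return out


def expand_rules(lines, zones=ZONES):
    """Expand a whole rules file, dropping comments and blank lines."""
    rules = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rules.extend(expand_rule(line, zones))
    return rules
```

The length of the returned list is the number of rules the firewall actually ends up with, which is the efficiency cost Tom refers to.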
--On Tuesday, November 12, 2002 04:15:29 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> My experience is that while it may result in less entries in
> /etc/shorewall/rules, that it results in each connection request having
> to go through more iptables rules. That's what I dislike about it.
>

Hmmm -- that sentence broke new syntactic ground. What I was trying to say is that while this new code may make it simpler to maintain /etc/shorewall/rules, the firewall will become less efficient as a result.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net