Ramiro Morales
2003-Mar-05 11:18 UTC
[Shorewall-devel] A couple of enhancement suggestions
... are they possible? Or better yet: are they enhancements at all?

First, make it possible to use the vars defined in the params file in the policy file and in shorewall.conf also.

Second, make it possible to specify a pseudo log level like NULL, SWNULL (SW for Shorewall) or an appropriate name that would have the same effect as not specifying a log level at all.

These modifications together would make it easy to define something like

    MY_RFC1918_LOGLVL=ULOG
    MY_LOC2FW_LOGLVL=NULL
    MY_SSH_LOGLVL=info

in params and then be able to put things like

    RFC1918_LOG_LEVEL=$RFC1918_LOG_LEVEL

in shorewall.conf,

    loc fw REJECT $MY_LOC2FW_LOGLVL

in policy and

    ACCEPT:$MY_SSH_LOGLVL net $FW tcp ssh

in rules. (Note: the examples are not real.)

One could then have more fine-grained control of the things that will get logged and could change them from a single place (the params file). Suppose I wanted to stop logging the SSH connection; I would just need to change the MY_SSH_LOGLVL=info line to MY_SSH_LOGLVL=NULL there. Note that after the var value replacement the rules file would change from ACCEPT:info to ACCEPT:NULL.

The NULL pseudo log level exists because if this functionality were implemented by means of leaving the vars that specify log levels undefined, we would end up with a dangling trailing colon.

Best regards,
- Ramiro
--On Wednesday, March 05, 2003 04:19:53 PM -0300 Ramiro Morales <rm0@gmx.net> wrote:

> ... are they possible? Or better yet: are they enhancements at all?

Turns out that both are possible today.

> First, make it possible to use the vars defined in the params
> file in the policy and shorewall.conf also.

Variables have always been usable in shorewall.conf because shorewall.conf is sourced by the shell using the "." command (e.g., ". /etc/shorewall/shorewall.conf"), so variable expansion takes place automatically there. Variables have been usable in the policy file for many releases now.

> Second, make it possible to specify a pseudo log level
> like NULL,
>
> The NULL pseudo log level exists because if this functionality
> was implemented by means of leaving the vars that specify log
> levels undefined we would end with a dangling trailing colon.

Shorewall accepts such dangling trailing colons in rules. I use a strategy similar to what you are describing for logging specification in my own configuration. You can see it in the 1.4.0-RC1 documentation (myfiles.htm).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
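The mechanism the two messages above turn on is plain shell sourcing: a params-style file read with "." puts its variables into the running shell, after which any text the shell expands picks them up. The script below is an added illustration and not Shorewall's own code; the params file is a constructed sample, and rule_action() is a hypothetical helper that shows the dangling-colon case Ramiro describes and one way a NULL pseudo level could be collapsed to "no log level".

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Shows how a sourced params file
# makes its variables available for expansion, what an unset log-level
# variable produces (a dangling trailing colon), and a hypothetical
# normalisation of a NULL pseudo level.

# Constructed sample params file (values are illustrative only).
PARAMS_FILE="$(mktemp)"
cat > "$PARAMS_FILE" <<'EOF'
# per-purpose log levels, changed in one place
MY_RFC1918_LOGLVL=ULOG
MY_LOC2FW_LOGLVL=NULL
MY_SSH_LOGLVL=info
EOF

# Source it the same way shorewall.conf is sourced: with the "." command.
# Everything in the file is executed by this shell, not merely parsed.
. "$PARAMS_FILE"
rm -f "$PARAMS_FILE"

# raw_action ACTION LEVEL: plain expansion as it would appear in a rules line.
# An unset LEVEL leaves "ACTION:" with a dangling trailing colon.
raw_action() {
    printf '%s:%s' "$1" "$2"
}

# rule_action ACTION LEVEL: hypothetical normalisation that treats NULL
# (and an unset variable) as "no log level", yielding bare ACTION.
rule_action() {
    case "$2" in
        ""|NULL) printf '%s' "$1" ;;
        *)       printf '%s:%s' "$1" "$2" ;;
    esac
}

# Demonstration: the rule text never changes; only params decides logging.
echo "ssh rule:      $(rule_action ACCEPT "$MY_SSH_LOGLVL") net \$FW tcp ssh"
echo "loc->fw policy: loc fw $(rule_action REJECT "$MY_LOC2FW_LOGLVL")"
echo "unset variable: $(raw_action ACCEPT "$MY_UNSET_LOGLVL")  <- dangling colon"
```

Because "." executes the file rather than reading it as data, a params file runs with the privileges of the firewall script that sources it; it should be owned by root and writable by nobody else, the same as shorewall.conf.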
--On Wednesday, March 05, 2003 11:31:57 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Wednesday, March 05, 2003 04:19:53 PM -0300 Ramiro Morales
> <rm0@gmx.net> wrote:
>
>> ... are they possible? Or better yet: are they enhancements at all?
>
> Turns out that both are possible today.

I probably should change that to "both are possible today using version 1.4.0". In earlier versions the order of processing shorewall.conf and params was wrong....

-Tom
Ramiro Morales
2003-Mar-05 14:39 UTC
[Shorewall-devel] A couple of enhancement suggestions
On 5 Mar 2003 at 11:37, Tom Eastep wrote about "Re: [Shorewall-devel] A couple of enhancement sug":

> --On Wednesday, March 05, 2003 11:31:57 AM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
>> --On Wednesday, March 05, 2003 04:19:53 PM -0300 Ramiro Morales
>> <rm0@gmx.net> wrote:
>>
>>> ... are they possible? Or better yet: are they enhancements at all?
>>
>> Turns out that both are possible today.
>
> I probably should change that to "both are possible today using version
> 1.4.0". In earlier versions the order of processing shorewall.conf and
> params was wrong....

Tom,

Ok, thanks for the fast answer and the clarification.

Also, neither shorewall.conf nor policy are listed among the files where var substitution is possible in the doc blurb at the top of the params file. At least in 1.3.14 and in the then-current CVS copy when I checked it a couple of hours ago.

Regards,
--
Ramiro
--On Wednesday, March 05, 2003 07:40:19 PM -0300 Ramiro Morales <rm0@gmx.net> wrote:

> Also, neither shorewall.conf nor policy are listed among the files
> where var substitution is possible in the doc blurb at the
> top of the params file.
> At least in 1.3.14 and in the then-current CVS copy when I
> checked it a couple of hours ago.

Any time that the comments at the head of the file and the web documentation conflict, the web documentation is to be considered authoritative. The web documentation at http://www.shorewall.net/configuration_file_basics.htm states that variables may be used in all files.

This is yet one more reason why I hate documentation in configuration files and would love to do away with it...

-Tom
Tom Eastep wrote:

> --On Wednesday, March 05, 2003 07:40:19 PM -0300 Ramiro Morales
> <rm0@gmx.net> wrote:
>
>> Also, neither shorewall.conf nor policy are listed among the files
>> where var substitution is possible in the doc blurb at the
>> top of the params file.
>> At least in 1.3.14 and in the then-current CVS copy when I
>> checked it a couple of hours ago.

I've updated the params file in CVS to reflect reality :-)

Thanks!

-Tom
--On Wednesday, March 05, 2003 07:40:19 PM -0300 Ramiro Morales <rm0@gmx.net> wrote:

>> I probably should change that to "both are possible today using version
>> 1.4.0". In earlier versions the order of processing shorewall.conf and
>> params was wrong....

Hmmm -- this problem still exists in RC1. I'll fix it before 1.4.0 final.

-Tom