Mike Fedyk
2004-Sep-02 16:48 UTC
[Shorewall-devel] Fwd: Bug#268999: shorewall: Allow action templates to use DNAT target
Hi all in the ShoreWall community,

[please CC me since I'm not on the list]

I had been using FIAIF for a little while, and the setup of ShoreWall has been much easier, the config for each operation in one place, and I'm very happy with it.

That said, it looks like one of the concepts could be taken a bit further. In this case, it is actions.

To get the process started, I filed this bug in the Debian BTS:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=268999

> Allow action templates to use DNAT target:
>
> Package: shorewall
> Version: 2.0.7-2
> Severity: wishlist
>
> Adding this feature would enable you to make a rule like
>
> Action net dmz:192.0.2.177 tcp 25
>
> that forwards multiple ports with DNAT targets as needed in the action file.
>
> It would leave the src and dest unmodified[1] and use them as the src and
> dest for each line with a DNAT target in the action file.
>
> [1] complaining about port numbers in src or dest on the action caller of course

Now, let me go into a little more detail.

Right now, AFAIK actions are limited to a single target, be that ACCEPT, DNAT or etc.

What I would like to do is refer to one action, and call it from different rules to use those ports in the action file for DNAT, ACCEPT, REJECT, and etc. Right now, you need a different action for each variation.

What do you guys think of this?
Tom Eastep
2004-Sep-02 16:54 UTC
[Shorewall-devel] Fwd: Bug#268999: shorewall: Allow action templates to use DNAT target
On Thursday 02 September 2004 16:44, Mike Fedyk wrote:
> Hi all in the ShoreWall community,
>
> > Adding this feature would enable you to make a rule like
> >
> > Action net dmz:192.0.2.177 tcp 25
>
> What I would like to do is refer to one action, and call it from
> different rules to use those ports in the action file for DNAT, ACCEPT,
> REJECT, and etc. Right now, you need a different action for each
> variation.
>
> What do you guys think of this?

I'm still not seeing the whole picture.

a) The syntax that you show above is accepted today -- It says that all SMTP traffic from the net to DMZ host 192.0.2.177 should be sent to "Action".

b) Currently, actions only affect the filter table and not the nat table so DNAT is not permitted in an action.

So exactly what change in behavior are you proposing?

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Mike Fedyk
2004-Sep-02 17:08 UTC
[Shorewall-devel] Fwd: Bug#268999: shorewall: Allow action templates to use DNAT target
[Should I reply only to list, or can I just reply to all?]

Tom Eastep wrote:
> On Thursday 02 September 2004 16:44, Mike Fedyk wrote:
> > Hi all in the ShoreWall community,
> >
> > > > Adding this feature would enable you to make a rule like
> > > >
> > > > Action net dmz:192.0.2.177 tcp 25
> >
> > What I would like to do is refer to one action, and call it from
> > different rules to use those ports in the action file for DNAT, ACCEPT,
> > REJECT, and etc. Right now, you need a different action for each
> > variation.
> >
> > What do you guys think of this?
>
> I'm still not seeing the whole picture.
>
> a) The syntax that you show above is accepted today -- It says that all SMTP
> traffic from the net to DMZ host 192.0.2.177 should be sent to "Action".
>
> b) Currently, actions only affect the filter table and not the nat table so
> DNAT is not permitted in an action.
>
> So exactly what change in behavior are you proposing?

First of all, I'd like to be able to use actions for DNAT rules.

And secondly, I'd like to be able to define an action once, and use it for DNAT, ACCEPT, DROP and REJECT rules.

The first thing I can think of on implementing that is to add a field to the rules file.

How's that?

Mike
Tom Eastep
2004-Sep-02 17:33 UTC
[Shorewall-devel] Fwd: Bug#268999: shorewall: Allow action templates to use DNAT target
On Thursday 02 September 2004 17:08, Mike Fedyk wrote:
> > So exactly what change in behavior are you proposing?
>
> First of all, I'd like to be able to use actions for DNAT rules.

Noted -- I would have already done it if it wasn't so much work.

> And secondly, I'd like to be able to define an action once, and use it
> for DNAT, ACCEPT, DROP and REJECT rules.

Sorry if I'm being dense but I still don't understand what that means.

> The first thing I can think of on implementing that is to add a field to
> the rules file.

Can you give us an example?

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
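To make the limitation under discussion concrete, here is an added illustration that is not part of the thread and not from the Shorewall project: a Shorewall 2.0-style action file and rules file showing what works today (an action whose entries are filter-table targets such as ACCEPT) next to the per-port DNAT rules that still have to be written out by hand because DNAT is a nat-table target. The file paths follow Shorewall's usual layout, and the action name MailPorts and the port list 25/587 are constructed for the example.

```text
# /etc/shorewall/actions  (declares the user-defined action; name is constructed)
MailPorts

# /etc/shorewall/action.MailPorts  (what works today: filter-table targets only)
# SOURCE/DEST are left as "-" so they come from whatever rule invokes the action.
#TARGET   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    -        -      tcp     25
ACCEPT    -        -      tcp     587

# /etc/shorewall/rules
#ACTION      SOURCE   DEST               PROTO   DEST PORT(S)
# Accepted today: one line, the action supplies the port list.
MailPorts    net      dmz:192.0.2.177

# Not possible today: DNAT cannot appear inside action.MailPorts, so each
# forwarded port is repeated here, and a second copy of the port list has to be
# kept in step with the action file (the duplication the thread complains about).
DNAT         net      dmz:192.0.2.177    tcp     25
DNAT         net      dmz:192.0.2.177    tcp     587
```

From a maintenance standpoint the two port lists are the weak spot: if one is edited and the other is not, the firewall either forwards a port it no longer accepts or accepts one it no longer forwards, which is exactly the drift a single reusable template would remove.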