Massimo Dal Zotto
2005-Apr-16 10:00 UTC
[Shorewall-devel] wishlist: ''none'' as source address in rules
Hi,

I plug my laptop in different networks and use the following hack to automatically configure shorewall for trusted/untrusted networks:

In /etc/shorewall/params:

    # none is a dummy zone associated to the loopback interface
    NONE="none:0.0.0.0"

    # Network scheme, automatically detected by intuitively
    NETWORK_SCHEME="$(cat /etc/network/scheme 2>/dev/null)"

    case "$NETWORK_SCHEME" in
    home)
        TRUSTED_FTP="net:192.168.0.1"
        TRUSTED_SMB="net:192.168.0.1,192.168.0.2"
        ;;
    work)
        TRUSTED_FTP="$NONE"
        TRUSTED_SMB="net:10.1.2.100,10.1.2.102"
        ;;
    *)
        TRUSTED_FTP="$NONE"
        TRUSTED_SMB="$NONE"
        ;;
    esac

In /etc/shorewall/rules:

    AllowFTP   $TRUSTED_FTP   $FW
    AllowSMB   $TRUSTED_SMB   $FW

In this way I can use a common (and simple) rules file which works for all networks, provided that the variables are set up correctly in the params file.

Now, I would like the SOURCE field in rules to accept the value 'none' so that I could write the following code in params without needing the "none:0.0.0.0" hack:

    case "$NETWORK_SCHEME" in
    home)
        TRUSTED_FTP="net:192.168.0.1"
        TRUSTED_SMB="net:192.168.0.1,192.168.0.2"
        ;;
    work)
        TRUSTED_FTP="none"
        TRUSTED_SMB="net:10.1.2.100,10.1.2.102"
        ;;
    *)
        TRUSTED_FTP="none"
        TRUSTED_SMB="none"
        ;;
    esac

The value 'none' should mean the exact opposite of 'all', and since the rule doesn't apply to any source address it should simply be skipped and no corresponding iptables rules should be generated.

Could this be added in a future release?

-- 
Massimo Dal Zotto <dz@debian.org>
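The semantics requested above, as an added illustration that is not Shorewall's own code: a small POSIX shell script that reproduces the params-file selection from the post (the scheme is passed as an argument instead of being read from /etc/network/scheme) and then expands the two-line rules template, dropping any rule whose SOURCE is "none" instead of emitting a rule that can never match. The function names (trusted_sources, expand_rules, rule_count) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of Shorewall. Emulates the params logic from
# the post and the requested "none" behaviour for the SOURCE column.

# Pick the trusted sources for a network scheme. The addresses are the
# ones quoted in the post; "$1" stands in for /etc/network/scheme.
trusted_sources() {
    case "$1" in
    home)
        TRUSTED_FTP="net:192.168.0.1"
        TRUSTED_SMB="net:192.168.0.1,192.168.0.2"
        ;;
    work)
        TRUSTED_FTP="none"
        TRUSTED_SMB="net:10.1.2.100,10.1.2.102"
        ;;
    *)
        TRUSTED_FTP="none"
        TRUSTED_SMB="none"
        ;;
    esac
}

# Expand the rules template (ACTION SOURCE DEST) for one scheme and
# print one line per rule that applies. A SOURCE of "none" is the
# opposite of "all": the rule applies to no address, so nothing is
# generated for it (this is the behaviour the post asks for).
expand_rules() {
    trusted_sources "$1"
    printf '%s\n' \
        "AllowFTP $TRUSTED_FTP \$FW" \
        "AllowSMB $TRUSTED_SMB \$FW" |
    while read -r action source dest; do
        case "$source" in
        none) ;;                       # skip: matches no source at all
        *)    printf '%s %s %s\n' "$action" "$source" "$dest" ;;
        esac
    done
}

# Number of rules that survive expansion for a scheme.
rule_count() {
    expand_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: show what each scheme produces.
for scheme in home work cafe; do
    echo "== $scheme ($(rule_count "$scheme") rule(s)) =="
    expand_rules "$scheme"
done
```

With the "none:0.0.0.0" workaround from the post, the rule line is still fed to the compiler and a rule is emitted for a host that nothing ever matches; with "none" handled as above the line simply disappears from the generated output, which is the whole point of the wish.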
Tom Eastep
2005-Apr-16 12:22 UTC
[Shorewall-devel] wishlist: ''none'' as source address in rules
Massimo Dal Zotto wrote:

>     esac
>
> The value 'none' should mean the exact opposite of 'all' and since the
> rule doesn't apply to any source address it should be simply skipped and
> no corresponding iptable rules should be generated.
>
> Could this be added in a future release?

I'll consider it.

Thanks,
-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Apr-16 17:47 UTC
[Shorewall-devel] wishlist: ''none'' as source address in rules
Tom Eastep wrote:

> Massimo Dal Zotto wrote:
>
>>     esac
>>
>> The value 'none' should mean the exact opposite of 'all' and since the
>> rule doesn't apply to any source address it should be simply skipped and
>> no corresponding iptable rules should be generated.
>>
>> Could this be added in a future release?
>
> I'll consider it.

Just checked into CVS (Shorewall2/)

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Paul Gear
2005-Apr-16 18:09 UTC
[Shorewall-devel] wishlist: ''none'' as source address in rules
Tom Eastep wrote:

> ...
>>> Could this be added in a future release?
>>
>> I'll consider it.
>
> Just checked into CVS (Shorewall2/)

Ah, Tom - ever a sucker for a sad story... ;-)

-- 
Paul <http://paulgear.webhop.net>
--
Did you know? Microsoft Internet Explorer and Outlook have a poor track record for security <http://www.kb.cert.org/vuls/id/713878>. Why not try one of the more secure alternatives from <http://mozilla.org>?
Tom Eastep
2005-Apr-16 18:31 UTC
[Shorewall-devel] wishlist: ''none'' as source address in rules
Paul Gear wrote:

> Tom Eastep wrote:
>> ...
>>>> Could this be added in a future release?
>>>
>>> I'll consider it.
>>
>> Just checked into CVS (Shorewall2/)
>
> Ah, Tom - ever a sucker for a sad story... ;-)

Yep -- and it was a grueling 6-line change (2 of which were cleanup of an old cut and paste anachronism) ....

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Paul Gear
2005-Apr-16 20:13 UTC
[Shorewall-devel] wishlist: ''none'' as source address in rules
Tom Eastep wrote:

> ...
> Yep -- and it was a grueling 6-line change (2 of which were cleanup of an
> old cut and paste anachronism) ....

We stand in awe of your code-cutting prowess. ;-)

Seriously, though, good on you mate. You've made a lot of people happy with what you've done so far - one more can't hurt! :-)

A friend tried to convince me to try a different firewall the other day. I was almost offended.

-- 
Paul <http://paulgear.webhop.net>
--
Did you know? Email is not private and can be viewed by your ISP, the recipient's ISP, and possibly other parties. You can make sure your emails are private by using GNU Privacy Guard <http://www.gnupg.org> and an email plug-in like Enigmail <http://enigmail.mozdev.org>.
Tom Eastep
2005-Apr-17 08:17 UTC
[Shorewall-devel] wishlist: ''none'' as source address in rules
Paul Gear wrote:

> A friend tried to convince me to try a different firewall the other day.
> I was almost offended.

Friends don't let friends use other firewalls :-)

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key