Hi all

I am trying to set up a shorewall where I want to grant several services to several identified ip ranges. The point is there are some co-workers who always dial-in from a pretty-much known range of ip numbers (an individual set for each of the co-workers), and I want shorewall to allow access to several services to them only (of course this is an extra measure, going along with other means of protection).

Doing it the hard way would mean to repeat all the individual ranges (mostly /24 nets, about 40 of them in total) in one line each, and for each service. This is error prone and extends the scripts a lot.

Defining the /24 networks for each co-worker as hosts might work (I have not tried yet), but as I have two dial-ups sometimes active in parallel, this means repeating the information inside the hosts file, once for each network interface. This is redundant, too.

Is there a way of specifying sets of ip ranges in the rules file?

Titus

.-.-.-.-.-.-.-.-.-
Titus Green
How can you see a red light with green eyes?
.-.-.-.-.-.-.-.-.-
=================================================
Powered by SQWebmail
On Sat, 05 Jul 2003 22:46:37 +0200, Titus Green <tgreen@mail.nexline.ch> wrote:

> Is there a way of specifying sets of ip ranges in the rules file?

/etc/shorewall/params:

FOO=206.124.146.0/24,130.252.100.0/24,...

/etc/shorewall/rules:

ACCEPT net:$FOO loc ...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sat, 05 Jul 2003 22:46:37 +0200, Titus Green <tgreen@mail.nexline.ch> wrote:

> Defining the /24 networks for each co-worker as hosts might work (I have
> not tried yet), but as I have two dial-ups sometimes active in parallel,
> this means repeating the information inside the hosts file, once for each
> network interface. This is redundant, too.

Can't you use 'ppp+'?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Titus Green
2003-Jul-05 14:41 UTC
[Shorewall-users] Re: sets of ip ranges (was: (no subject))
Tom Eastep wrote:

> Can't you use 'ppp+'?

AFAIK this includes all ppp interfaces, which would be an appropriate answer - thank you. However, the two dial-ups I was referring to are actually a bit more than that:

- a cable connection using dhcp, fast but costly, so I use that low-volume (eth0)
- an adsl connection using private IPs and masq, flat rate but slow (eth1), and frequent drop-outs due to insufficient local cabling
- an isdn dial-up and dial-in on ttyS0 using ppp, slow, flat-rate
- an analog modem for dial-in using ppp, used by some co-workers

Sorry for having been unspecific. Actually, it would be a group spanning eth0, eth1, ppp0 and ppp1. eth2 and 3 connect to inner networks.

.-.-.-.-.-.-.-.-.-
Titus Green
How can you see a red light with green eyes?
.-.-.-.-.-.-.-.-.-
Titus Green
2003-Jul-05 14:49 UTC
[Shorewall-users] Re: sets of ip ranges (was: (no subject))
Tom Eastep wrote:

> On Sat, 05 Jul 2003 22:46:37 +0200, Titus Green <tgreen@mail.nexline.ch> wrote:
>> Is there a way of specifying sets of ip ranges in the rules file?
>
> /etc/shorewall/params:
>
> FOO=206.124.146.0/24,130.252.100.0/24,...
>
> /etc/shorewall/rules:
>
> ACCEPT net:$FOO loc ...
>
> -Tom

That should do the job. I saw this answer after your first proposing ppp+.

Thanks

.-.-.-.-.-.-.-.-.-
Titus Green
How can you see a red light with green eyes?
.-.-.-.-.-.-.-.-.-
Tom Eastep
2003-Jul-05 15:20 UTC
[Shorewall-users] Re: sets of ip ranges (was: (no subject))
On Sat, 2003-07-05 at 14:48, Titus Green wrote:

> Tom Eastep wrote:
>
>> On Sat, 05 Jul 2003 22:46:37 +0200, Titus Green <tgreen@mail.nexline.ch> wrote:
>>> Is there a way of specifying sets of ip ranges in the rules file?
>>
>> /etc/shorewall/params:
>>
>> FOO=206.124.146.0/24,130.252.100.0/24,...
>>
>> /etc/shorewall/rules:
>>
>> ACCEPT net:$FOO loc ...
>>
>> -Tom
>
> That should do the job. I saw this answer after your first proposing ppp+.

Given your requirements, any way that you do it with Shorewall is going to result in a Netfilter ruleset that's a real mess.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Titus Green
2003-Jul-06 00:31 UTC
[Shorewall-users] Re: sets of ip ranges (was: (no subject))
Hi

Tom Eastep wrote:

> Given your requirements, any way that you do it with Shorewall is going
> to result in a Netfilter ruleset that's a real mess.

You are right about that. Actually, I already have a Netfilter ruleset that does what I need and which I have generated using a self-written set of scripts. In concept and functionality, these scripts are not unlike shorewall; being written in bash and having modules. However, they were never released publicly (although intended to be open source), they are not documented (having had no more than three admin users), they are slow (starting the firewall takes a full 10 minutes) and when a friend looked through them lately with an independent eye on security, he found that they generate more rules than necessary, a lot of them redundant, although without probable security impact. Enough reasons to migrate to something better-known. I chose to invest in shorewall from among about ten possible solutions.

My ruleset has more than 5000 entries right now. This works with kernel 2.4.18, but I don't know if the kernel acts cleanly upon them. I hope to reduce the list to less than 3000 entries. Kernel 2.4.21 breaks when starting the firewall (kernel panic it was, I think). I still think investing in linux is better than buying a cisco.

In short: you did a better job. However, my shorewall is not yet up and running. I'll let you know.

C U

.-.-.-.-.-.-.-.-.-
Titus Green
How can you see a red light with green eyes?
.-.-.-.-.-.-.-.-.-
Tom Eastep
2003-Jul-06 10:17 UTC
[Shorewall-users] Re: sets of ip ranges (was: (no subject))
On Sun, 2003-07-06 at 00:31, Titus Green wrote:

> Hi
>
> Tom Eastep wrote:
>> Given your requirements, any way that you do it with Shorewall is going
>> to result in a Netfilter ruleset that's a real mess.
>
> You are right about that.

The upcoming 1.4.6 Beta 2 has a feature that might help you. It allows for a list of addresses in /etc/shorewall/hosts entries:

/etc/shorewall/params:

FOO=206.124.146.0/24,130.252.100.0,...

/etc/shorewall/hosts:

foo eth1:$FOO
foo eth2:$FOO
...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
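The two replies above (the params-plus-rules variant and the params-plus-hosts variant for 1.4.6 Beta 2) both hinge on one comma-separated address list that is expanded into every rule, so a single mistyped entry in a list of forty /24s silently changes who gets in on all services at once. The following is an added example, not code from the thread, from Titus's scripts or from Shorewall itself: it checks each entry is a well-formed IPv4 address or CIDR block before anything is written, then emits the params, rules and hosts fragments the replies describe into a scratch directory. The zone name "coworkers", the two services (tcp 22 and 443), the interface names and the scratch directory are assumptions for the demonstration; a bare address such as 130.252.100.0 is accepted and treated as a single host, which is also how Shorewall reads an entry without a mask.

```shell
# Added example (not from the thread): validate the address list destined
# for /etc/shorewall/params, then write the params/rules/hosts fragments.
set -f   # no pathname expansion while we split on '.' and ','

# valid_cidr ADDR: return 0 if ADDR is a dotted-quad IPv4 address, optionally
# followed by /0-32. A bare address counts as a single host (/32).
valid_cidr() {
    addr=${1%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric prefix length
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1       # exactly four octets
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_cidr_list LIST: LIST is comma separated, as in the params example.
# Reports every malformed entry on stderr; returns 1 if any were found.
valid_cidr_list() {
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    rc=0
    for entry in "$@"; do
        valid_cidr "$entry" || { printf 'malformed entry: %s\n' "$entry" >&2; rc=1; }
    done
    return $rc
}

# write_fragments DIR LIST IFACES: write params, rules and hosts into DIR.
# Writes nothing at all if LIST fails validation, so a typo cannot end up
# in the running ruleset.
write_fragments() {
    dir=$1; list=$2; ifaces=$3
    valid_cidr_list "$list" || return 1
    # params is sourced by Shorewall as shell, so $COWORKERS expands below
    printf 'COWORKERS=%s\n' "$list" > "$dir/params"
    # rules: one line per service; the ranges are named once via the variable
    {
        printf 'ACCEPT\tnet:$COWORKERS\tloc\ttcp\t22\n'
        printf 'ACCEPT\tnet:$COWORKERS\tloc\ttcp\t443\n'
    } > "$dir/rules"
    # hosts: one line per interface (address lists here need the
    # 1.4.6 Beta 2 feature mentioned in the thread)
    : > "$dir/hosts"
    for iface in $ifaces; do
        printf 'coworkers\t%s:$COWORKERS\n' "$iface" >> "$dir/hosts"
    done
}

# Usage with a constructed sample list (scratch directory, not /etc/shorewall)
out=$(mktemp -d)
write_fragments "$out" "206.124.146.0/24,130.252.100.0/24" "eth0 eth1 ppp0 ppp1" \
    && cat "$out/params" "$out/rules" "$out/hosts"
```

Run it once with the real list before copying the fragments into /etc/shorewall; if any entry is reported as malformed nothing is written, which is the point. The validator is deliberately strict about octet count and prefix length because those are the two mistakes that turn a /24 into something much wider or into an entry Shorewall rejects at start-up.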