or, implementing dynamic WHITE-listing

I'm using 'shorewall add/delete' to move IPs in/out of an initially-empty zone. Said zone has a DNAT rule to allow access to an internal web server. After much testing, I'm finally convinced it's working perfectly. The main problem was it worked correctly the first time, which made me very nervous, and cost many extra hours in testing ;)

As I iron out the details of now running 'shorewall add/delete' programmatically instead of manually, I want to test if a given IP has already been added to the zone. That way I don't run shorewall needlessly, and I avoid causing an 'already in zone' error. For aesthetic reasons if nothing else...

Rather than keep my own state about what's been added, I found the /var/lib/shorewall/zones file has a great list of who's who. It's nice and clean to simply grep it for '^zonename .* eth0:ipaddy'

My question: is /var/lib/shorewall/zones the best place to check the contents of a dynamic zone? Or should I bite the bullet and parse the output of a nat table dump? Or should I just keep my own state, and hope I can stay in sync with shorewall?

Other semi-relevant details, just for completeness:

rhel es 3.0, w/redhat's 2.4.21 kernel
shorewall 1.4.10c with errata firewall script
typical two interface setup with net and loc zones

my DNAT rule is:
DNAT owa loc:192.168.23.13 tcp 4560

I declare the dynamic zone in /etc/shorewall/zones thusly:
owa OWA OWA users

I have nothing in /etc/shorewall/hosts
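A small shell helper, added here as an illustration rather than code from the original post or from Shorewall itself: it checks the zones file before calling shorewall add/delete, so the call is skipped when the IP is already (or not yet) in the dynamic zone. The zones-file layout, the ZONES_FILE and SHOREWALL variables, the "add <iface>:<ip> <zone>" argument order and the sample addresses are assumptions made for the example.

```shell
# Constructed sample standing in for /var/lib/shorewall/zones; the
# assumed layout is "zone [other fields] iface:addr" per line.
ZONES_FILE="${ZONES_FILE:-$(mktemp)}"
cat > "$ZONES_FILE" <<'EOF'
net eth0:0.0.0.0/0
loc eth1:192.168.23.0/24
owa eth0:203.0.113.7
owa eth0:203.0.113.45
EOF

# Exit 0 if iface:ip is already listed for the zone. Comparing whole
# whitespace-separated fields (instead of an unanchored grep) means
# 203.0.113.7 does not also match 203.0.113.70.
in_zone() {
    awk -v z="$1" -v h="$2:$3" '
        $1 == z { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$ZONES_FILE"
}

# Hypothetical hook: SHOREWALL can be pointed at a stub for dry runs.
# Argument order "add <iface>:<ip> <zone>" is assumed Shorewall 1.4 usage.
SHOREWALL="${SHOREWALL:-shorewall}"

# Idempotent whitelist add: skip the call when the IP is already in the
# zone, so shorewall is not run needlessly and never reports
# "already in zone".
whitelist_add() {
    in_zone "$1" "$2" "$3" && return 0
    "$SHOREWALL" add "$2:$3" "$1"
}

# Symmetric removal: only call shorewall delete when the IP is present.
whitelist_del() {
    in_zone "$1" "$2" "$3" || return 0
    "$SHOREWALL" delete "$2:$3" "$1"
}
```

Usage: `whitelist_add owa eth0 203.0.113.9` adds the host only if it is not yet listed; `whitelist_del` is the mirror image.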