I planned to open the MySQL port for a trusted host. I added a user action, action.AllowMySQL; its content is

    ACCEPT net:100.100.100.100 - tcp 3306

Following that, I added this action to the /etc/shorewall/actions file.

Lastly, I added a rule in /etc/shorewall/rules:

    AllowMySQL net $FW

However, when I ran "shorewall check" it returned an error when processing my custom action file:

    ACCEPT net:220.189.250.104 - tcp 3306

What is the problem?
On Sun, 2005-10-23 at 17:30 +0800, Adrian Mak wrote:
> I'll planned to open mysql port for a trusted host.
> I added an user action action.AllowMySQL
> the content is
>
> ACCEPT net:100.100.100.100 - tcp 3306

If you're going to limit the action to a particular host, you don't really gain any benefit from using actions. Actions are great for defining common (possibly complex) sets of rules. These actions can then be used in the 'rules' file to be applied to particular hosts.

The above line could just be used in your 'rules' file with "fw" rather than the dash. No need for an action, if this really is the only host and the action consists of only one rule...

> follow that I added this action in the /etc/shorewall/actions file
>
> Lastly, I added a rule in the /etc/shorewall/rules
>
> AllowMySQL net $FW

Not sure, but I think the problem is due to the double definition of SOURCE -- first in 'action.AllowMySQL', then in the rule itself.

> However I did a "shorewall check"
> it returned an error when processing my custom action file
> ACCEPT net:220.189.250.104 - tcp 3306
>
> What is the problem ?

Again, if you really want an action, make it a generic one that does what its name promises -- allowing SQL. There is no host mentioned in the name... ;)

action.AllowMySQL

    ACCEPT - - tcp 3306

rules

    AllowMySQL net:100.100.100.100 fw # one trusted host

BTW, you did not mention the Shorewall version. You mentioned "it returned an error", but you didn't post the actual error message. Please be much more verbose when hoping for help from others...

Karsten
-- 
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859 Fax 06151/273862
On Sunday 23 October 2005 06:09, K. Bräckelmann wrote:
> On Sun, 2005-10-23 at 17:30 +0800, Adrian Mak wrote:
> > I'll planned to open mysql port for a trusted host.
> > I added an user action action.AllowMySQL
> > the content is
> >
> > ACCEPT net:100.100.100.100 - tcp 3306
>
> If you're going to limit the action to a particular host, you don't
> really gain any benefit from using actions. Actions are great for
> defining common (possibly complex) sets of rules. These actions then can
> be used in the 'rules' file to be applied to particular hosts.
>
> The above line just could be used in your 'rules' file with "fw" rather
> than the dash. No need for an action, if this really is the only host
> and the action consists of only one rule...
>

Plus if Adrian will read the action documentation carefully, he will note that zone names are not allowed in the SOURCE (or DESTINATION) columns of an action definition. And if a few minutes are spent thinking about it, I believe that it will become obvious why that is so.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
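The rule Tom states (no zone names in the SOURCE or DEST columns of an action file) is easy to check before running "shorewall check". The following is an added example, not Shorewall's own code or anything from this thread's authors: a small linter that splits action-file lines into the classic whitespace-separated columns (ACTION SOURCE DEST PROTO DEST_PORT ...) and flags any SOURCE/DEST column that names a zone. The zone list ZONES is a constructed stand-in for /etc/shorewall/zones, and the sample action bodies are constructed from the thread.

```python
"""Lint Shorewall action files for zone-qualified SOURCE/DEST columns.

Added example (not Shorewall code). Assumptions: action files use the
classic rule columns ACTION SOURCE DEST PROTO DEST_PORT ..., comments start
with '#', and the caller supplies the zone names (ZONES here is constructed).
"""
from typing import Iterable, List, Tuple

# Constructed zone list standing in for /etc/shorewall/zones (assumption).
ZONES = {"fw", "net", "loc"}


def parse_columns(line: str) -> List[str]:
    """Strip a trailing comment and split a rule line into its columns."""
    body = line.split("#", 1)[0].strip()
    return body.split() if body else []


def zone_prefix(column: str, zones: Iterable[str]) -> str:
    """Return the zone if `column` is zone-qualified ('net:1.2.3.4', 'net', '$FW'), else ''."""
    if column == "-":
        return ""
    head = column.split(":", 1)[0]
    if head == "$FW":          # Shorewall's variable for the firewall zone
        head = "fw"
    return head if head in set(zones) else ""


def lint_action_file(text: str, zones: Iterable[str] = ZONES) -> List[Tuple[int, str]]:
    """Return (line_number, message) for each SOURCE/DEST column naming a zone."""
    problems: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        cols = parse_columns(line)
        if len(cols) < 3:
            continue           # blank, comment-only, or too short to hold SOURCE/DEST
        for name, value in (("SOURCE", cols[1]), ("DEST", cols[2])):
            zone = zone_prefix(value, zones)
            if zone:
                problems.append((lineno, f"{name} column '{value}' names zone '{zone}'; "
                                         "put the zone in the rules file, not the action"))
    return problems


# Constructed samples: the action body from the thread, then the generic form.
BROKEN_ACTION = "# action.AllowMySQL as first written\nACCEPT net:100.100.100.100 - tcp 3306\n"
FIXED_ACTION = "# generic action; the host goes in /etc/shorewall/rules\nACCEPT - - tcp 3306\n"

if __name__ == "__main__":
    for lineno, msg in lint_action_file(BROKEN_ACTION):
        print(f"line {lineno}: {msg}")
    print("fixed action problems:", lint_action_file(FIXED_ACTION))
```

The host restriction then belongs in the rules file entry ("AllowMySQL net:100.100.100.100 fw"), which the linter does not need to inspect because zone names are legal there.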
> > > ACCEPT net:100.100.100.100 - tcp 3306
> >
> > If you're going to limit the action to a particular host, you don't
> > really gain any benefit from using actions. Actions are great for
> > defining common (possibly complex) sets of rules. These actions then can
> > be used in the 'rules' file to be applied to particular hosts.
> >
> > The above line just could be used in your 'rules' file with "fw" rather
> > than the dash. No need for an action, if this really is the only host
> > and the action consists of only one rule...
>
> Plus if Adrian will read the action documentation carefully, he will note that
> zone names are not allowed in the SOURCE (or DESTINATION) columns of an
> action definition. And if a few minutes are spent thinking about it, I
> believe that it will become obvious why that is so.

/me slaps self

Doh! Actually, that prepended "net:" was suspicious to me as well. Didn't mention it, because I simply misread "interface" in the last paragraph of the SOURCE section in 'action.template'. Should have spent more than a few seconds glancing at that doc. ;)

That perfectly explains "unknown interface". :)

Karsten