Scott Ruckh wrote:
> I do not remember seeing this in the documentation so I will take my
> chances at being called out.
>
> In the 3.x versions of shorewall using "native" 3.0 configuration files
> you need to name your firewall zone. I assume most people are not naming
> their firewall zone $FW, but rather some other name which is not prefixed
> with a dollar sign. Yet when I read the messages from this list the
> firewall zone is almost always referred to as $FW. I don't know if this
> is to keep the conversation generic or if the reason is because that is
> the correct syntax.
>
> As the firewall zone is no longer a variable in the shorewall.conf file I
> assume you do not refer to the firewall zone as $FW in your other conf
> files (rules, policy, etc.)? I assume you refer to it by its name in the
> zones file. Is this correct, or are both forms acceptable?
$FW is a variable substitution similar to those defined in params. It
expands to the name of your firewall, regardless of where it is defined
(IIRC). It is still acceptable to define FW in shorewall.conf.
It used to be (back in 1.x somewhere) that the firewall zone was always called 'fw'. Tom added the ability to rename it, but $FW still always refers to the firewall.

It is acceptable to refer to the firewall either as $FW or as its value (or both, but I wouldn't recommend doing this without having a very good reason). Which way is a matter of your preference and how you want to define your rules. My suggestion is to always use $FW if you have a single firewall system, unless there's a good reason to do otherwise.

In our network, several machines run shorewall, and their configurations are all generated from the same set of config files, and each with the same policy and zones files. (The rules file becomes a subset of those rules which apply to the firewall in question.) In this scenario, it's undesirable to refer to the firewall as $FW. All of our rules are written with zone names, and we just redefine FW for each host on which we run shorewall. (See http://gear.dyndns.org/~paulgear/linux/#shoregen for details if you'd like to know more about this. The page is rather out of date, but the software works. ;-)
Paul
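Added illustration (not from the thread above or from the Shorewall project): a minimal Shorewall 3.x zones/policy/rules set showing the two equivalent ways of naming the firewall that Paul describes. The zone names gw1, net and loc, and the port numbers, are made up for this example.

```text
# /etc/shorewall/zones   (Shorewall 3.x format; zone names are invented for this example)
#ZONE   TYPE        OPTIONS         IN_OPTIONS      OUT_OPTIONS
gw1     firewall
net     ipv4
loc     ipv4

# /etc/shorewall/policy
#SOURCE DEST        POLICY          LOG_LEVEL
$FW     net         ACCEPT
loc     net         ACCEPT
net     all         DROP            info
all     all         REJECT          info

# /etc/shorewall/rules
#ACTION SOURCE      DEST            PROTO   DEST_PORT(S)
# $FW expands to "gw1" because gw1 is the zone declared with TYPE firewall above,
# so the next two lines describe the same rule written in both styles.
ACCEPT  loc         $FW             tcp     22
ACCEPT  loc         gw1             tcp     22
# Paul's multi-host layout keeps shared files in the second style (zone names only)
# and sets FW per host instead of spelling it out in every rule.
```

Pick one style per configuration rather than mixing them as the rules file above does for demonstration; `shorewall check` will compile the configuration without loading it and reports an unknown zone name if the name in policy or rules does not match the zones file.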