Greetings,

I am trying to find out the most elegant way to handle access from a group of external hosts. My shorewall installation (ver. 3.0.4) works fine, this is a question from the "how to do it the right way" type :)

I have a server which is directly connected to internet (public address). I would like a set of machines on internet to connect to some services on the (firewall) server.
This will be, say, 20 machines connecting to 5-6 services.
I was wondering if there is a way to create a "group" where I would list these internet hosts and use this group in my config files. I would like to avoid enumerating all the 20 machines for each service - which is not an elegant solution and not an easy one to maintain either.

I tried to find this kind of functionality but failed to locate the right incantation in the right config file.

I would appreciate any hints.

Thank you,
Wojtek
On Friday 27 January 2006 12:19, Wojtek Swiatek wrote:
> Greetings,
>
> I am trying to find out the most elegant way to handle access from a
> group of external hosts. My shorewall installation (ver. 3.0.4) works
> fine, this is a question from the "how to do it the right way" type :)
>
> I have a server which is directly connected to internet (public
> address). I would like a set of machines on internet to connect to some
> services on the (firewall) server.
> This will be, say, 20 machines connecting to 5-6 services.
> I was wondering if there is a way to create a "group" where I would list
> these internet hosts and use this group in my config files. I would like
> to avoid enumerating all the 20 machines for each service - which is
> not an elegant solution and not an easy one to maintain either.
>
> I tried to find this kind of functionality but failed to locate the
> right incantation in the right config file.
>
> I would appreciate any hints.

Check out how I handle Shorewall mirrors at http://www.shorewall.net/myfiles.htm.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Friday 27 January 2006 12:19, Wojtek Swiatek wrote:
(...)
>> This will be, say, 20 machines connecting to 5-6 services.
>> I was wondering if there is a way to create a "group" where I would list
>> these internet hosts and use this group in my config files. I would like
>> to avoid enumerating all the 20 machines for each service - which is
>> not an elegant solution and not an easy one to maintain either.
(...)
> Check out how I handle Shorewall mirrors at
> http://www.shorewall.net/myfiles.htm.

Thank you for that -- I wonder however why $MIRRORS are handled differently from, for instance, $POPSERVERS:
- $MIRRORS are used in Actions, then in action.Mirrors, and subsequently in Rules
- $POPSERVERS are used verbatim and directly in Rules (in an ACCEPT statement)

Is there a reason why these two sets of machines are handled in such different ways?

Thank you,
Wojtek
On Friday 27 January 2006 12:56, Wojtek Swiatek wrote:
>
> Is there a reason why these two sets of machines are handled in such
> different ways?
>

There are two pop servers -- there are 30 mirrors.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Friday 27 January 2006 12:56, Wojtek Swiatek wrote:
>
>> Is there a reason why these two sets of machines are handled in such
>> different ways?
>>
>
> There are two pop servers -- there are 30 mirrors.

Tom - thanks for the help so far but I think I am missing something.

In order to test the setup you suggested I added to my network some test ranges in the following files:

params:

    # two groups of hosts on internet
    GROUP1=149.156.110.1,149.156.110.11
    GROUP2=149.156.110.2,149.156.110.22

actions:

    # Group1 will be allowed in
    Group1

action.Group1:

    ACCEPT  $GROUP1

rules:

    # wan is Internet where all the test ranges sit
    # $FW is the firewall
    # the ports numbers are not relevant
    ACCEPT  wan:$GROUP2  $FW  tcp  555
    Group1  wan          $FW  tcp  666

After restarting shorewall I have:

    # shorewall show | grep 149
        0     0 ACCEPT     all  --  *      *       149.156.110.1        0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       149.156.110.11       0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       149.156.110.2        0.0.0.0/0           tcp dpt:555
        0     0 ACCEPT     tcp  --  *      *       149.156.110.22       0.0.0.0/0           tcp dpt:555

Therefore:
- the trick with GROUP2 works as expected
- GROUP1 was handled properly, except that it did not take into account the port restriction (666)
- even if it did take the port into account (I assume that I made a mistake in the config ?) I am not sure what is the added value of the GROUP1 approach. There are more places where the rule needs to be maintained (actions and action.Group1).

You mention that there are 2 pop servers and 30 mirrors - but they are all maintained in params, right?

Thanks for your great help,
Wojtek
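As an added check (my code, not from the thread or from Shorewall), the script below parses the params definitions and the `shorewall show` listing from the message above and reports every group member whose ACCEPT line carries no match on the port the rules file meant to restrict it to. Lines inside an action chain legitimately show no port when the port match sits on the rule that jumps into that chain (which a `grep 149` hides), so a finding means "inspect the whole chain", not "port is open". The EXPECTED_PORT map (666 for GROUP1, 555 for GROUP2) is assumed from the rules file in the message, and the sample input is constructed from the listing quoted there.

```python
import re
# Constructed sample: the `shorewall show | grep 149` output and params quoted in the message above.
PARAMS = """\
GROUP1=149.156.110.1,149.156.110.11
GROUP2=149.156.110.2,149.156.110.22
"""
SHOW_OUTPUT = """\
    0     0 ACCEPT     all  --  *      *       149.156.110.1        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       149.156.110.11       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       149.156.110.2        0.0.0.0/0           tcp dpt:555
    0     0 ACCEPT     tcp  --  *      *       149.156.110.22       0.0.0.0/0           tcp dpt:555
"""
# Assumed intent, read off the rules file in the message: each group may reach exactly one tcp port.
EXPECTED_PORT = {"GROUP1": 666, "GROUP2": 555}

# Columns of `iptables -L -v -n`: pkts bytes target prot opt in out source destination [match details]
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\w+)\s+(\w+)\s+--\s+\S+\s+\S+\s+(\S+)\s+\S+(.*)$")

def parse_params(text):
    """Return {GROUP: [host, ...]} from NAME=a,b,c lines; blanks and # comments are skipped."""
    groups = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            groups[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return groups

def parse_show(text):
    """Return {source: [(target, proto, dport or None), ...]} for every counted rule line."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            target, proto, src, extra = m.groups()
            port = re.search(r"\bdpt:(\d+)", extra)
            rules.setdefault(src, []).append((target, proto, int(port.group(1)) if port else None))
    return rules

def audit(params_text, show_text, expected_port):
    """List (group, host, problem) for hosts with no rule, or an ACCEPT lacking the expected dpt match."""
    groups, rules = parse_params(params_text), parse_show(show_text)
    findings = []
    for group, port in expected_port.items():
        for host in groups.get(group, []):
            hits = rules.get(host, [])
            if not hits:
                findings.append((group, host, "no rule found"))
            elif not any(t == "ACCEPT" and p == port for t, _, p in hits):
                findings.append((group, host, "ACCEPT without dpt:%d" % port))
    return findings
```

On the listing above, `audit(PARAMS, SHOW_OUTPUT, EXPECTED_PORT)` flags both GROUP1 hosts and passes both GROUP2 hosts, matching the observation in the message.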