Hi folks!

I am learning how to use Shorewall and it has been a nice experience.

My University has a range of IP numbers, under the same domain. They have been named hiis after the domain name. This is done in the hosts file.

My problem is that I can not avoid using the hosts configuration.

My Question is: Is it possible to achieve this without using the hosts configuration?

The Shorewall configuration is this:

interfaces:

    #ZONE   INTERFACE       BROADCAST       OPTIONS
    loc     eth2            detect          tcpflags,logmartians,blacklist,routefilter

zones:

    #ZONE       TYPE            OPTIONS         IN              OUT
    #                                           OPTIONS         OPTIONS
    loc         firewall
    any         ipv4
    hiis:any    ipv4

hosts:

    #ZONE   HOST(S)                                 OPTIONS
    hiis    eth2:130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18 \
            tcpflags
    any     eth2:0.0.0.0/0                          tcpflags

policy:

    #SOURCE DEST    POLICY  LOG     LIMIT:BURST
    #                       LEVEL
    $FW     any     ACCEPT
    hiis    $FW     ACCEPT
    all     all     REJECT  info

I am using Shorewall version: 3.4.4

--
Kindest Regards, Anna Jonna Ármannsdóttir,       %& A: Because people read from top to bottom.
Unix System Administration, Computing Services,  %& Q: Why is top posting bad?
University of Iceland.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Anna Jonna Armannsdottir wrote:
> Hi folks!
>
> I am learning how to use Shorewall and it has been a nice experience.
>
> My University has a range of IP numbers, under the same domain. They
> have been named hiis after the domain name. This is done in the hosts
> file.
>
> My problem is that I can not avoid using the hosts configuration.
>
> My Question is: Is it possible to achieve this without using the
> hosts configuration?
> ...
> #ZONE   HOST(S)                                 OPTIONS
> hiis    eth2:130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18 \
>         tcpflags
> any     eth2:0.0.0.0/0                          tcpflags

An alternative is to put those IP addresses in params like this:

    HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18

and then add a rule that checks for it, e.g.:

    ACCEPT  any:$HIIS       $FW     tcp     80

Or something like that. On my systems, I prefer to see it defined as a zone, because it's a lot more flexible. Most of the time, I define all of my zones in hosts and leave interfaces empty.

Paul
On Tue, 2008-05-20 at 21:43 +1000, Paul Gear wrote:
> An alternative is to put those IP addresses in params like this:
>
> HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18
>
> and then add a rule that checks for it, e.g.:
>
> ACCEPT any:$HIIS $FW tcp 80
>
> Or something like that.

Thanks. That does it.
I did not know that it is possible to define arbitrary variables in Shorewall.
Then maybe I can change my policy to:

    $HIIS   $FW     ACCEPT

BTW: I would have given the name variables to this file. Not params.

--
Kindest Regards, Anna Jonna Ármannsdóttir,       %& A: Because people read from top to bottom.
Unix System Administration, Computing Services,  %& Q: Why is top posting bad?
University of Iceland.
Anna Jonna Armannsdottir wrote:
> On Tue, 2008-05-20 at 21:43 +1000, Paul Gear wrote:
>> An alternative is to put those IP addresses in params like this:
>>
>> HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18
>>
>> and then add a rule that checks for it, e.g.:
>>
>> ACCEPT any:$HIIS $FW tcp 80
>>
>> Or something like that.
>
> Thanks. That does it.
> I did not know that it is possible to define arbitrary
> variables in Shorewall.
> Then maybe I can change my policy to:
> $HIIS $FW ACCEPT

No -- zone names may not be qualified by an IP address list in the policy file. If you want to do that, you'll need to define the zone using the hosts file.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Paul Gear wrote:
> Anna Jonna Armannsdottir wrote:
>> Hi folks!
>>
>> I am learning how to use Shorewall and it has been a nice experience.
>>
>> My University has a range of IP numbers, under the same domain. They
>> have been named hiis after the domain name. This is done in the hosts
>> file.
>>
>> My problem is that I can not avoid using the hosts configuration.
>>
>> My Question is: Is it possible to achieve this without using the
>> hosts configuration?
>> ...
>> #ZONE   HOST(S)                                 OPTIONS
>> hiis    eth2:130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18 \
>>         tcpflags
>> any     eth2:0.0.0.0/0                          tcpflags
>
> An alternative is to put those IP addresses in params like this:
>
> HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18
>
> and then add a rule that checks for it, e.g.:
>
> ACCEPT any:$HIIS $FW tcp 80
>

Another thing that you can consider is to combine the shell variable with an action:

/etc/shorewall/params:

    HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18

/etc/shorewall/actions:

    hiis

/etc/shorewall/action.hiis:

    ACCEPT  $HIIS

/etc/shorewall/rules:

    hiis    all     $FW     tcp     80

The advantage of this approach is that only TCP connections to port 80 go through the 'hiis' action chain. If you do it as Paul suggests, ALL connection requests go through a series of 5 rules, each of which tests for tcp port 80 and a particular source network.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
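The params/action layout Tom describes, written out as complete files with the standard column headers. This is an added example, not a file set posted in the thread; the network list is the one from Anna's post, the section headers name the file each part belongs in, and the column layouts are assumed to match Shorewall 3.4.x. Paul's flat rule is included in a comment at the end so the two approaches can be compared side by side.

```shorewall
# Added example: params + user action, as described by Tom.
# File boundaries are marked by the '---- /etc/shorewall/... ----' comments.

# ---- /etc/shorewall/params -------------------------------------------
# Shell-style assignment; $HIIS is expanded wherever it appears below.
HIIS=130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18

# ---- /etc/shorewall/actions ------------------------------------------
# Declares the user-defined action; Shorewall then reads action.hiis.
#ACTION
hiis

# ---- /etc/shorewall/action.hiis --------------------------------------
# Inside an action file the SOURCE column is a host list, not a zone.
# The comma-separated list expands to one ACCEPT per network; a request
# matching none of them returns from the action chain and continues with
# the rules that follow the 'hiis' entry, and finally the policy.
#TARGET SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/
#                                       PORT(S) PORT(S) LIMIT   GROUP
ACCEPT  $HIIS

# ---- /etc/shorewall/rules --------------------------------------------
# Only tcp/80 requests enter the action chain; every other connection
# request skips the five per-network tests entirely.
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE
#                               PORT(S) PORT(S) DEST            LIMIT
hiis    all     $FW     tcp     80

# For comparison, Paul's single rule (commented out here). It expands to
# five rules in the main chain, each testing tcp/80 plus one network, and
# every connection request is checked against all five before moving on:
#ACCEPT any:$HIIS       $FW     tcp     80
```

Run `shorewall check` after editing to have the compiler validate the action and rules files before a `shorewall restart`; a typo in the params list shows up there rather than as a silently unmatched network.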
On Tue, 2008-05-20 at 08:54 -0700, Tom Eastep wrote:
> The advantage of this approach is that only TCP connections to port 80
> go through the 'hiis' action chain. If you do it as Paul suggests, ALL
> connection requests go through a series of 5 rules, each of which
> tests for tcp port 80 and a particular source network.

That is more efficient, especially if there are many rules.

Thanks for showing me this possibility.

--
Kindest Regards, Anna Jonna Ármannsdóttir,       %& A: Because people read from top to bottom.
Unix System Administration, Computing Services,  %& Q: Why is top posting bad?
University of Iceland.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Anna Jonna Armannsdottir wrote:
> On Tue, 2008-05-20 at 08:54 -0700, Tom Eastep wrote:
>> The advantage of this approach is that only TCP connections to port 80
>> go through the 'hiis' action chain. If you do it as Paul suggests, ALL
>> connection requests go through a series of 5 rules, each of which
>> tests for tcp port 80 and a particular source network.
> That is more efficient, especially if there are many rules.
>
> Thanks for showing me this possibility.

What I can't understand is why you want to avoid the use of the hosts file in the first place. Having a zone that matches your targets is the most flexible way to manage traffic to and from those hosts.

Paul
On Wed, 2008-05-21 at 05:54 +1000, Paul Gear wrote:
> What I can't understand is why you want to avoid the use of the hosts
> file in the first place. Having a zone that matches your targets is
> the most flexible way to manage traffic to and from those hosts.

Hi Paul, the reason is, that my configuration was not behaving as I expected and the documentation does not recommend using hosts. At least it does not recommend using the hosts file the way I am using it. Maybe if I configure by the book, the results will be as I expected.

--
Kindest Regards, Anna Jonna Ármannsdóttir,       %& A: Because people read from top to bottom.
Unix System Administration, Computing Services,  %& Q: Why is top posting bad?
University of Iceland.
Anna Jonna Armannsdottir wrote:
> the reason is, that my configuration was not behaving as I
> expected and the documentation does not recommend using
> hosts. At least it does not recommend using the hosts file
> the way I am using it.
> Maybe if I configure by the book, the results will be as
> I expected.
>

Anna,

When the hosts file doesn't yield the expected results, the cause is usually the order in which the zones are defined. You must either ensure that sub-zones appear before parent zones or use the zone:parent,... syntax.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
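A hosts-file zone laid out the way Tom's last two replies describe: the university ranges as a zone of their own, nested inside the zone for the rest of eth2, with the policy naming the zone directly rather than a variable. This is an added example and not configuration from the thread; the networks are Anna's, while the zone name `loc` for the remainder of eth2, the `fw` firewall zone name (Shorewall's default for `$FW`), the chosen policies and the 3.4.x column layouts are assumptions.

```shorewall
# Added example: zone defined in hosts, nested under the interface-wide zone.
# File boundaries are marked by the '---- /etc/shorewall/... ----' comments.

# ---- /etc/shorewall/interfaces ---------------------------------------
# '-' in the ZONE column: every zone on eth2 is defined in the hosts file.
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       eth2            detect          tcpflags,logmartians,routefilter

# ---- /etc/shorewall/zones --------------------------------------------
# 'hiis:loc' is the zone:parent syntax Tom mentions: hiis is nested inside
# loc, so its rules and policy are applied before loc's. Without the ':loc'
# suffix the same nesting must be expressed by order alone, i.e. hiis
# listed before loc, because when a host belongs to two zones the zone
# defined first is the one whose rules are consulted first.
#ZONE       TYPE        OPTIONS
fw          firewall
hiis:loc    ipv4
loc         ipv4

# ---- /etc/shorewall/hosts --------------------------------------------
# Both zones share eth2: hiis is the university ranges, loc is everything
# else that arrives on the interface.
#ZONE   HOST(S)                                         OPTIONS
hiis    eth2:130.208.67.0/24,130.208.68.0/22,130.208.72.0/21,130.208.96.0/19,130.208.128.0/18 \
        tcpflags
loc     eth2:0.0.0.0/0                                  tcpflags

# ---- /etc/shorewall/policy -------------------------------------------
# Because hiis is a real zone, the policy can name it; a variable such as
# '$HIIS $FW ACCEPT' is not allowed in this file (Tom's earlier reply).
# The hiis line must precede the loc line so the sub-zone wins for its
# own hosts; everything else on eth2 is dropped and logged.
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
$FW     all     ACCEPT
hiis    $FW     ACCEPT
loc     $FW     DROP    info
all     all     REJECT  info
```

As with any policy change, `shorewall check` will report an interface/zone mismatch (for example a zone used in policy but never given hosts) before the rules are loaded, which is the quickest way to confirm the nesting is declared the way you intended.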