Hi all,

I like the higher-level concept of zones in shorewall, however, on
portable devices, defining a zone just by an interface seems somewhat
limited.
I use my notebook at home, at work, in public places / conferences and
on the road using my mobile phone as access point.
I would like to apply different rules on all these networks (zones).
I use both interfaces (eth0, wlan0, but never at the same time) at
home and at work.
Connections at public places and direct internet connection via my
mobile phone are always on wlan0.

Basically, what interface I use doesn't matter to me, what matters is
what network I connect to (never multiple networks at once).
Is there a way to use other data to detect what zone we're in?
Looking at the essid for the currently connected access point, or at
the mac address of the dhcp server, or at the presence of certain
other machines in the network are possible candidates I think.
Is there anything in place to do this?

Thanks,
Mathijs

------------------------------------------------------------------------------
uberSVN's rich system and user administration capabilities and model
configuration take the hassle out of deploying and managing Subversion and
the tools developers use with it. Learn more about uberSVN and get a free
download at: http://p.sf.net/sfu/wandisco-dev2dev
On Aug 9, 2011, at 3:03 PM, Mathijs Kwik wrote:

> Hi all,
>
> I like the higher-level concept of zones in shorewall, however, on
> portable devices, defining a zone just by an interface seems somewhat
> limited.
> I use my notebook at home, at work, in public places / conferences and
> on the road using my mobile phone as access point.
> I would like to apply different rules on all these networks (zones).
> I use both interfaces (eth0, wlan0, but never at the same time) at
> home and at work.
> Connections at public places and direct internet connection via my
> mobile phone are always on wlan0.
>
> Basically, what interface I use doesn't matter to me, what matters is
> what network I connect to (never multiple networks at once).
> Is there a way to use other data to detect what zone we're in?
> Looking at the essid for the currently connected access point, or at
> the mac address of the dhcp server, or at the presence of certain
> other machines in the network are possible candidates I think.
> Is there anything in place to do this?
>

Shorewall currently supports nothing along that line.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 10/08/2011 04:10, Tom Eastep wrote:

>
> On Aug 9, 2011, at 3:03 PM, Mathijs Kwik wrote:
>
>> Hi all,
>>
>> I like the higher-level concept of zones in shorewall, however, on
>> portable devices, defining a zone just by an interface seems somewhat
>> limited.
>> I use my notebook at home, at work, in public places / conferences and
>> on the road using my mobile phone as access point.
>> I would like to apply different rules on all these networks (zones).
>> I use both interfaces (eth0, wlan0, but never at the same time) at
>> home and at work.
>> Connections at public places and direct internet connection via my
>> mobile phone are always on wlan0.
>>
>> Basically, what interface I use doesn't matter to me, what matters is
>> what network I connect to (never multiple networks at once).
>> Is there a way to use other data to detect what zone we're in?
>> Looking at the essid for the currently connected access point, or at
>> the mac address of the dhcp server, or at the presence of certain
>> other machines in the network are possible candidates I think.
>> Is there anything in place to do this?
>>
>
> Shorewall currently supports nothing along that line.

But couldn't NetworkManager, OpenRC, dhcpcd or whatever tool you use to
manage your networks set some variables for you to indicate the type of
network you are on? This could be pulled in as some kind of shorewall
variable and then ... take it from there..?

I think the first bit is somewhat outside of the scope of pure
shorewall, it's a bit like shorewall-init is an external project. I
think you would need to use your NetworkManager/dhcpcd/etc scripts to
pass some higher level "summary" of the network "name" to shorewall and
have that react accordingly.

Not sure how to interface that with "zones" though? Zones are more like
an intersection of IP and interface and not really a "state" kind of
concept? I would have thought you want something more like conditional
blocks of rules? I guess those could be implemented via "actions" -
note that those can be coded in perl, so you can potentially create some
action that achieves the effect of allowing you to have rules.wireless,
rules.home, rules.office, etc and switch between them based on various
external triggers (might even be easier to simply switch "rules" for one
of those files though..)

The idea seems interesting - good luck

Ed W
Yeah that's what I was aiming for now (external script running on
NetworkManager dispatch event).
I was just checking if I didn't miss any features already there.

For now, I think it's easiest to just have a few config directories.
I let the script set up a 'current' symlink and restart shorewall with
that.

This might quickly grow out of control, and the amount of duplication
in the configs is quite a lot, but most of the time, firewall rules
are something I set up once, and don't change a lot anymore, until a
revision some 5 years later.
If it bothers me, I might look into params / conditional blocks.

Thanks,
Mathijs

On Wed, Aug 10, 2011 at 9:08 PM, Ed W <lists@wildgooses.com> wrote:

> On 10/08/2011 04:10, Tom Eastep wrote:
> >
> > On Aug 9, 2011, at 3:03 PM, Mathijs Kwik wrote:
> >
> >> Hi all,
> >>
> >> I like the higher-level concept of zones in shorewall, however, on
> >> portable devices, defining a zone just by an interface seems somewhat
> >> limited.
> >> I use my notebook at home, at work, in public places / conferences and
> >> on the road using my mobile phone as access point.
> >> I would like to apply different rules on all these networks (zones).
> >> I use both interfaces (eth0, wlan0, but never at the same time) at
> >> home and at work.
> >> Connections at public places and direct internet connection via my
> >> mobile phone are always on wlan0.
> >>
> >> Basically, what interface I use doesn't matter to me, what matters is
> >> what network I connect to (never multiple networks at once).
> >> Is there a way to use other data to detect what zone we're in?
> >> Looking at the essid for the currently connected access point, or at
> >> the mac address of the dhcp server, or at the presence of certain
> >> other machines in the network are possible candidates I think.
> >> Is there anything in place to do this?
> >>
> >
> > Shorewall currently supports nothing along that line.
>
> But couldn't NetworkManager, OpenRC, dhcpcd or whatever tool you use to
> manage your networks set some variables for you to indicate the type of
> network you are on? This could be pulled in as some kind of shorewall
> variable and then ... take it from there..?
>
> I think the first bit is somewhat outside of the scope of pure
> shorewall, it's a bit like shorewall-init is an external project. I
> think you would need to use your NetworkManager/dhcpcd/etc scripts to
> pass some higher level "summary" of the network "name" to shorewall and
> have that react accordingly.
>
> Not sure how to interface that with "zones" though? Zones are more like
> an intersection of IP and interface and not really a "state" kind of
> concept? I would have thought you want something more like conditional
> blocks of rules? I guess those could be implemented via "actions" -
> note that those can be coded in perl, so you can potentially create some
> action that achieves the effect of allowing you to have rules.wireless,
> rules.home, rules.office, etc and switch between them based on various
> external triggers (might even be easier to simply switch "rules" for one
> of those files though..)
>
> The idea seems interesting - good luck
>
> Ed W
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
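As an added example (not code from the thread, from Shorewall or from NetworkManager), one way to implement the dispatcher-plus-symlink approach Mathijs describes, in POSIX sh. The profile names, the /etc/shorewall paths, the network table and the DHCP4_DHCP_SERVER_IDENTIFIER variable name are assumptions; the ESSID and the DHCP server's MAC are both supplied by the network itself, so the script only ever relaxes rules for an exact match and falls back to the most restrictive profile otherwise.

```shell
#!/bin/sh
# Hypothetical NetworkManager dispatcher script, assumed to be installed as
# /etc/NetworkManager/dispatcher.d/90-shorewall. Profile names, directory
# layout and the network table below are assumptions, not Shorewall defaults.

PROFILE_DIR=/etc/shorewall/profiles   # assumed: one config directory per network
CURRENT=/etc/shorewall/current        # assumed: symlink Shorewall is started from
DEFAULT_PROFILE=public                # unknown network: the most restrictive profile

# Map the ESSID and the DHCP server's MAC address to a profile name. Both
# values are chosen by whoever runs the network, so matching is exact and
# anything unrecognised falls back to the restrictive default rather than
# inheriting a trusted profile.
pick_profile() {
    case "$1|$2" in
        "home-ap|00:11:22:33:44:55")   echo home ;;
        "corp-wlan|aa:bb:cc:dd:ee:ff") echo office ;;
        "|aa:bb:cc:dd:ee:ff")          echo office ;;  # wired at work: no ESSID
        "phone-ap|"*)                  echo mobile ;;
        *)                             echo "$DEFAULT_PROFILE" ;;
    esac
}

# ESSID of a wireless interface (iwgetid from wireless-tools); empty for wired links.
current_essid() { iwgetid -r "$1" 2>/dev/null || true; }

# MAC of the DHCP server: NetworkManager exports the server identifier as
# DHCP4_DHCP_SERVER_IDENTIFIER (assumed name); resolve it via the neighbour table.
dhcp_server_mac() {
    [ -n "$DHCP4_DHCP_SERVER_IDENTIFIER" ] || return 0
    ip neigh show "$DHCP4_DHCP_SERVER_IDENTIFIER" dev "$1" 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

# Dispatcher entry point: $1 is the interface, $2 the NetworkManager action.
apply_profile() {
    iface=$1
    case "$2" in
        up|dhcp4-change) profile=$(pick_profile "$(current_essid "$iface")" \
                                                "$(dhcp_server_mac "$iface")") ;;
        down)            profile=$DEFAULT_PROFILE ;;  # link lost: back to restrictive
        *)               return 0 ;;                  # other events: nothing to do
    esac
    ln -sfn "$PROFILE_DIR/$profile" "$CURRENT"
    logger -t shorewall-profile "$iface: switching to profile '$profile'"
    shorewall restart "$CURRENT"
}

if [ $# -ge 2 ]; then apply_profile "$@"; fi
```

Every profile directory needs a complete Shorewall configuration, which is the duplication Mathijs mentions; the selection logic stays in one place so an unknown ESSID never gets the home or office rules.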
On Wed, 2011-08-10 at 21:43 +0200, Mathijs Kwik wrote:

> Yeah that's what I was aiming for now (external script running on
> NetworkManager dispatch event).
> I was just checking if I didn't miss any features already there.
>
>
> For now, I think it's easiest to just have a few config directories.
> I let the script set up a 'current' symlink and restart shorewall with
> that.

Shorewall also supports multiple configuration directories; see
http://www.shorewall.net/configuration_file_basics.htm#Levels

>
>
> This might quickly grow out of control, and the amount of duplication
> in the configs is quite a lot, but most of the time, firewall rules
> are something I set up once, and don't change a lot anymore, until a
> revision some 5 years later.
> If it bothers me, I might look into params / conditional blocks.

You can also put files that are the same in multiple configs in a
separate directory and use CONFIG_PATH.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 2011-08-10 at 12:53 -0700, Tom Eastep wrote:

> Shorewall also supports multiple configuration directories; see
> http://www.shorewall.net/configuration_file_basics.htm#Levels
>
>
> You can also put files that are the same in multiple configs in a
> separate directory and use CONFIG_PATH.

I should also point out that shell variable expansion occurs before
INCLUDE processing, so 'INCLUDE $RULES' is also a viable means to
achieve what you want.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________