Is there an easier way to do ACLs in Shorewall?

I am currently writing out lots of lines in the rules file that differ only by an IP address.

Instead of writing rules like:

SSH(ACCEPT) wan:some.ip.addr dmz tcp 22
SSH(ACCEPT) wan:ano.ther.ip.addr dmz tcp 22
SSH(ACCEPT) wan:home.ip.addr dmz tcp 22

Can I do something like:

#/etc/shorewall/acls
trusted some.ip.addr
trusted ano.ther.ip.addr
trusted home.ip.addr

#/etc/shorewall/rules
SSH(ACCEPT) wan:trusted dmz tcp 22

Am I missing something in the docs?

The reason I'm asking is one particular client is expanding rapidly and the offices need to 'mesh'. Each new office requires me to add another line to all the existing firewalls. It's easy with a handful of offices. It's much more difficult with hundreds of offices.

-A

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
On 11/26/2012 10:23 AM, Aaron C. de Bruyn wrote:
> Is there an easier way to do ACLs in Shorewall?
> I am currently writing out lots of lines in the rules file that differ
> only by an IP address.
>
> Instead of writing rules like:
> SSH(ACCEPT) wan:some.ip.addr dmz tcp 22
> SSH(ACCEPT) wan:ano.ther.ip.addr dmz tcp 22
> SSH(ACCEPT) wan:home.ip.addr dmz tcp 22
>
> Can I do something like:
> #/etc/shorewall/acls
> trusted some.ip.addr
> trusted ano.ther.ip.addr
> trusted home.ip.addr
>
> #/etc/shorewall/rules
> SSH(ACCEPT) wan:trusted dmz tcp 22
>
> Am I missing something in the docs?

ipsets?

-Tom
--
Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \   died peacefully in his sleep. Not screaming like
Washington, USA         \   all of the passengers in his car
http://shorewall.net     \________________________________________________
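As an added illustration of Tom's one-word answer (this is example code, not from the thread or the Shorewall project): Shorewall lets a rule's SOURCE column reference a kernel ipset as `zone:+setname`, so the membership list lives in the set and the rules file stays at one line. The script below builds the `ipset restore` input for a set from a list of IPv4 addresses and rejects malformed entries before they can reach the firewall, then prints the rules line that references the set. The set name `trusted`, the zone names `wan` and `dmz` from the original question, and the 203.0.113.x / 198.51.100.x addresses are constructed sample values; the `ipset` invocations are left as comments so the script itself has no side effects.

```shell
#!/bin/sh
# Added example (not from the thread): generate "ipset restore" input for a
# "trusted" set and the matching Shorewall rules line. Set name, zone names
# and addresses are hypothetical/constructed sample data.

# is_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with each octet in 0..255
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ') # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ipset_restore SETNAME ADDR... -> prints restore input on stdout.
# Prints nothing and returns 1 if any address fails validation, so a bad
# entry never produces a partial set.
gen_ipset_restore() {
    set_name=$1; shift
    out="create $set_name hash:ip family inet"
    for addr in "$@"; do
        if ! is_ipv4 "$addr"; then
            echo "rejecting invalid address: $addr" >&2
            return 1
        fi
        out="$out
add $set_name $addr"
    done
    printf '%s\n' "$out"
}

# shorewall_rule SETNAME -> the /etc/shorewall/rules line referencing the set
# ("+setname" in the SOURCE column is Shorewall's ipset syntax).
shorewall_rule() {
    printf 'SSH(ACCEPT) wan:+%s dmz tcp 22\n' "$1"
}

# Runtime steps (commented out; require root and the ipset tool):
#   gen_ipset_restore trusted 203.0.113.10 203.0.113.20 > /tmp/trusted.ipset
#   ipset -exist restore < /tmp/trusted.ipset   # create/refresh the set
#   shorewall_rule trusted >> /etc/shorewall/rules
# The set must exist before "shorewall start"; SAVE_IPSETS in shorewall.conf
# lets Shorewall save and restore set contents across restarts.
gen_ipset_restore trusted 203.0.113.10 203.0.113.20 198.51.100.5
shorewall_rule trusted
```

Because the set is updated with `ipset add`/`ipset del` at runtime, adding an office means touching the set on each firewall rather than editing and recompiling every rules file; the validation step matters because a typo in a central address list would otherwise be pushed to hundreds of hosts.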
Thanks Tom--that's exactly what I'm looking for.

-A

On Mon, Nov 26, 2012 at 11:05 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On 11/26/2012 10:23 AM, Aaron C. de Bruyn wrote:
>> Is there an easier way to do ACLs in Shorewall?
>> I am currently writing out lots of lines in the rules file that differ
>> only by an IP address.
>>
>> Instead of writing rules like:
>> SSH(ACCEPT) wan:some.ip.addr dmz tcp 22
>> SSH(ACCEPT) wan:ano.ther.ip.addr dmz tcp 22
>> SSH(ACCEPT) wan:home.ip.addr dmz tcp 22
>>
>> Can I do something like:
>> #/etc/shorewall/acls
>> trusted some.ip.addr
>> trusted ano.ther.ip.addr
>> trusted home.ip.addr
>>
>> #/etc/shorewall/rules
>> SSH(ACCEPT) wan:trusted dmz tcp 22
>>
>> Am I missing something in the docs?
>
> ipsets?
>
> -Tom
> --
> Tom Eastep            \   When I die, I want to go like my Grandfather who
> Shoreline,             \   died peacefully in his sleep. Not screaming like
> Washington, USA         \   all of the passengers in his car
> http://shorewall.net     \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep wrote on 26-11-2012 20:05:
>> #/etc/shorewall/rules
>> SSH(ACCEPT) wan:trusted dmz tcp 22
>> Am I missing something in the docs?
> ipsets?

blrules with a whitelist entry?
Aaron C. de Bruyn wrote on 26-11-2012 20:14:
> Thanks Tom--that's exactly what I'm looking for.

Sure? man shorewall-blrules, see whitelist.
Hi,

what do you think about this - relative to /etc/shorewall:

in the params file define:

TRUSTED="1.2.3.4,9.8.7.6"

and then use it in the rules file like:

SSH(ACCEPT) wan:$TRUSTED dmz

or you could define a new zone and then assign IPs to the zone in the hosts file and use a simple rule:

hosts:
trust eth0:1.2.3.4,9.8.7.6

rules:
SSH(ACCEPT) trust dmz

Best regards,
--
Karel Ziegler
e-mail: ziegleka@gmail.com

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: INSIGHTS
What's next for parallel hardware, programming and related areas? Interviews and blogs by thought leaders keep you ahead of the curve.
http://goparallel.sourceforge.net