johnny bowen
2013-Aug-20 04:11 UTC
Question about using Zones and hosts to define several IP addresses.
I'd like to better organize my rules file for a couple of lines that define several IP addresses. I have something like this:

ACCEPT net:192.168.0.0/24,192.168.1.0/24,192.168.3.0/24,192.168.7.34,192.168.5.43,etc,etc $FW tcp 3306

Anyway, my problem is that I list about 20 IPs and two ranges and it's a bit cluttered. I was reading into using zones and hosts and I was thinking I could do something like:

ZONE
myAsteriskComputers:net ipv4

Host
myAsteriskComputers net:(list all the ips here)

Rule
ACCEPT myAsteriskComputers $FW tcp 3306

Will that work?

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
Tom Eastep
2013-Aug-20 13:57 UTC
Re: Question about using Zones and hosts to define several IP addresses.
On 8/19/2013 9:11 PM, johnny bowen wrote:
> I'd like to better organize my rules file for a couple of lines that
> define several IP addresses. I have something like this
>
> ACCEPT net:192.168.0.0/24,192.168.1.0/24,192.168.3.0/24,192.168.7.34,192.168.5.43,etc,etc $FW tcp 3306
>
> Anyway my problem is that I list about 20 ips and two ranges and it's a
> bit cluttered. I was reading into using zones and hosts and I was
> thinking I could do something like:
>
> ZONE
> myAsteriskComputers:net ipv4
>
> Host
> myAsteriskComputers net:(list all the ips here)
>
> Rule
> ACCEPT myAsteriskComputers $FW tcp 3306
>
> will that work?

The concept is correct, but the name 'myAsteriskComputers' is much too long. See shorewall-zones(5) for restrictions on the length of a zone name.

There are other alternatives:

a) Shell Variable

/etc/shorewall/params:

ASTERISK=net:(list all the ips here)

/etc/shorewall/rules:

ACCEPT $ASTERISK $FW tcp 3306

b) Action

/etc/shorewall/actions:

Asterisk

/etc/shorewall/action.Asterisk:

ACCEPT (list all ips here)

/etc/shorewall/rules:

Asterisk net $FW tcp 3306

I personally use approach b) for allowing the Shorewall mirror sites access via rsync.

Note that in the action.Asterisk file, you can specify one ip per line as in:

ACCEPT ip1,\
       ip2,\
       ...
       ipn

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
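As an added worked example (not from the thread; the address list, the `astk` zone name and the `eth0` interface are placeholders), here are Tom's two alternatives side by side with the zone/hosts approach from the question, using a zone name kept short enough to satisfy the length restriction in shorewall-zones(5). All three grant the same tcp/3306 access to the firewall; pick one, not all three:

```text
# ---------------------------------------------------------------
# (a) Shell variable.  /etc/shorewall/params is sourced by the
#     shell, so the value must be a single shell word: no spaces
#     around the commas, or quote the whole value.
# ---------------------------------------------------------------
# /etc/shorewall/params
ASTERISK=net:192.168.0.0/24,192.168.1.0/24,192.168.3.0/24,192.168.7.34,192.168.5.43

# /etc/shorewall/rules
#ACTION    SOURCE       DEST    PROTO   DPORT
ACCEPT     $ASTERISK    $FW     tcp     3306

# ---------------------------------------------------------------
# (b) Action.  The rule hands every net->$FW tcp/3306 packet to the
#     action; only sources listed inside the action are ACCEPTed,
#     everything else falls through to the net->$FW policy.
#     Trailing backslashes continue the SOURCE column across lines.
# ---------------------------------------------------------------
# /etc/shorewall/actions
Asterisk

# /etc/shorewall/action.Asterisk
#ACTION    SOURCE
ACCEPT     192.168.0.0/24,\
           192.168.1.0/24,\
           192.168.3.0/24,\
           192.168.7.34,\
           192.168.5.43

# /etc/shorewall/rules
#ACTION    SOURCE    DEST    PROTO   DPORT
Asterisk   net       $FW     tcp     3306

# ---------------------------------------------------------------
# (c) Sub-zone of net defined in hosts.  The HOSTS column takes
#     interface:address-list, not a zone name.  Because astk is
#     nested inside net, rules written for net still match these
#     hosts as well.
# ---------------------------------------------------------------
# /etc/shorewall/zones
#ZONE       TYPE
fw          firewall
net         ipv4
astk:net    ipv4

# /etc/shorewall/hosts
#ZONE   HOSTS
astk    eth0:192.168.0.0/24,192.168.1.0/24,192.168.3.0/24,192.168.7.34,192.168.5.43

# /etc/shorewall/rules
#ACTION    SOURCE    DEST    PROTO   DPORT
ACCEPT     astk      $FW     tcp     3306
```

Whichever form you choose, run `shorewall check` first: it compiles the configuration without loading it, so a typo in the address list (or a zone name that is too long) is reported before the running ruleset is touched, and only then `shorewall restart`.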
johnny bowen
2013-Aug-20 18:04 UTC
Re: Question about using Zones and hosts to define several IP addresses.
Thanks Tom. Your alternatives are neater; defining a variable in params looks perfect for me.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users