Yeah that's what I was aiming for now (external script running on
NetworkManager dispatch event).
I was just checking if I didn't miss any features already there.
For now, I think it's easiest to just have a few config directories.
I let the script set up a 'current' symlink and restart shorewall with that.
This might quickly grow out of control, and the amount of duplication in the
configs is quite a lot, but most of the time, firewall rules are something I
set up once, and don't change a lot anymore, until a revision some 5 years
If it bothers me, I might look into params / conditional blocks.
On Wed, Aug 10, 2011 at 9:08 PM, Ed W <lists@...> wrote:
> On 10/08/2011 04:10, Tom Eastep wrote:
> > On Aug 9, 2011, at 3:03 PM, Mathijs Kwik wrote:
> >> Hi all,
> >> I like the higher-level concept of zones in shorewall, however, on
> >> portable devices, defining a zone just by an interface seems somewhat
> >> limited.
> >> I use my notebook at home, at work, in public places / conferences and
> >> on the road using my mobile phone as access point.
> >> I would like to apply different rules on all these networks (zones).
> >> I use both interfaces (eth0, wlan0, but never at the same time) at
> >> home and at work.
> >> Connections at public places and direct internet connection via my
> >> mobile phone are always on wlan0.
> >> Basically, what interface I use doesn't matter to me, what matters is
> >> what network I connect to (never multiple networks at once).
> >> Is there a way to use other data to detect what zone we're in?
> >> Looking at the essid for the currently connected access point, or at
> >> the mac address of the dhcp server, or at the presence of certain
> >> other machines in the network are possible candidates I think.
> >> Is there anything in place to do this?
> > Shorewall currently supports nothing along that line.
> But couldn't NetworkManager, OpenRC, dhcpcd or whatever tool you use to
> manage your networks set some variables for you to indicate the type of
> network you are on? This could be pulled in as some kind of shorewall
> variable and then ... take it from there..?
> I think the first bit is somewhat outside of the scope of pure
> shorewall, it's a bit like shorewall-init is an external project. I
> think you would need to use your NetworkManager/dhcpcd/etc scripts to
> pass some higher level "summary" of the network "name" to shorewall and
> have that react accordingly.
> Not sure how to interface that with "zones" though? Zones are more like
> an intersection of IP and interface and not really a "state" kind of
> concept? I would have thought you want something more like conditional
> blocks of rules? I guess those could be implemented via "actions" -
> note that those can be coded in perl, so you can potentially create some
> action that achieves the effect of allowing you to have rules.wireless,
> rules.home, rules.office, etc and switch between them based on various
> external triggers (might even be easier to simply switch "rules" for one
> of those files though..)
> The idea seems interesting - good luck
> Ed W
> Shorewall-users mailing list
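A dispatcher hook of the kind discussed in this thread (NetworkManager event selects a per-network config directory, repoints a 'current' symlink and restarts Shorewall from it), written here as an added illustration and not code from any of the posters. The profile directory layout, the ESSID/DHCP-to-profile mapping, the use of iwgetid and the DHCP4_DHCP_SERVER_IDENTIFIER variable name are assumptions.

```shell
#!/bin/sh
# Hypothetical NetworkManager dispatcher hook, e.g. /etc/NetworkManager/dispatcher.d/90-shorewall.
# NetworkManager invokes it as: <script> <interface> <action>
# Assumed layout: one Shorewall config directory per network under $PROFILE_BASE,
# plus a 'current' symlink that the hook repoints before restarting.
PROFILE_BASE="${PROFILE_BASE:-/etc/shorewall/profiles}"
SHOREWALL="${SHOREWALL:-shorewall}"

log() { logger -t shorewall-profile "$*" 2>/dev/null || echo "shorewall-profile: $*" >&2; }

# Map a network identifier (ESSID or DHCP server address) to a profile name.
# Anything not explicitly recognised gets the most restrictive profile.
profile_for() {
    case "$1" in
        home-wifi|home-lan)  echo home ;;
        corp-*|office-lan)   echo office ;;
        *)                   echo public ;;
    esac
}

# Identify the network the interface just joined.  Wireless: the ESSID from
# iwgetid (wireless-tools).  Wired: the DHCP server identifier NetworkManager
# exports to dispatcher scripts (assumed variable name); "unknown" otherwise.
network_id() {
    case "$1" in
        wlan*) iwgetid -r "$1" 2>/dev/null || echo unknown ;;
        *)     echo "${DHCP4_DHCP_SERVER_IDENTIFIER:-unknown}" ;;
    esac
}

# Point 'current' at the chosen profile directory and restart Shorewall from it
# (start/restart accept a config directory to search ahead of CONFIG_PATH).
activate() {
    target="$PROFILE_BASE/$1"
    if [ ! -d "$target" ]; then
        log "no profile directory $target, leaving firewall as is"
        return 1
    fi
    ln -sfn "$target" "$PROFILE_BASE/current"
    log "switching to profile $1"
    "$SHOREWALL" restart "$PROFILE_BASE/current"
}

# Dispatcher entry point: only react to interface up/down events.
case "${2:-}" in
    up)   activate "$(profile_for "$(network_id "$1")")" ;;
    down) activate public ;;   # interface gone: fall back to the restrictive profile
esac
```

An ESSID or DHCP server address only loosely identifies a network, so the fallback to the most restrictive profile for anything unrecognised is what makes the automatic switch safe.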