From: Tom E. <te...@sh...> - 2005-09-02 18:41:48
Steve Herber wrote:

> The great responses I got to my original question reminded me of another
> problem I have with the zone file which is remembering the order in
> which zones and subzones need to be placed in the zones file.

At the front of the zone file is the following:

# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED
# OR OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.

This reminds me of Paul's remark from an earlier post:

>> I think rather than major changes, a simple, highly-visible comment
>> about $FW would solve Steve's issue, and require no changes.

Steve's current issue illustrates the marginal effectiveness of "highly-visible comments".

> With the new 3.0 format can zones and subzones be defined instead
> of implied by order? Does the syntax below work?

No. 'subzone' is not a type of zone but rather expresses a topological relationship between zones. A better syntax would be:

    <zone>[:<parent list>] <type> <options> ...

This would impose a (totally different) order on the zone definitions since I would require the <parent list> zones to be defined before their sub-zone(s). So you would still need to order the zone list properly and you would be required to type more than you currently do.

I recently made a weekend-long attempt to do something smarter with subzones (using similar syntax to what I showed above) and concluded that it would require a revolutionary rather than an evolutionary change. So unless the fundamental algorithms of Shorewall are redesigned, the order of the zones in the zone list will continue to determine the overall order of the generated rules. About all that the above syntactic sugar could accomplish in the near term would be to cause the zone list to be sorted so that subzones appeared before all of their parents. That strikes me as "false advertising".

-Tom
-- 
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                \ http://shorewall.net
Washington USA            \ te...@sh...
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key
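The two ordering rules in the post, parents-before-subzones for the sketched `<zone>[:<parent list>] <type> <options>` syntax and subzones-before-parents for the existing zones file, can be made mechanical. The checker below is an added example written for this archive page; it is not Shorewall code, and the syntax it parses is only the one sketched in the message. It assumes a comma separates entries in the parent list, that `#` starts a comment, and that the zone type column (`ipv4`, `firewall` in the constructed sample) is carried through without interpretation. `parse_zones` rejects a file whose parent zones are not defined first, and `subzones_first` produces the order in which nested zones would have to appear in the existing file (every subzone ahead of all of its parents, unrelated zones keeping their file order).

```python
# Added example (not Shorewall's own code): checker for the zone-file syntax
# sketched in the post, <zone>[:<parent list>] <type> <options> ...
# Assumptions: ',' separates parents, '#' starts a comment, and zone types
# are only carried through, not interpreted.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ZoneDef:
    name: str
    parents: List[str]
    ztype: str
    options: List[str] = field(default_factory=list)


def parse_zone_line(line: str) -> ZoneDef:
    """Split one definition; the first field is <zone> or <zone>:<p1>,<p2>."""
    fields = line.split()
    head, rest = fields[0], fields[1:]
    if ":" in head:
        name, parent_spec = head.split(":", 1)
        parents = [p for p in parent_spec.split(",") if p]
    else:
        name, parents = head, []
    ztype = rest[0] if rest else ""
    return ZoneDef(name, parents, ztype, rest[1:])


def parse_zones(text: str) -> Tuple[List[ZoneDef], List[str]]:
    """Parse a whole file, enforcing the rule the post states for the
    proposed syntax: every zone named in <parent list> must already be defined."""
    zones, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        zone = parse_zone_line(line)
        if zone.name in seen:
            errors.append(f"line {lineno}: zone '{zone.name}' defined twice")
        for parent in zone.parents:
            if parent not in seen:
                errors.append(f"line {lineno}: parent '{parent}' of "
                              f"'{zone.name}' is not defined before it")
        seen.add(zone.name)
        zones.append(zone)
    return zones, errors


def subzones_first(zones: List[ZoneDef]) -> List[str]:
    """Reorder so every subzone precedes all of its parents, the order the
    existing zones file needs for nested zones. depth = length of the longest
    parent chain above a zone; deeper zones come first, ties keep file order.
    Call only after parse_zones() reported no errors."""
    depth = {}
    for zone in zones:
        depth[zone.name] = 1 + max((depth[p] for p in zone.parents), default=-1)
    ranked = sorted(zones, key=lambda z: -depth[z.name])  # sorted() is stable
    return [z.name for z in ranked]


# Constructed sample in the proposed syntax (parents defined first).
GOOD_ZONES = """\
# ZONE            TYPE      OPTIONS
fw                firewall
net               ipv4
loc               ipv4
dmz               ipv4
vpn:loc           ipv4
branch:vpn,dmz    ipv4
"""

# Constructed sample that violates the parents-first requirement.
BAD_ZONES = """\
vpn:loc   ipv4
loc       ipv4
"""

if __name__ == "__main__":
    zones, errors = parse_zones(GOOD_ZONES)
    print("errors:", errors)
    print("subzone-first order:", subzones_first(zones))
    print("bad file errors:", parse_zones(BAD_ZONES)[1])
```

Running the script reports no errors for the first sample and lists `branch, vpn, fw, net, loc, dmz` as the subzone-first order, while the second sample is rejected because `loc` is used as a parent before it is defined.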