Re: [Fwbuilder-discussion] [Fwd: "global" rules?]
From: <va...@vk...> - 2006-08-01 21:32:47
On Aug 1, 2006, at 8:58 PM, urgrue wrote:

> Vadim Kurland wrote:
>> I plan to work on this feature for the next major release, but it won't
>> be available in 2.1.
>>
>> With current versions (2.0.X and 2.1) you can create a firewall object
>> with all interfaces marked as 'dynamic'. The generated script will determine
>> their actual IP addresses at run time, so you can use the same script on
>> different firewall machines. You did not mention which firewall platform
>> you use, but this should work for iptables and pf.
>>
>> --vk
>>
>
> Thanks for your reply, and glad to hear this feature is on the todo list.
>
> I guess I could have one firewall specified as the "global FW" that
> would have ONLY the global rules, then add an epilog script which syncs
> the generated firewall script to the other firewalls, and all the other
> firewalls then have that script specified in their prolog section...
>
> The only problem I see is with interfaces. Some machines have 1
> interface, others have 5. For example, I can't set up a global INPUT rule,
> because when specifying inbound or outbound, fwbuilder insists I specify
> an interface. I suppose one way would be to have a generic "LocalHost"
> object that I can put in as the source or destination, instead of using
> in/outbound.

I see what you mean. Different numbers of interfaces make it difficult.

2.1 has some additional optimization that may help, provided you use iptables. If you put the firewall object in 'Destination' of a policy rule and leave the direction 'Both', then the compiler will place the rule in the INPUT chain and won't add code to discriminate by the destination address and interface. This seems to be the global INPUT rule you mention. The only restriction for this is that you can't have NAT rules translating to or from addresses that do not belong to interfaces of the firewall.

If this restriction is not too strong and can be satisfied, then this new optimization seems to be useful in your case. You could create a firewall object with one interface, or two, or any minimum number that is absolutely necessary to build the common rule set for all firewalls. You would then build all the rules using the firewall object if the rule controls sessions opened to or from the firewall itself, to get iptables code in the INPUT and OUTPUT chains.

--vk
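The two rule styles discussed in this thread, as an added illustration that is not fwbuilder output and not the project's own code: "global" INPUT rules that never mention an interface or address, beside interface-bound rules whose addresses are resolved at run time (the way 'dynamic' interfaces work), so one script is valid on a host with 1 or 5 interfaces. The `ip -4 -o addr show` text is a constructed sample; the function names are the example's own.

```sh
#!/bin/sh
# Hand-built iptables-restore fragment for the filter table (added example).

# Constructed sample of `ip -4 -o addr show` output so the example runs offline.
# On a real host use: IP_OUTPUT=$(ip -4 -o addr show)
IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever
3: eth1    inet 198.51.100.1/24 brd 198.51.100.255 scope global eth1\       valid_lft forever'

# Rules for traffic to the firewall itself, without -i or -d: valid unchanged
# on any host. This is the shape the "firewall object in Destination,
# direction Both" optimization produces for the INPUT chain.
global_input_rules() {
    cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# First IPv4 address of interface $1 taken from the `ip` text in $2, looked up
# when the script runs rather than baked in when it was generated.
iface_addr() {
    printf '%s\n' "$2" | awk -v dev="$1" '$2 == dev { sub(/\/.*/, "", $4); print $4; exit }'
}

# Interface-bound rules, emitted only for interfaces that exist on this host,
# so a machine with fewer interfaces simply gets fewer of them.
per_iface_rules() {
    printf '%s\n' "$1" | awk '$2 != "lo" { print $2 }' | sort -u | while read -r dev; do
        addr=$(iface_addr "$dev" "$1")
        [ -n "$addr" ] || continue
        # example service bound to each interface's own address: SNMP
        printf -- '-A INPUT -i %s -d %s -p udp --dport 161 -j ACCEPT\n' "$dev" "$addr"
    done
}

# Complete fragment: default-deny INPUT, loopback, global rules, per-interface rules.
emit_ruleset() {
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n'
    global_input_rules
    per_iface_rules "$1"
    printf 'COMMIT\n'
}

emit_ruleset "$IP_OUTPUT"   # as root, pipe the output into iptables-restore
```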