Andrew Suffield wrote:
> ...
> Then, for the example rules lines in
> http://www.shorewall.net/PortKnocking.html, here are translations:
> 
> 
> #ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
> SSHKnock         net               $FW            tcp         22,1599,1600,1601
> 
> becomes:
> 
> PERL Knock 'net', 'loc:192.168.1.5', {target => 22, knocker => 1600, trap => [1599, 1601]};
> 
> and:
> 
> #ACTION          SOURCE            DEST            PROTO       DEST PORT(S)    SOURCE PORT(S)  ORIGINAL DEST
> DNAT-            net               loc:192.168.1.5 tcp         22              -               206.124.146.178
> SSHKnock         net               $FW             tcp         1599,1600,1601
> SSHKnock         net               loc:192.168.1.5 tcp         22              -               206.124.146.178
> 
> becomes:
> 
> DNAT-            net               loc:192.168.1.5 tcp         22              -               206.124.146.178
> PERL Knock 'net', '$FW', {name => 'SSH', knocker => 1600, trap => [1599, 1601]};
> PERL Knock 'net', 'loc:192.168.1.5', {name => 'SSH', target => 22, original_dest => '206.124.136.178'};

My question is: how many people would actually prefer and use the newer
syntax?  The cleanness of rules is one of Shorewall's major draws.  I
would personally rather maintain the clean-looking rules file and wear
the fact that some of the config is in the action.  The number of port
knocking rules on any given firewall is likely to be 0 or 1, so it
doesn't seem like a big win for me.  Perhaps another example of its use
might be more convincing... ;-)

-- 
Paul
<http://paul.gear.dyndns.org/>
--
Are you tired of the major political parties?  Do you want to make a
difference with your vote?  Please support the Family First Party in
your local electorate, and Jeff Buchanan and the Queensland Senate team.
See <http://www.familyfirstqld.org.au/> for more details, or ask me
about how you can help in the electorate of Bowman.

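As an added illustration of what the quoted Knock parameters express (this is not code from the thread or from Shorewall), a small Python model of the SSHKnock action's state: target 22, knocker 1600 and trap ports 1599/1601 as in the quoted rules. The 60-second window and the set/remove/rcheck behaviour are assumptions modelled on the iptables `recent` match the action relies on; the traffic is constructed.

```python
from dataclasses import dataclass, field

# Constructed parameters mirroring the Knock call quoted in the thread:
# target => 22, knocker => 1600, trap => [1599, 1601].  The 60 s window is
# an assumption, taken from the iptables 'recent' match the action uses.
TARGET, KNOCKER, TRAPS, WINDOW = 22, 1600, {1599, 1601}, 60


@dataclass
class KnockPolicy:
    """Model of the SSHKnock action's state: a knock on KNOCKER records the
    source (--set), a hit on a trap port forgets it (--remove), and TARGET
    is accepted only if the source was recorded within WINDOW seconds
    (--rcheck --seconds WINDOW).  Other ports are left to the policy."""
    recent: dict = field(default_factory=dict)  # src -> time of last knock

    def packet(self, src: str, dport: int, now: float) -> str:
        if dport == TARGET:
            seen = self.recent.get(src)
            armed = seen is not None and now - seen <= WINDOW
            return "ACCEPT" if armed else "DROP"
        if dport == KNOCKER:
            self.recent[src] = now               # re-arm the window
            return "DROP"
        if dport in TRAPS:
            self.recent.pop(src, None)           # trap port disarms the source
            return "DROP"
        return "POLICY"                          # not covered by the action

def verdicts(events):
    """Run a sequence of (time, src, dport) packets through one policy."""
    policy = KnockPolicy()
    return [policy.packet(src, dport, t) for t, src, dport in events]

# Constructed traffic (RFC 5737 addresses), not captured data.
LEGIT = "203.0.113.7"
SCANNER = "198.51.100.9"
SAMPLE = [
    (0, LEGIT, 22),        # no knock yet -> DROP
    (1, LEGIT, 1600),      # knock
    (2, LEGIT, 22),        # inside the window -> ACCEPT
    (3, LEGIT, 1601),      # trap clears the entry
    (4, LEGIT, 22),        # disarmed again -> DROP
    (5, LEGIT, 1600),      # knock, then wait too long
    (70, LEGIT, 22),       # window expired -> DROP
    (10, SCANNER, 1599),   # sequential scan: trap, knocker, trap
    (11, SCANNER, 1600),
    (12, SCANNER, 1601),
    (13, SCANNER, 22),     # scanner ends disarmed -> DROP
]
```

The sequential scan shows why the two trap ports bracket the knocker: a port-by-port sweep always hits a trap after the knock and disarms itself.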

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
