On Thu, 2011-09-29 at 17:30 +0100, Mr Dash Four wrote:
> >> Can I specify the zone(s) to which that whitelist applies (vpn in
> >> my example above) or is it just user id/owner?
> >>
> >
> > Just userid/owner at this point. To allow zone names, the implementation
> > of blacklisting will have to change rather dramatically (no blacklist
> > chains at all with the possible exception of 'blacklog').
> >
> Fair enough, though I am intrigued - what is the cause/obstacle(s) for
> not implementing it at this stage? What sort of big change in the
> blacklisting needs to happen in order for this to be implemented?
>
> I only used the zone names in my example as I thought together with the
> specified direction ("src" or "dst") it gives a "unique" reference as to
> where to include the whitelist (or blacklist for that matter, as this
> can also be implemented for blacklists as well).
>
> For example, "src,vpn,whitelist" uniquely identifies this, I think, as a
> "RETURN" condition in the blackout chain name (or whatever name you
> decide to call this) to be included/added in the fw2vpn chain.
> Similarly, "src,vpn" would identify a "DROP" condition for the blackout
> chain to be included on the fw2vpn chain - the same principle applies. I
> am, obviously, simplifying this (and there are probably more complex
> scenarios than that), but this is to clarify that the inclusion of a
> zone name is only for the purpose of identifying where this
> whitelist/blacklist condition goes. If there is another - easier - way,
> then so be it.

Today, if you don't specify a zone, then it means 'all zones'. So if my blacklist has three 'all' entries followed by one for zone 'z', followed by three more 'all' entries, I would presume that you would want the 7 entries applied in sequence for zone 'z', would you not? So, in effect, that means that every zone might need two blacklist chains - one for 'src' and one for 'dst'.

It is way too ugly to generate the code for a zone test inside of the blacklist chains because zones can be rather complicated things. The code to do that is implemented in the function Shorewall::Misc::generate_matrix() and close friends and I want to keep it that way. That means that 'all-zone' blacklist rules need to be inserted into each appropriate 'zX2zY' chain with the zone-specific rules interspersed among them.

-Tom.

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
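As an added illustration of the ordering problem Tom describes (my own example, not Shorewall's code; it assumes a simplified entry format in which a 'src' entry is matched against the chain's source zone, a 'dst' entry against its destination zone, and a missing zone means 'all zones'), this computes the per-'zX2zY' rule sequence, keeping the zone-specific entry in its original position among the all-zone entries:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (address, direction, action)


@dataclass(frozen=True)
class Entry:
    """One blacklist/whitelist line in the assumed simplified format."""
    address: str
    direction: str            # 'src' or 'dst'
    zone: Optional[str] = None  # None means the entry applies to all zones
    action: str = "DROP"      # a whitelist entry would use RETURN


def rules_for_chain(src_zone: str, dst_zone: str, blacklist: List[Entry]) -> List[Rule]:
    """Ordered rules that belong in the src_zone2dst_zone chain.

    An entry applies when it names no zone, or when it names the zone on the
    side its direction refers to. Order is preserved, so a zone-specific
    entry stays interspersed among the all-zone ones, as Tom describes.
    """
    rules: List[Rule] = []
    for e in blacklist:
        side = src_zone if e.direction == "src" else dst_zone
        if e.zone is None or e.zone == side:
            rules.append((e.address, e.direction, e.action))
    return rules


def generate_chains(zones: List[str], blacklist: List[Entry]) -> Dict[str, List[Rule]]:
    """Build every zX2zY chain (X != Y) from one ordered blacklist."""
    return {f"{a}2{b}": rules_for_chain(a, b, blacklist)
            for a in zones for b in zones if a != b}


# Constructed sample: three all-zone entries, one zone-'z' whitelist (RETURN)
# entry, three more all-zone entries, then a 'dst' entry specific to zone 'z'.
SAMPLE_BLACKLIST = [
    Entry("198.51.100.1", "src"), Entry("198.51.100.2", "src"), Entry("198.51.100.3", "src"),
    Entry("203.0.113.7", "src", "z", "RETURN"),
    Entry("198.51.100.4", "src"), Entry("198.51.100.5", "src"), Entry("198.51.100.6", "src"),
    Entry("192.0.2.9", "dst", "z"),
]
SAMPLE_ZONES = ["fw", "net", "z"]


def demo() -> Dict[str, List[Rule]]:
    """Chains for the constructed sample; z2net carries the RETURN in 4th place."""
    return generate_chains(SAMPLE_ZONES, SAMPLE_BLACKLIST)


if __name__ == "__main__":
    for name, rules in demo().items():
        print(name, [f"{d}:{a}->{act}" for a, d, act in rules])
```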
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
