On 11/22/12 4:06 PM, "Mr Dash Four" <mr.dash.f...@googlemail.com> wrote:
>>> The patch works, but there is one *massive* gotcha:
>>>
>>> if ipset is used (I assume that would be valid for any other IP
>>> address/subnet, ports, protocol values specified there as well) then the
>>> rules generated do not flip the src/dst designators around. For example:
>>>
>>> conntrack
>>> ~~~~~~~~~
>>> DROP all:+baddies-set
>>>
>>> will generate 2 sets of iptables statements all showing "baddies-set src"
>>> and not, as what seems the more logical thing, create "baddies-set src"
>>> for PREROUTING and "baddies-set dst" for OUTPUT, which may not be the
>>> initial intention. I seem to remember you had a similar arrangement with
>>> the dhcp option in "interfaces" as well as "routestopped".
>>
>> You need two entries if you want to drop traffic to/from +baddies-set:
>>
>> DROP all-:+baddies-set -
>> DROP all +baddies+set
>>
>> So I don't see anything broken here except that I need to add an example
>> to the manpages.
>
> I didn't say that it was, because it isn't.
>
> What I did point out to you is that the use of "all" in particular is not
> as straightforward as it seems, simply because if source/destination
> designators are used (either in ipsets, IP addresses or ports) they would
> be applied in *both* directions in the connection *without* flipping them
> around. In other words, if I use "all:+baddies-set" (assuming this is a
> one-dimensional set) that would mean match on a source designation ('src'
> match) in *both* directions of a particular connection, which in 99% of
> the cases out there wouldn't be desired.
>
> The use of "all-" is not intuitive, unless you can show me how that
> relates to the PREROUTING chain? Same goes for "$FW" too. That is why I
> suggested to you that you either allow the OUTPUT and PREROUTING chains
> to be explicitly selected - via "O" or "P", or any other
> appropriate/suitable/more intuitive options ("all-", "$FW" doesn't
> count), in order to avoid this confusion.
The use of 'all' and 'all-' is well-established in the rules file where
zones must be specified. What I could do is invent a FORMAT 3 which does
not accept zones but rather uses a paradigm similar to what you are
advocating. I'm not going to mix the two, though.

> Case in point of what I've just written - your example above.
>
> If I find it confusing, and it looks as though the use of "all" and
> "all-" is confusing you too (or, at least it isn't as straightforward to
> you, to the point that you can make an easy mistake and cock everything
> up as you did above), then how do you think other, less-knowledgeable,
> shall we say, shorewall users will find this?

The above rules (correcting the obvious typo in the second line) generate
these Netfilter rules:

Shorewall 4.5.10-Beta2 RAW Table at gateway - Thu Nov 22 17:05:20 PST 2012

Counters reset Thu Nov 22 17:05:16 PST 2012

Chain PREROUTING (policy ACCEPT 56 packets, 6169 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set baddies-set src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set baddies-set dst

Chain OUTPUT (policy ACCEPT 30 packets, 3710 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set baddies-set dst
root@gateway:/etc/shorewall#

That is exactly what I intended. Packets entering from outside and
addressed either to or from members of the baddies-set are dropped.
Similarly, traffic originating from the firewall itself and addressed to
members of the set is DROPPED.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
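As an added illustration of the src/dst point argued in the thread above (this is not Shorewall's code and was not part of the original exchange), the following Python model expands conntrack entries into raw-table rules under the zone-to-chain mapping the thread describes: 'all' lands in both PREROUTING and OUTPUT, 'all-' in PREROUTING only, '$FW' in OUTPUT only, and an ipset written as '+name' in the SOURCE column is always matched with 'src' while one in the DEST column is always matched with 'dst', in whichever chain the rule lands. Named zones, interface matches and the protocol/port columns are deliberately left out; the set name baddies-set is the one from the thread, and the 192.0.2.0/24 network in the test is a made-up sample.

```python
"""Toy model of how a Shorewall 'conntrack' file entry becomes raw-table
iptables rules.  Added example, not Shorewall's own code.

Only what the thread describes is modelled:
  * 'all'  in the SOURCE zone covers every zone including the firewall
    ($FW), so the rule lands in both PREROUTING and OUTPUT;
  * 'all-' covers every zone except $FW, so PREROUTING only;
  * '$FW'  covers the firewall only, so OUTPUT only;
  * an ipset '+name' in the SOURCE column is matched with 'src', one in
    the DEST column with 'dst', in every chain the rule lands in.  The
    designator is NOT flipped for OUTPUT, which is the gotcha discussed.
Named zones, interfaces and protocol/port columns are left out (assumption
for brevity, not a statement about Shorewall).
"""

ALL_CHAINS = ("PREROUTING", "OUTPUT")

# Zone keyword -> raw-table chains the rule is emitted into.
ZONE_CHAINS = {
    "all": ALL_CHAINS,          # every zone, firewall included
    "all-": ("PREROUTING",),    # every zone except the firewall
    "$FW": ("OUTPUT",),         # the firewall itself
}


def _address_match(addr, direction):
    """Render one address column as iptables arguments.

    direction is 'src' for the SOURCE column and 'dst' for DEST.
    '+name' is an ipset; anything else is taken as a host or network.
    '-' or an empty column means no restriction.
    """
    if addr in (None, "", "-"):
        return ""
    if addr.startswith("+"):
        return f"-m set --match-set {addr[1:]} {direction}"
    flag = "-s" if direction == "src" else "-d"
    return f"{flag} {addr}"


def conntrack_to_raw(entry):
    """Expand one entry 'ACTION SOURCE [DEST]' into raw-table rules in
    iptables-save syntax.  SOURCE is 'zone[:address]', DEST is an address."""
    fields = entry.split()
    if len(fields) < 2:
        raise ValueError(f"need at least ACTION and SOURCE: {entry!r}")
    action, source = fields[0], fields[1]
    dest = fields[2] if len(fields) > 2 else "-"

    zone, _, src_addr = source.partition(":")
    if zone not in ZONE_CHAINS:
        raise ValueError(f"zone {zone!r} not modelled (use all, all- or $FW)")

    matches = " ".join(m for m in (_address_match(src_addr, "src"),
                                   _address_match(dest, "dst")) if m)
    rules = []
    for chain in ZONE_CHAINS[zone]:
        parts = ["-A", chain]
        if matches:
            parts.append(matches)
        parts += ["-j", action]
        rules.append(" ".join(parts))
    return rules


def expand_file(entries):
    """Expand several entries, keeping file order within each chain, and
    return {chain: [rule, ...]} so both chains can be inspected at once."""
    by_chain = {chain: [] for chain in ALL_CHAINS}
    for entry in entries:
        for rule in conntrack_to_raw(entry):
            by_chain[rule.split()[1]].append(rule)
    return by_chain


if __name__ == "__main__":
    # The one-line attempt from the report: 'src' ends up in both chains.
    for rule in conntrack_to_raw("DROP all:+baddies-set"):
        print(rule)
    print()
    # The two-entry form from the reply (typo 'baddies+set' corrected):
    # PREROUTING gets src and dst, OUTPUT gets dst only.
    for chain, rules in expand_file(["DROP all-:+baddies-set -",
                                     "DROP all +baddies-set"]).items():
        print(f"*{chain}")
        for rule in rules:
            print(rule)
```

Running the block prints the single-entry expansion first, showing 'match-set baddies-set src' in OUTPUT as well as PREROUTING, and then the two-entry expansion, which reproduces the three rules in the listing quoted above.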