On 08/16/2012 07:54 AM, Aaron St. Pierre wrote:
> On Thu, Aug 16, 2012 at 9:46 AM, Aaron St. Pierre <[email protected]
> <mailto:[email protected]>> wrote:
>
> Hello,
>
> I've recently signed up for probe service through pingdom. They have
> many probe servers all over the world. Currently I'm not allowing
> ping from the net zone to my firewall. I'd like to track response
> time so I'd like to allow ping from the probe servers to my
> firewall. There are about 30 probe servers and that list changes
> from time to time. Anyway I know that I could do this directly
> through the rules file but I was wondering if there was a better
> approach? I could have sworn there was a whitelist file somewhere
> but the documentation (
> http://shorewall.net/blacklisting_support.htm ) suggests it's only
> through the rules file.
>
> Is the proper way to do this through the rules file and just a big
> list of IPs?
>
> Thanks for your help!
>
> --
>
> Aaron
>
>
> I ended up creating two variables in the /etc/shorewall/params file, one
> with the comma-separated list of IPs and the other describing the
> zone:IPs. Then I just added a simple rule in the rules file like so:
>
> PING(ACCEPT) $NET_PINGDOM_PROBE_IPS $FW_PUB
>
> And below this I have my PING(DROP)'s.
>
> Things seem to be working fine and I'm able to get responses to the
> probe servers.
>
> I'm new to shorewall so if this isn't the proper way please let me know!
>
> Thanks again!
Hi Aaron,
While what you did works fine, there is a more efficient way to handle this.
Add this entry in /etc/shorewall/actions:
Pings # Handle ping from the net
Create /etc/shorewall/action.Pings with this single rule:
ACCEPT $PINGDOM_PROBE_IPS
Replace your entry in /etc/shorewall/rules with:
Pings net $FW_PUB icmp echo-request
The advantage with this approach is that only ping packets are passed
through the 30 rules that each compare one source IP address, while your
approach requires all new connection requests from the net to pass
through those rules (unless they have been handled by a rule earlier in
the file).
An even more efficient way would be to use an ipset to define the
Pingdom IP addresses, but unless you are running a quite recent kernel,
that requires that you install the xtables-addons package.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
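Since the probe list changes from time to time, here is an added example (not from the thread or the Shorewall project) that regenerates both artefacts discussed above from a plain list of probe addresses: the PINGDOM_PROBE_IPS params variable for the action-file approach, and an `ipset restore` script for the ipset approach. The list file, the set name "pingdom" and the sample addresses are constructed for illustration, and malformed lines are rejected instead of being passed to the firewall compiler.

```sh
# Added example: build the params variable and an ipset restore script
# from a probe-IP list. File path, set name and addresses are constructed.

# Return 0 if $1 is a well-formed IPv4 dotted quad, 1 otherwise.
valid_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    rest=$1 n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && rest= || rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# Emit PINGDOM_PROBE_IPS=a,b,c for /etc/shorewall/params, skipping blank
# lines, comments and malformed entries (reported on stderr) so a bad
# line in the vendor list never reaches the firewall compiler.
params_list() {
    list=
    while read -r ip; do
        case $ip in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip"; then
            list="${list:+$list,}$ip"
        else
            echo "skipping malformed entry: $ip" >&2
        fi
    done < "$1"
    printf 'PINGDOM_PROBE_IPS=%s\n' "$list"
}

# Emit an ipset restore script for a hash:ip set named $2 from file $1
# (load with: ipset restore -exist < script); one set lookup then
# replaces the 30 per-address rules.
ipset_restore() {
    printf 'create %s hash:ip\nflush %s\n' "$2" "$2"
    while read -r ip; do
        case $ip in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip"; then printf 'add %s %s\n' "$2" "$ip"; fi
    done < "$1"
}

# Constructed sample list (documentation addresses, not Pingdom's probes).
PROBES=$(mktemp)
printf '192.0.2.10\n198.51.100.7\n# comment\n203.0.113.300\n' > "$PROBES"
params_list "$PROBES"
ipset_restore "$PROBES" pingdom
rm -f "$PROBES"
```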
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users