"Carter becomes Tom" or "Tom becomes Carter"
LOL. My mistake, really really sorry TOM.
> I can take a look at implementing something in 4.5.20.
WOW. Great news.
Thanks.
On Mon, Jul 22, 2013 at 11:49 AM, Tom Eastep <[email protected]> wrote:
> On 07/22/2013 05:59 AM, Guilsson G wrote:
> > Dear Sirs
> >
> > I looked through the archives and didn't find the subject discussed before.
> >
> > I have some Shorewall installations running for years.
> > I usually revise them frequently, but I have two of them with hundreds
> > of rules to check.
> > It's hugely time consuming.
> >
> > Considering "shorewall show" gives me the iptables counters, I can,
> > after one or two weeks (for example) of running my rules (without resetting
> > those counters), see which rules have traffic passing and which don't.
> >
> > Looking through the counters and "converting" iptables back to Shorewall is
> > quite easy when you have a couple dozen rules.
> >
> > For those two where I have hundreds of rules I ran a Python script which
> > generated "COMMENT"s for each rule in /etc/shorewall/rules.
> >
> > INPUT:
> > ACCEPT fw net udp ntp
> >
> > OUTPUT:
> > ?COMMENT @@@ ACCEPT fw net udp ntp @@@
> > ACCEPT fw net udp ntp
> > ?COMMENT
> >
> > But it's not operational because I need to replace /etc/shorewall/rules
> > with the commented one and it's difficult to manage on a day-by-day
> > basis. And for long rules, it exceeds the maximum length of comments.
> > And it's only for rules. Other iptables rules (masquerades, dnat, snat, etc.)
> > created inside Shorewall do not receive those comments.
> >
> > Three points:
> >
> > 1 - Does Shorewall have something built in to help with this?
>
> Not specifically. You can 'shorewall trace compile | less' which shows
> the rule(s) generated by each input line, but:
>
> - The optimizer can change/combine/delete rules.
> - Rules generated by Policies are emitted well after the policy file is
> processed.
>
> > 2 - Does anyone have a better recipe to deal with the cleanup of UNUSED
> > RULES?
>
> Nothing comes to mind.
>
> > 3 - Carter, is there a possibility of implementing an option inside
> > Shorewall to restart the rules with this "debug/comment" applied, so my
> > rules files stay in the same format as today? If ?comment was used in
> > this case, ?comment could just point to the line number inside "rules",
> > "policy", etc.
>
> Carter?
>
> I can take a look at implementing something in 4.5.20.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
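The counter-based audit described in the thread, as an added example that is neither the list's nor Shorewall's own code: it wraps each line of a rules file in ?COMMENT markers that carry only the line number (the approach suggested in point 3, which also stays well under the comment-length limit), then reads iptables -L -v -n style output such as "shorewall show" prints and reports rule lines whose counters are zero. The rules file and the show output below are constructed samples; the /* comment */ rendering is how iptables displays the comment match.

```python
import re
# Constructed sample of /etc/shorewall/rules (line 1 is a comment).
RULES = """# constructed sample rules file
ACCEPT  net  fw   tcp  22
ACCEPT  fw   net  udp  ntp
DROP    net  fw   tcp  23
"""
# Constructed sample of 'shorewall show' (iptables -L -v -n) output for the
# annotated rules; the ?COMMENT text appears as /* ... */ on each rule.
SHOW = """Chain net2fw (1 references)
 pkts bytes target  prot opt in  out  source     destination
  842 53410 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:22 /* rules:2 */
    0     0 DROP    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:23 /* rules:4 */
Chain fw2net (1 references)
 pkts bytes target  prot opt in  out  source     destination
   17  1292 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:123 /* rules:3 */
"""
def active_lines(text):
    """(lineno, line) for rule lines; blanks, '#' comments and ?-directives skipped."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith(("#", "?")):
            yield n, line

def annotate_rules(text, tag="rules"):
    """Wrap each rule in ?COMMENT markers carrying only 'tag:lineno' (always short)."""
    active = dict(active_lines(text))
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        out += [f"?COMMENT {tag}:{n}", line, "?COMMENT"] if n in active else [line]
    return "\n".join(out) + "\n"

# Counter line: pkts bytes target ... /* comment */ (K/M/G suffixes possible).
_COUNTER = re.compile(r"^\s*(\d+[KMG]?)\s+\d+[KMG]?\s+\S+.*?/\*\s*(.*?)\s*\*/")
_MULT = {"K": 10**3, "M": 10**6, "G": 10**9}

def hits_per_tag(show_output):
    """Sum packet counters per comment tag across all chains."""
    hits = {}
    for m in filter(None, map(_COUNTER.match, show_output.splitlines())):
        pkts, tag = m.group(1), m.group(2)
        n = int(pkts[:-1]) * _MULT[pkts[-1]] if pkts[-1] in _MULT else int(pkts)
        hits[tag] = hits.get(tag, 0) + n
    return hits

def unused_lines(rules_text, show_output, tag="rules"):
    """Rule lines with zero hits; a tag absent from the output also counts as
    zero, since the optimizer may have merged or dropped that rule."""
    hits = hits_per_tag(show_output)
    return [(n, line.strip()) for n, line in active_lines(rules_text)
            if hits.get(f"{tag}:{n}", 0) == 0]
```

Run annotate_rules over the real rules file to produce the commented copy to load, and unused_lines over a later "shorewall show" capture to get the candidates for removal.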