On 1/23/2015 9:08 AM, Gerhard Wiesinger wrote:
> On 23.01.2015 17:44, Tom Eastep wrote:
>> On 1/23/2015 5:59 AM, Gerhard Wiesinger wrote:
>>> Hello,
>>>
>>> Is it possible to specify multiple zones or define virtual zones to get
>>> better readability?
>>>
>>> e.g. following config (all can not be used because there exist more than
>>> the 3 zones):
>>> SSH(ACCEPT) loc $FW
>>> SSH(ACCEPT) loc dmz
>>> SSH(ACCEPT) loc net
>>>
>>> # Should be written as:
>>> SSH(ACCEPT) loc $FW,dmz,net
>> That is possible already.
>
> Great, didn't find anything in the documentation. A note would be great
That is documented in shorewall-rules(5). See 'zone-list' in that manpage.

>>> # Or virtual zone:
>>> fw-dmz-net: $FW,dmz,net
>>> SSH(ACCEPT) loc fw-dmz-net
>> So is that:
>>
>> /etc/shorewall/params:
>>
>> FW_DMZ_NET=$FW,dmz,net
>>
>> /etc/shorewall/rules:
>>
>> SSH(ACCEPT) loc $FW_DMZ_NET
>
> Yes, clear when above notation works.
>
>>> # or subtract it (% means subtract, just for illustration):
>>> SSH(ACCEPT) loc all%dmz2%dmz3
>>>
>>> # so can look like for generating the whole n x m product:
>>> SSH(ACCEPT) loc,dmz4 all%dmz2%dmz3
>>>
>>> Any plan to implement such a feature if it is not possible?
>> I can consider something along those lines for 4.6.7.
>
> Great.

As it turns out, that is already implemented. The syntax is:

SSH(ACCEPT) loc,dmz4 all!dmz2,dmz3

It is described in shorewall-exclusion(5) but shorewall-rules(5) is missing a reference to the exclusion manpage. I will add it.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
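To see which zone pairs a rule like the one above actually covers before it goes live, here is a small audit helper added to this thread (it is not part of Shorewall or of either poster's message). It expands a SOURCE/DEST zone-list, a $PARAM from /etc/shorewall/params, and the shorewall-exclusion(5) form `list!zone,zone` into the n x m set of (source, dest) pairs; the zone names, the params values, the assumption that `all` means every defined zone, and the dropping of intra-zone pairs are all constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed zone table and params for this example; a real deployment would
# read shorewall-zones(5) and /etc/shorewall/params instead.
ZONES: List[str] = ["fw", "loc", "net", "dmz", "dmz2", "dmz3", "dmz4"]
PARAMS: Dict[str, str] = {"FW": "fw", "FW_DMZ_NET": "$FW,dmz,net"}


def expand_params(text: str, params: Dict[str, str]) -> str:
    """Substitute $NAME references; values may themselves contain $NAME (bounded depth)."""
    for _ in range(10):
        if "$" not in text:
            break
        text = re.sub(r"\$(\w+)", lambda m: params[m.group(1)], text)
    return text


def expand_zone_spec(spec: str, zones: List[str], params: Dict[str, str]) -> Set[str]:
    """Expand one SOURCE or DEST column into the set of zones it names.

    Accepts a single zone, a comma-separated zone-list, 'all', and the
    shorewall-exclusion(5) form  list!excluded,excluded.
    Assumption (not stated in the thread): 'all' expands to every defined zone.
    Unknown zone names are rejected rather than silently ignored.
    """
    spec = expand_params(spec, params)
    base, _, excl = spec.partition("!")
    included = set(zones) if base == "all" else set(base.split(","))
    excluded = set(excl.split(",")) if excl else set()
    unknown = (included | excluded) - set(zones)
    if unknown:
        raise ValueError(f"undefined zone(s): {sorted(unknown)}")
    return included - excluded


def rule_zone_pairs(source: str, dest: str,
                    zones: List[str] = ZONES,
                    params: Dict[str, str] = PARAMS) -> List[Tuple[str, str]]:
    """Sorted (source, dest) zone pairs a rule line covers; intra-zone pairs
    (x -> x) are dropped here as a simplification, not as Shorewall behaviour."""
    srcs = expand_zone_spec(source, zones, params)
    dsts = expand_zone_spec(dest, zones, params)
    return sorted((s, d) for s in srcs for d in dsts if s != d)


if __name__ == "__main__":
    for src, dst in [("loc", "$FW_DMZ_NET"), ("loc,dmz4", "all!dmz2,dmz3")]:
        print(f"{src:10} {dst:18} -> {rule_zone_pairs(src, dst)}")
```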
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
