Hi,
The use of macros make the "rules" file really nice, tidy and clean! It
would be nice if there was a way to support macros in the "masq" file.
Unfortunately, I have to deal with lots of crappy software/appliances which
all have specific sets of destination IP addresses and ports and often need
to "phone home" or reach services outside of my network.
Wherever possible, I create a macro to wrap it up. This makes the "rules"
files look nice but I still have to manually specify all the info on the
"masq" file.
Ex 1: simple :)
rules:
NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
masq:
$IF_NET { source=$LAN adress=$GW_IP proto=udp port=ntp }
Ok, no big deal really but would look nicer with a macro :)
Ex 2: This an EPT (Electronic Payment Terminal)
rules: (EPT_LIST/SERVERS are a comma separated list of IPs)
custEPT(ACCEPT} { source=lan:$EPT_LIST dest=net:$EPT_SERVERS }
masq:
?COMMENT EPT service
$IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=udp port=1146 }
$IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=tcp
port=1156,7221,21000 }
?COMMENT
The trouble here is the "hardcoded" kind of configuration. If someday we
switch to another brand of EPT devices, I'll have to update the macro and
also the "masq" file to reflect the changes. The "?COMMENT" is almost
required, otherwise, I have to think hard to remember what are these rules
on a "shorewall show" output.
===============
Following the same idea, there's the "port range" issue too. For example, I
have an Asterisk SIP service for internal phones but it also connects
there's a SIP trunk subscribed at a provider. I have to specify a port
range for the RTP part.
rules:
ACCEPT { source=lan:$SIP dest=net:$SIP_TRUNK proto=udp sport=50000:60000 }
masq:
$IF_NET:$SIP_TRUNK { source=$SIP address=$GW_IP:50000-60000 proto=udp }
Here I can't even use a variable for the port range because the notation
isn't the same for the range separator (":" vs "-").
So if your smart mind could come up with something to cover these cases, it
would be really nice :-)
--
ObNox
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
