
On 10/14/2016 03:32 AM, Ob Noxious wrote:
> Hi,
> The use of macros makes the "rules" file really nice, tidy and
> clean! It would be nice if there was a way to support macros in the
> "masq" file.
> Unfortunately, I have to deal with lots of crappy
> software/appliances which all have specific sets of destination IP
> addresses and ports and often need to "phone home" or reach
> services outside of my network.
> Wherever possible, I create a macro to wrap it up. This makes the 
> "rules" files look nice but I still have to manually specify all
> the info on the "masq" file.
> Ex 1: simple :)
> rules: NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
> masq: $IF_NET { source=$LAN address=$GW_IP proto=udp port=ntp }
> Ok, no big deal really but would look nicer with a macro :)
> Ex 2: This is an EPT (Electronic Payment Terminal)
> rules: (EPT_LIST/SERVERS are a comma separated list of IPs)
> custEPT(ACCEPT) { source=lan:$EPT_LIST dest=net:$EPT_SERVERS }
> masq: ?COMMENT EPT service $IF_NET:$EPT_SERVERS { source=$EPT_LIST
> address=$GW_IP proto=udp port=1146 } $IF_NET:$EPT_SERVERS {
> source=$EPT_LIST address=$GW_IP proto=tcp port=1156,7221,21000 } 
> The trouble here is the "hardcoded" kind of configuration. If
> someday we switch to another brand of EPT devices, I'll have to
> update the macro and also the "masq" file to reflect the changes.
> The "?COMMENT" is almost required, otherwise, I have to think hard
> to remember what these rules are on a "shorewall show" output.

I would prefer to add support for actions in the masq file like I did
in the mangle file. Inline actions provide a superset of the
functionality of macros.

> ===============
> Following the same idea, there's the "port range" issue too. For
> example, I have an Asterisk SIP service for internal phones but it
> also connects to a SIP trunk subscribed at a provider. I have
> to specify a port range for the RTP part.
> rules: ACCEPT { source=lan:$SIP dest=net:$SIP_TRUNK proto=udp
> sport=50000:60000 }
> masq: $IF_NET:$SIP_TRUNK { source=$SIP address=$GW_IP:50000-60000
> proto=udp }
> Here I can't even use a variable for the port range because the
> notation isn't the same for the range separator (":" vs "-").
> So if your smart mind could come up with something to cover these
> cases, it would be really nice :-)

This is an inconsistency in iptables that shows through in Shorewall,
but I can map '-' to ':' in DPORT and SPORT columns.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
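Added example (not Shorewall's own code and not posted by either participant): a small Python generator that derives the matching "rules" and "masq" entries from one service definition, so the egress allow-list has a single source of truth and the ":" (rules) versus "-" (masq) range separator is handled once. The zone names lan/net, the inline { key=value } form and the shell variables ($EPT_LIST, $GW_IP, ...) are taken from the thread; the EgressService class, the function names and the sample service list are this example's own assumptions.

```python
"""Generate matching Shorewall 'rules' and 'masq' entries from one service
definition (added example; assumes the lan/net zones and inline syntax used
in the thread)."""
import re
from dataclasses import dataclass

# One port or one range; the range separator may be ':' (rules) or '-' (masq).
_PORT_ITEM = re.compile(r"^(\d{1,5})(?:[:-](\d{1,5}))?$")


def normalize_ports(spec: str, sep: str) -> str:
    """Re-emit a comma-separated port list with every range using `sep`.

    Empty items, ports outside 1..65535 and inverted ranges are rejected so
    a typo in a variable cannot silently widen or nullify an entry."""
    items = []
    for raw in spec.split(","):
        m = _PORT_ITEM.fullmatch(raw.strip())
        if not m:
            raise ValueError(f"bad port item {raw!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of order or out of range: {raw!r}")
        items.append(str(lo) if lo == hi else f"{lo}{sep}{hi}")
    return ",".join(items)


@dataclass(frozen=True)
class EgressService:
    """One outbound allow-list entry: which lan hosts may reach which net
    hosts, on which protocol and ports (names are this example's own)."""
    name: str
    source: str        # hosts inside the lan zone, e.g. "$EPT_LIST"
    dest: str          # hosts inside the net zone, e.g. "$EPT_SERVERS"
    proto: str
    dport: str = ""    # destination ports; ':' or '-' ranges both accepted
    sport: str = ""    # source ports, also used as the SNAT port range


def rules_entry(svc: EgressService) -> str:
    """The 'rules' file line; ranges use ':' as iptables --dport expects."""
    fields = [f"source=lan:{svc.source}", f"dest=net:{svc.dest}", f"proto={svc.proto}"]
    if svc.dport:
        fields.append(f"dport={normalize_ports(svc.dport, ':')}")
    if svc.sport:
        fields.append(f"sport={normalize_ports(svc.sport, ':')}")
    return f"ACCEPT {{ {' '.join(fields)} }}"


def masq_entry(svc: EgressService, iface: str = "$IF_NET", gw: str = "$GW_IP") -> str:
    """The matching 'masq' line; a SNAT port range is written with '-' after
    the address, which is the form the thread shows for the ADDRESS column."""
    address = f"{gw}:{normalize_ports(svc.sport, '-')}" if svc.sport else gw
    fields = [f"source={svc.source}", f"address={address}", f"proto={svc.proto}"]
    if svc.dport:
        fields.append(f"port={normalize_ports(svc.dport, '-')}")
    return f"{iface}:{svc.dest} {{ {' '.join(fields)} }}"


def render(services) -> dict:
    """Return the lines for both files; each masq entry gets a ?COMMENT so
    'shorewall show' output stays readable."""
    rules = [f"?COMMENT {s.name}\n{rules_entry(s)}" for s in services]
    masq = [f"?COMMENT {s.name}\n{masq_entry(s)}" for s in services]
    return {"rules": rules, "masq": masq}


# Constructed sample services mirroring the three cases in the thread.
SERVICES = [
    EgressService("NTP", "$LAN", "$NTP_HOST", "udp", dport="123"),
    EgressService("EPT service udp", "$EPT_LIST", "$EPT_SERVERS", "udp", dport="1146"),
    EgressService("EPT service tcp", "$EPT_LIST", "$EPT_SERVERS", "tcp",
                  dport="1156,7221,21000"),
    EgressService("SIP trunk RTP", "$SIP", "$SIP_TRUNK", "udp", sport="50000-60000"),
]

if __name__ == "__main__":
    out = render(SERVICES)
    print("# rules\n" + "\n".join(out["rules"]))
    print("\n# masq\n" + "\n".join(out["masq"]))
```

Because both files are rendered from the same EgressService list, swapping to a new EPT vendor means editing one entry, and the validation in normalize_ports catches an inverted or out-of-range port before anything reaches the firewall.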


Shorewall-users mailing list
