
On 10/14/2016 03:32 AM, Ob Noxious wrote:
> Hi,
> 
> The use of macros makes the "rules" file really nice, tidy and
> clean! It would be nice if there was a way to support macros in the
> "masq" file.
> 
> Unfortunately, I have to deal with lots of crappy
> software/appliances which all have specific sets of destination IP
> addresses and ports and often need to "phone home" or reach
> services outside of my network.
> 
> Wherever possible, I create a macro to wrap it up. This makes the 
> "rules" files look nice but I still have to manually specify all
> the info on the "masq" file.
> 
> Ex 1: simple :)
> 
> rules: NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
> 
> masq: $IF_NET { source=$LAN address=$GW_IP proto=udp port=ntp }
> 
> Ok, no big deal really but would look nicer with a macro :)
> 
> Ex 2: This is an EPT (Electronic Payment Terminal)
> 
> rules: (EPT_LIST/SERVERS are comma-separated lists of IPs)
> custEPT(ACCEPT) { source=lan:$EPT_LIST dest=net:$EPT_SERVERS }
> 
> masq:
> ?COMMENT EPT service
> $IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=udp port=1146 }
> $IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=tcp port=1156,7221,21000 }
> ?COMMENT
> 
> The trouble here is the "hardcoded" kind of configuration. If
> someday we switch to another brand of EPT devices, I'll have to
> update the macro and also the "masq" file to reflect the changes.
> The "?COMMENT" is almost required; otherwise I have to think hard
> to remember what these rules are on a "shorewall show" output.

I would prefer to add support for actions in the masq file like I did
in the mangle file. Inline actions provide a superset of the
functionality of macros.

> 
> ===============
> 
> Following the same idea, there's the "port range" issue too. For
> example, I have an Asterisk SIP service for internal phones, but it
> also connects to a SIP trunk subscribed at a provider. I have to
> specify a port range for the RTP part.
> 
> rules: ACCEPT { source=lan:$SIP dest=net:$SIP_TRUNK proto=udp sport=50000:60000 }
> 
> masq: $IF_NET:$SIP_TRUNK { source=$SIP address=$GW_IP:50000-60000 proto=udp }
> 
> Here I can't even use a variable for the port range because the
> notation isn't the same for the range separator (":" vs "-").
> 
> So if your smart mind could come up with something to cover these
> cases, it would be really nice :-)
> 

This is an inconsistency in iptables that shows through in Shorewall,
but I can map '-' to ':' in DPORT and SPORT columns.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
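An added example (my own code, not Shorewall's and not Tom's patch) of the separator mapping Tom describes: iptables match extensions (--sport, --dport, multiport) write a range as LOW:HIGH, while the NAT targets (--to-source, --to-destination) write it as LOW-HIGH. The helper below accepts either separator in one variable, validates the range, and renders each notation, so the SIP rule and its masq counterpart can be generated from a single port variable. The hosts and gateway address passed to render_sip_pair are constructed placeholders, and the function names are mine.

```python
"""Normalise iptables port-range notation between match and NAT syntax.

Added example, not part of Shorewall. The two conventions it bridges:
  match extensions : --dport 50000:60000     (colon)
  NAT targets      : --to-source A.B.C.D:50000-60000 (dash)
"""
import re

PORT_MAX = 65535
# one element of a port spec, either separator accepted: "50000:60000" / "50000-60000"
_RANGE_RE = re.compile(r"^(\d+)\s*[:-]\s*(\d+)$")


def parse_port_spec(spec):
    """Parse a comma-separated spec such as '1156,7221,21000' or '50000-60000'
    into a list of (low, high) tuples. Raises ValueError on malformed input,
    an inverted range, or a port outside 0..65535."""
    items = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty port element in %r" % spec)
        m = _RANGE_RE.match(part)
        if m:
            low, high = int(m.group(1)), int(m.group(2))
        elif part.isdigit():
            low = high = int(part)
        else:
            raise ValueError("bad port element %r" % part)
        if not (0 <= low <= high <= PORT_MAX):
            raise ValueError("port range inverted or out of range: %r" % part)
        items.append((low, high))
    return items


def to_match_notation(spec):
    """Render for --sport/--dport/multiport: ranges joined with ':'."""
    return ",".join(f"{lo}:{hi}" if lo != hi else str(lo)
                    for lo, hi in parse_port_spec(spec))


def to_nat_notation(spec):
    """Render for --to-source/--to-destination: one range joined with '-'.
    iptables NAT targets take a single port or range, never a list."""
    items = parse_port_spec(spec)
    if len(items) != 1:
        raise ValueError("NAT target takes exactly one port or range, got %r" % spec)
    lo, hi = items[0]
    return f"{lo}-{hi}" if lo != hi else str(lo)


def render_sip_pair(sip_host, trunk_host, gw_ip, rtp_ports):
    """Build the ACCEPT rule and the SNAT rule from the thread's SIP example,
    in raw iptables syntax, from a single RTP port variable (hypothetical
    helper; addresses are whatever the caller supplies)."""
    accept = (f"-A FORWARD -s {sip_host} -d {trunk_host} -p udp "
              f"--sport {to_match_notation(rtp_ports)} -j ACCEPT")
    snat = (f"-t nat -A POSTROUTING -s {sip_host} -d {trunk_host} -p udp "
            f"-j SNAT --to-source {gw_ip}:{to_nat_notation(rtp_ports)}")
    return accept, snat


if __name__ == "__main__":
    # constructed sample values (RFC 5737 documentation addresses)
    for line in render_sip_pair("192.0.2.10", "198.51.100.5", "203.0.113.1", "50000-60000"):
        print(line)
```

The validation matters more than the string rewriting: a range written backwards or a port above 65535 is rejected before it reaches iptables, where the error message would point at the generated line rather than the variable that produced it.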
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users