Hi,
I deal with a lot of zones and have strict policies to not let zones
talk to each other by default.
This brings a bit of a lack of readability in the "policy" file, like:
z1,z2,z3,z4,z5 { dest=z1,z2,z3,z4,z5+ policy=REJECT loglevel=info }
Of course, here with the 2-letter example zones it's still readable, but
in the real world with 10+ 4-letter zones, that's another story :-)
Would it be possible to create a new reserved zone name which would regroup
all user-created zones excluding $FW?
Maybe simply "zones" (plural), which would be all minus $FW?
So one could have a new policy line:
zones { dest=zones+ policy=REJECT loglevel=info }
which would bring 2 benefits:
1/ Readability, of course
2/ Nothing to worry about when a new zone is created: it would be
included at the next "reload" command without having to add it twice here
To further extend the concept, one could add exclusions for the typical
case "I want all zones except these", like: zones[!z1,z2]
I am thinking of the "net" zone, which one would obviously exclude:
zones!net { dest=zones+!net policy=REJECT loglevel=info }
What do you think?
--
ObNox
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
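As an added illustration that is not part of the original post and not Shorewall code: the proposed "zones" pseudo-zone (and "zones!a,b" exclusion) can be prototyped today as a small preprocessor that reads the zones file, drops the zone of type "firewall" ($FW) and any excluded names, and emits the explicit comma-separated list form the post already uses. The "zones", "zones!net" and trailing "+" spellings below are the proposal's syntax, not existing Shorewall syntax; the sample zones file and policy line are constructed for the example, and the helper names (parse_zones, expand_spec, expand_policy_line) are my own.

```python
#!/usr/bin/env python3
"""Expand the proposed "zones" pseudo-zone into explicit Shorewall policy lines.

Example (constructed) input line, in the alternate '{ ... }' column syntax:
    zones!net { dest=zones!net+ policy=REJECT loglevel=info }
is expanded to the explicit list form a current policy file accepts:
    dmz,lan,voip,mgmt { dest=dmz,lan,voip,mgmt+ policy=REJECT loglevel=info }
"""
import re
import sys

# Constructed sample of an /etc/shorewall/zones file (not from the post).
SAMPLE_ZONES_FILE = """\
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
lan     ipv4
voip    ipv4
mgmt    ipv4
"""

# "zones", "zones+", "zones!a,b", "zones!a,b+"  (proposal syntax, assumed here)
PSEUDO_ZONE = re.compile(r'^zones(?:!(?P<excl>[\w,]+))?(?P<intra>\+?)$')


def parse_zones(text):
    """Return (firewall_zone_name, [user zone names]) from zones-file text.

    The firewall zone is identified by its TYPE column ("firewall"), which is
    what $FW refers to, so it is kept out of the user-zone list.
    """
    fw = None
    zones = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        fields = line.split()
        name = fields[0]
        ztype = fields[1] if len(fields) > 1 else ''
        if ztype == 'firewall':
            fw = name
        else:
            zones.append(name)
    return fw, zones


def expand_spec(spec, zones):
    """Expand one SOURCE/DEST spec; ordinary zone names and lists pass through."""
    m = PSEUDO_ZONE.match(spec)
    if not m:
        return spec
    excluded = set(m.group('excl').split(',')) if m.group('excl') else set()
    unknown = excluded - set(zones)
    if unknown:
        # Refuse silently "working" exclusions of zones that do not exist:
        # a typo here would otherwise widen the policy to an unintended zone.
        raise ValueError('unknown zone(s) in exclusion: ' + ','.join(sorted(unknown)))
    remaining = [z for z in zones if z not in excluded]
    if not remaining:
        raise ValueError('spec %r excludes every zone' % spec)
    return ','.join(remaining) + m.group('intra')


def expand_policy_line(line, zones):
    """Rewrite one policy line written as 'SOURCE { dest=... }'; others are kept."""
    m = re.match(r'^(\S+)\s*\{(.*)\}\s*$', line)
    if not m:
        return line
    source = expand_spec(m.group(1), zones)
    body = re.sub(r'dest=(\S+)',
                  lambda d: 'dest=' + expand_spec(d.group(1), zones),
                  m.group(2))
    return '%s {%s}' % (source, body)


def expand_policy_file(text, zones):
    """Expand every line of a policy file; returns the new text."""
    return '\n'.join(expand_policy_line(l, zones) for l in text.splitlines())


if __name__ == '__main__':
    # Usage: python3 expand_zones.py < policy.in > policy  (zones file constructed)
    _, user_zones = parse_zones(SAMPLE_ZONES_FILE)
    sys.stdout.write(expand_policy_file(sys.stdin.read(), user_zones) + '\n')
```

Because the expansion is re-run before every reload, a newly added zone appears in the generated list automatically, which is the second benefit the post asks for; the explicit list that Shorewall actually compiles stays visible in the generated file for review.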