Hi Darren, David, et al,

Very nifty idea -- would make related/complex
application port usage simpler & more efficient.


Somewhat vaguely related:

Is there any interest out there in a nested "include"
facility for *.conf files?

Would be useful for common variable definitions,
e.g. assuming file "our_ips.conf" contained:
  dbip=w.x.y.z/32;
  webfarmip=a.b.c.d/28;
then one could have organisation-wide or application
specific rule-sets in other include files, e.g. webapp.conf:
  include our_ips.conf;
  pass in on $int proto tcp from $webfarmip to any port 1521 flags S/SAFR keep state keep frags
  pass out from $(dbip) to any
which would be included by the server-specific file:
  int=bge0;
  include webapp.conf;
  ...
or whatever.

Or is this way too complicated/unmanageable/
potentially-insecure-if-it-gets-stuffed-up?


We have ~90 Solaris servers/domains, most with
host-protection filters; these tend to be in groups
with similar functionality. Had thought about m4+make
but not as neat, although generating a final filter file
does perhaps make it easier to keep filter rule numbering
and line numbers straight.

Do others use any scheme to manage rule sets?
Or push them out/verify them (cfengine, ssh+cron...?)


While off the topic and onto IPF variables/macros,
allowing underscores in the grammar for pool and
variable names would be a nice touch.

Rgds, Stuart.


By the way, love the concept of using packet filter hooks
with IPMP group names (and later Crossbow/Crossfire? names)
as interface names in the IPF file. Thanks for your efforts there.


>>> On 18-Nov-07 at 3:43 pm, in message <[EMAIL PROTECTED]>,
Darren Reed <[EMAIL PROTECTED]> wrote:
> David Stes wrote:
>> Greetings,
>>
>> I read about the *ippool* feature where the examples show how ippools can
>> be defined as groups of ip addresses.
>>
>> Is it possible to use ippools for other objects as well ?
>>
>> Like sets (pools) of tcp port numbers, for example.
>>
>> If this is possible, is it please possible to give an example ?
>>
>> It would be nice if a pool could be defined for example,
>>
>>      pool ports = { telnet, ftp, rexec, www }
>>
>> so to speak and then in the /etc/ipf.conf file it could be possible to
>> accept traffic (or block traffic) to that pool of "ports", instead of
>> enumerating the ports in the ipf.conf file, it could just refer to the pool.
>>
>> I am also thinking specifically of my application of RPC filtering.
>>
>> I am trying to setup RPC call/response filtering, and I was thinking that
>> it could be nice to use the IPFILTER ippool feature to define pools of RPC
>> program numbers.
>>
>> For example, for NetWorker, I could define the pool as the union of 
>>
>>      portmapper and 390100:390120
>>
>> This is a pool of 1 rpc program number (100000, portmapper) + a set of about
>> 20 other rpc program numbers.
>>
>>
>> Is this possible , does it make sense to try to extend the ippool feature
>> for tcp / udp or rpc ports and not use pools only for ip addresses ?
>>   
> 
> Interesting idea!
> 
> I can't see why it shouldn't be extended like this...
> 
> I think the thing to do would be to define a new backend for ip_lookup.c
> that managed a collection of port numbers (plus maybe protocol?).
> 
> If you limit it to doing exact port number matches and given that the
> port number space is much smaller, what I think would be interesting to
> try is to build a backend that tried to maintain a perfect hash table,
> so that both positive and negative lookups are O(1).
> 
> Darren
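As an added worked example (not IPFilter code and not from anyone on this thread): the port / RPC-program pool David asks about, backed by the collision-free table Darren suggests. It is a userland Python model of what such an ip_lookup.c backend would hold; the small name table, the pool syntax, the multiplicative hash and the multiplier search are this example's own assumptions.

```python
# Names a pool spec may use: a subset of /etc/services plus the portmapper's
# RPC program number. Constructed for the example, not a complete table.
NAMES = {"ftp": 21, "telnet": 23, "www": 80, "rexec": 512, "portmapper": 100000}


def parse_pool(spec, names=NAMES):
    """Turn 'telnet, ftp, rexec, www' or 'portmapper 390100:390120' into sorted ints.

    Tokens are service/program names, single numbers, or lo:hi ranges.
    """
    keys = set()
    for tok in spec.replace(",", " ").split():
        if tok in names:
            keys.add(names[tok])
        elif ":" in tok:
            lo, hi = (int(x) for x in tok.split(":", 1))
            if lo > hi:
                raise ValueError(f"bad range {tok}")
            keys.update(range(lo, hi + 1))
        else:
            keys.add(int(tok))
    if not keys:
        raise ValueError("empty pool")
    if min(keys) < 0:
        raise ValueError("negative key in pool")
    return sorted(keys)


class PerfectSet:
    """Exact-match set whose members never share a slot.

    Lookup is one multiply, one shift and one compare, so both a hit and a
    miss are answered in O(1): the slot either holds exactly this key or it
    does not. The table is rebuilt from scratch when the pool changes, which
    is acceptable for a pool that is edited rarely and queried per packet.
    """

    def __init__(self, keys, max_tries=1 << 16):
        self.keys = sorted(set(keys))
        n = len(self.keys)
        self.bits = (2 * n - 1).bit_length()  # table size 2**bits >= 2n keeps the search short
        mult = 0x9E3779B1                      # odd 32-bit start; any odd value is a candidate
        while True:
            for _ in range(max_tries):
                table = [None] * (1 << self.bits)
                for k in self.keys:
                    slot = ((k * mult) & 0xFFFFFFFF) >> (32 - self.bits)
                    if table[slot] is not None:
                        break                   # collision: try the next multiplier
                    table[slot] = k
                else:
                    self.mult, self.table = mult, table
                    return
                mult = (mult + 2) & 0xFFFFFFFF  # stays odd
            self.bits += 1                      # no injective multiplier found: grow and retry

    def _slot(self, key):
        return ((key * self.mult) & 0xFFFFFFFF) >> (32 - self.bits)

    def __contains__(self, key):
        return key >= 0 and self.table[self._slot(key)] == key

    def __len__(self):
        return len(self.keys)


def build_pool(spec, names=NAMES):
    """Parse a pool spec and return its perfect-hash set."""
    return PerfectSet(parse_pool(spec, names))


if __name__ == "__main__":
    rpc = build_pool("portmapper 390100:390120")
    for prog in (100000, 390110, 390121):
        print(prog, "matches" if prog in rpc else "does not match")
```

For plain TCP/UDP ports the 16-bit key space is small enough that a 65536-bit bitmap (8 KiB) is already a perfect hash with no search at all; the multiplier search above earns its keep for sparse keys such as RPC program numbers, where a bitmap over the whole 32-bit space would not be reasonable.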

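As an added worked example, not code from this thread or from IPFilter: a small preprocessor that implements the nested include and variable scheme sketched in the message above and emits the final flat filter file, which is the "generate a final filter file" route Stuart weighs against m4+make. The three sample files are constructed here in a dict so the example runs offline; the `name=value;` and `include file;` syntax, the single global variable scope, and the fail-closed checks (missing include, include cycle, undefined variable, silently redefined variable) are this example's own choices.

```python
import re

# Constructed sample files modelled on the three-level layout sketched in the
# thread (per-host file -> application rule set -> shared address definitions).
# They live in a dict rather than on disk so the example runs offline.
SAMPLE_FILES = {
    "our_ips.conf": "dbip=10.0.0.5/32;\n"
                    "webfarmip=10.0.1.0/28;\n",
    "webapp.conf": "include our_ips.conf;\n"
                   "pass in on $int proto tcp from $webfarmip to any port = 1521 "
                   "flags S/SAFR keep state keep frags\n"
                   "pass out from $(dbip) to any\n",
    "host.conf": "int=bge0;   # interface is host specific, everything else is shared\n"
                 "include webapp.conf;\n"
                 "block in all\n",
}

INCLUDE_RE = re.compile(r"^include\s+(\S+?)\s*;$")
DEFINE_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*?)\s*;$")   # underscores allowed here
VAR_RE = re.compile(r"\$\(([A-Za-z_]\w*)\)|\$([A-Za-z_]\w*)")


class ConfError(Exception):
    """Anything that should stop generation rather than emit a partial rule set."""


def substitute(text, variables, origin, lineno):
    """Expand $name and $(name); an undefined name is an error, never an empty string."""
    def repl(match):
        key = match.group(1) or match.group(2)
        if key not in variables:
            raise ConfError(f"{origin}:{lineno}: undefined variable ${key}")
        return variables[key]
    return VAR_RE.sub(repl, text)


def expand(name, files, variables=None, stack=None, max_depth=8):
    """Flatten an include tree into a list of (file, line, rule) entries.

    Definitions live in one global scope in processing order, so a per-host
    file can set $int before including the shared rule set, and an included
    file's addresses are visible to the lines after the include.
    """
    variables = {} if variables is None else variables
    stack = [] if stack is None else stack
    if name in stack:
        raise ConfError("include cycle: " + " -> ".join(stack + [name]))
    if len(stack) >= max_depth:
        raise ConfError(f"include nesting deeper than {max_depth} at {name}")
    if name not in files:
        where = stack[-1] if stack else "<top>"
        raise ConfError(f"{where}: cannot read include file {name}")
    stack.append(name)
    entries = []
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' to end of line is a comment
        if not line:
            continue
        m = INCLUDE_RE.match(line)
        if m:
            entries.extend(expand(m.group(1), files, variables, stack, max_depth))
            continue
        m = DEFINE_RE.match(line)
        if m:
            key, value = m.group(1), substitute(m.group(2), variables, name, lineno)
            if key in variables and variables[key] != value:
                # A silently shadowed address is exactly the stuff-up that turns a
                # tight rule into a wide one, so refuse rather than pick a winner.
                raise ConfError(f"{name}:{lineno}: ${key} already defined as {variables[key]!r}")
            variables[key] = value
            continue
        entries.append((name, lineno, substitute(line, variables, name, lineno)))
    stack.pop()
    return entries


def render(entries):
    """Emit the flat file with a 'file:line' comment ahead of every rule, so a rule
    number reported by ipfstat can be traced back to the include it came from."""
    out = []
    for origin, lineno, rule in entries:
        out.append(f"# {origin}:{lineno}")
        out.append(rule)
    return "\n".join(out) + "\n"


def check(name, files):
    """Return None when the tree expands cleanly, otherwise the first error message."""
    try:
        expand(name, files)
    except ConfError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(render(expand("host.conf", SAMPLE_FILES)), end="")
```

Because substitution happens before ipf ever parses the file, the underscore restriction in ipf's own variable grammar does not apply to names used here, and the generated file contains only literal addresses and interface names, which is also what you would diff and push out (cfengine, ssh+cron, whatever) and what you would hand to `ipf -n -f` to syntax-check before loading.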