On Wed, 2011-09-28 at 01:18 +0100, Mr Dash Four wrote:
> >> Not really! blacklist/whitelist entries are usually the first and
> >> precede anything else in a given chain - it's their most valuable asset
> >> and is the reason I'd like these new features implemented in them.
> >>
> >
> > Yes -- and they come before traffic is broken out by zone.
> >
> Currently, they are inserted for each branch of the zone in which the
> "whitelist" option is used (I am assuming the "worse" case scenario
> where both src and dst options are used).
>
> >> I know I could place a bunch of rules in the "rules" file, but they will
> >> be useless, because: 1) the blacklist/whitelist will already have been
> >> checked;
> >>
> >
> > So, only place entries that are zone-neutral in the blacklist file.
> >
> I simply can't.
>
> I think it's better to illustrate this with a simple example: say I have
> 3 interfaces: eth0, eth1 and tun0. eth0 and tun0 have the whitelist
> option defined for them and I have hefty ipsets containing subnets I
> don't want traffic appearing on either interface - in both directions,
> so src and dst are also specified.
>
> I want, however, to have access to a specific set of iface:subnet:proto
> triples also based on userid/owner on tun0 for traffic going out to be
> allowed on tun0. I can define the iface:subnet:proto triples as a
> specific ipset called, say, vpn-out-whitelist[dst,dst], which, if placed
> properly in the blackout chain of the tun0 interface will punch a hole
> through that defined blacklist for this particular interface (tun0).
> This is what I currently do with the "start" shorewall script - a
> hacking job.
>
> Ideally, what I'd like to have is this in the blacklist file:
>
> +whitelist - - - src,dst,whitelist # whitelist applicable to all
> interfaces, including tun0
> +vpn-out-whitelist[dst,dst] - - root dst,vpn,whitelist # this to
> indicate that this ipset will punch a hole in the fw2vpn's blackout
> chain, allowing the defined ip:proto pair to pass through for user id=0
> (root) - the value of the 3rd column
> +blacklist - - - src,dst
> ...

Adding a USER/GROUP column to the blacklist file is fairly easy, although
it requires that there now be three blacklist chains: blacklst, blackfwd
and blackout. That feature will be included in the next Beta.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
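To make the three-chain requirement in Tom's reply concrete, here is an added illustration that is neither Shorewall's generated rules nor code from either poster. It emits the iptables commands that a blacklist-file entry of the kind sketched in the thread would expand to, one chain per traffic direction, and shows why an entry carrying a USER/GROUP value can only be honoured in the OUTPUT-side chain: the netfilter owner match only sees locally generated packets, so iptables rejects it in INPUT or FORWARD. The set names (whitelist, vpn-out-whitelist, blacklist) and tun0 come from the thread; the helper functions, the argument layout and the simplified handling of the OPTIONS column are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Shorewall's own compiler output. Prints the iptables
# commands instead of running them, so it can be read and tested offline.
ipt() { printf 'iptables %s\n' "$*"; }

# One blacklist chain per traffic direction, as described in the reply:
#   blacklst  - packets addressed to the firewall itself (INPUT)
#   blackfwd  - packets routed through the firewall      (FORWARD)
#   blackout  - packets the firewall itself generates    (OUTPUT)
hook_chains() {
    for c in blacklst blackfwd blackout; do ipt -N "$c"; done
    ipt -A INPUT   -j blacklst
    ipt -A FORWARD -j blackfwd
    ipt -A OUTPUT  -j blackout
}

# Expand one blacklist-file style entry into rules (assumed layout):
#   $1 ipset name          $2 ipset match flags (src, dst, dst,dst ...)
#   $3 user name or '-'    $4 interface or '-'
#   $5 target: DROP for a blacklist set, RETURN for a whitelist hole
# The owner match (xt_owner) exists only in OUTPUT/POSTROUTING, so a
# user-qualified entry is emitted for the blackout chain alone.
blacklist_entry() {
    set_name=$1; flags=$2; user=$3; iface=$4; target=$5
    out_if=''; in_if=''
    if [ "$iface" != "-" ]; then out_if="-o $iface"; in_if="-i $iface"; fi
    if [ "$user" != "-" ]; then
        ipt -A blackout $out_if -m owner --uid-owner "$user" \
            -m set --match-set "$set_name" "$flags" -j "$target"
        return 0
    fi
    ipt -A blacklst $in_if  -m set --match-set "$set_name" "$flags" -j "$target"
    ipt -A blackfwd $in_if  -m set --match-set "$set_name" "$flags" -j "$target"
    ipt -A blackout $out_if -m set --match-set "$set_name" "$flags" -j "$target"
}

# The blacklist file from the thread, in order: whitelist holes first,
# the root-only hole for tun0 next, the blacklist DROP last. Because a
# RETURN leaves the chain, a hole must precede the DROP to be effective.
example_ruleset() {
    hook_chains
    blacklist_entry whitelist src - - RETURN
    blacklist_entry whitelist dst - - RETURN
    blacklist_entry vpn-out-whitelist dst,dst root tun0 RETURN
    blacklist_entry blacklist src - - DROP
    blacklist_entry blacklist dst - - DROP
}

example_ruleset
```

Running the script prints 19 commands; the single rule for vpn-out-whitelist lands in blackout with `-o tun0` and `--uid-owner root`, while every other entry is repeated across all three chains. Swapping the order of the last two calls with the first ones would leave the holes unreachable behind the DROP, which is the ordering point the thread is built around.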
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
