Hi,

Matt Joyce wrote:
> I just thought I'd offer as a suggestion here, I think this can be done
> nice and tidy as a one line job. I'm presuming from your example that ssh
> is available and is therefore a viable option.
[...]
Thank you. I am thinking of something similar. Actually I am facing the problem that I don't want to dump every ipset into one file (so I would need a way to dump only the sets I want; this is not a problem with ipset, but it needs to be implemented in my solution), and I need documentation at least on the master, so using ipset dumps is not quite an option (I prefer recreation).

Let me clarify the last point: When you need to whitelist or blacklist a new IP/net/system, you can just run the "ipset add $setname $ip/net/system" command. On shutdown/stop, you would just dump all the ipsets (ipset save > myipsets.dat) so that you can read this file on startup/start (ipset restore < myipsets.dat). But:

1) Do you remember *why* the IP/net/system is part of your whitelist/blacklist?
2) How can you be sure that your ipset only contains trusted data? Isn't it possible that someone manipulates the data (hack, ex-colleague in his final days...)?

That's why I prefer recreation: I am thinking about a simple bash script which starts with

> ipset -exist create allowed_ssh4 hash:ip family inet hashsize 64
>
> # sys administration building 03/e4/pc427
> ipset add allowed_ssh4 192.168.24.117

Well, you could also omit the inline comments, because I am going to store the file in a VCS, so you have commit logs. This will address #1 and #2. We know exactly the state of our ipsets and why, when and who changed something.

Well, the script I am working on will do something more, e.g. providing an "update" method using ipset's swap command, but I think you will get the point.

When I have solved this problem, I have the infrastructure to automatically update the ipsets on any clients. I am actually not sure if a cronjob should update ipsets automatically or if we prefer pushing the updates (this could be issuing an ssh command to the client to run the updater). If we store the actual "data" (the "ipset add ..." commands) separately from the logic, we could also easily create individual ipsets per client.
-- 
Regards,
Igor

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
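As an added illustration of the "recreation plus swap" update Igor describes (this is not Igor's script and not Shorewall code): a POSIX sh generator that keeps the data (addresses and the reason for each) in a plain file suited to a VCS, validates it, and emits the ipset commands that build a temporary set and swap it in atomically. The set name allowed_ssh4, the data file layout and the sample addresses are constructed for the example.

```shell
# Constructed example: the *data* (which addresses and why) lives in a text
# file under version control; the logic below generates the ipset commands.
# The live set is never edited in place: a temporary set is built and then
# swapped in, so a typo in the file cannot leave the set half-populated.
# Data file format: one IPv4 address per line; '#' starts a comment; blank lines are ignored.

# Print the cleaned entries of DATAFILE, one per line, comments stripped.
entries_of() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# Return 0 when every entry looks like a dotted-quad IPv4 address (shape check
# only; octet range is left to ipset), 1 otherwise with the bad lines on stderr.
validate_ipv4_list() {
    bad=$(entries_of "$1" | grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true)
    if [ -n "$bad" ]; then
        printf 'rejected entries in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# gen_ipset_update SETNAME DATAFILE
# Emit the ipset command sequence that rebuilds SETNAME from DATAFILE via a
# temporary set and 'ipset swap'. Pipe the output into sh on the target host.
gen_ipset_update() {
    set_name="$1"; data_file="$2"; tmp_set="${set_name}_tmp"
    validate_ipv4_list "$data_file" || return 1
    printf 'ipset -exist create %s hash:ip family inet hashsize 64\n' "$set_name"
    printf 'ipset -exist create %s hash:ip family inet hashsize 64\n' "$tmp_set"
    printf 'ipset flush %s\n' "$tmp_set"
    entries_of "$data_file" | while read -r addr; do
        printf 'ipset add %s %s\n' "$tmp_set" "$addr"
    done
    # swap exchanges the contents of the two sets; the old contents land in the temporary set, which is then dropped
    printf 'ipset swap %s %s\n' "$tmp_set" "$set_name"
    printf 'ipset destroy %s\n' "$tmp_set"
}

# Constructed sample data file, standing in for allowed_ssh4.txt in the VCS.
SAMPLE_DATA=$(mktemp)
cat > "$SAMPLE_DATA" <<'EOF'
# sys administration building 03/e4/pc427
192.168.24.117
192.168.24.5    # monitoring host
EOF
gen_ipset_update allowed_ssh4 "$SAMPLE_DATA"
```

Because the generated commands are plain text, they can be produced on the master from the versioned data and then run on each client (by cron or via ssh), and a per-client data file yields a per-client set without touching the logic.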
