On 9/27/2014 2:18 PM, PGNd wrote:
>
> On Sat, Sep 27, 2014, at 02:07 PM, Tom Eastep wrote:
>> The Shorewall-init SAVE_IPSETS action takes place after the firewall is
>> cleared. So in your /etc/shorewall/stopped script, if $COMMAND = clear,
>> then you could clean and remove all of the ipsets that you *don't* want
>> saved.
>
> Aha. Do-able. But, imo, suboptimal.
>
> That provides options to
>
> save ALL ipsets (by not specifying anything)
> save THESE ipsets, by specifying !THESE (config by negative logic is
> confusing)
>
> there's NO convenient option to save ONLY the dynamic_blacklist ... unless I
> specify ALL the !THESE
>
> hm.
>
> wait, sort-of.
>
> re-reading multiple posts ...
>
> if
>
> /shorewall.conf
> DYNAMIC_BLACKLIST=yes
> SAVE_IPSETS=no
>
> /shorewall.conf
> SAVE_IPSETS=no
>
> /shorewall-init
> SAVE_IPSETS=no
>
> then
>
> DYNAMIC_BLACKLIST's IPSET *is* persistently saved to disk
> across restart, stop+start & system reboot
>
> AND
>
> NO other IPSETs are saved to disk
>
>
> is that correct? if so, that's closer.

The ipsets that back dynamic *zones* are always saved. If SAVE_IPSETS is
set, then *all* ipsets are saved.

> But, the moment I want to save even ONE IPSET other than DYNAMIC_BLACKLIST's,
> and specify
>
> /shorewall-init
> SAVE_IPSETS=yes

The SAVE_IPSETS setting in shorewall-init must specify a pathname to the
file where you want the sets saved.

> then I have to add/specify the negative-logic in
>
> /etc/shorewall/stopped
>
> again, doable. seems very kludgy.

Specific sets is doable too, but it is quite a bit of work.

- Both the ipv4 and ipv6 configurations would need to list those ipsets
  that they want to save.
- The generated scripts would support a 'savesets' command, so that
  Shorewall-init could save just those sets.
- Mismatched shorewall/shorewall6/shorewall-init versions would need to be
  moderated.

-Tom

--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
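The /etc/shorewall/stopped approach Tom describes above, as an added example that is not part of the thread or of Shorewall itself. It assumes the dynamic blacklist set is named SW_DBL4 (a constructed name; check `ipset list -n` on your host) and that Shorewall sources this file during `shorewall clear`, before Shorewall-init's SAVE_IPSETS runs, so any set destroyed here never reaches the saved file.

```shell
# /etc/shorewall/stopped (added example, not from the thread).
# Sourced by the generated firewall script: never call exit here.
#
# Sets to keep. SW_DBL4 is an assumed name for the dynamic blacklist set;
# also list any set that backs a dynamic zone so it survives the clear.
KEEP_SETS="SW_DBL4"

# Print, one per line, the names from $1 (newline-separated, as printed by
# "ipset list -n") that are NOT listed in KEEP_SETS.
sets_to_destroy() {
    for name in $1; do
        keep=0
        for k in $KEEP_SETS; do
            [ "$name" = "$k" ] && keep=1
        done
        [ "$keep" -eq 0 ] && printf '%s\n' "$name"
    done
    return 0
}

# Act only on "shorewall clear": the rules referencing the sets are already
# gone at this point, so destroy succeeds and SAVE_IPSETS sees only KEEP_SETS.
if [ "$COMMAND" = clear ] && command -v ipset >/dev/null 2>&1; then
    for name in $(sets_to_destroy "$(ipset list -n 2>/dev/null)"); do
        ipset destroy "$name" || echo "stopped: could not destroy ipset $name" >&2
    done
fi
```

With SAVE_IPSETS in shorewall-init pointing at a save file, the file written after the clear then contains only the sets named in KEEP_SETS.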
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
