Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helper tables or macros #6

Open
mikemol opened this issue Jan 3, 2012 · 7 comments
Open

Helper tables or macros #6

mikemol opened this issue Jan 3, 2012 · 7 comments

Comments

@mikemol
Copy link
Owner

mikemol commented Jan 3, 2012

It would be very nice to have helper tables to jump to, or, at the very least, macros for inserting recurring sets of rules.

For example, I have five interfaces on one machine which have several rules in common:

  • All accept ping
  • All accept ssh
  • All accept smtp

Two of the interfaces also have these commonalities:

  • Accepts DHCP
  • Accepts dns
  • Accepts ntp
  • Accepts smtp
  • Accepts IPP
  • Accepts connections to a proxy server

Additional groupable rules would include internally-facing ICMPv6 vs externally-facing ICMPv6 behaviors.
@philwhineray
Copy link
Collaborator

As bash is the base for firehol you should be already able to do this, e.g.:

standard() {
server ping accept
server ssh accept
}

interface "$wan" wan
policy deny
standard

interface "$lan" lan
policy deny
standard

Works just fine. Perhaps we could add an example showing this usage?

I notice that adding a parameter will defeat ipv4/ipv6 autodetection so the the following will not work without making the wan interface "standard" command ipv4 explicitly:

standard() {
server ping accept "$@"
server ssh accept "$@"
}

interface "$wan" wan
policy deny
standard src 10.0.0.0/8

interface "$lan" lan
policy deny
standard

@mikemol
Copy link
Owner Author

mikemol commented Jan 3, 2012

philwhineray wrote:

Leaving aside whether the use of bash is ideal as a base for firehol, you should be already able to do this, e.g.:

standard() {
server ping accept
server ssh accept
}

interface "$wan" wan
policy deny
standard

interface "$lan" lan
policy deny
standard

Works just fine. Perhaps we could add an example showing this usage?

I notice that adding a parameter will defeat ipv4/ipv6 autodetection so the the following will not work without making the wan interface "standard" command ipv4 explicitly:

standard() {
server ping accept "$@"
server ssh accept "$@"
}

interface "$wan" wan
policy deny
standard src 10.0.0.0/8

interface "$lan" lan
policy deny
standard src

Interesting. My approach for that would have been:

standard() {
server ping accept
server ssh accept
}

interface "spc$wan" wan src 10.0.0.0/8
policy deny
standard

interface "$wan" wan
policy deny

interface "$lan" lan
policy deny
standard

I suppose I should look into how the ipv4/ipv6 autodetection works.

@philwhineray
Copy link
Collaborator

interface "spc$wan" wan src 10.0.0.0/8

Nice; I had not considered that way of doing it. Makes a lot of sense if there will be groups of IPs and services. I currently just have bash variables everywhere.

Mostly I just wanted to check that it was possible to pass parameters through to functions and just stumbled on the problem with the autodetection.

@mikemol
Copy link
Owner Author

mikemol commented Jan 3, 2012

philwhineray wrote:

interface "spc$wan" wan src 10.0.0.0/8

Nice; I had not considered that way of doing it. Makes a lot of sense if there will be groups of IPs and services. I currently just have bash variables everywhere.

Mostly I just wanted to check that it was possible to pass parameters through to functions and just stumbled on the problem with the autodetection.

I have it this way mostly because my firehol config is a derivative of
running "firehol helpme" a long time ago. Your approach is about equally
alien to me. :)

@philwhineray
Copy link
Collaborator

Quick question; do we agree that bash functions are sufficient to meet your original requirement or are you thinking of something more?

@mikemol
Copy link
Owner Author

mikemol commented Jan 28, 2012

The "something more" I'd like to see eventually is being able to avoid
reinstanciating the same table multiple times, which causes a large
increase in the number of rules. With iptables, if I have a table, I
could jump to that table from wherever. When I leave that table, it
returns flow back to wherever the jump came from.

I'm uncertain, though if that's just an aesthetic difference, or if
there are notable performance gains to be found. (Either in time
required to generate the firewall rules or in iptables overhead once
the firewall is set up)

:wq

@philwhineray
Copy link
Collaborator

Okay, I follow now. I guess something should be possible with a bit of
thought.
On Jan 28, 2012 3:49 PM, "Michael Mol" <
[email protected]>
wrote:

The "something more" I'd like to see eventually is being able to avoid
reinstanciating the same table multiple times, which causes a large
increase in the number of rules. With iptables, if I have a table, I
could jump to that table from wherever. When I leave that table, it
returns flow back to wherever the jump came from.

I'm uncertain, though if that's just an aesthetic difference, or if
there are notable performance gains to be found. (Either in time
required to generate the firewall rules or in iptables overhead once
the firewall is set up)

:wq

Reply to this email directly or view it on GitHub:
#6 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mikemol @philwhineray