[Shorewall-users] [ENHANCEMENT] A way to support macros in "masq" file?
Ob Noxious
2016-10-14 10:32:53 UTC
Hi,

The use of macros makes the "rules" file really nice, tidy and clean! It
would be nice if there was a way to support macros in the "masq" file.

Unfortunately, I have to deal with lots of crappy software/appliances which
all have specific sets of destination IP addresses and ports and often need
to "phone home" or reach services outside of my network.

Wherever possible, I create a macro to wrap it up. This makes the "rules"
files look nice but I still have to manually specify all the info on the
"masq" file.

Ex 1: simple :)

rules:
NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }

masq:
$IF_NET { source=$LAN address=$GW_IP proto=udp port=ntp }

Ok, no big deal really but would look nicer with a macro :)

Ex 2: This is an EPT (Electronic Payment Terminal)

rules: (EPT_LIST/SERVERS are a comma separated list of IPs)
custEPT(ACCEPT) { source=lan:$EPT_LIST dest=net:$EPT_SERVERS }

masq:
?COMMENT EPT service
$IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=udp port=1146 }
$IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=tcp port=1156,7221,21000 }
?COMMENT

The trouble here is the "hardcoded" kind of configuration. If someday we
switch to another brand of EPT devices, I'll have to update the macro and
also the "masq" file to reflect the changes. The "?COMMENT" is almost
required, otherwise I have to think hard to remember what these rules are
in a "shorewall show" output.

===============

Following the same idea, there's the "port range" issue too. For example, I
have an Asterisk SIP service for internal phones, but it also connects to a
SIP trunk subscribed at a provider. I have to specify a port range for the
RTP part.

rules:
ACCEPT { source=lan:$SIP dest=net:$SIP_TRUNK proto=udp sport=50000:60000 }

masq:
$IF_NET:$SIP_TRUNK { source=$SIP address=$GW_IP:50000-60000 proto=udp }

Here I can't even use a variable for the port range because the notation
isn't the same for the range separator (":" vs "-").

So if your smart mind could come up with something to cover these cases, it
would be really nice :-)
--
ObNox
Simon Hobson
2016-10-14 11:14:51 UTC
> Wherever possible, I create a macro to wrap it up. This makes the "rules" files look nice but I still have to manually specify all the info on the "masq" file.
> Ex 1: simple :)
> NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
> $IF_NET { source=$LAN address=$GW_IP proto=udp port=ntp }
> Ok, no big deal really but would look nicer with a macro :)
The first thing that comes to mind is: do you not have any default outbound masq rules that will cover most of this? I normally have a masq rule mapping internal networks to the default outside address, and only have per-device masq rules if I need something different to that (which isn't that common).

I see from looking at one of my routers that I have a param used in my masq file:
ethext:!$MasqExcl 192.168.xx.0/24 nn.nn.nn.nn
Ob Noxious
2016-10-15 05:28:19 UTC
> Post by Ob Noxious
> > Ex 1: simple :)
> > NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
> > $IF_NET { source=$LAN address=$GW_IP proto=udp port=ntp }
> > Ok, no big deal really but would look nicer with a macro :)
> The first thing that comes to mind is: do you not have any default
> outbound masq rules that will cover most of this? I normally have a masq
> rule mapping internal networks to the default outside address, and only
> have per-device masq rules if I need something different to that (which
> isn't that common).
> ethext:!$MasqExcl 192.168.xx.0/24 nn.nn.nn.nn
That's not fair, you focused on the "simple" example :) Of course I have a
ready to use "masq" file covering most of my common needs for all the
firewalls I'm in charge of.

What worries me are the very specific situations like the EPT device I
mentioned and other even crappier devices that drive me nuts thanks to
their awful design. Samsung DVRs managing CCTVs are among the worst, with a
dozen TCP/UDP ports to open plus port ranges for RTSP access, etc.

The "rules" file is clean with a macro covering all this. The "masq" file
OTOH is way less readable at first sight.
--
ObNox
Tom Eastep
2016-10-14 17:01:55 UTC
Post by Ob Noxious
> Hi,
> The use of macros makes the "rules" file really nice, tidy and
> clean! It would be nice if there was a way to support macros in the
> "masq" file.
> Unfortunately, I have to deal with lots of crappy
> software/appliances which all have specific sets of destination IP
> addresses and ports and often need to "phone home" or reach
> services outside of my network.
> Wherever possible, I create a macro to wrap it up. This makes the
> "rules" files look nice but I still have to manually specify all
> the info on the "masq" file.
> Ex 1: simple :)
> rules: NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
> masq: $IF_NET { source=$LAN address=$GW_IP proto=udp port=ntp }
> Ok, no big deal really but would look nicer with a macro :)
> Ex 2: This is an EPT (Electronic Payment Terminal)
> rules: (EPT_LIST/SERVERS are a comma separated list of IPs)
> custEPT(ACCEPT) { source=lan:$EPT_LIST dest=net:$EPT_SERVERS }
> masq:
> ?COMMENT EPT service
> $IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=udp port=1146 }
> $IF_NET:$EPT_SERVERS { source=$EPT_LIST address=$GW_IP proto=tcp port=1156,7221,21000 }
> ?COMMENT
> The trouble here is the "hardcoded" kind of configuration. If
> someday we switch to another brand of EPT devices, I'll have to
> update the macro and also the "masq" file to reflect the changes.
> The "?COMMENT" is almost required, otherwise I have to think hard
> to remember what these rules are in a "shorewall show" output.
I would prefer to add support for actions in the masq file like I did
in the mangle file. Inline actions provide a superset of the
functionality of macros.
Post by Ob Noxious
> ===============
> Following the same idea, there's the "port range" issue too. For
> example, I have an Asterisk SIP service for internal phones, but it
> also connects to a SIP trunk subscribed at a provider. I have
> to specify a port range for the RTP part.
> rules:
> ACCEPT { source=lan:$SIP dest=net:$SIP_TRUNK proto=udp sport=50000:60000 }
> masq:
> $IF_NET:$SIP_TRUNK { source=$SIP address=$GW_IP:50000-60000 proto=udp }
> Here I can't even use a variable for the port range because the
> notation isn't the same for the range separator (":" vs "-").
> So if your smart mind could come up with something to cover these
> cases, it would be really nice :-)
This is an inconsistency in iptables that shows through in Shorewall,
but I can map '-' to ':' in DPORT and SPORT columns.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
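The "-" versus ":" range-separator problem raised above, and Tom's offer to map "-" onto ":" in the DPORT and SPORT columns, as an added example in Python (not Shorewall's own code and not from anyone in the thread): a small parser for the inline "LHS { key=value ... }" entries used throughout this thread that expands params variables, validates port specs, and writes ranges with whichever separator each file needs, so one $RTP_RANGE variable can serve both the rules and the masq file. The params values and the RTP_RANGE name are constructed stand-ins.

```python
import re
from typing import Dict

# Constructed stand-ins for the params file; the real addresses are not on the page.
PARAMS = {"IF_NET": "eth0", "LAN": "192.0.2.0/24", "SIP": "192.0.2.10",
          "SIP_TRUNK": "203.0.113.5", "GW_IP": "198.51.100.1",
          "RTP_RANGE": "50000:60000"}

INLINE = re.compile(r"^(?P<lhs>\S+)\s*\{(?P<body>[^}]*)\}\s*$")
PORT_KEYS = {"port", "sport", "dport"}

def expand(text: str, params: Dict[str, str] = PARAMS) -> str:
    """Substitute $VAR references the way Shorewall does from the params file."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), text)

def port_spec(spec: str, sep: str) -> str:
    """Validate a comma-separated port list (numbers, ranges or service names
    like 'ntp') and write ranges with `sep`: ':' for the rules file's SPORT/DPORT
    form, '-' for the port part of the masq ADDRESS column. Either separator is
    accepted on input, which is the '-' to ':' mapping Tom describes."""
    out = []
    for item in spec.split(","):
        ends = re.split(r"[:-]", item, maxsplit=1)
        if all(e.isdigit() for e in ends):
            nums = [int(e) for e in ends]
            if nums != sorted(nums) or not all(1 <= n <= 65535 for n in nums):
                raise ValueError(f"bad port or range: {item!r}")
        elif len(ends) == 2:
            raise ValueError(f"range ends must be numeric: {item!r}")
        out.append(sep.join(ends))
    return ",".join(out)

def parse_entry(line: str) -> Dict[str, str]:
    """Parse one 'LHS { key=value ... }' entry (the inline form used in both
    files in the thread), expanding params and normalising port columns to ':'."""
    m = INLINE.match(expand(line.strip()))
    if not m:
        raise ValueError(f"not an inline entry: {line!r}")
    entry = {"lhs": m.group("lhs")}
    for kv in m.group("body").split():
        key, _, val = kv.partition("=")
        entry[key] = port_spec(val, ":") if key in PORT_KEYS else val
    return entry

def masq_address(address: str) -> str:
    """Rewrite an IPv4 'ADDRESS[:PORTS]' masq column so its port part uses '-',
    letting one $RTP_RANGE written with ':' serve both files."""
    addr, _, ports = address.partition(":")
    return addr + (":" + port_spec(ports, "-") if ports else "")
```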
Ob Noxious
2016-10-15 05:35:14 UTC
On Fri, Oct 14, 2016 at 7:01 PM, Tom Eastep <***@shorewall.net> wrote:

Post by Tom Eastep
> I would prefer to add support for actions in the masq file like I did
> in the mangle file. Inline actions provide a superset of the
> functionality of macros.
I don't worry at all. I'm fully confident that soon enough, you'll come up
with a well designed and evolutive way to make this easier :-)
Post by Tom Eastep
> This is an inconsistency in iptables that shows through in Shorewall,
> but I can map '-' to ':' in DPORT and SPORT columns.
It never crossed my mind to think that it was Shorewall's fault :) A simple
"man iptables" clearly shows the culprit.
--
ObNox