[Shorewall-users] Fwd: Destination port variable
Jaryn Znosa
2017-06-06 08:36:57 UTC
Hi guys,
thanks for such a great piece of software. We are using shorewall lite with
a variable for the IP address (like &{myAddress}) and we need the same
functionality for the destination port column. What is the best way to
achieve that?
Thanks a lot for any advice.
Matt Darfeuille
2017-06-06 19:10:37 UTC
Post by Jaryn Znosa
Hi guys,
thanks for such a great piece of software. We are using shorewall lite with
a variable for the IP address (like &{myAddress}) and we need the same
functionality for the destination port column. What is the best way to
achieve that?
You could define a variable in the params file and then use that
variable in the rules file.

E.g.:

/etc/shorewall/params

PORT=22,56-99

/etc/shorewall/rules

ACCEPT $FW net tcp $PORT

You could apply that scheme to any column.

-Matt
--
Matt Darfeuille
Tom Eastep
2017-06-06 20:55:19 UTC
Post by Matt Darfeuille
Hi guys, thanks for such a great piece of software. We are using
shorewall lite with a variable for the IP address (like &{myAddress})
and we need the same functionality for the destination port
column. What is the best way to achieve that?
You could define a variable in the params file and then use that
variable in the rules file.
/etc/shorewall/params
PORT=22,56-99
/etc/shorewall/rules
ACCEPT $FW net tcp $PORT
You could apply that scheme to any column.
Such variables, however, are expanded at compile time whereas address
variables are expanded at run-time. The distinction is especially
important when using Shorewall[6]-lite. Unfortunately, Shorewall does
not currently support runtime port number variables.

Jaryn -- what is the use case for such variables?

Thanks,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Jaryn Znosa
2017-06-07 06:34:48 UTC
Matt:
As Tom explained, we need a variable that is expanded at run-time (so I can't
use /etc/shorewall/params).

Tom:
We need dynamic address and port rules, because those values are stored in
the database and can be changed over time from our web UI.
What solution do you suggest? Can we for example write a compile extension
script for such functionality?
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2017-06-07 16:47:07 UTC
Matt: As Tom explained, we need a variable that is expanded at
run-time (so I can't use /etc/shorewall/params).
Tom: We need dynamic address and port rules, because those values
are stored in the database and can be changed over time from our
web UI. What solution do you suggest? Can we for example write a
compile extension script for such functionality?
You can provide a 'start' extension script that inserts the
appropriate iptables rule(s).

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
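Tom's suggestion of a 'start' extension script, written out as an added example that is not from the thread or from the Shorewall project: it reads the port list the web UI maintains from a file (assumed path), validates it so a bad database value cannot widen the rule, and inserts Matt's "ACCEPT $FW net tcp $PORT" rule at run time on the lite host. The chain name, the file path, and the availability of run_iptables and $COMMAND inside the sourced script are assumptions to check against your Shorewall version.

```shell
# Added example, not code from the thread or from the Shorewall project: a
# /etc/shorewall/start extension script (on a Shorewall-lite host the same file
# lives under /etc/shorewall-lite/) that inserts the ACCEPT rule at run time,
# reading the port list from a file the web UI rewrites. The file path and the
# chain name are assumptions; run_iptables and $COMMAND are assumed to be
# provided by the generated firewall script that sources this file.

PORT_FILE=${PORT_FILE:-/etc/shorewall/dynamic-ports}   # assumed location
CHAIN=${CHAIN:-fw-net}   # assumed; confirm with 'shorewall show' on the box

# Validate a Shorewall-style port list ("22,56-99") and print it in iptables
# multiport form ("22,56:99"). Return 1 on anything that is not a clean list,
# so a bad value from the database never turns into a wider rule than intended.
to_multiport() {
    list=$1
    printf '%s\n' "$list" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?(,[0-9]{1,5}(-[0-9]{1,5})?)*$' || return 1
    out=""; n=0
    oldifs=$IFS; IFS=,
    for item in $list; do
        lo=${item%%-*}; hi=${item##*-}
        # ports must lie in 1..65535 and a range must not be reversed
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            IFS=$oldifs; return 1
        fi
        if [ "$lo" = "$hi" ]; then entry=$lo; n=$((n + 1))
        else entry="$lo:$hi"; n=$((n + 2)); fi      # a range uses two slots
        out="$out${out:+,}$entry"
    done
    IFS=$oldifs
    [ "$n" -le 15 ] || return 1     # multiport accepts at most 15 port slots
    printf '%s\n' "$out"
}

# iptables arguments for Matt's "ACCEPT $FW net tcp $PORT" rule, inserted at
# the top of the fw-to-net chain ahead of the compiled rules.
rule_args() {
    ports=$(to_multiport "$1") || return 1
    printf '%s\n' "-I $CHAIN -p tcp -m multiport --dports $ports -j ACCEPT"
}

start_rule() {
    [ -r "$PORT_FILE" ] || { echo "start: $PORT_FILE missing, no dynamic rule" >&2; return 0; }
    args=$(rule_args "$(head -n 1 "$PORT_FILE")") \
        || { echo "start: rejecting port list in $PORT_FILE" >&2; return 1; }
    run_iptables $args
}

# Shorewall sets $COMMAND when it sources extension scripts; only act then.
case "${COMMAND:-}" in start|restart|reload) start_rule ;; esac
```

Because the rule is inserted by the lite host at every start/restart, changing the port only requires rewriting the file and restarting the firewall, with no recompile on the administrative system.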
