 From:  Dave Warren <maillist at devilsplayground dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  Jason Lane <jason at deafwv dot org>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall address grouping
 Date:  Mon, 24 Jan 2005 00:30:40 -0700
Chris Buechler wrote:

>On Sun, 23 Jan 2005 19:28:06 -0500, Jason Lane <jason at deafwv dot org> wrote:
>  
>
>>Is it possible to group external addresses into a variable as a
>>source...example
>>
>>I have the following external addresses (not real only examples)
>>
>>216.127.218.69
>>117.235.67.2
>>114.32.94.10
>>
>>and I want only those 3 addresses to be able to access my mailserver on
>>192.168.0.253
>>
>>Can I do something similar to this if I can get like ssh access or
>>something to m0n0wall
>>
>>$mailAllowedIP = array('216.127.218.69', '117.235.67.2', '114.32.94.10');
>>
>>    
>>
>
>No.  IPFilter, the firewall software used, doesn't support
>arrays/groups/lists in the current stable version.  It does in the
>next version, but I have no idea when that will be stable enough for
>widespread production use.
>  
>
While technically true, this could be implemented into m0n0wall today 
since the GUI could abstract the process from the user.

As an example for a possible implementation, m0n0wall could allow 
multiple aliases with the same name.  When m0n0wall detects a rule which 
matches multiple aliases, the rule would get written into the ipfilter 
configuration once with each matching alias.

It could potentially get a little hairy when using "not" rules, but 
these can largely be avoided.

The end result would be that grouping becomes possible without any 
direct support in IPFilter, and it's possible to use one group in more 
than one location within m0n0wall.

-- 
If a job is worth doing, then get someone in to do it properly.
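The expansion Dave sketches, written out as an added illustration (not m0n0wall code; alias name `mailAllowedIP` is taken from the question, the interface name and the `mailserver` alias are constructed): several alias entries sharing one name are collected into a group, and a rule referencing that group is emitted once per member. A negated group is refused rather than expanded, since "from !a" and "from !b" as two separate rules would each match the other member and open what the rule meant to close.

```python
"""Expand rules that reference same-named aliases into one IPFilter
rule per member address, as proposed in the mail above."""
from collections import defaultdict

# Constructed alias table: each line is one alias entry as the GUI might
# store it; repeated names form a group.  "mailAllowedIP" comes from the
# question, "mailserver" and the addresses are example values only.
ALIASES = [
    ("mailAllowedIP", "216.127.218.69"),
    ("mailAllowedIP", "117.235.67.2"),
    ("mailAllowedIP", "114.32.94.10"),
    ("mailserver", "192.168.0.253"),
]


def group_aliases(entries):
    """Collect alias entries into {name: [addr, ...]}, preserving order."""
    groups = defaultdict(list)
    for name, addr in entries:
        if addr not in groups[name]:
            groups[name].append(addr)
    return dict(groups)


def expand_rule(rule, groups):
    """Return a list of ipf.conf rule strings for one GUI rule.

    rule keys: action, iface, proto, src, dst, port, and optional
    src_not (bool).  A name that is not an alias is used literally.
    """
    src_members = groups.get(rule["src"], [rule["src"]])
    dst_members = groups.get(rule["dst"], [rule["dst"]])
    if rule.get("src_not") and len(src_members) > 1:
        # The "hairy" case from the mail: a negated multi-member group has
        # no faithful rule-by-rule expansion, so refuse it instead.
        raise ValueError("negated group %r cannot be expanded" % rule["src"])
    lines = []
    for src in src_members:
        for dst in dst_members:
            src_expr = ("!" if rule.get("src_not") else "") + src
            lines.append(
                "%s in quick on %s proto %s from %s to %s port = %d"
                % (rule["action"], rule["iface"], rule["proto"],
                   src_expr, dst, rule["port"]))
    return lines


if __name__ == "__main__":
    rule = {"action": "pass", "iface": "fxp0", "proto": "tcp",
            "src": "mailAllowedIP", "dst": "mailserver", "port": 25}
    print("\n".join(expand_rule(rule, group_aliases(ALIASES))))
```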