Re: Multiple firewall profiles with shorewall
celejar <firstname.lastname@example.org> wrote:
> I use shorewall to create a local (personal) firewall on my sid
> machine. I have a wireless nic which is sometimes connected to my
> private wireless network which I control and can secure (with WPA or
> WPA2), and sometimes to other networks which are insecure (eg. airport
> hotspot). I use ifscheme to manage the different network
> configurations, and I obviously have different security assumptions
> about the two situations. What is the standard way to have shorewall
> treat the two situations differently? I'm using the Madwifi driver, so
> a simple trick is to simply bring up the card as ath0 on the private
> network and ath1 on the public network and to write shorewall config
> files accordingly, but this is a bit of a kludge and not portable to
> other drivers.
> The most straightforward technique I can think of is to call pre-up
> scripts in /etc/network/interfaces that will manipulate the shorewall
> config files (eg. modify /etc/shorewall/zones , policy, and/or rules)
> but I'm wondering if there's a more standard way to do this - it seems
> like a fairly common requirement.
Maybe this helps (from 'man shorewall'):
DYNAMIC ZONES COMMAND
Shorewall’s zones can be altered dynamically:
add <interface>[:host] <zone>
Adds the specified interface (and host if included) to the specified zone.
del <interface>[:host] <zone>
Deletes the specified interface (and host if included) from the specified zone.
Then make two small scripts that move the interface ath0 from net to a net2
zone and back, called by ifscheme (if it can do that). AFAICT the scripts would
have to be run as root, so you might have to use sudo.
If you can't explain it simply, you don't understand it well enough.
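As an added example (not from the thread or from the Shorewall project), here is one way to write the "small script" the reply suggests, using the `add`/`del` dynamic zone commands quoted above. The interface name ath0, the zone names net (untrusted) and net2 (the private WPA network), and the scheme name "home" are assumptions; so is that `DYNAMIC_ZONES=Yes` is set in shorewall.conf and both zones are defined in /etc/shorewall/zones. Anything that is not the trusted scheme lands in net, so an unknown or mistyped scheme fails closed. The plan is separated from execution so it can be checked without root; setting `SHOREWALL=echo` gives a dry run.

```shell
#!/bin/sh
# Move a wireless interface between two Shorewall dynamic zones depending on
# which ifscheme scheme is active. Example only; names below are assumptions.

IFACE="${IFACE:-ath0}"                   # assumed interface name
TRUSTED_SCHEME="${TRUSTED_SCHEME:-home}" # assumed ifscheme scheme name
UNTRUSTED_ZONE=net                       # zone for hotspots and unknown networks
TRUSTED_ZONE=net2                        # zone for the private WPA network
SHOREWALL="${SHOREWALL:-shorewall}"      # set to "echo" for a dry run

# Print the zone the interface belongs in for a scheme name.
# Only the trusted scheme maps to net2; everything else is treated as hostile.
zone_for_scheme() {
    case "$1" in
        "$TRUSTED_SCHEME") printf '%s\n' "$TRUSTED_ZONE" ;;
        *)                 printf '%s\n' "$UNTRUSTED_ZONE" ;;
    esac
}

# Print the zone the interface must be removed from (the other one).
other_zone() {
    if [ "$1" = "$TRUSTED_ZONE" ]; then
        printf '%s\n' "$UNTRUSTED_ZONE"
    else
        printf '%s\n' "$TRUSTED_ZONE"
    fi
}

# Emit the two commands (del, then add) without running them.
plan_for_scheme() {
    zone=$(zone_for_scheme "$1")
    old=$(other_zone "$zone")
    printf 'del %s %s\n' "$IFACE" "$old"
    printf 'add %s %s\n' "$IFACE" "$zone"
}

# Run the plan. "del" fails harmlessly when the interface was never in the
# old zone (first run after boot), so only a failing "add" aborts.
apply_scheme() {
    zone=$(zone_for_scheme "$1")
    old=$(other_zone "$zone")
    "$SHOREWALL" del "$IFACE" "$old" 2>/dev/null || true
    "$SHOREWALL" add "$IFACE" "$zone"
}

# Usage: shorewall-zone-switch.sh <scheme>
# Needs root for the real shorewall binary, so call it via sudo from an
# "up" line in /etc/network/interfaces (assumed to be how ifscheme drives it).
if [ -n "${1:-}" ]; then
    apply_scheme "$1"
fi
```

Because the untrusted zone is the default, forgetting to hook a scheme leaves the interface in net, which is the safer mistake; the opposite default would silently grant a hotspot the trust intended for the home network.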