Re: Multiple firewall profiles with shorewall

[Andrei Popescu <andreimpopescu@gmail.com>]

Douglas Tutty <dtutty@porchlight.ca> wrote:

> On Sun, Oct 29, 2006 at 07:33:31PM +0000, Wackojacko wrote:
> > >celejar <celejar@gmail.com> wrote:
> > >
> > >
> > >>Hi,
> > >>
> > >>I use shorewall to create a local (personal) firewall on my sid
> > >>machine. I have a wireless nic which is sometimes connected to my
> > >>private wireless network which I control and can secure (with WPA or
> > >>WPA2), and sometimes to other networks which are insecure (eg. airport
> > >>hotspot). I use ifscheme to manage the different network
> > >>configurations, and I obviously have different security assumptions
> > >>about the two situations. What is the standard way to have shorewall
> > >>treat the two situations differently? I'm using the Madwifi driver, so
> > >>a simple trick is to simply bring up the card as ath0 on the private
> > >>network and ath1 on the public network and to write shorewall config
> > >>files accordingly, but this is a bit of a kludge and not portable to
> > >>other drivers.
> > >>The most straightforward technique I can think of is to call pre-up
> > >>scripts in /etc/network/interfaces that will manipulate the shorewall
> > >>config files (eg. modify /etc/shorewall/zones , policy, and/or rules)
> > >>but I'm wondering if there's a more standard way to do this - it seems
> > >>like a fairly common requirement.
> > >
> 
> What about having two sets of shorwall config files (where they would
> differ for the two setups), use a .loc and .pub extension.  Then write a
> script that copies the .loc or .pub files to their regular names, then
> reruns shorewall.

Or you could just use the -c option (man shorewall):

       -c directory
              Look for configuration files in directory instead of /etc/shorewall/.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)