Firewall Sources and Destinations


Sean Alderman

Jul 12, 2013, 2:40:31 PM7/12/13
to example42-pu...@googlegroups.com
Greetings,
   I ran into a funny firewall problem today.  When applying the firewall = true globally today, I found a problem in how rules are applied.  Maybe I'm not using the module correctly, but take a look and let me know...

I'm using the Resolver module. $dns_servers has two IP addresses, and the firewall rule looks like:

-A OUTPUT -p udp --dport 53 -s 0.0.0.0/0 -d 131.238.74.11, 131.238.74.12 -j ACCEPT

Of course, iptables won't start with this rule. But this is really an unintended consequence of making $firewall = true globally. So in the short run, I've set $firewall = false inside resolver for the nodes. It makes me wonder if the situation might apply in other ways, like for openssh where I want to allow only sources from two /24 subnets, like our System Admins' workstation subnet and our System Admins' VPN subnet. So, in openssh, I'd like to say:

$firewall_src => [ '10.10.10.0/24', '192.168.10.0/24' ]

Sorry if my syntax is off, I'm going off the cuff here.

Alessandro Franceschi

Jul 13, 2013, 6:11:36 AM7/13/13
to example42-pu...@googlegroups.com
If you have multiple source or destination addresses to define for a specific module, you have to use an array, so:

$firewall_src => [ '10.10.10.0/24', '192.168.10.0/24' ]
should work.
In the resolver class the $dns_servers variable is used to build the firewall rules, so $dns_servers should also be an array when you have more than one DNS server to set.
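The failure in the first message is that a list of two servers was flattened into one `-d 131.238.74.11, 131.238.74.12` argument, which iptables cannot parse. The safe way to turn an array of sources or destinations into rules is to emit one rule per element. The Python below is an added example written for this thread, not code from the example42 modules or from Puppet: `normalize_targets`, `build_rules` and `rule_problems` are hypothetical helper names, and the sample addresses are the ones quoted in the thread. It builds one rule per (source, destination) pair, accepts both a proper array and the comma-joined string that caused the problem, and includes a small linter that flags a rule like the broken one before it ever reaches `iptables-restore`.

```python
import ipaddress
import shlex


def normalize_targets(value):
    """Return a list of single addresses/networks from an array or a
    comma-separated string (the shape that produced the broken rule).
    Each element is validated with ipaddress; garbage raises ValueError."""
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    targets = []
    for item in items:
        item = str(item).strip()
        if not item:
            continue
        ipaddress.ip_network(item, strict=False)  # raises on anything that is not an address/CIDR
        targets.append(item)
    return targets


def build_rules(chain, proto, dport, sources, destinations, target="ACCEPT"):
    """One iptables rule per (source, destination) pair; an empty list on
    either side means 'any', written as 0.0.0.0/0 to match the thread's rule."""
    srcs = normalize_targets(sources) or ["0.0.0.0/0"]
    dsts = normalize_targets(destinations) or ["0.0.0.0/0"]
    return [
        f"-A {chain} -p {proto} --dport {dport} -s {src} -d {dst} -j {target}"
        for src in srcs
        for dst in dsts
    ]


def rule_problems(rule):
    """Lint a single iptables rule string: every -s/-d must carry exactly
    one argument that parses as an address or network. Returns a list of
    problems; an empty list means the rule looks well formed."""
    tokens = shlex.split(rule)
    problems = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-s", "--source", "-d", "--destination"):
            if i + 1 >= len(tokens):
                problems.append(f"{tok} has no argument")
                break
            arg = tokens[i + 1]
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"{tok} argument {arg!r} is not a single address or network")
            # A stray non-option token after the argument is the second half
            # of a ', '-joined list that was never split into separate rules.
            if i + 2 < len(tokens) and not tokens[i + 2].startswith("-"):
                problems.append(f"unexpected token {tokens[i + 2]!r} after {tok} {arg!r}")
            i += 2
        else:
            i += 1
    return problems


if __name__ == "__main__":
    # Constructed inputs based on the thread: the broken rule, then the same
    # servers given as an array and as the comma-joined string.
    broken = "-A OUTPUT -p udp --dport 53 -s 0.0.0.0/0 -d 131.238.74.11, 131.238.74.12 -j ACCEPT"
    for p in rule_problems(broken):
        print("broken rule:", p)
    for r in build_rules("OUTPUT", "udp", 53, [], ["131.238.74.11", "131.238.74.12"]):
        print(r, "->", rule_problems(r) or "ok")
    for r in build_rules("INPUT", "tcp", 22, ["10.10.10.0/24", "192.168.10.0/24"], []):
        print(r, "->", rule_problems(r) or "ok")
```

Running the linter over generated output before applying it is the cheap guard here: a rule set that fails `rule_problems` is exactly the case where iptables refuses to start, which on a firewall-first host can mean either no rules at all or, with `iptables-restore`, an atomic rollback depending on how the service is wired, so catching it in the generator is preferable to discovering it at boot.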

