From: Harry Lachanas
Date: Thu, 05 Jan 2012 10:27:34 +0200
To: Kaarle Ritvanen
CC: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Alpine Wall for firewall management

>> This should also consider the aspect of incoming and outgoing connections, so
>> expanding this would impose
>> ZONE = ( iface ) U ( Subnet(s) ) U ( ipset/Incoming ) U ( ipset/outgoing )
>
> Why would you need separate ipsets for incoming and outgoing packets?
> Couldn't you just define two zones?
>
> BR,
> Kaarle
Haloo Kaarle,

Actually this came into my mind as I was pressing the SEND Button ...
But then again .... My mind flashed ...
What about the pre-routing, outgoing chain,
one aspect that I like in tables is the high-route marks issue that lets me do shaping as well as policy based routing.
i.e. Route port 25 traffic through ISP provider X ... ( Sorry I never mentioned the Multi ISP Setups ) the condition module comes in very handy in such cases ...

Here is a live example in one of my firewalls

pkts bytes target     prot opt in     out     source               destination
17516 1426K MARK       tcp  --  vlan20 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 condition !isp1_down MARK xset 0x100/0xffffffff
    0     0 MARK       tcp  --  vlan20 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 condition isp1_down MARK xset 0x200/0xffffffff

Line status detector issues an "echo 1 > /proc/net/nf_condition/isp1_down"
and SMTP traffic flows through ISP2 that otherwise would have been routed through ISP1 ...
or redirect port 80 traffic to a proxy ... etc ...

Thanks
Harry
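The rule set behind the counters in the mail above, written out as an added example (not code from the original message or from the Alpine Wall project): the two MARK rules with the xt_condition match, the fwmark policy-routing rules that make the marks steer SMTP traffic to ISP1 or ISP2, and a line-status detector that flips /proc/net/nf_condition/isp1_down. The listing in the mail is assumed to come from the mangle PREROUTING chain; the ISP interface names, gateway addresses and routing-table numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: multi-ISP failover for SMTP
# using iptables MARK + the xt_condition match, with the policy routing
# that consumes the marks.  Everything except vlan20, the marks and the
# condition name is a constructed placeholder.

LAN_IF="vlan20"                 # internal interface from the listing
ISP1_IF="eth1"; ISP1_GW="198.51.100.1"   # placeholder uplink 1
ISP2_IF="eth2"; ISP2_GW="203.0.113.1"    # placeholder uplink 2
ISP1_TABLE=100; ISP2_TABLE=200           # placeholder routing tables
COND="isp1_down"                # xt_condition variable name from the mail

# Emit the rule set on stdout.  Run with APPLY=1 (as root, with the
# xt_condition module loaded) to execute the lines instead of printing them.
gen_rules() {
    cat <<EOF
ip route replace default via $ISP1_GW dev $ISP1_IF table $ISP1_TABLE
ip route replace default via $ISP2_GW dev $ISP2_IF table $ISP2_TABLE
ip rule add fwmark 0x100/0xffffffff lookup $ISP1_TABLE
ip rule add fwmark 0x200/0xffffffff lookup $ISP2_TABLE
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 25 -m condition ! --condition $COND -j MARK --set-xmark 0x100/0xffffffff
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 25 -m condition --condition $COND -j MARK --set-xmark 0x200/0xffffffff
EOF
}

# Line-status detector: prints 0 while the ISP1 gateway answers a probe and
# 1 once it stops.  The probe command can be passed as $1 so the decision
# logic can be exercised without a network (e.g. "true" or "false").
isp1_state() {
    probe="${1:-ping -c 1 -W 2 -I $ISP1_IF $ISP1_GW}"
    if $probe >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Write the detector result into the condition variable; the second MARK
# rule above then takes over for as long as the value stays 1.  Prints the
# value written (or that would have been written when /proc is not there).
update_condition() {
    state=$(isp1_state "$1")
    if [ -w "/proc/net/nf_condition/$COND" ]; then
        echo "$state" > "/proc/net/nf_condition/$COND"
    fi
    echo "$state"
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh -e      # apply the generated rules; requires root
    update_condition
fi
```

Running the script without APPLY prints nothing; `gen_rules` alone shows the exact iptables and ip commands, and `update_condition` can be scheduled from cron or a supervisor loop as the detector. The packet counters in the mail (17516 on the `!isp1_down` rule, 0 on the `isp1_down` rule) are what you would watch to confirm that a failover actually fired.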