For discussion of Alpine Linux development and developer support


[alpine-devel] AWall Policy files

Mika Havela
Message ID
<CAPH1gWFhrfhQi_ugH=6qE7T1pN4O0X9Tc7jUv=3SCoXsanyidw@mail.gmail.com>
Sender timestamp
1350632847
DKIM signature
missing
Hi!
Thanks for working on AWall!

I have a question about where AWall Policy files are/should be saved.
As I understand it, AWall will look for user-created Policy files in
'/usr/share/awall/optional'.
Technically it works fine.
But when using AWall on Alpine that boots from read-only media, you
will need to add this additional step when configuring AWall:
  lbu include /usr/share/awall/optional
(If you have HDD installed Alpine you can skip the above step.)
But /each/ time read-only media (e.g. USB, CD, CF, ...) is used, you will
need to remember to do the 'lbu inc...' step or you will lose your
configs at next reboot.

Most other packages in Alpine save config files in '/etc' and
therefore 'lbu' takes care of these automatically without forcing the user
to run 'lbu inc'.
If AWall would do the same (in addition to reading Policy files from
'/usr/share/awall/optional') then it might reduce situations when a
user sets up AWall but loses their config at next reboot because they
forgot to run 'lbu inc /usr/share/awall/optional'.

My suggestion for improving AWall would be that we make AWall look for
Policy files in:
* /usr/share/awall/optional/ (as it already does)
* /etc/awall/policy.d/ (or some other appropriate dir name that
indicates that here are some Policies that could be enabled/activated)

This way users could be directed to create their own policies in
'/etc/awall/policy.d/' and as long as they run 'lbu ci' (which they
would when running on read only media) then they will not lose
anything.
'/usr/share/awall/optional/' could be a path where 'apk' can store
AWall policies that come from some package(s).

It might be that AWall already takes care of the 'lbu' issue mentioned
above; in that case please direct me to where user-specific configs
should be stored (preferably somewhere in /etc/).

These were just some thoughts about AWall improvements.

<<mhavela>>


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Message ID
<c59cde94054c6e6060b2425da6b5040f@qcslink.com>
In-Reply-To
<CAPH1gWFhrfhQi_ugH=6qE7T1pN4O0X9Tc7jUv=3SCoXsanyidw@mail.gmail.com>
Sender timestamp
1350649575
DKIM signature
missing
On 2012-10-19 02:47, Mika Havela wrote:
> Hi!
> Thanks for working on AWall!
>
> I have a question about where AWall Policy files are/should be saved.
> As I understand it, AWall will look for user-created Policy files in
> '/usr/share/awall/optional'.
> Technically it works fine.
> But when using AWall on Alpine that boots from read-only media, you
> will need to add this additional step when configuring AWall:
>   lbu include /usr/share/awall/optional
> (If you have HDD installed Alpine you can skip the above step.)
> But /each/ time read-only media (e.g. USB, CD, CF, ...) is used, you will
> need to remember to do the 'lbu inc...' step or you will lose your
> configs at next reboot.
>
> Most other packages in Alpine save config files in '/etc' and
> therefore 'lbu' takes care of these automatically without forcing the user
> to run 'lbu inc'.
> If AWall would do the same (in addition to reading Policy files from
> '/usr/share/awall/optional') then it might reduce situations when a
> user sets up AWall but loses their config at next reboot because they
> forgot to run 'lbu inc /usr/share/awall/optional'.
>
> My suggestion for improving AWall would be that we make AWall look for
> Policy files in:
> * /usr/share/awall/optional/ (as it already does)
> * /etc/awall/policy.d/ (or some other appropriate dir name that
> indicates that here are some Policies that could be enabled/activated)
>
> This way users could be directed to create their own policies in
> '/etc/awall/policy.d/' and as long as they run 'lbu ci' (which they
> would when running on read only media) then they will not lose
> anything.
> '/usr/share/awall/optional/' could be a path where 'apk' can store
> AWall policies that come from some package(s).
>
> It might be that AWall already takes care of the 'lbu' issue mentioned
> above; in that case please direct me to where user-specific configs
> should be stored (preferably somewhere in /etc/).
>

I believe that you can place user-specific policies in /etc/awall, 
according to 
http://wiki.alpinelinux.org/wiki/Alpine_Wall_User%27s_Guide.

I think that the idea is that /usr/share/awall/optional will be used 
for policies that come from apk packages, and then these can be enabled 
or disabled from /etc/awall.

Hope that helps.

-Andrew

> These were just some thoughts about AWall improvements.
>
> <<mhavela>>



Mika Havela
Message ID
<CAPH1gWE=yoBtkfTRkmSTgj2eDrxhfWW4YD4Ge+rUVb+-9vdo3w@mail.gmail.com>
In-Reply-To
<c59cde94054c6e6060b2425da6b5040f@qcslink.com>
Sender timestamp
1350650139
DKIM signature
missing
Thank you for your suggestion.
You could put your Policy files directly in /etc/awall, but then you
would not be able to 'awall disable' such policies (unless I
misunderstood it).
I really like the feature that you can 'awall enable|disable'.
So if AWall were to look in /etc/awall/policy.d/ in addition to
/usr/share/awall/optional/ then the 'awall disable|enable' feature
would still work.

Thanks for your feedback!
<<mhavela>>



Kaarle Ritvanen
Message ID
<alpine.LFD.2.02.1210231306180.20819@kunkku.net>
In-Reply-To
<CAPH1gWE=yoBtkfTRkmSTgj2eDrxhfWW4YD4Ge+rUVb+-9vdo3w@mail.gmail.com>
Sender timestamp
1350986880
DKIM signature
missing
On Fri, 19 Oct 2012, Mika Havela wrote:

> Thank you for your suggestion.
> You could put your Policy files directly in /etc/awall, but then you
> would not be able to 'awall disable' such policies (unless I
> misunderstood it).
> I really like the feature that you can 'awall enable|disable'.
> So if AWall were to look in /etc/awall/policy.d/ in addition to
> /usr/share/awall/optional/ then the 'awall disable|enable' feature
> would still work.

I made awall search for optional policies also in /etc/awall/optional. 
This feature will be available in version 0.2.12.

BR,
Kaarle
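
The persistence concern raised in this thread, as an added example that is not part of the original messages and is not AWall or lbu code: a check that reports which policy directories a diskless system would keep across a reboot. The function names are hypothetical, and the include-list format ("+relative/path" lines, stored in /etc/apk/protected_paths.d/lbu.list on current Alpine) is an assumption to verify on your release.

```shell
#!/bin/sh
# Added example: which AWall policy directories survive a reboot on a
# run-from-RAM Alpine system? Directories under /etc are saved by 'lbu commit';
# anything else must appear in the lbu include list.
# Assumption: the include list holds one "+relative/path" entry per line.
# Exclusion ("-path") entries are ignored here.

# is_persisted DIR LIST_FILE -> exit status 0 if DIR would be saved
is_persisted() {
    dir=${1%/}
    list=$2
    case "$dir/" in
        /etc/*) return 0 ;;
    esac
    [ -r "$list" ] || return 1
    while IFS= read -r entry; do
        case "$entry" in
            +*) p=${entry#+}; p=${p#/}; inc="/${p%/}" ;;
            *)  continue ;;
        esac
        # DIR is covered if it equals an included path or lies below one
        case "$dir/" in
            "$inc"/*) return 0 ;;
        esac
    done < "$list"
    return 1
}

# check_awall_dirs LIST_FILE DIR... -> prints a line per directory and
# returns the number of directories that would be lost at reboot
check_awall_dirs() {
    list=$1; shift
    missing=0
    for d in "$@"; do
        if is_persisted "$d" "$list"; then
            echo "saved by lbu commit: $d"
        else
            echo "NOT saved, run 'lbu include $d': $d"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage on a live system (path of the include list is an assumption):
# check_awall_dirs /etc/apk/protected_paths.d/lbu.list \
#     /usr/share/awall/optional /etc/awall/optional
```

A non-zero exit status means at least one firewall policy directory exists only in RAM, so the policies in it disappear at the next boot.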

