On 1/20/19 11:45 AM, ObNox wrote:
> Hi,
>
> I deal with a lot of zones and have strict policies to not let zones
> talk to each other by default.
>
> This brings a bit of a lack of readability in the "policy" file, like:
>
> z1,z2,z3,z4,z5 { dest=z1,z2,z3,z4,z5+ policy=REJECT loglevel=info }
>
> Of course, here with the 2-letter example zones it's still readable, but
> in the real world with 10+ 4-letter zones, that's another story :-)
>
> Would it be possible to create a new reserved zone name which would regroup
> all user-created zones excluding the $FW?
>
> Maybe simply "zones" (plural) that would be: all minus $FW?
>
> So one could have a new policy line:
>
> zones { dest=zones+ policy=REJECT loglevel=info }
>
> which would bring 2 benefits:
>
> 1/ Readability, of course
>
> 2/ Nothing to worry about when a new zone is created; it would be
> included in the next "reload" command without having to add it twice here
>
> To further extend the concept, one could add exclusions for the typical
> case "I want all zones except these", like: zones[!z1,z2]
>
> I think about the "net" zone to obviously exclude:
>
> zones!net { dest=zones+!net policy=REJECT loglevel=info }
>
> What do you think?
>
The current convention in the rules file is that all- represents all zones except $FW.

-Tom
--
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,           \    an international standard?
Washington, USA      \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
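ObNox's second concern is that a newly created zone is silently outside the explicit inter-zone REJECT line until someone edits the policy. Added example (not from the thread and not Shorewall's own code): a small check that reads policy lines in the brace form quoted above, expands the zone lists, and reports ordered zone pairs that no line covers, so adding a zone to the list immediately shows the gaps. It assumes only the `src { dest=... policy=... }` form shown in the thread, treats `all` as every listed zone, and ignores the trailing `+` because only cross-zone pairs are checked; the policy text and zone list are constructed samples.

```python
import re
from itertools import product

# Constructed sample in the brace syntax from the thread (not a real policy file).
POLICY_TEXT = """
# default-deny between user zones; $FW lines omitted for brevity
z1,z2,z3,z4,z5 { dest=z1,z2,z3,z4,z5+ policy=REJECT loglevel=info }
net { dest=all policy=DROP loglevel=info }
"""

# Matches 'src_list { key=value key=value }'; comment lines never match.
LINE_RE = re.compile(r'^\s*(?P<src>[^\s{#]+)\s*\{(?P<body>[^}]*)\}')


def parse_policy(text):
    """Parse brace-form policy lines into dicts with 'src' plus the key=value options.

    Assumption: only the brace form used in the thread is handled; this is not a
    full Shorewall policy parser."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        opts = dict(kv.split('=', 1) for kv in m.group('body').split() if '=' in kv)
        entries.append({'src': m.group('src'), **opts})
    return entries


def expand(zone_spec, zones):
    """Expand a comma list (or 'all') into a set of zone names.

    The trailing '+' intra-zone marker is dropped: only cross-zone pairs are checked."""
    spec = zone_spec.rstrip('+')
    if spec == 'all':
        return set(zones)
    return {z for z in spec.split(',') if z}


def uncovered_pairs(policy_text, zones):
    """Return sorted ordered (src, dst) pairs of distinct zones with no explicit policy line."""
    covered = set()
    for e in parse_policy(policy_text):
        srcs = expand(e['src'], zones)
        dsts = expand(e.get('dest', ''), zones)
        covered.update(product(srcs, dsts))
    return sorted((s, d) for s, d in product(zones, repeat=2)
                  if s != d and (s, d) not in covered)


if __name__ == '__main__':
    # Before and after a new zone 'z6' is created without touching the policy.
    for zone_list in (['z1', 'z2', 'z3', 'z4', 'z5', 'net'],
                      ['z1', 'z2', 'z3', 'z4', 'z5', 'net', 'z6']):
        gaps = uncovered_pairs(POLICY_TEXT, zone_list)
        print(f"{len(gaps)} uncovered pairs for zones {zone_list}: {gaps}")
```

Pairs that fall through to the global default (the last `all` policy, if any) are listed rather than assumed safe, which is the same reasoning behind the `zones` keyword proposal.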
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users