celejar <[EMAIL PROTECTED]> wrote:
Hi,
I use shorewall to create a local (personal) firewall on my sid
machine. I have a wireless nic which is sometimes connected to my
private wireless network which I control and can secure (with WPA or
WPA2), and sometimes to other networks which are insecure (eg. airport
hotspot). I use ifscheme to manage the different network
configurations, and I obviously have different security assumptions
about the two situations. What is the standard way to have shorewall
treat the two situations differently? I'm using the Madwifi driver, so
a simple trick is to simply bring up the card as ath0 on the private
network and ath1 on the public network and to write shorewall config
files accordingly, but this is a bit of a kludge and not portable to
other drivers.
The most straightforward technique I can think of is to call pre-up
scripts in /etc/network/interfaces that will manipulate the shorewall
config files (eg. modify /etc/shorewall/zones , policy, and/or rules)
but I'm wondering if there's a more standard way to do this - it seems
like a fairly common requirement.
Maybe this helps (from 'man shorewall'):
DYNAMIC ZONES COMMAND
Shorewall’s zones can be altered dynamically:
add <interface>[:host] <zone>
Adds the specified interface (and host if included) to the
specified zone.
del <interface>[:host] <zone>
Deletes the specified interface (and host if included) from the
specified zone.
Then make two small scripts that moves the interface ath0 from net to a net2
zone and back, called by ifscheme (if it can do that). AFAICT the scripts would
have to be run as root, so you might have to use sudo.
HTH,
Andrei
In conjunction with the above, and other advice received, would run
levels help you achieve this. Switching to a different run level would
also enable you to shut down the services you dont want to run on the
public network fairly easily. I'm no expert on shorewall, but maybe a
script to swap profile in the two different run levels would do it.
HTH
Wackojacko
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
