[Firehol-support] integration with large routing tables

Costa Tsaousis costa at tsaousis.gr
Tue Feb 15 22:23:12 GMT 2005

Hi Max,

There are several ways to do it. I think however that the optimum would be
to find a way not to restart FireHOL again and again, and of course not to
apply thousands of rules when something changes. I suggest:

You define one interface for each "net". You need a <name> for it:

interface eth0 name src ""
   commands for name

interface eth0 name2 src ""
   commands for name2

For your information, if you run the first interface above in the
"explain" mode, you will see that FireHOL produces:

# Cmd Line : 1
# Command  : interface eth0 name src ""

# Creating chain 'in_name' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_name
/sbin/iptables -t filter -A INPUT -i eth0 -s -j in_name

# Creating chain 'out_name' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_name
/sbin/iptables -t filter -A OUTPUT -o eth0 -d -j out_name


Note that it matches both INPUT and OUTPUT. Note also that <name> is used
in two chains as in_name and out_name.

The whole idea is based on adding or removing rules without restarting the
whole firewall.

I assume that once every few hours you generate a list like this: net1 net1 net2 net2

This list has two columns. The first is the IP or subnet of the remote
host or net to be allowed and the second is the name of the interface (as
used in FireHOL).

The optimum would be just to make a diff every time this list is generated
and apply only the changes to the running firewall, without restarting.

To do this, you need just a script. Attached is one that can do it for
you. This script makes a diff of the list running in the firewall (it
keeps a copy of it in /tmp) and runs only the iptables rules (additions or
removals) that need to run in order to bring the running firewall in sync.

Use "-p" to get a list of what it would do.
Use "-f" to force it to apply the whole list again (run it like that when you
restart FireHOL).

The script does not have any error control in case an iptables command
fails (invalid IP, or invalid interface name).



On Tue, February 15, 2005 18:20, Max Kutny said:
> I have a box connected to numerous nets via a single interface with
> large routing tables (several thousand routing entries per net).
> Moreover, this list is dynamic and periodically updated (every several
> hours in my case).
> In order to restrict traffic with iptables I generally do the following:
> 1. Create one user-defined chain per net. Rules and restrictions
> specific to each net go here.
> 2. Create a single 'switching' user-defined table which is populated
> with jumps to net-specific rules:
> iptables -A switch -d x.x.x.x/x -j net1
> iptables -A switch -d y.y.y.y/y -j net2
> ... several thousand rules.
> What is the best way to implement this in firehol?
> I'm not sure the best solution is to define:
> interface eth0 dst "net1 net2 net3 ... net_xxx"
> commands1
> interface eth0 dst "net_yyy ... net_zzz"
> commands2
> Thanks.
> -- Max
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apply-rules.sh
Type: application/x-sh
Size: 1559 bytes
Desc: not available
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20050216/1be753d3/attachment-0003.sh>
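The diff-and-apply approach described in the reply, written out as an added example; this is not the attached apply-rules.sh and not FireHOL's own code. It assumes the list file holds one "<ip/subnet> <name>" per line, that the interface is eth0, that the chains are named in_<name> and out_<name> as in the "explain" output above, and that the last applied copy of the list is kept in a state file whose path (/tmp/firehol-nets.list) is chosen here. Unlike the attached script, it stops at the first failing iptables command and only records the list as applied when every command succeeded.

```shell
#!/bin/sh
# Added example (not the attached apply-rules.sh): keep the running firewall in
# sync with a "<ip/subnet> <name>" list by applying only the differences.
# Assumptions: interface eth0, chains in_<name>/out_<name> as in FireHOL's
# "explain" output, and the last applied list kept in $STATE_FILE (a path
# chosen for this example, not one FireHOL uses).

IPTABLES="${IPTABLES:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
STATE_FILE="${STATE_FILE:-/tmp/firehol-nets.list}"

# Strip comments and surplus whitespace, drop empty lines, sort for comm(1).
normalise_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$' | sort -u
}

# Print the two iptables commands (INPUT and OUTPUT side) for one list entry.
# $1 = -A (add) or -D (delete), $2 = ip/subnet, $3 = FireHOL interface name
rules_for() {
    printf '%s -t filter %s INPUT -i %s -s %s -j in_%s\n'  "$IPTABLES" "$1" "$IFACE" "$2" "$3"
    printf '%s -t filter %s OUTPUT -o %s -d %s -j out_%s\n' "$IPTABLES" "$1" "$IFACE" "$2" "$3"
}

# Compare the list the firewall currently has ($1) with the new list ($2) and
# print only the commands that bring them in sync: deletions for entries that
# disappeared, additions for entries that are new. An unreadable old list
# (first run, or -f) counts as empty, so every entry becomes an addition.
plan_changes() {
    old_sorted=$(mktemp) || return 1
    new_sorted=$(mktemp) || return 1
    if [ -r "$1" ]; then normalise_list "$1"; fi > "$old_sorted"
    normalise_list "$2" > "$new_sorted"
    comm -23 "$old_sorted" "$new_sorted" | while read -r ip name; do
        [ -n "$ip" ] && [ -n "$name" ] || continue   # skip malformed lines
        rules_for -D "$ip" "$name"
    done
    comm -13 "$old_sorted" "$new_sorted" | while read -r ip name; do
        [ -n "$ip" ] && [ -n "$name" ] || continue
        rules_for -A "$ip" "$name"
    done
    rm -f "$old_sorted" "$new_sorted"
}

# Usage: apply-nets.sh [-p] [-f] <list-file>
#   -p  print the commands that would run instead of running them
#   -f  force: ignore the saved state and apply the whole list (use after a
#       FireHOL restart, which recreates the in_/out_ chains empty)
main() {
    print_only=0; force=0
    while [ $# -gt 1 ]; do
        case "$1" in
            -p) print_only=1 ;;
            -f) force=1 ;;
            *)  echo "unknown option: $1" >&2; return 2 ;;
        esac
        shift
    done
    list="$1"
    [ -n "$list" ] && [ -r "$list" ] || { echo "usage: $0 [-p] [-f] <list-file>" >&2; return 2; }
    if [ "$force" -eq 1 ]; then old=""; else old="$STATE_FILE"; fi
    if [ "$print_only" -eq 1 ]; then
        plan_changes "$old" "$list"
    else
        # Stop at the first failing iptables command (bad IP, unknown chain)
        # and record the list as applied only if every command succeeded;
        # after a failure, inspect with -p before running again.
        plan_changes "$old" "$list" | sh -e && cp "$list" "$STATE_FILE"
    fi
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `apply-nets.sh -p nets.list` to see the planned commands, `apply-nets.sh nets.list` from cron after each regeneration of the list, and `apply-nets.sh -f nets.list` right after a FireHOL restart. Deletions are emitted before additions so that a host moving from one net to another never matches both chains at the same time.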
