[Firehol-support] Splitting config file

Simon Szustkowski mail at simonszu.de
Sun May 8 22:07:22 CEST 2016 

Perfect, thanks!
Yes, i was wondering about this as well. But since the for-loop loops about
the snippets in alphabetical order, i think i can use this fact as a means
to control the order of the files loaded, and maybe i can split the roles
directory more granularly (is that even a word?) into several other
directories which are then loaded at different positions in the main config
file.
But thanks very much, this solution is easier as i was thinking.

Phil Whineray <phil at firehol.org> schrieb am So., 8. Mai 2016 um 21:11 Uhr:

> Hi
>
> On Sun, May 08, 2016 at 06:55:50PM +0000, Simon Szustkowski wrote:
> > Hi,
> >
> > currently i have to write a server setup in ansible, which puts me into
> the
> > need of splitting configuration files for services like firehol. That
> means
> > in detail:
> >
> > - Create a firehol playbook which installs firehol and deploys a basic
> > ruleset which defines one management interface which allows the SSH
> > service, and nothing more.
> > - Each other playbook which installs a server software adds a bit of
> > information, which is usually the service port which has to be opened in
> > the firehol configuration so that the server is accessible from $zone.
> >
> > Is there a possibility to implement this in firehol? Like, create a
> folder
> > /etc/firehol/rules.d and a keyword in the /etc/firehol like "source all
> the
> > files in rules.d", and then every server playbook adds a file like
> > /etc/firehol/rules.d/apache.rule which contains like "server http accept"
> > and/or service definitions for unknown services?
> >
> > Currently, the monolithic configuration file approach could result in
> lots
> > of regex insert-and-replace, and you have to re-run every server playbook
> > after the basic firehol playbook because this one would replace all the
> > neat regexp'd configuration with just the basic one instead.
> >
> > I know, the firehol configuration is just some kind of bash script, but,
> to
> > be honest, i have no idea how the "source all files in rules.d" command
> > could look like, and if it could be possible to merge a server's service
> > definition and access rules in just one file - so i'm hoping for answers
> > here.
>
> To implement something like this in the top-level firehol.conf you
> can just write e.g.
>
> for f in /etc/firehol/rules.d/*.rule
> do
>         if [ -r "$f" ]
>         then
>                 source "$f"
>         fi
> done
>
> wherever you want to include your rules files.
>
> Please bear in mind that a assuming a set of rules can be linearly loaded
> with out a wider context will probably only work in the simplest host
> protection scenarios.
>
> Hope that helps
> Phil
>

More information about the Firehol-support mailing list