[Firehol-support] Splitting config file

Tsaousis, Costa costa at tsaousis.gr
Sun May 8 22:13:22 CEST 2016 

Simon,

firehol.conf is a BASH script.

Write in it whatever BASH supports.

Keep in mind that if you want to call iptables commands directly, don't
prefix the path to them. I.e. don't write /usr/bin/iptables, use just plain
"iptables ...". The later is controlled by firehol and will merge your
commands into the firewall.

Costa


On Sun, May 8, 2016 at 11:07 PM, Simon Szustkowski <mail at simonszu.de> wrote:

> Perfect, thanks!
> Yes, i was wondering about this as well. But since the for-loop loops about
> the snippets in alphabetical order, i think i can use this fact as a means
> to control the order of the files loaded, and maybe i can split the roles
> directory more granularly (is that even a word?) into several other
> directories which are then loaded at different positions in the main config
> file.
> But thanks very much, this solution is easier as i was thinking.
>
> Phil Whineray <phil at firehol.org> schrieb am So., 8. Mai 2016 um 21:11 Uhr:
>
> > Hi
> >
> > On Sun, May 08, 2016 at 06:55:50PM +0000, Simon Szustkowski wrote:
> > > Hi,
> > >
> > > currently i have to write a server setup in ansible, which puts me into
> > the
> > > need of splitting configuration files for services like firehol. That
> > means
> > > in detail:
> > >
> > > - Create a firehol playbook which installs firehol and deploys a basic
> > > ruleset which defines one management interface which allows the SSH
> > > service, and nothing more.
> > > - Each other playbook which installs a server software adds a bit of
> > > information, which is usually the service port which has to be opened
> in
> > > the firehol configuration so that the server is accessible from $zone.
> > >
> > > Is there a possibility to implement this in firehol? Like, create a
> > folder
> > > /etc/firehol/rules.d and a keyword in the /etc/firehol like "source all
> > the
> > > files in rules.d", and then every server playbook adds a file like
> > > /etc/firehol/rules.d/apache.rule which contains like "server http
> accept"
> > > and/or service definitions for unknown services?
> > >
> > > Currently, the monolithic configuration file approach could result in
> > lots
> > > of regex insert-and-replace, and you have to re-run every server
> playbook
> > > after the basic firehol playbook because this one would replace all the
> > > neat regexp'd configuration with just the basic one instead.
> > >
> > > I know, the firehol configuration is just some kind of bash script,
> but,
> > to
> > > be honest, i have no idea how the "source all files in rules.d" command
> > > could look like, and if it could be possible to merge a server's
> service
> > > definition and access rules in just one file - so i'm hoping for
> answers
> > > here.
> >
> > To implement something like this in the top-level firehol.conf you
> > can just write e.g.
> >
> > for f in /etc/firehol/rules.d/*.rule
> > do
> >         if [ -r "$f" ]
> >         then
> >                 source "$f"
> >         fi
> > done
> >
> > wherever you want to include your rules files.
> >
> > Please bear in mind that a assuming a set of rules can be linearly loaded
> > with out a wider context will probably only work in the simplest host
> > protection scenarios.
> >
> > Hope that helps
> > Phil
> >
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
>

More information about the Firehol-support mailing list