[Firehol-support] Splitting config file
Phil Whineray
phil at firehol.org
Sun May 8 20:10:55 BST 2016
Hi
On Sun, May 08, 2016 at 06:55:50PM +0000, Simon Szustkowski wrote:
> Hi,
>
> currently i have to write a server setup in ansible, which puts me into the
> need of splitting configuration files for services like firehol. That means
> in detail:
>
> - Create a firehol playbook which installs firehol and deploys a basic
> ruleset which defines one management interface which allows the SSH
> service, and nothing more.
> - Each other playbook which installs a server software adds a bit of
> information, which is usually the service port which has to be opened in
> the firehol configuration so that the server is accessible from $zone.
>
> Is there a possibility to implement this in firehol? Like, create a folder
> /etc/firehol/rules.d and a keyword in the /etc/firehol like "source all the
> files in rules.d", and then every server playbook adds a file like
> /etc/firehol/rules.d/apache.rule which contains like "server http accept"
> and/or service definitions for unknown services?
>
> Currently, the monolithic configuration file approach could result in lots
> of regex insert-and-replace, and you have to re-run every server playbook
> after the basic firehol playbook because this one would replace all the
> neat regexp'd configuration with just the basic one instead.
>
> I know, the firehol configuration is just some kind of bash script, but, to
> be honest, i have no idea how the "source all files in rules.d" command
> could look like, and if it could be possible to merge a server's service
> definition and access rules in just one file - so i'm hoping for answers
> here.
To implement something like this in the top-level firehol.conf you
can just write e.g.
for f in /etc/firehol/rules.d/*.rule
do
if [ -r "$f" ]
then
source "$f"
fi
done
wherever you want to include your rules files.
Please bear in mind that a assuming a set of rules can be linearly loaded
with out a wider context will probably only work in the simplest host
protection scenarios.
Hope that helps
Phil
More information about the Firehol-support
mailing list