# ssadm edit Initial
edit> add address "name" GROUP {"add1"} {"add2"}

The first set of braces is addresses to be included; the second set of braces is addresses to be excluded.

Armed with that information, I searched the online documentation for "exclude" and found an explanation in the section on certificates in which it said, "this is just like for addresses". However, where it talked about addresses, it said nothing. I had skipped over the section on certificates, because I'm not doing remote admin or anything else that requires connections to be encrypted by the firewall.

On the second question, sunscreen should recognize an IP change if I do a "ssadm activate". If I explicitly defined the address, then I will first need to change that and then do the activate.

Thanks to 2 who replied:

  Sir Clark Frazier Hale I <xlark@sdf.lonestar.org>
  Roy Culley <rgc@admin.swisscom-mobile.ch>

My original and their replies follow.

---------------

Chris Hoogendyk
-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology Department
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk@bio.umass.edu>

---------------

---------------- My Original Message ----------------

Subject: sunscreen command line syntax
Date: Wed, 11 May 2005 17:11:50 -0400
From: Chris Hoogendyk <hoogendyk@bio.umass.edu>
To: Sun Managers List <sunmanagers@sunmanagers.org>

I've spent a couple of days reading through sunscreen documentation online, playing with "ssadm edit ...", skimming through various people's tutorials and guides, ... I can't help thinking that the documentation never got user tested by someone who didn't already know it.
So, although this sounds elementary, I just haven't been able to find an explanation of the two sets of curly braces in the following:

# ssadm edit Initial
edit> add address "name" GROUP { } { }

or

edit> list addresses
"eri0.net" RANGE 192.168.54.0 - 192.168.55.255
"server7_eri0" GROUP { } { }

With the GROUP form of address there always seem to be two sets of braces at the end. Sometimes there are values in the left one, sometimes in the right one, sometimes both, sometimes neither. Neither the man pages (e.g. "man ssadm-edit") nor the online documentation (even appendix B of the admin overview that addresses the command line interface) explain what the significance of these is, whether there is a difference between the first and second, or why I would need an empty set. It leaves me feeling edgy about jumping in and activating a firewall on an active server, even though I feel I understand most of it and am otherwise comfortable with the command line interface.

---------------

Also, I have a server that I had sunscreen running on, then I changed the server's name and IP address and put it into production. I had to turn sunscreen off, because it broke my ssh connections after the identity change and I couldn't find where to change the identity within sunscreen -- or is the name irrelevant, and all I need to do is change the address? I just did a "/etc/init.d/sunscreen stop". Next reboot, I'll have to do it again if I haven't fixed it.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

---------------- First Reply to My Message ----------------

Subject: Re: sunscreen command line syntax
Date: Wed, 11 May 2005 22:12:53 -0400
From: Sir Clark Frazier Hale I <xlark@sdf.lonestar.org>
Organization: Clayton SuperComputing Centre
To: Chris Hoogendyk <hoogendyk@bio.umass.edu>
References: <42827516.4050109@bio.umass.edu>

Hello,

I'm doing this off the top of my head, so you'll have to double verify.

> edit> list addresses
> "eri0.net" RANGE 192.168.54.0 - 192.168.55.255
> "server7_eri0" GROUP { } { }
>
> with the GROUP form of address there always seems to be two sets
> of braces at the end. Sometimes there are values in the left one,
> sometimes in the right one, sometimes both, sometimes neither.

I think the first bracket is hosts included and the second bracket is hosts denied. Take this for example,

  add address theInternet { * } { myNetwork }

This defines the object theInternet as everything except what is contained in myNetwork. This statement is incredibly useful in the case where one has a dynamic IP address.

  add address self Host 10.0.0.1
  add address selfPublic group { "localhost" } { self }

Given that I only have two IP addresses on this box, this assigns to selfPublic my dynamically acquired address (localhost is a special object, not 127.0.0.1).

> also, I have a server that I had sunscreen running on, then I
> changed the server's name and ip address and put it into production.
> I had to turn sunscreen off, because it broke my ssh connections
> after the identity change and I couldn't find where to change the
> identity within sunscreen -- or is the name irrelevant, and all I
> need to do is change the address? I just did a
> "/etc/init.d/sunscreen stop". Next reboot, I'll have to do it again
> if I haven't fixed it.

IP address and hostname shouldn't matter unless you have rules that specifically reference the IP address. In other words, if you created an address object which is the host's old IP address, it needs to be changed to its new one. If that's all sorted, then what _should_ work is running "ssadm activate Initial", replacing Initial with whatever your policy name is. I've found that if I don't run "ssadm activate ..." after an IP address change then SunScreen won't recognize the change and fail.

HTH,
Clark

--
Sir Clark Frazier Hale I                    xlark@sdf.lonestar.org
For the Snark WAS a Boojum, you see.
SDF Public Access UNIX System - http://sdf.lonestar.org
Clayton SuperComputing Centre - http://cscc.homeunix.net

---------------- Second Reply to My Message ----------------

Subject: Re: sunscreen command line syntax
Date: Thu, 12 May 2005 09:31:18 +0200
From: Roy Culley <rgc@admin.swisscom-mobile.ch>
To: Chris Hoogendyk <hoogendyk@bio.umass.edu>

Hi Chris,

> So, although this sounds elementary, I just haven't been able to
> find an explanation of the two sets of curly braces in the
> following:
>
> # ssadm edit Initial
> edit> add address "name" GROUP { } { }

The first set of curly braces is for addresses you want in the group and the second is for those you want excluded.
Say you have a subnet defined as a RANGE address and want to have a group comprised of that subnet but excluding a host within that subnet:

  add address grp_name GROUP { subnet_range } { exclude_this_host }

You can have multiple entries within each pair of braces:

  add address grp_name GROUP { addr1 addr2 } { addr3 addr4 addr5 }

I only use the CLI when administering Sunscreens as the GUI is just slow and IMHO horrible.

Regards,
Roy

Received on Thu May 12 12:22:37 2005
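As an added illustration, not from the thread and not SunScreen's own code, the following Python models what Clark and Roy describe: a GROUP object is the first brace set minus the second, with the exclusion winning. It parses a constructed "list addresses" listing in the shape quoted above (the HOST line form is assumed, the object names and addresses are made up) and checks whether a given IP ends up inside an object, including Clark's `{ * } { myNetwork }` wildcard case, so you can sanity-check a group definition before running "ssadm activate" on a live firewall.

```python
import ipaddress
import re
# Constructed sample of "edit> list addresses" output, in the shape the thread quotes;
# the HOST form is assumed here (Clark's "add address self Host 10.0.0.1").
SAMPLE_LISTING = '''
"eri0.net" RANGE 192.168.54.0 - 192.168.55.255
"server7_eri0" HOST 192.168.54.7
"myNetwork" GROUP { "eri0.net" } { }
"eri0_clients" GROUP { "eri0.net" } { "server7_eri0" }
"theInternet" GROUP { * } { "myNetwork" }
'''
LINE_RE = re.compile(r'^"?([^"\s]+)"?\s+(HOST|RANGE|GROUP)\s+(.*)$')
GROUP_RE = re.compile(r'^\{([^}]*)\}\s*\{([^}]*)\}$')
Net = ipaddress.IPv4Network

def parse_listing(text):
    """Map object name -> (kind, rest of line); names are assumed to contain no spaces."""
    found = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): (m.group(2), m.group(3).strip()) for m in found if m}

def subtract(include, exclude):
    """Remove every excluded network from the included ones: the second brace set wins."""
    result = list(ipaddress.collapse_addresses(include))
    for ex in exclude:
        kept = []
        for net in result:
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # carve the hole out of net
            elif not net.subnet_of(ex):               # disjoint: keep; inside ex: drop
                kept.append(net)
        result = kept
    return list(ipaddress.collapse_addresses(result))

def resolve(name, objs):
    """Expand an object to disjoint networks; '*' is the wildcard for all of IPv4."""
    if name == "*":
        return [Net("0.0.0.0/0")]
    kind, rest = objs[name]
    if kind == "HOST":
        return [Net(rest + "/32")]
    if kind == "RANGE":
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in rest.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    members = lambda field: [n for m in field.split() for n in resolve(m.strip('"'), objs)]
    inc, exc = GROUP_RE.match(rest).groups()
    return subtract(members(inc), members(exc))

def contains(name, objs, ip):
    """Is ip inside the named object once its include and exclude sets are applied?"""
    return any(ipaddress.IPv4Address(ip) in net for net in resolve(name, objs))
```

A group with an empty exclude set resolves to exactly its include set, which is why the empty second braces in the listing are harmless.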
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:46 EST