Is there some way to replace the interface e+ statement below with some sort of interface not "[devices...]" syntax, maybe in a future FireHOL version if it's not supported today?
The interface not "[devices...]" syntax (second stanza below) breaks my firehol-based firewall; maybe it "works" but it does not work the desired way for my team (which is represented by the interface e+ exposed directive in the first stanza). The not directive would theoretically be more elegant (to catch "all devices that are not in the list") than matching against a more-hard-coded device wildcard (e+), and would (again, theoretically) make our /etc/firehol.conf much more portable.
E.g.: imagine a Linux system that has a regular ethernet device whose name does not begin with e. Seems quite within the realm of feasibility.
```
#
# TODO: find a more-elegant way of specifying
# non-wireguard, non-local network devices
# other than 'e+', which accounts for:
#   eth[x]
#   ens[x]
#   enp[x]
#   eno[x]
# ...per:
# https://en.wikipedia.org/wiki/Consistent_Network_Device_Naming#Device_naming_rules
#
interface e+ exposed
    protection strong
    server custom wireguard_udp udp/12345 default accept
    server custom wireguard_udp udp/12346 default accept
    client all accept
```
...with something like this (note the not "[devices...]", which breaks on our system for both of the not "wg0 wg1 lo" and "not wg0 wg1 lo" variants):
```
interface not "wg0 wg1 lo" exposed
    protection strong
    server custom wireguard_udp udp/12345 default accept
    server custom wireguard_udp udp/12346 default accept
    client all accept
```
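Added example, not part of the original issue or of the FireHOL project: because /etc/firehol.conf is processed as a bash script, the "every device except these" list can be computed at load time with a small helper, instead of relying on the `e+` wildcard or on a `not` keyword the `interface` directive may not support. The helper below takes an exclusion list and either an explicit candidate list (used here with constructed names) or, when no candidates are given, the interface names found under /sys/class/net. The second helper shows which candidate names an `e`-prefix wildcard would miss, the portability concern raised above. It assumes FireHOL accepts a space-separated, quoted list of real interface names in `interface "<list>" <name>`; verify that against the FireHOL version in use before relying on it.

```shell
#!/bin/bash
# Example helpers (not FireHOL code) for building an explicit "exposed" interface
# list as the complement of an exclusion list.

# list_interfaces: print every interface name the kernel knows about, one per line.
list_interfaces() {
    local d
    for d in /sys/class/net/*; do
        [ -e "$d" ] || continue
        basename "$d"
    done
}

# exclude_interfaces EXCLUDE_LIST [CANDIDATE...]
# Prints, space-separated, every CANDIDATE that is not in EXCLUDE_LIST.
# With no CANDIDATE arguments the candidates come from list_interfaces.
exclude_interfaces() {
    local exclude="$1"; shift
    local cands="$*"
    [ -n "$cands" ] || cands="$(list_interfaces)"
    local out="" c x skip
    for c in $cands; do
        skip=0
        for x in $exclude; do
            if [ "$c" = "$x" ]; then skip=1; break; fi
        done
        if [ "$skip" -eq 0 ]; then out="${out:+$out }$c"; fi
    done
    printf '%s\n' "$out"
}

# missed_by_wildcard PREFIX [NAME...]
# Prints the names that do NOT start with PREFIX, i.e. the devices a FireHOL
# wildcard such as "e+" would silently leave out of the stanza.
missed_by_wildcard() {
    local prefix="$1"; shift
    local n out=""
    for n in "$@"; do
        case "$n" in
            "$prefix"*) ;;
            *) out="${out:+$out }$n" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed demonstration input; on a live system call exclude_interfaces with
# only the exclusion list so the candidates are read from /sys/class/net.
DEMO_DEVICES="lo eth0 wg0 ens3 wg1 wlan0 br0"
echo "exposed candidates: $(exclude_interfaces "wg0 wg1 lo" $DEMO_DEVICES)"
echo "missed by 'e+':     $(missed_by_wildcard e $DEMO_DEVICES)"

# Inside /etc/firehol.conf the same helper would be used as (assumption: FireHOL
# accepts a quoted space-separated interface list):
#   EXPOSED_IFACES="$(exclude_interfaces "wg0 wg1 lo")"
#   interface "${EXPOSED_IFACES}" exposed
#       protection strong
#       ...
```

Note that the complement is evaluated once, when FireHOL loads the configuration; interfaces that appear later (a hot-plugged adapter, a new WireGuard tunnel) are not covered until the firewall is reloaded, which is the same limitation a wildcard has in the opposite direction.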