Complex Policy Rules for Custom Services | FWCloud Forum

We're trying to replicate our current fwbuilder-generated configurations using fwcloud.

One of the things we've found is that there's no way in fwcloud to use the policy module to do things like match previously-encrypted GRE traffic with --proto 47 -m policy --pol ipsec --dir in, for example.

Am I missing something or is this something fwcloud can't do yet?

Thanks.
 

Carles Munyoz

Administrator
Staff member
Hi Alasdair,
At this moment you can do it using the feature that we have called hook scripts at the rule level.

If you edit the rule options, you can add shell script code that will be executed before or after the rule loading.
Then you can do something like this:
[Attached image: Captura de pantalla 2021-07-02 a las 10.30.15.png]

In the future we will add better control of all Netfilter modules in the FWCloud user interface, but at this moment you can do it using this feature.
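
An added example (not part of the original post, and not FWCloud's own code) of what such a rule-level hook script could contain: it accepts GRE that arrived through IPsec and, going one step beyond the thread, drops GRE that arrived unencrypted. The INPUT chain, the IPT and CHAIN variables, the function names, and the hook being run by a POSIX shell as root are all assumptions.

```shell
#!/bin/sh
# Added example: possible body of a rule-level hook script.
# Assumptions: run as root by sh; IPT and CHAIN are hypothetical names
# chosen here, override them to match the firewall being managed.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-INPUT}"

# Build the match for GRE (IP protocol 47) by IPsec policy on the way in.
# $1 = ipsec (packet was decapsulated by IPsec) | none (arrived in the clear)
gre_policy_match() {
    case "$1" in
        ipsec|none) ;;
        *) echo "gre_policy_match: policy must be ipsec or none" >&2; return 2 ;;
    esac
    echo "-p 47 -m policy --pol $1 --dir in"
}

# Append a rule only if an identical one is not already loaded, so running
# the hook again does not stack duplicates (-C checks for an existing rule).
# $1 = ipsec | none, $2 = target (ACCEPT, DROP, ...)
ensure_gre_rule() {
    match=$(gre_policy_match "$1") || return 2
    # Word splitting of $match is intended: it holds several arguments.
    $IPT -C "$CHAIN" $match -j "$2" 2>/dev/null && return 0
    $IPT -A "$CHAIN" $match -j "$2"
}

# Accept GRE that was protected by IPsec, then drop any other GRE.
load_gre_rules() {
    ensure_gre_rule ipsec ACCEPT && ensure_gre_rule none DROP
}

# In the hook script itself, finish with a call to: load_gre_rules
```

After loading, `iptables -S INPUT` should list both rules, with the ACCEPT rule ahead of the DROP rule.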
 
Thank you for the reply, it's good to know that's possible. It probably won't work for our use cases since we have enough of this type of config in our environment that it probably isn't practical at the moment.

Thanks again.
 

Carles Munyoz

Administrator
Staff member
Can you give us examples of how you manage this in fwbuilder?
We can do something similar and maybe we can include it in our next FWCloud release.
 