Hi

I keep a single rsc file for 2 CCRs that have the same firewall rules, simple like:

/ip firewall filter
remove [ find ]
# #####
# YB IN
# #####
add action=jump chain=YBIN comment="Check YB SRC" jump-target=YBSRC
add chain=YBIN comment="Allow SSH" dst-port=22 protocol=tcp
add chain=YBIN comment=OSPF protocol=ospf
add chain=YBIN comment=NTP dst-port=123 protocol=udp src-port=123

Now I find I need to have specific rules for each router, for natting. Is there some way to include some sort of if statement where I can go "if hostname = rtr1 then include this line", instead of having to have 2 files?
On Sat, 2016-01-09 at 22:20 +0000, Alex Samad - Yieldbroker wrote:
I keep a single rsc file for 2 CCR's that have the same firewall rules [...] Is there some way to include some sort if statement where I can go if hostname = rtr1 then include this line instead of having to have 2 files.
Yes.

:global hostname [/system identity get name];
:if ( $hostname = "rtr" ) \
  do={ :put "hostname is rtr" } \
  else={ :put "Hostname is not rtr" }

It's all documented on the Mikrotik website - google for "mikrotik scripting manual" or go here:

http://wiki.mikrotik.com/wiki/Manual:Scripting

Loops and conditionals are described in section 1.8. You might also be interested in the scripting examples here:

http://wiki.mikrotik.com/wiki/Manual:Scripting-examples

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB
Ah no, misunderstanding.

I have a file fw.rsc which I keep my firewall definition in. I use it by going:

import fw.rsc

I would like some of those lines to be enabled or disabled based on the hostname.

Alex

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Sunday, 10 January 2016 11:33 AM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] scripting question
On Sun, 2016-01-10 at 02:09 +0000, Alex Samad - Yieldbroker wrote:
Ah no, misunderstanding. I have a file fw.rsc which I keep my firewall definition in. I use it by going "import fw.rsc". I would like some of those lines to be enabled or disabled based on the hostname.
Yes - use the same technique. Your file fw.rsc would look like this:

# Common firewall lines
blah blah blah
blah blah blah

:global hostname [/system identity get name]
:if ( $hostname = "rtr" ) \
  do={
    # Firewall lines for host name "rtr" only
    bloo bloo bloo
    bloo bloo bloo
  }

Now when you import fw.rsc, the script will inspect the system name and only apply the "bloo bloo bloo" lines if the system name is "rtr". If you need to intersperse the differences, just have more :if statements.

You may also find it useful to use chain names based on the router identity, and insert into appropriate chains with strategically placed :if statements.

Regards, K.
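As an added example (not code from the thread), here is a complete fw.rsc in the shape Karl describes: the YBIN rules from the first message as the common part, and per-router NAT selected by identity. The identities rtr1 and rtr2, the interface ether1 and the address ranges are assumptions; the identity is validated before any rule is removed, so an unexpected identity leaves the existing config untouched instead of silently applying only the common rules.

```routeros
# fw.rsc - one file imported on both CCRs; host-specific NAT chosen by identity.
# Added example. Identities, ether1 and the 10.x ranges are assumed values.
:global hostname [/system identity get name]

# Validate first: an unknown or mistyped identity aborts the import before
# anything is removed, rather than leaving a router with no NAT rules.
:if (($hostname != "rtr1") && ($hostname != "rtr2")) do={
    :error ("fw.rsc: unknown identity " . $hostname . " - nothing applied")
}

# Common filter rules (identical on every router)
/ip firewall filter
remove [find dynamic=no]
add chain=input action=jump jump-target=YBIN comment="Input -> YB IN"
add action=jump chain=YBIN comment="Check YB SRC" jump-target=YBSRC
add chain=YBIN comment="Allow SSH" dst-port=22 protocol=tcp
add chain=YBIN comment=OSPF protocol=ospf
add chain=YBIN comment=NTP dst-port=123 protocol=udp src-port=123

# Per-router NAT: only the block matching this router's identity runs
/ip firewall nat
remove [find dynamic=no]

:if ($hostname = "rtr1") do={
    /ip firewall nat add chain=srcnat src-address=10.1.0.0/24 out-interface=ether1 action=masquerade comment="rtr1 only"
}

:if ($hostname = "rtr2") do={
    /ip firewall nat add chain=srcnat src-address=10.2.0.0/24 out-interface=ether1 action=masquerade comment="rtr2 only"
}

:log info ("fw.rsc applied on " . $hostname)
```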
Oh awesome thanks, time to wipe out the test VM

Thanks

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Sunday, 10 January 2016 1:54 PM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] scripting question
Can I butt in and make a suggestion?

It would be easier to maintain if you keep doing separate firewall rule files on disk:

fw.common
fw.rtr1
fw.rtr2

Then include them in the config with something like:

import fw.common
:global hostname [/system identity get name];
import fw.$hostname

That will be nicer for version control, easier to create new hosts (cp fw.rtr2 fw.rtr3), you can make hosts' firewalls identical just by using symlinks (ln -s fw.rtr2 fw.rtr3) and in theory means no differences in the on-device config (for the firewall section at least) - they're all just going to say "import rules.$hostname".

I realise your first question was along the lines of "I just want one firewall file", but I reckon that's counter-productive.

- Ben

On Sun, Jan 10, 2016 at 8:25 PM, Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com> wrote:
Oh awesome thanks, time to wipe out the test VM
Thanks
-- "If you made a Venn diagram [of my life], there would be two non-overlapping circles, one of which was labeled, 'Times when I am truly happy' and the other of which was labeled, 'Times when I am logged in as root, holding a cable, or have the case open.' " - Jamie Zawinski [jwz.org]
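An added example (not Ben's code) of the per-host layout as a small dispatcher script: it builds the file name explicitly rather than relying on variable expansion inside the command, and checks that the per-router file exists before importing anything, so a router whose identity has no matching file fails loudly instead of ending up with only the common rules. The .rsc suffix on the file names and the global variable name are assumptions.

```routeros
# fw-dispatch.rsc - import common rules, then the file named after this router.
# Added example. File names with a .rsc suffix are an assumed convention.
:global hostname [/system identity get name]
:global hostfile ("fw." . $hostname . ".rsc")

# Refuse to run a half configuration: if the per-router file is missing,
# stop before the common rules are touched and say why.
:if ([:len [/file find name=$hostfile]] = 0) do={
    :error ("fw-dispatch: no " . $hostfile . " for identity " . $hostname)
}

/import file-name=fw.common.rsc
/import file-name=$hostfile
:log info ("fw-dispatch: applied fw.common.rsc and " . $hostfile)
```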
Hi

Yes thought of that. Even thought of making a template and then running a preprocessor over it. << too much work

I like the inline, because I can specify the order of the firewall rules.

Alex

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Ben Williams
Sent: Monday, 11 January 2016 9:42 AM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] scripting question
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au