From 5da3a9b9d8c25690d492c83cfb2779e58fcf0479 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 27 Aug 2007 20:03:39 +0000 Subject: [PATCH] Fix Port Knocking Perl code git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7233 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/PortKnocking.xml | 6 +-- docs/shorewall_extension_scripts.xml | 58 ++++++++++++++++------------ 2 files changed, 36 insertions(+), 28 deletions(-) diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml index 80a83afa6..1140c4e1c 100644 --- a/docs/PortKnocking.xml +++ b/docs/PortKnocking.xml @@ -111,11 +111,11 @@ if ( $level ) { '', $tag, 'add', - '-p tcp --dport 22 -m recent --rcheck --name SSH ); + '-p tcp --dport 22 -m recent --rcheck --name SSH' ); log_rule_limit( $level, $chainref, - 'SSHKnock' + 'SSHKnock', 'DROP' '', $tag, @@ -313,4 +313,4 @@ add_rule $chainref, '-j ACCEPT'; 1; - + \ No newline at end of file diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 1cd4b2fde..98246096c 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -148,14 +148,16 @@ case $1 in return 0 ;; esac + We recommend that this script only be used with + ADMINISABSENTMINDED=Yes. + The firewall state when this script is invoked is indeterminent. So if you have ADMINISABSENTMINDED=No in shorewall.conf(8) and output on an interface is not allowed by routestopped(8) then - the script must blow it's own holes in the firewall before - probing. We recommend that this script only be used with - ADMINISABSENTMINDED=Yes. + the isuasable script must blow it's own holes in the firewall + before probing. 
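Review bot: In the second log_rule_limit call of the PortKnocking.xml hunk, `'DROP'` is still directly followed by `''` with no separating comma, so the argument list remains a Perl syntax error even after the commit adds the comma after `'SSHKnock'`. Change that context line to `'DROP',` to complete the fix the commit describes. The enclosing `if ( $level ) {` block and the start of both log_rule_limit calls lie outside the hunk, so the remaining argument lists should be checked there too.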
@@ -469,9 +471,9 @@ esac Compile-time extension scripts are executed using the Perl 'eval - `cat <file>`' mechanism. Be sure that each script returns a 'true' - value; otherwise, the compiler will assume that the script failed and - will abort the compilation. + `cat <file>`' mechanism. Be sure that each + script returns a 'true' value; otherwise, the compiler will assume that + the script failed and will abort the compilation. All scripts will need to begin with the following line:use Shorewall::Chains;For more @@ -480,20 +482,24 @@ esac class="directory">/usr/share/shorewall-perl/Shorewall/ to see what's available. - When a script is invoked, the $chainref scalar variable will hold - a reference to a chain table entry. - $chainref->{name} contains the name of the chain + When a script is invoked, the $chainref scalar variable will hold a reference + to a chain table entry. + $chainref->{name} + contains the name of the chain - $chainref->{table} holds the table name + $chainref->{table} holds + the table name - To add a rule to the chain:add_rule( $chainref, <the rule> );Where - <the rule> is a scalar argument holding the rule text. - Do not include "-A <chain name>" + To add a rule to the chain:add_rule( $chainref, <the rule> );Where + <the rule> is a scalar argument + holding the rule text. Do not include "-A <chain + name>" Example:add_rule( $chainref, '-j ACCEPT' );To - insert a rule into the chain: insert_rule( $chainref, <rulenum>, <the rule> );The - log_rule_limit function works like it does in the shell compiler with - three exceptions: + insert a rule into the chain: insert_rule( $chainref, <rulenum>, <the rule> );The + log_rule_limit() function works like it + does in the shell compiler with three exceptions: You pass the chain reference rather than the name of the chain. 
@@ -518,21 +524,23 @@ esac 'add', #Command '-p tcp' #Pass as-is );Note that in the 'initdone' script, there is - no default chain ($chainref). You can obtain a reference to a standard - chain by:my $chainref = $chain_table{<table>}{<chain name>};Example:my $chainref = $chain_table{filter}{INPUT}; + no default chain ($chainref). You can + obtain a reference to a standard chain by:my $chainref = $chain_table{<table>}{<chain name>};Example:my $chainref = $chain_table{filter}{INPUT}; - You can also use the hash references $filter_table, $mangle_table - and $nat_table to access chain references in the three main - tables. + You can also use the hash references $filter_table, $mangle_table and $nat_table to access chain references in the + three main tables. Example: my $chainref = $filter_table->{INPUT}; #Same as above with a few less keystrokes; runs faster too - The continue script has been eliminated because it no longer make - any sense under Shorewall-perl. That script was designed to allow you to - add special temporary rules during [re]start. Shorewall-perl doesn't - need such rules since the ruleset is instantianted atomically by + The 'continue' script has been eliminated because it no longer + make any sense under Shorewall-perl. That script was designed to allow + you to add special temporary rules during [re]start. Shorewall-perl + doesn't need such rules since the ruleset is instantianted atomically by table.