Fix Port Knocking Perl code

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7233 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-08-27 20:03:39 +00:00
parent 2c93a90724
commit 5da3a9b9d8
2 changed files with 36 additions and 28 deletions

View File

@ -111,11 +111,11 @@ if ( $level ) {
'', '',
$tag, $tag,
'add', 'add',
'-p tcp --dport 22 -m recent --rcheck --name SSH ); '-p tcp --dport 22 -m recent --rcheck --name SSH' );
log_rule_limit( $level, log_rule_limit( $level,
$chainref, $chainref,
'SSHKnock' 'SSHKnock',
'DROP' 'DROP'
'', '',
$tag, $tag,
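Review bot: the old column's Perl is not syntactically valid: the string `'-p tcp --dport 22 -m recent --rcheck --name SSH` has no closing quote, and `'SSHKnock'` is not followed by a comma before `'DROP'`, so anyone copying the old listing into an extension script would get a compile error from the eval and an aborted compilation. The new column corrects both (`'-p tcp --dport 22 -m recent --rcheck --name SSH' );` and `'SSHKnock',`). Since this listing lives in documentation and is never exercised by the build, it is worth syntax-checking the corrected fragment once more before publishing.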

View File

@ -148,14 +148,16 @@ case $1 in
return 0 return 0
;; ;;
esac</programlisting><caution> esac</programlisting><caution>
<para>We recommend that this script only be used with
ADMINISABSENTMINDED=Yes.</para>
<para>The firewall state when this script is invoked is <para>The firewall state when this script is invoked is
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink output on an interface is not allowed by <ulink
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
the script must blow it's own holes in the firewall before the isuasable script must blow it's own holes in the firewall
probing. We recommend that this script only be used with before probing. </para>
ADMINISABSENTMINDED=Yes.</para>
</caution></para> </caution></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
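Review bot: three spelling problems survive into the new text: `indeterminent` should be `indeterminate`, `it's own holes` should be `its own holes`, and `isuasable` in the new column reads like a misspelling of the extension script's name (presumably `isusable`). Moving the ADMINISABSENTMINDED=Yes recommendation to the front of the caution is an improvement, since it is the actionable part; consider also spelling out the consequence the rest of the paragraph implies, namely that with ADMINISABSENTMINDED=No and no routestopped entry for the interface, the script's own probes are blocked by the stopped firewall unless the script opens holes for them first.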
@ -469,9 +471,9 @@ esac</programlisting><caution>
</informaltable></para> </informaltable></para>
<para>Compile-time extension scripts are executed using the Perl 'eval <para>Compile-time extension scripts are executed using the Perl 'eval
`cat &lt;file&gt;`' mechanism. Be sure that each script returns a 'true' `cat &lt;<emphasis>file</emphasis>&gt;`' mechanism. Be sure that each
value; otherwise, the compiler will assume that the script failed and script returns a 'true' value; otherwise, the compiler will assume that
will abort the compilation.</para> the script failed and will abort the compilation.</para>
<para>All scripts will need to begin with the following <para>All scripts will need to begin with the following
line:<programlisting>use Shorewall::Chains;</programlisting>For more line:<programlisting>use Shorewall::Chains;</programlisting>For more
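Review bot: this is a markup-only change, but the sentence it touches deserves a security caveat: `eval \`cat <file>\`` executes the extension script's contents as Perl inside the compiler with the compiler's own privileges, so the documentation should state that these files must be writable only by root (or whichever user runs the compiler), as a writable extension script is equivalent to write access to the generated ruleset. The `&lt;<emphasis>file</emphasis>&gt;` placeholder is now consistent with the other placeholders in this section.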
@ -480,20 +482,24 @@ esac</programlisting><caution>
class="directory">/usr/share/shorewall-perl/Shorewall/</filename> to see class="directory">/usr/share/shorewall-perl/Shorewall/</filename> to see
what's available.</para> what's available.</para>
<para>When a script is invoked, the $chainref scalar variable will hold <para>When a script is invoked, the <emphasis
a reference to a chain table entry.<simplelist> role="bold">$chainref</emphasis> scalar variable will hold a reference
<member>$chainref-&gt;{name} contains the name of the chain</member> to a chain table entry.<simplelist>
<member><emphasis role="bold">$chainref-&gt;{name}</emphasis>
contains the name of the chain</member>
<member>$chainref-&gt;{table} holds the table name</member> <member><emphasis role="bold">$chainref-&gt;{table}</emphasis> holds
the table name</member>
</simplelist></para> </simplelist></para>
<para>To add a rule to the chain:<programlisting>add_rule( $chainref, &lt;the rule&gt; );</programlisting>Where<simplelist> <para>To add a rule to the chain:<programlisting>add_rule( $chainref, &lt;<emphasis>the rule</emphasis>&gt; );</programlisting>Where<simplelist>
<member>&lt;the rule&gt; is a scalar argument holding the rule text. <member>&lt;<emphasis>the rule</emphasis>&gt; is a scalar argument
Do not include "-A &lt;chain name&gt;"</member> holding the rule text. Do not include "-A &lt;<emphasis>chain
name</emphasis>&gt;"</member>
</simplelist>Example:<programlisting>add_rule( $chainref, '-j ACCEPT' );</programlisting>To </simplelist>Example:<programlisting>add_rule( $chainref, '-j ACCEPT' );</programlisting>To
insert a rule into the chain:<programlisting> insert_rule( $chainref, &lt;rulenum&gt;, &lt;the rule&gt; );</programlisting>The insert a rule into the chain:<programlisting> insert_rule( $chainref, &lt;<emphasis>rulenum</emphasis>&gt;, &lt;<emphasis>the rule</emphasis>&gt; );</programlisting>The
log_rule_limit function works like it does in the shell compiler with <emphasis role="bold">log_rule_limit()</emphasis> function works like it
three exceptions:<itemizedlist> does in the shell compiler with three exceptions:<itemizedlist>
<listitem> <listitem>
<para>You pass the chain reference rather than the name of the <para>You pass the chain reference rather than the name of the
chain.</para> chain.</para>
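Review bot: the `insert_rule` listing has a leading space inside `<programlisting>` (` insert_rule( $chainref, ...`) in both the old and new columns, which renders as stray indentation on that one line only; drop it while this line is being touched. The bold markup added to `$chainref`, `$chainref-&gt;{name}`, `$chainref-&gt;{table}` and `log_rule_limit()` matches the rest of the section.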
@ -518,21 +524,23 @@ esac</programlisting><caution>
'add', #Command 'add', #Command
'-p tcp' #Pass as-is '-p tcp' #Pass as-is
);</programlisting>Note that in the 'initdone' script, there is );</programlisting>Note that in the 'initdone' script, there is
no default chain ($chainref). You can obtain a reference to a standard no default chain (<emphasis role="bold">$chainref</emphasis>). You can
chain by:<programlisting>my $chainref = $chain_table{&lt;table&gt;}{&lt;chain name&gt;};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting></para> obtain a reference to a standard chain by:<programlisting>my $chainref = $chain_table{&lt;<emphasis>table</emphasis>&gt;}{&lt;<emphasis>chain name</emphasis>&gt;};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting></para>
<para>You can also use the hash references $filter_table, $mangle_table <para>You can also use the hash references <emphasis
and $nat_table to access chain references in the three main role="bold">$filter_table</emphasis>, <emphasis
tables.</para> role="bold">$mangle_table</emphasis> and <emphasis
role="bold">$nat_table</emphasis> to access chain references in the
three main tables.</para>
<para>Example:</para> <para>Example:</para>
<programlisting>my $chainref = $filter_table-&gt;{INPUT}; #Same as above with a few less keystrokes; runs faster too</programlisting> <programlisting>my $chainref = $filter_table-&gt;{INPUT}; #Same as above with a few less keystrokes; runs faster too</programlisting>
<para>The continue script has been eliminated because it no longer make <para>The 'continue' script has been eliminated because it no longer
any sense under Shorewall-perl. That script was designed to allow you to make any sense under Shorewall-perl. That script was designed to allow
add special temporary rules during [re]start. Shorewall-perl doesn't you to add special temporary rules during [re]start. Shorewall-perl
need such rules since the ruleset is instantianted atomically by doesn't need such rules since the ruleset is instantianted atomically by
table.</para> table.</para>
</section> </section>
</section> </section>
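Review bot: `instantianted` in the last paragraph (should be `instantiated`) is carried over unchanged; the `'continue'` quoting and the reflow are fine. In the `$filter_table-&gt;{INPUT}` listing, the comment `#Same as above with a few less keystrokes; runs faster too` could be trimmed to the equivalence claim, since an unsupported performance remark does not belong in an example.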