mirror of https://gitlab.com/shorewall/code.git synced 2025-01-05 04:58:49 +01:00

minor modifications for v3.0 .. (probably more work is needed)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
judas_iscariote 2005-09-11 23:39:52 +00:00
parent 5f1af929b1
commit 9cd4c864b1


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-05-13</pubdate> <pubdate>2005-09-11</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -34,6 +34,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<para>Extension scripts are user-provided scripts that are invoked at <para>Extension scripts are user-provided scripts that are invoked at
various points during firewall start, restart, stop and clear. The scripts various points during firewall start, restart, stop and clear. The scripts
are placed in /etc/shorewall and are processed using the Bourne shell are placed in /etc/shorewall and are processed using the Bourne shell
@ -65,9 +72,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para>initdone (added in Shorewall 2.0.2 RC1) -- invoked after Shorewall <para>initdone -- invoked after Shorewall has flushed all existing rules
has flushed all existing rules but before any rules have been added to but before any rules have been added to the builtin chains.</para>
the builtin chains.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -75,6 +81,11 @@
restarted.</para> restarted.</para>
</listitem> </listitem>
<listitem>
<para>started -- invoked as a first step when the firewall is being
started</para>
</listitem>
<listitem> <listitem>
<para>stop -- invoked as a first step when the firewall is being <para>stop -- invoked as a first step when the firewall is being
stopped.</para> stopped.</para>
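Review bot: the new `started` item reads as a copy of the `start` hook ("invoked as a first step when the firewall is being started"), which does not match its past-tense name; given the name, it should describe a script that runs after the firewall has been [re]started, e.g. `<para>started -- invoked after the firewall has been started or restarted.</para>`. The item also lacks the trailing period that the neighbouring items (`restarted.</para>`, `stopped.</para>`) have.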
@ -94,18 +105,11 @@
</listitem> </listitem>
<listitem> <listitem>
<para>newnotsyn (added in version 1.3.6) -- invoked after the <para>continue -- invoked to allow you to insert special rules to allow
<quote>newnotsyn</quote> chain has been created but before any rules traffic while Shorewall is [re]starting. Any rules added in this script
have been added to it.</para> should be deleted in your <emphasis>start</emphasis> script. This script
</listitem> is invoked earlier in the [re]start process than is the
<emphasis>initdone</emphasis> script described above.</para>
<listitem>
<para>continue (added in version 2.2.3) -- invoked to allow you to
insert special rules to allow traffic while Shorewall is [re]starting.
Any rules added in this script should be deleted in your
<emphasis>start</emphasis> script. This script is invoked earlier in the
[re]start process than is the <emphasis>initdone</emphasis> script
described above.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
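Review bot: with the `newnotsyn` extension point removed from this list, check that no other part of this document still refers to the newnotsyn chain or script; the rewritten `continue` item only points back at `initdone` "described above", which still holds, but any later passage that enumerates the script names would need the same edit.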
@ -125,10 +129,7 @@
<command>run_iptables</command> instead. <command>run_iptables</command> <command>run_iptables</command> instead. <command>run_iptables</command>
will run the iptables utility passing the arguments to will run the iptables utility passing the arguments to
<command>run_iptables</command> and if the command fails, the firewall <command>run_iptables</command> and if the command fails, the firewall
will be stopped (Shorewall version &lt; 2.0.2 Beta 1 or there is no will be stopped.</para>
<filename>/var/lib/shorewall/restore</filename> file) or restored
(Shorewall version &gt;= 2.0.2 Beta 1 and
<filename>/var/lib/shorewall/restore</filename> exists).</para>
</listitem> </listitem>
<listitem> <listitem>
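Review bot: the rewritten sentence now states only that on a `run_iptables` failure the firewall "will be stopped", yet the restore-file mechanism is still documented later in this same file (the hunk at `@ -179,11 +178,10 @@` keeps `/var/lib/shorewall/restore-base`), so the "or restored" outcome removed here still seems to apply. Suggest keeping both outcomes without the pre-3.0 version qualifiers, e.g. "the firewall will be stopped, or restored if a restore file exists."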
@ -159,8 +160,7 @@
<listitem> <listitem>
<para>Rate Limit (if passed as "" then $LOGLIMIT is assumed — see <para>Rate Limit (if passed as "" then $LOGLIMIT is assumed — see
the LOGLIMIT option in <ulink the LOGLIMIT option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>) url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>)</para>
</para>
</listitem> </listitem>
<listitem> <listitem>
@ -168,8 +168,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>Command (-A or -I for append or insert). This argument applies <para>Command (-A or -I for append or insert).</para>
to Shorewall 2.2.0 and later only.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -179,11 +178,10 @@
</listitem> </listitem>
<listitem> <listitem>
<para>With Shorewall 2.0.2 Beta 1 and later versions, if you run <para>if you run commands other than <command>iptables</command> that
commands other than <command>iptables</command> that must be re-run in must be re-run in order to restore the firewall to its current state
order to restore the firewall to its current state then you must save then you must save the commands to the <firstterm>restore
the commands to the <firstterm>restore file</firstterm>. The restore file</firstterm>. The restore file is a temporary file in <filename
file is a temporary file in <filename
class="directory">/var/lib/shorewall</filename> that will be renamed class="directory">/var/lib/shorewall</filename> that will be renamed
<filename>/var/lib/shorewall/restore-base</filename> at the successful <filename>/var/lib/shorewall/restore-base</filename> at the successful
completion of the Shorewall command. The <command>shorewall completion of the Shorewall command. The <command>shorewall
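Review bot: the new paragraph begins mid-sentence with a lowercase `if you run commands other than`, because only the leading version clause was removed; capitalise it: `<para>If you run commands other than <command>iptables</command> that`.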
@ -228,13 +226,12 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Beginning with Shorewall 2.0.0, you can also define a <emphasis>common <para> You can also define a <emphasis>common action</emphasis> to be
action</emphasis> to be performed immediately before a policy of ACCEPT, performed immediately before a policy of ACCEPT, DROP or REJECT is applied.
DROP or REJECT is applied. Separate <ulink Separate <ulink url="Actions.html">actions</ulink> can be assigned to each
url="Actions.html">actions</ulink> can be assigned to each policy type so policy type so for example you can have a different common action for DROP
for example you can have a different common action for DROP and REJECT and REJECT policies. The most common usage of common actions is to silently
policies. The most common usage of common actions is to silently drop drop traffic that you don't wish to have logged by the policy.</para>
traffic that you don't wish to have logged by the policy.</para>
<para>As released, Shorewall defines a number of actions which are cataloged <para>As released, Shorewall defines a number of actions which are cataloged
in the <filename>/usr/share/shorewall/actions.std</filename> file. That file in the <filename>/usr/share/shorewall/actions.std</filename> file. That file
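Review bot: `<para> You can also define` has a stray leading space inside the tag that the other paragraphs in this file do not have (compare `<para>As released, Shorewall defines` just below); drop it.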