mirror of
https://gitlab.com/shorewall/code.git
synced 2025-08-16 11:44:28 +02:00
Changes for 1.3.7
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@208 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Extension Scripts<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
</td>
</tr>
</table>
<p>
Extension scripts are user-provided
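Review bot: Two opening body elements are visible in this hunk (the FrontPage one, "<body background=... bgcolor=...>" followed by a "<font face=...>" wrapper, and a bare "<body>"), and the rendering has lost the +/- markers, so please confirm that only the bare "<body>" is on the added side and that the "<!--mstheme--><font ...>" wrapper and the ProgId / "Microsoft Theme" metas are all removed together; a surviving "<font>" opened here and closed only by the "<!--mstheme--></font></body>" line at the end of the file would be left unclosed once that closing line goes. The replacement banner table still carries presentation attributes (bordercolor="#111111", bgcolor="#400169", height="90") and an id="AutoNumber1" that nothing references; a class with a stylesheet rule would be cleaner, and the charset=windows-1252 meta is only worth keeping if the file actually contains non-ASCII bytes in that code page.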
@ -19,17 +24,17 @@
stop and clear. The scripts are placed in /etc/shorewall and are processed
using the Bourne shell "source" mechanism. The following scripts can be
supplied:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">init -- invoked early in "shorewall start" and "shorewall restart"<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">start -- invoked after the firewall has been started or restarted.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">stop -- invoked as a first step when the firewall is being stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">stopped -- invoked after the firewall has been stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">clear -- invoked after the firewall has been cleared.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">refresh -- invoked while the firewall is being refreshed but before the
common and/or blacklst chains have been rebuilt.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
has been created but before any rules have been added to it.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before the
common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
has been created but before any rules have been added to it.</li>
</ul>
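Review bot: Replacing the image-bullet table with a real <ul> is the right move and the item text is carried over unchanged, but two things are worth doing while this list is touched. The intro at the top of the hunk still says the scripts are processed 'using the Bourne shell "source" mechanism' while the example later in this commit switches to the portable '.' command; that sentence should name the '.' (dot) command so the two agree. And since these files are sourced into the firewall script's own shell rather than executed as separate programs, whatever they contain runs with that script's privileges and can change its variables, which deserves a one-line note here that /etc/shorewall and the extension scripts must be writable only by root.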
@ -41,20 +46,10 @@ been processed.</p>
<p>The following two files receive
special treatment:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/common -- If this file is present, the rules that it
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
defines will totally replace the default rules in the common chain. These
default rules are contained in the file /etc/shorewall/common.def which
may be used as a starting point for making your own customized file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/icmpdef -- If this file is present, the rules that it
defines will totally replace the default rules in the icmpdef chain.
These default rules are contained in the file /etc/shorewall/icmp.def
which may be used as a starting point for making your own customized
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
may be used as a starting point for making your own customized file.</p>
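Review bot: Dropping the /etc/shorewall/icmpdef entry from the "special treatment" list removes the only place on the page that explains what that file does (replace the default rules of the icmpdef chain, with /etc/shorewall/icmp.def as the template to start from), yet the text added at the end of this same commit tells readers who set ALLOWRELATED=No to create /etc/shorewall/icmpdef. Keep one sentence describing icmpdef here, or the later instruction stands unexplained. Minor: in the new paragraph, "/etc/shorewall/common.def which may be used" wants a comma before "which".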
@ -68,9 +63,8 @@ processing of the command.</p>
<p>
If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def, it
is a good idea to use the following technique (common file shown but the same
technique applies to icmpdef).</p>
If you decide to create /etc/shorewall/common it is a good idea to use the
following technique</p>
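Review bot: The new sentence "If you decide to create /etc/shorewall/common it is a good idea to use the following technique</p>" needs a comma after "common" and a colon before the closing tag, since it introduces the <pre> block that follows. Note also that the removed wording referred to "/etc/shorewall/icmp.def", which elsewhere on this page is the shipped default-rules file, not the user-supplied /etc/shorewall/icmpdef; if the icmpdef variant of this technique is ever restored, use the right file name.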
@ -80,29 +74,40 @@ processing of the command.</p>
<blockquote>
<!--mstheme--></font><pre>source /etc/shorewall/common.def
<add your rules here></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre>. /etc/shorewall/common.def
<add your rules here></pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can add
the superceding rule before the 'source' command. Using this technique allows
the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common and /etc/shorewall/icmpdef define rules
<p>Remember that /etc/shorewall/common defines rules
that are only applied if the applicable policy is DROP or REJECT. These rules
are NOT applied if the policy is ACCEPT or CONTINUE.<br>
</p>
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
<p align="left"><font size="2">Last updated
8/5/2002 - <a href="support.htm">Tom
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be
rejected by the firewall. It is recommended with this setting that you create
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</pre>
<p align="left"><font size="2">Last updated
8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</body>
</html>
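Review bot: Both the old and the new example keep a literal "<add your rules here>" inside the <pre>, which a browser parses as an unknown tag and never displays, so the placeholder has to be written as "&lt;add your rules here&gt;". Changing the example and the prose from "source" to "." is correct for a Bourne shell (the intro says that is the shell used, and "source" is a bash/csh extension), but "superceding" should be "superseding" in both places it appears. On the added icmpdef block: the removed version of the "Remember" paragraph said the DROP/REJECT-policy caveat applied to /etc/shorewall/icmpdef as well as /etc/shorewall/common; if that is still true, the caveat should still name icmpdef, since this commit now introduces that file in the paragraph immediately after and a reader has no other way to learn when those run_iptables rules are consulted.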