Tom Eastep 2004-02-04 2001-2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. Extension scripts are user-provided scripts that are invoked at various points during firewall start, restart, stop and clear. The scripts are placed in /etc/shorewall and are processed using the Bourne shell source mechanism. Be sure that you actually need to use an extension script to do what you want. Shorewall has a wide range of features that cover most requirements. DO NOT SIMPLY COPY RULES THAT YOU FIND ON THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING WITH RESPECT TO iptables/Netfilter AND SHOREWALL. The following scripts can be supplied: init -- invoked early in shorewall start and shorewall restart start -- invoked after the firewall has been started or restarted. stop -- invoked as a first step when the firewall is being stopped. stopped -- invoked after the firewall has been stopped. clear -- invoked after the firewall has been cleared. refresh -- invoked while the firewall is being refreshed but before the common and/or blacklst chains have been rebuilt. newnotsyn (added in version 1.3.6) -- invoked after the newnotsyn chain has been created but before any rules have been added to it. If your version of Shorewall doesn't have the file that you want to use from the above list, you can simply create the file yourself. You can also supply a script with the same name as any of the filter chains in the firewall and the script will be invoked after the /etc/shorewall/rules file has been processed but before the /etc/shorewall/policy file has been processed. Beginning with Shorewall 2.0.0, you can also define a common action to be performed immediately before a policy of ACCEPT, DROP or REJECT is applied. Separate actions can be assigned to each policy type so for example you can have a different common action for DROP and REJECT policies. The most common usage of common actions is to silently drop traffic that you don't wish to have logged by the policy. As released, Shorewall defines a number of actions which are cataloged in the /etc/shorewall/actions.std file. The default /etc/shorewall/actions file contains INCLUDE /etc/shorewall/actions.std so that the Shorewall-defined actions are included by default. Among the entries in /etc/shorewall/actions.std are: Drop:DROP Reject:REJECT So the action named Drop is performed immediately before DROP policies are applied and the action called Reject is performed before REJECT policies are applied. These actions are defined in the files /etc/shorewall/action.Drop and /etc/shorewall/action.Reject respectively. You can override these defaults with entries in your /etc/shorewall/actions file. For example, if that file were to contain MyDrop:DROP then the common action for DROP policies would become MyDrop. For an example, see my configuration files. One final note. The chain created to perform an action has the same name as the action. You can use an extension script by that name to add rules to the action's chain in the same way as you can any other chain. So if you create the new action Dagger and define it in /etc/shorewall/action.Dagger, you can also have an extension script named /etc/shorewall/Dagger that can add rules to the Dagger chain that can't be created using /etc/shorewall/action.Dagger.