mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 12:14:32 +01:00
a44e4a46f8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1143 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
140 lines
5.6 KiB
XML
140 lines
5.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Extension Scripts and Common Actions</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2004-02-04</pubdate>
|
|
|
|
<copyright>
|
|
<year>2001-2004</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<para>Extension scripts are user-provided scripts that are invoked at
|
|
various points during firewall start, restart, stop and clear. The scripts
|
|
are placed in /etc/shorewall and are processed using the Bourne shell
|
|
<quote>source</quote> mechanism.</para>
|
|
|
|
<caution>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Be sure that you actually need to use an extension script to do
|
|
what you want. Shorewall has a wide range of features that cover most
|
|
requirements.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>DO NOT SIMPLY COPY RULES THAT YOU FIND ON THE NET INTO AN
|
|
EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK SHOREWALL.
|
|
TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING
|
|
WITH RESPECT TO iptables/Netfilter AND SHOREWALL.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</caution>
|
|
|
|
<para>The following scripts can be supplied:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>init -- invoked early in <quote>shorewall start</quote> and
|
|
<quote>shorewall restart</quote></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>start -- invoked after the firewall has been started or restarted.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>stop -- invoked as a first step when the firewall is being
|
|
stopped.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>stopped -- invoked after the firewall has been stopped.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>clear -- invoked after the firewall has been cleared.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>refresh -- invoked while the firewall is being refreshed but
|
|
before the common and/or blacklst chains have been rebuilt.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>newnotsyn (added in version 1.3.6) -- invoked after the
|
|
<quote>newnotsyn</quote> chain has been created but before any rules
|
|
have been added to it.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">If your version of Shorewall doesn't have
|
|
the file that you want to use from the above list, you can simply create the
|
|
file yourself.</emphasis> You can also supply a script with the same name as
|
|
any of the filter chains in the firewall and the script will be invoked
|
|
after the /etc/shorewall/rules file has been processed but before the
|
|
/etc/shorewall/policy file has been processed.</para>
|
|
|
|
<para>Beginning with Shorewall 2.0.0, you can also define a
|
|
<emphasis>common action</emphasis> to be performed immediately before a
|
|
policy of ACCEPT, DROP or REJECT is applied. Separate actions can be
|
|
assigned to each policy type so for example you can have a different common
|
|
action for DROP and REJECT policies. The most common usage of common actions
|
|
is to silently drop traffic that you don't wish to have logged by the
|
|
policy.</para>
|
|
|
|
<para>As released, Shorewall defines a number of actions which are cataloged
|
|
in the <filename>/etc/shorewall/actions.std</filename> file. The default
|
|
<filename>/etc/shorewall/actions</filename> file contains <quote>INCLUDE
|
|
/etc/shorewall/actions.std</quote> so that the Shorewall-defined actions are
|
|
included by default. Among the entries in <filename>/etc/shorewall/actions.std</filename>
|
|
are:</para>
|
|
|
|
<programlisting>Drop:DROP
|
|
Reject:REJECT</programlisting>
|
|
|
|
<para>So the action named <quote>Drop</quote> is performed immediately
|
|
before DROP policies are applied and the action called <quote>Reject</quote>
|
|
is performed before REJECT policies are applied. These actions are defined
|
|
in the files <filename>/etc/shorewall/action.Drop</filename> and
|
|
<filename>/etc/shorewall/action.Reject</filename> respectively.</para>
|
|
|
|
<para>You can override these defaults with entries in your
|
|
/etc/shorewall/actions file. For example, if that file were to contain
|
|
<quote>MyDrop:DROP</quote> then the common action for DROP policies would
|
|
become <quote>MyDrop</quote>. For an example, see <ulink url="myfiles.htm">my
|
|
configuration files</ulink>.</para>
|
|
|
|
<para>One final note. The chain created to perform an action has the same
|
|
name as the action. You can use an extension script by that name to add
|
|
rules to the action's chain in the same way as you can any other chain.
|
|
So if you create the new action <quote>Dagger</quote> and define it in
|
|
<filename>/etc/shorewall/action.Dagger</filename>, you can also have an
|
|
extension script named <filename>/etc/shorewall/Dagger</filename> that can
|
|
add rules to the <quote>Dagger</quote> chain that can't be created using
|
|
<filename>/etc/shorewall/action.Dagger</filename>.</para>
|
|
</article> |