forked from extern/shorewall_code
07d90b6fe4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
119 lines
4.6 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse;" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</table>
<p>Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism.<br>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an
extension script to do what you want. Shorewall has a wide range of features
that cover most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
DOING WITH RESPECT TO iptables/Netfilter.</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but
before the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
<p>You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p>Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during
processing of the command.</p>
<p>If you decide to create /etc/shorewall/common it is a good idea to
use the following technique:</p>
<p>/etc/shorewall/common:</p>
<blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supersede a rule in the released common.def file, you can
add the superseding rule before the '.' command (rules are appended to the
common chain in the order they are issued, so a rule placed before the '.'
command is matched ahead of the default rule it supersedes). Using this
technique allows you to add new rules while still getting the benefit of
the latest common.def file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.<br>
</p>
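<p>The following shell script is an added example, not part of Shorewall or
of this page; it models the two points above in one runnable piece: how an
extension script such as /etc/shorewall/common is sourced with '.', why a
rule written before the '.' command supersedes the matching default from
common.def, and the stop-on-error behaviour of run_iptables. Only the name
run_iptables comes from Shorewall; its body here is a stand-in that records
the iptables command in a log instead of executing it, so the script runs
without root or iptables. The helpers fake_iptables, stop_firewall,
process_extension_script, rule_position and rule_count, the scratch directory
standing in for /etc/shorewall, and the sample common.def rules are all
constructed for this example.</p>

```sh
#!/bin/sh
# Added example; not part of Shorewall or its documentation.
# Models how /etc/shorewall/common is processed: the file is sourced with
# '.', so a run_iptables call written before '. common.def' is appended to
# the common chain first and is therefore matched ahead of the default rule
# it supersedes.  run_iptables is the real Shorewall function name, but the
# body below is a stand-in that records the iptables command in a log
# instead of executing it, so this runs without root or iptables.

WORK=$(mktemp -d)          # scratch directory standing in for /etc/shorewall
LOG="$WORK/iptables.log"   # one line per rule, in the order it was issued
: > "$LOG"
trap 'rm -rf "$WORK"' EXIT

STOPPED=0                  # set to 1 when the (modelled) firewall is stopped

# Stand-in for Shorewall's stop-on-error behaviour: the real helper stops
# the firewall; here we only record that it happened.
stop_firewall() {
    STOPPED=1
    echo "firewall stopped: error while running: $1" >&2
}

# Constructed stand-in for iptables: accepts "-A <chain> ..." for known
# chains and fails, as iptables does, for an unknown chain.
fake_iptables() {
    case "$1 $2" in
        "-A common"|"-A INPUT"|"-A FORWARD"|"-A OUTPUT") echo "iptables $*" ;;
        *) echo "iptables: No chain/target/match by that name" >&2; return 1 ;;
    esac
}

# Same calling convention as iptables; a failure stops the firewall
# instead of being ignored, which is the point of using run_iptables.
run_iptables() {
    if fake_iptables "$@" >> "$LOG"; then
        return 0
    fi
    stop_firewall "iptables $*"
}

# Source an extension script into the running shell, as Shorewall does,
# so that it can call run_iptables.  Returns 1 if the file does not exist.
process_extension_script() {
    [ -f "$1" ] || return 1
    . "$1"
}

# 1-based position in the chain of the first rule matching a pattern
# (empty if none); used to check the order in which rules were appended.
rule_position() {
    grep -n -- "$1" "$LOG" | head -n 1 | cut -d: -f1
}

# Number of rules appended so far.
rule_count() {
    grep -c '' "$LOG"
}

# Constructed stand-in for the released /etc/shorewall/common.def.
cat > "$WORK/common.def" <<'EOF'
run_iptables -A common -p icmp --icmp-type echo-request -j DROP
run_iptables -A common -p tcp --dport 113 -j REJECT
EOF

# The user's /etc/shorewall/common, written with the recommended technique:
# the superseding rule comes first, then the released defaults are sourced
# (in a real installation the path is /etc/shorewall/common.def).
cat > "$WORK/common" <<'EOF'
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
. "$WORK/common.def"
run_iptables -A common -p udp --dport 137 -j DROP
EOF

process_extension_script "$WORK/common"
echo "rules in the common chain, in the order they were appended:"
cat "$LOG"
```

When run, the log shows the ACCEPT rule for echo-request at position 1 and
the DROP default from common.def at position 2, which is why the superseding
rule wins; calling run_iptables with an unknown chain leaves the log unchanged
and sets STOPPED, standing in for the firewall being stopped.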
<p align="left"><font size="2">Last updated 6/30/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>