shorewall_code/STABLE/documentation/shorewall_extension_scripts.htm
teastep 07d90b6fe4 Shorewall-1.4.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-07-21 22:06:18 +00:00

119 lines
4.6 KiB
HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</table>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism.<br>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an
extension script to do what you want. Shorewall has a wide range of features
that cover most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall
restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but
before the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during
processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE<br>
</p>
<p> </p>
<p align="left"><font size="2">Last updated 6/30/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>