On Tue, Sep 05, 2000 at 17:23 +1200, Volker Kuhlmann wrote:
Here is my setup, if anyone wants to play as well (for SuSEfirewall 3.1):
First, because it can't be done through a variable, I need a hook into SuSEfirewall, calling a function:
--- SuSEfirewall-3.1.orig Sun Sep 3 20:45:40 2000 +++ SuSEfirewall Sun Sep 3 21:15:37 2000 @@ -927,6 +927,10 @@ $IPCHAINS -A input -j "$DENY" -p udp -l ( $IPCHAINS -A forward -j "$DENY" -p tcp -y -l ) > /dev/null 2>&1 } +###################### +# Add more rules, VK # +test "$FW_CUSTOM_RULES" = yes && fw_custom_rules +###################### $IPCHAINS -A input -j "$DENY" $LDA ( $IPCHAINS -A forward -j "$DENY" $LDA ) > /dev/null 2>&1
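Review bot: the hook is appended after the `-p udp -l` and `-p tcp -y -l` deny rules shown in the same context, and ipchains takes the first matching rule in chain order, so anything `fw_custom_rules` adds with `-A input` lands behind those two denies and never sees UDP or TCP SYN traffic; either place the hook above those rules or have the function insert with `-I`. The call should also be guarded, e.g. `type fw_custom_rules >/dev/null 2>&1 && fw_custom_rules`, so that `FW_CUSTOM_RULES=yes` without a matching function definition is reported instead of leaving a bare "command not found" in the middle of the rule set.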
This is just before the input chain finishes with "deny + log all".
In firewall.rc.config, insert:
[ ... ]
FW_CUSTOM_RULES="no"
FW_CUSTOM_RULES="yes"   # uncomment to execute function at end of SuSEfirewall
#
isifup() {
    $IFCONFIG "$1" 2>/dev/null | $GREP '^ *UP ' >/dev/null
}
fw_custom_rules() {
    # This function is called by SuSEfirewall.
    # It inserts some rules preventing logging of certain denied packets,
    # and opens sufficient ports to make NFS functional.
    [ ... ]
}
I wouldn't mess up rc.config with "code". Instead it would be better to stick with rc.config as a bunch of variables and ask SuSE to extend the firewall script as sketched below (didn't think very long about pathnames, adjust what's incorrect or inflexible as you please).

----- SuSEfirewall ----------------------------------------------
...
IPCHAINS=...
...
+# optional(?): empty function body as a fallback,
+# would be overridden when sourcing the specified script
+fw_custom_rules() {
+	# EMPTY
+}
+
+# make use of what the user supplies us with
+[ -r "$FW_CUSTOMRULES" ] && . "$FW_CUSTOMRULES"
...
# code as above
...
+# call the hook function
+fw_custom_rules
# code as above
...
...
----- SuSEfirewall ----------------------------------------------

----- /etc/rc.config --------------------------------------------
...
+# script's filename with local rules in addition to or as a
+# substitute for what can be done with the FW_* variables
+# e.g. FW_CUSTOMRULES=/sbin/init.d/rc.d/firewall.custom
+FW_CUSTOMRULES=""
...
----- /etc/rc.config --------------------------------------------

----- /sbin/init.d/rc.d/firewall.custom -------------------------
...
do whatever you like, the way you want to
...
----- /sbin/init.d/rc.d/firewall.custom -------------------------

This allows for
- leaving everything as it is after installation :>
- adding or modifying rules as you see fit
- leaving the FW_ variables alone and doing it *all* yourself :)
- switching between several rule sets just by pointing to a different function (i.e. script)

And it leaves the rc.config "semantics" as it is.
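Review bot: the fallback `fw_custom_rules() { # EMPTY }` is a syntax error in sh, because a `{ ... }` group whose only content is a comment contains no command, so the firewall script would fail to parse before a single ipchains rule is added; give the body a no-op such as `:`. Separately, `. "$FW_CUSTOMRULES"` executes the named file with the privileges of the firewall script, so `-r` alone is too weak a check: the script should also refuse a file that is not a regular file, not owned by root, or writable by group or others, otherwise whoever can write to that path gets to run code as root at every firewall start.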
:) Of course there's room for improvement:
- specify relative pathnames and look for (as well as source, of course) a `dirname $0`/$FW_CUSTOMRULES file -- but this means to explicitly exclude empty FW_CUSTOMRULES settings
- deliver some "usually asked for" scripts in /usr/doc/packages with the SuSEfirewall script

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
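As an added example that is not part of this thread, here is a guarded version of the sourcing hook sketched above: since the firewall script runs as root, the custom rules file is only sourced if it is a regular, readable file owned by the invoking user and not writable by group or others. The helper names fw_check_custom_rules_file and fw_source_custom_rules are assumptions, not names from SuSEfirewall.

```shell
#!/bin/sh
# Added example (not SuSEfirewall code). Assumed helper names:
# fw_check_custom_rules_file, fw_source_custom_rules.

# Fallback, overridden when the custom script defines its own.
# The body needs a real command; a bare comment is a syntax error in sh.
fw_custom_rules() {
    :
}

# Return 0 if $1 may be sourced by the root-run firewall script,
# 1 otherwise, with the reason on stderr.
fw_check_custom_rules_file() {
    f="$1"
    [ -n "$f" ] || { echo "no custom rules file configured" >&2; return 1; }
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # mode string and numeric owner from "ls -ldn": "-rw-r--r-- 1 uid gid ..."
    set -- $(ls -ldn "$f")
    mode="$1"; owner="$3"
    [ "$owner" = "$(id -u)" ] \
        || { echo "$f: owned by uid $owner, not uid $(id -u)" >&2; return 1; }
    # in the mode string, char 6 is group write and char 9 is other write
    case "$mode" in
        ?????w*|????????w*)
            echo "$f: writable by group or others ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# Source the file only after it passed the checks, then run the hook.
fw_source_custom_rules() {
    fw_check_custom_rules_file "$1" || return 1
    . "$1"
    fw_custom_rules
}
```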