On Sat, 3 Aug 2002, Tom Eastep wrote:
> > Can the userspace area be made use of to create chains on the fly? Say
> > maybe running a shell script as a service that takes an IP as an
> > argument to create the chain? I do not know if userspace allows this.
> >
Remember that Shorewall itself is nothing but a set of shell scripts :-)
If you choose to programmatically modify the /etc/shorewall/blacklist and
then refresh the firewall, there are some synchronization functions in
the /var/lib/shorewall/functions file that are of interest:
get_statedir - establish environment
mutex_on - Create a lock file
mutex_off - Remove lock file
Using these functions ensures that your script isn't modifying the
firewall during a shorewall start/restart/stop operation.
If you choose to issue a "shorewall refresh" command between "mutex_on"
and "mutex_off", you must run the command as "shorewall nolock refresh";
otherwise, /sbin/shorewall will hang waiting for the lock file to be
removed.
The dynamic blacklisting facility is easier to use programmatically because
you don't have to modify any files. Just issue the appropriate
"shorewall" command.
It is up to you whether you do a "shorewall save" or not. If you do, you
will want to check the dynamic chain periodically and delete old entries
using the "shorewall accept" command (then "shorewall save").
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]
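A script implementing the locked-edit procedure described in the message above, as an added example (not code from the message or from the Shorewall project): it sources /var/lib/shorewall/functions, takes the lock, appends a validated address to /etc/shorewall/blacklist, runs "shorewall nolock refresh" and releases the lock. The BLACKLIST, FUNCTIONS and SHOREWALL variables and the valid_addr check are assumptions added here so the script can be pointed at test copies and refuses anything that is not an IPv4 address or prefix.

```shell
#!/bin/sh
# Added example, not Shorewall code. Paths are overridable only for testing.
BLACKLIST="${BLACKLIST:-/etc/shorewall/blacklist}"
FUNCTIONS="${FUNCTIONS:-/var/lib/shorewall/functions}"
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# string from a log parser or IDS hook cannot smuggle anything else into the
# firewall configuration.
valid_addr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*|.*|*.|*..*) return 1 ;;
    esac
    addr="${1%%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32            # no "/": a single host
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# True if the exact entry is already present (missing file counts as absent).
blacklisted() {
    grep -qxF "$1" "$BLACKLIST" 2>/dev/null
}

# Append one entry under Shorewall's own lock and refresh the firewall.
blacklist_add() {
    valid_addr "$1" || { echo "rejected: $1" >&2; return 1; }
    . "$FUNCTIONS"            # defines get_statedir, mutex_on, mutex_off
    get_statedir              # establish the environment
    mutex_on                  # block a concurrent start/restart/stop
    if ! blacklisted "$1"; then
        printf '%s\n' "$1" >> "$BLACKLIST"
        "$SHOREWALL" nolock refresh   # "nolock": we already hold the lock
    fi
    mutex_off                 # release the lock even on a duplicate (no-op)
}

[ $# -eq 1 ] && blacklist_add "$1"
```

Run it as root with a single address argument; a duplicate entry is a no-op that still takes and releases the lock but does not refresh the firewall.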
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html