On Sun, 26 Aug 2007 07:39:36 -0700, "Tom Eastep" <[EMAIL PROTECTED]> said:
> mattjackets wrote:
> > I hope this is a quick question for the experts...I'm at a loss as to
> > how to do this:
> > Drop packets with dest port 4321 with the rst flag set.
> >
> > Here's what the rule I have in mind would look like (iptables -L)
> > target     prot opt source               destination
> > DROP       tcp  --  anywhere             anywhere             tcp dpt:4321 flags:RST/RST
> >
> > How can this be done in the shorewall rules file? or do I need to
> > create a special macro or something?
> >
>
> Use an Action defined with an Extension script. The best short example is
> probably this one:
>
> http://www.shorewall.net/3.0/shorewall_extension_scripts.htm#NFQUEUE
>
> -Tom
Tom,

I quickly scanned the document you linked, and have a few questions. Are you suggesting that I use the equivalent iptables command (using run_iptables) in the extension? (on start: run_iptables -A whatever.... on stop: run_iptables -D whatever...)

If so, I'm not sure which chain to apply the rule to. Shorewall sets up many chains, and I'm not sure which would be the most appropriate. Below are the chains defined by shorewall on my firewall:

Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
Chain Drop (3 references)
Chain Reject (9 references)
Chain all2all (0 references)
Chain dropBcast (2 references)
Chain dropInvalid (2 references)
Chain dropNotSyn (2 references)
Chain dynamic (4 references)
Chain eth0_fwd (1 references)
Chain eth0_in (1 references)
Chain eth1_fwd (1 references)
Chain eth1_in (1 references)
Chain fw2all (0 references)
Chain fw2loc (3 references)
Chain fw2net (1 references)
Chain loc2all (0 references)
Chain loc2fw (1 references)
Chain loc2net (1 references)
Chain logdrop (0 references)
Chain logflags (5 references)
Chain logreject (0 references)
Chain net2all (0 references)
Chain net2fw (1 references)
Chain net2loc (1 references)
Chain norfc1918 (2 references)
Chain reject (18 references)
Chain rfc1918 (6 references)
Chain shorewall (0 references)
Chain smurfs (4 references)
Chain tcpflags (4 references)

My guess would be net2loc, or maybe drop, or maybe tcpflags, or maybe it doesn't matter at all....I had no idea so many chains were created by shorewall...

Thanks for your help!

-- 
matt
[EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and love email again
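The chain question largely answers itself once the rule lives in an Action: Shorewall creates a chain for the Action and the entry in the rules file decides which zone-to-zone chain (net2loc, loc2fw, and so on) jumps to it, so the extension script never names a chain by hand. The script below is an added example, not code from this thread or from the Shorewall project. It writes the three pieces the approach needs (the `actions` entry, an empty `action.<name>` file, and the extension script) and uses `run_iptables`, the wrapper the thread already mentions. Assumptions, labelled in the code: the Action name `DropRst`, the port 4321 from the question, the `/etc/shorewall` layout, and that Shorewall runs an Action's extension script with `$CHAIN` set to the Action's chain, as the linked NFQUEUE page describes (verify against your Shorewall version).

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project).
# Sets up a Shorewall Action whose iptables rule comes from an
# extension script, so Shorewall, not the admin, picks the chain.
#
# Assumptions: action name DropRst, port 4321, config dir /etc/shorewall
# (override with SHOREWALL_DIR), and that the extension script runs with
# $CHAIN set to the action's chain (as in the linked NFQUEUE example).

CONF_DIR="${SHOREWALL_DIR:-/etc/shorewall}"

# iptables match + target reproducing the desired `iptables -L` line from
# the question: "tcp dpt:4321 flags:RST/RST" -> DROP.
# "--tcp-flags RST RST" examines only the RST bit and requires it set,
# so a packet with RST plus any other flags still matches.
rst_drop_args() {
    port="$1"
    printf '%s' "-p tcp --dport $port --tcp-flags RST RST -j DROP"
}

# Write the three files that define the Action.
install_action() {
    name="$1"
    port="$2"
    mkdir -p "$CONF_DIR"

    # 1. Declare the Action in $CONF_DIR/actions (once), which makes
    #    Shorewall create a chain named after it.
    grep -qx "$name" "$CONF_DIR/actions" 2>/dev/null \
        || printf '%s\n' "$name" >> "$CONF_DIR/actions"

    # 2. The action file itself stays empty: the rule is supplied by the
    #    extension script, not by rules-file syntax.
    : > "$CONF_DIR/action.$name"

    # 3. The extension script. Shorewall sources it while building the
    #    Action's chain; \$CHAIN is left unexpanded so Shorewall fills it
    #    in at start time. run_iptables is Shorewall's wrapper around
    #    iptables and is only available inside Shorewall's scripts.
    cat > "$CONF_DIR/$name" <<EOF
run_iptables -A \$CHAIN $(rst_drop_args "$port")
EOF
}

# Usage: SHOREWALL_DIR=/etc/shorewall sh this_script.sh install
# Afterwards, add a rules-file line such as (zone names assumed from the
# net2loc chain in the thread):
#     DropRst    net    loc
# and run "shorewall restart"; "iptables -L DropRst" then shows the rule.
if [ "${1:-}" = "install" ]; then
    install_action DropRst 4321
fi
```

Because the rules file carries the source and destination zones, the same Action can be reused for any zone pair without touching the extension script; only the match itself lives in the script. One operational caveat: silently dropping RSTs means the connection-tracking entry for an aborted connection lingers until its timeout instead of being torn down immediately, which is worth knowing if the rule is applied broadly.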
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
