mirror of
https://github.com/firehol/firehol.git
synced 2024-06-30 19:02:21 +00:00
Added helper 'mark'
Abstract from the documentation: mark <NUMBER> <WHERE> [optional rule parameters] The mark helper marks the traffic with a specific mark NUMBER that can be matched by traffic shapping tools for controlling the traffic. Parameters * NUMBER is a number to mark the packets with. * WHERE tells FireHOL where to search for the specific traffic to be marked. Currently, WHERE can be one of the build-in iptables chains attached to table mangle. (for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here). * optional rule parameters is a set of rules that allow further restriction of the traffic that gets matched by this rule. See Optional Rules Parameters for more information. Example 1: mark 1 OUTPUT will mark with 1 all packets send by the local machine. Example 2: mark 2 FORWARD will mark with 2 all packets passing through the local machine. Example 3: mark 3 FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2 will match with 3 all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
This commit is contained in:
parent
71966cd7dc
commit
160dec4ba7
21
TODO
21
TODO
@ -1,21 +1,12 @@
|
||||
$Id: TODO,v 1.4 2003/01/06 01:49:36 ktsaou Exp $
|
||||
$Id: TODO,v 1.5 2003/09/13 01:03:46 ktsaou Exp $
|
||||
|
||||
The following is a list of features I plan to add to FireHOL,
|
||||
assuming that my time permits and there is demand for them.
|
||||
|
||||
The list appears in no particular order.
|
||||
|
||||
* NAT support, including port redirections and load balancing
|
||||
per firehol element. Today there is some limited support for
|
||||
masquerading and of course you can embed normal iptables
|
||||
NAT rules within firehol.conf. However, today these are just
|
||||
work-arounds since there is no connection between a firehol
|
||||
rule and the NAT system.
|
||||
|
||||
* Bandwidth shaping support per firehol element.
|
||||
|
||||
Ideally both the above should be "embedded" in firehol.conf rules
|
||||
with something like:
|
||||
Ideally I would like to achieve a situation where FireHOL
|
||||
directives will be something like:
|
||||
|
||||
interface eth0 internet maxbw 1Mbps queue-type htb
|
||||
server smtp accept \
|
||||
@ -30,7 +21,7 @@ interface eth0 internet maxbw 1Mbps queue-type htb
|
||||
|
||||
client ssh accept priority hi
|
||||
|
||||
Nice, eh? I guess the only way to implement this is by making heavy use of the
|
||||
I guess the only way to implement this is by making heavy use of the
|
||||
MANGLE table and MARKing uniquely each FireHOL rule. This will allow all
|
||||
iptables tables (mangle, nat, filter) and iproute to share the same traffic
|
||||
categorization (through the MARK id on each packet). Some research has to be
|
||||
@ -51,10 +42,6 @@ have different actions - accept, drop, reject, etc).
|
||||
solution should show the active connections categorized according to firehol
|
||||
rules, not iptables rules.
|
||||
|
||||
* More documentation:
|
||||
- a man page for firehol
|
||||
- a man page for firehol.conf
|
||||
|
||||
* A Web interface for configuring FireHOL.
|
||||
|
||||
* A secure mechanism for centralized control of a large number
|
||||
|
@ -48,16 +48,17 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
|
||||
</li>
|
||||
<li><a href="#helpers">Helper commands</a>
|
||||
<ul>
|
||||
<li><a href="#version">version</a>, require a specific version of FireHOL
|
||||
<li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall
|
||||
<li><a href="#masquerade">masquerade</a>, setup masquerading (NAT) to the output of a network interface</li>
|
||||
<li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li>
|
||||
<li><a href="#nat">nat</a>, setup a NAT rule for routed traffic</li>
|
||||
<li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li>
|
||||
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
|
||||
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
|
||||
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
|
||||
<li><a href="#blacklist">blackilist</a>, setup a unidirectional or bidirectional blacklist</li>
|
||||
<li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li>
|
||||
<li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall
|
||||
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
|
||||
<li><a href="#mark">mark</a>, mark traffic for traffic shapping tools</li>
|
||||
<li><a href="#masquerade">masquerade</a>, setup masquerading (NAT) to the output of a network interface</li>
|
||||
<li><a href="#nat">nat</a>, setup a NAT rule for routed traffic</li>
|
||||
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
|
||||
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
|
||||
<li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li>
|
||||
<li><a href="#version">version</a>, require a specific version of FireHOL
|
||||
</ul>
|
||||
|
||||
</li>
|
||||
@ -354,27 +355,43 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
|
||||
<small>Helper commands provide shortcuts for common functions not handled by the core of FireHOL's logic.</small>
|
||||
<p>
|
||||
|
||||
<a name="version"><h3><b>version</b> <font color="red"><number></font></h3></a>
|
||||
<H4>Description</H4>
|
||||
The <b>version</b> command states the FireHOL <u>release</u> the configuration file was
|
||||
created for. In case the configuration file is newer than FireHOL, FireHOL will deny
|
||||
to run it.
|
||||
<a name="blacklist"><h3><b>blacklist</b> [option] <font color="red"><IPs></font></h3></a>
|
||||
The <b>blacklist</b> helper creates a blacklist for the <b>IP</b> addresses given. It supports two modes of operation
|
||||
based on the option given (or the absence of it).
|
||||
<p>
|
||||
This command is here to allow you or anyone else design and distribute FireHOL configuration files, while
|
||||
ensuring that the correct FireHOL version is going to run them.
|
||||
The option can be:
|
||||
<ul>
|
||||
<li>one of the words <b>them, him, her, it, this, these, input</b> in which case it will generate a unidirectional
|
||||
statefull blacklist, meaning that you will be able to ask (initiate connections) anything from them,
|
||||
but they will not be able to ask (initiate connections) anything from you or the remote hosts you protect (routing).
|
||||
<br>
|
||||
</li>
|
||||
<li>one of the words <b>all, full</b> or ommitted (no option given), in which case FireHOL will create bidirectional
|
||||
stateless rules that will DROP all traffic comming in from these IPs and will REJECT all traffic going to them.
|
||||
</li>
|
||||
<p>
|
||||
</ul>
|
||||
The blacklist helper affects both interfaces and routers and can be used as many times as needed, but before the first interface statement.
|
||||
The blacklist helper accepts multiple IPs both as one quoted and space separated list and as separate arguments.
|
||||
<p>
|
||||
Since FireHOL configurations are BASH script, it is relatively easy to use FireHOL configurations as small
|
||||
scripts that dynamically process rules stored in a database, in a file system as separate files, or elsewhere.
|
||||
This directive will help the developers of FireHOL configurations to control the required version of
|
||||
FireHOL.
|
||||
<p>
|
||||
The FireHOL release is increased every time the format of the configuration file and the internals of FireHOL are changed.
|
||||
<p>
|
||||
Since FireHOL v1.67 <b>version</b> is not required to be present in every configuration file.
|
||||
|
||||
Example 1: <b>blacklist this "195.97.5.202 10.1.1.1"</b> # please note the quotes<br>
|
||||
Example 2: <b>blacklist full 195.97.5.202 10.1.1.1</b> # please note the absence of quotes<br>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
|
||||
<a name="dnat"><h3><b>dnat</b> [to] <font color="red"><target></font> [optional rule parameters]</h3></a>
|
||||
The <b>dnat</b> helper sets up a Destination NAT rule for routed traffic, by calling<br>
|
||||
<b>nat to-destination <target> [optional rule parameters]</b>
|
||||
<p>
|
||||
See the <a href="#nat">nat</a> helper.
|
||||
<p>
|
||||
Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="iptables"><h3><b>iptables</b> <font color="red"><arguments></font></h3></a>
|
||||
<H4>Description</H4>
|
||||
The <b>iptables</b> command passes all its arguments to the real iptables command, during run-time.
|
||||
@ -387,6 +404,54 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
|
||||
Always use the <b>iptables</b> directive to hook iptables commands in a FireHOL firewall. Nothing else.
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="mac"><h3><b>mac</b> <font color="red"><IP></font> <font color="red"><MAC></font></h3></a>
|
||||
The <b>mac</b> helper verifies that all traffic <b>comming in</b> with source the <b>IP</b> address, comes from the
|
||||
<b>MAC</b> address. The helper applies its rules to filter/INPUT and filter/FORWARD and checks the source IP address
|
||||
in combination with the source MAC address.
|
||||
<p>
|
||||
The same MAC address is allowed to use other IPs; only the specific IP is required to be used with the specified MAC
|
||||
address.
|
||||
<p>
|
||||
Packets with the given IP address but with wrong MAC address will be DROPped and a log (as in <A HREF="#loglimit">loglimit</a>)
|
||||
with label "MAC MISSMATCH" will appear in the system logs.
|
||||
<p>
|
||||
This helper has to be used before all interface or router statements. Of course, you can use as many mac statements as you wish.
|
||||
<p>
|
||||
Example: <b>mac 195.97.5.202 00:02:8a:21:a9:d8</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="mark"><h3><b>mark</b> <font color="red"><NUMBER></font> <font color="red"><WHERE></font> [optional rule parameters]</h3></a>
|
||||
The <b>mark</b> helper marks the traffic with a specific mark NUMBER that can be matched by traffic shapping tools
|
||||
for controlling the traffic.
|
||||
|
||||
<H4>Parameters</H4>
|
||||
<ul>
|
||||
<li> <b>NUMBER</b> is a number to mark the packets with.
|
||||
<br>
|
||||
</li>
|
||||
|
||||
<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
|
||||
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
|
||||
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
|
||||
<br>
|
||||
</li>
|
||||
|
||||
<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
|
||||
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
|
||||
<br>
|
||||
</li>
|
||||
</ul>
|
||||
<br>
|
||||
<br>Example 1: <b>mark 1 OUTPUT</b>, will mark with 1 all packets send by the local machine.
|
||||
<br>Example 2: <b>mark 2 FORWARD</b>, will mark with 2 all packets passing through the local machine.
|
||||
<br>Example 3: <b>mark 3 FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will match with 3
|
||||
all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="masquerade"><h3><b>masquerade</b> [reverse | interface] [optional rule parameters]</h3></a>
|
||||
@ -420,44 +485,6 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
|
||||
<br>Example 3: within a router: <b>masquerade reverse</b>, to masquerade on the output of the router's inface.
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red"><port> <user></font> [optional rule parameters]</h3></a>
|
||||
The <b>transparent_squid</b> helper sets up trasparent caching for HTTP traffic.
|
||||
The squid proxy is assumed to be running on the firewall host at port <b>port</b> (normally port is <b>squid</b>), with the credentials of the local user <b>user</b> (normally user is <b>squid</b>).
|
||||
<p>
|
||||
The <b>transparent_squid</b> helper can be used for two kinds of traffic:
|
||||
<ul>
|
||||
<li>Incomming HTTP traffic, either targeted to the firewall host or passing through the firewall host.
|
||||
<br>The optional rule parameters can be used to specify which kind of <b>incomming</b> traffic to be catched
|
||||
(by using <a href="#inface">inface</a>, <a href="#src">src</a>, <a href="#dst">dst</a>, etc --
|
||||
<a href="#outface">outface</a> should not be used here, because the rules generated are placed before
|
||||
the routing decision and therefore the outgoing interface is not yet known).
|
||||
<p>
|
||||
If no optional rule parameters are given, then the transparent
|
||||
cache will be setup on <b>all network interfaces for all HTTP traffic</b> (use this with care since you are
|
||||
risking to serve requests from the internet using your squid).
|
||||
<br>
|
||||
</li>
|
||||
<li>Locally generated outgoing HTTP traffic, except HTTP traffic generated by processes running as the <b>user</b> argument.
|
||||
The optional rule parameters <a href="#inface">inface</a>, <a href="#outface">outface</a> and <a href="#src">src</a> are
|
||||
ignored for this type of traffic.
|
||||
<p>
|
||||
This kind of matching makes it possible to support transparent caching for WEB browsers running on the firewall
|
||||
host, as far as they do not run as the user excluded. More that one users can be specified by space-separating
|
||||
and enclosing them in double quotes.
|
||||
<p>
|
||||
This rule can be disabled by specifing as user the empty string: <b>""</b>
|
||||
<br>
|
||||
</li>
|
||||
</ul>
|
||||
<p>
|
||||
Of course, make sure that your firewall allows requests to reach your proxy server.
|
||||
<p>
|
||||
Example 1: <b>transparent_squid 3128 squid inface eth0 src 10.0.0.0/8</b>
|
||||
<br>Example 2: <b>transparent_squid 8080 "squid privoxy root bin" inface not "ppp+ ipsec+" dst not "a.not.proxied.server"</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="nat"><h3><b>nat</b> <font color="red"><type> <target></font> [optional rule parameters]</h3></a>
|
||||
@ -543,6 +570,18 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
|
||||
<br>Example 2: <b>nat to-destination 4.4.4.4 inface eth0 src 5.5.5.5 dst 6.6.6.6</b>
|
||||
<br>Example 3: <b>nat redirect-to 8080 inface eth0 src 2.2.2.0/24 proto tcp dport 80</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="redirect"><h3><b>redirect</b> [to] <font color="red"><target></font> [optional rule parameters]</h3></a>
|
||||
The <b>redirect</b> helper catches all incomming traffic matching the optional rule parameters given and
|
||||
redirects it to ports on the local host, by calling<br>
|
||||
<b>nat redirect-to <target> [optional rule parameters]</b>
|
||||
<p>
|
||||
See the <a href="#nat">nat</a> helper.
|
||||
<p>
|
||||
Example: <b>redirect to 8080 inface eth0 src 2.2.2.0/24 proto tcp dport 80</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
@ -557,69 +596,61 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="dnat"><h3><b>dnat</b> [to] <font color="red"><target></font> [optional rule parameters]</h3></a>
|
||||
The <b>dnat</b> helper sets up a Destination NAT rule for routed traffic, by calling<br>
|
||||
<b>nat to-destination <target> [optional rule parameters]</b>
|
||||
<a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red"><port> <user></font> [optional rule parameters]</h3></a>
|
||||
The <b>transparent_squid</b> helper sets up trasparent caching for HTTP traffic.
|
||||
The squid proxy is assumed to be running on the firewall host at port <b>port</b> (normally port is <b>squid</b>), with the credentials of the local user <b>user</b> (normally user is <b>squid</b>).
|
||||
<p>
|
||||
See the <a href="#nat">nat</a> helper.
|
||||
The <b>transparent_squid</b> helper can be used for two kinds of traffic:
|
||||
<ul>
|
||||
<li>Incomming HTTP traffic, either targeted to the firewall host or passing through the firewall host.
|
||||
<br>The optional rule parameters can be used to specify which kind of <b>incomming</b> traffic to be catched
|
||||
(by using <a href="#inface">inface</a>, <a href="#src">src</a>, <a href="#dst">dst</a>, etc --
|
||||
<a href="#outface">outface</a> should not be used here, because the rules generated are placed before
|
||||
the routing decision and therefore the outgoing interface is not yet known).
|
||||
<p>
|
||||
If no optional rule parameters are given, then the transparent
|
||||
cache will be setup on <b>all network interfaces for all HTTP traffic</b> (use this with care since you are
|
||||
risking to serve requests from the internet using your squid).
|
||||
<br>
|
||||
</li>
|
||||
<li>Locally generated outgoing HTTP traffic, except HTTP traffic generated by processes running as the <b>user</b> argument.
|
||||
The optional rule parameters <a href="#inface">inface</a>, <a href="#outface">outface</a> and <a href="#src">src</a> are
|
||||
ignored for this type of traffic.
|
||||
<p>
|
||||
This kind of matching makes it possible to support transparent caching for WEB browsers running on the firewall
|
||||
host, as far as they do not run as the user excluded. More that one users can be specified by space-separating
|
||||
and enclosing them in double quotes.
|
||||
<p>
|
||||
This rule can be disabled by specifing as user the empty string: <b>""</b>
|
||||
<br>
|
||||
</li>
|
||||
</ul>
|
||||
<p>
|
||||
Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="redirect"><h3><b>redirect</b> [to] <font color="red"><target></font> [optional rule parameters]</h3></a>
|
||||
The <b>redirect</b> helper catches all incomming traffic matching the optional rule parameters given and
|
||||
redirects it to ports on the local host, by calling<br>
|
||||
<b>nat redirect-to <target> [optional rule parameters]</b>
|
||||
<p>
|
||||
See the <a href="#nat">nat</a> helper.
|
||||
<p>
|
||||
Example: <b>redirect to 8080 inface eth0 src 2.2.2.0/24 proto tcp dport 80</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="mac"><h3><b>mac</b> <font color="red"><IP></font> <font color="red"><MAC></font></h3></a>
|
||||
The <b>mac</b> helper verifies that all traffic <b>comming in</b> with source the <b>IP</b> address, comes from the
|
||||
<b>MAC</b> address. The helper applies its rules to filter/INPUT and filter/FORWARD and checks the source IP address
|
||||
in combination with the source MAC address.
|
||||
<p>
|
||||
The same MAC address is allowed to use other IPs; only the specific IP is required to be used with the specified MAC
|
||||
address.
|
||||
<p>
|
||||
Packets with the given IP address but with wrong MAC address will be DROPped and a log (as in <A HREF="#loglimit">loglimit</a>)
|
||||
with label "MAC MISSMATCH" will appear in the system logs.
|
||||
<p>
|
||||
This helper has to be used before all interface or router statements. Of course, you can use as many mac statements as you wish.
|
||||
<p>
|
||||
Example: <b>mac 195.97.5.202 00:02:8a:21:a9:d8</b>
|
||||
Of course, make sure that your firewall allows requests to reach your proxy server.
|
||||
<p>
|
||||
Example 1: <b>transparent_squid 3128 squid inface eth0 src 10.0.0.0/8</b>
|
||||
<br>Example 2: <b>transparent_squid 8080 "squid privoxy root bin" inface not "ppp+ ipsec+" dst not "a.not.proxied.server"</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="blacklist"><h3><b>blacklist</b> [option] <font color="red"><IPs></font></h3></a>
|
||||
The <b>blacklist</b> helper creates a blacklist for the <b>IP</b> addresses given. It supports two modes of operation
|
||||
based on the option given (or the absence of it).
|
||||
<a name="version"><h3><b>version</b> <font color="red"><number></font></h3></a>
|
||||
<H4>Description</H4>
|
||||
The <b>version</b> command states the FireHOL <u>release</u> the configuration file was
|
||||
created for. In case the configuration file is newer than FireHOL, FireHOL will deny
|
||||
to run it.
|
||||
<p>
|
||||
The option can be:
|
||||
<ul>
|
||||
<li>one of the words <b>them, him, her, it, this, these, input</b> in which case it will generate a unidirectional
|
||||
statefull blacklist, meaning that you will be able to ask (initiate connections) anything from them,
|
||||
but they will not be able to ask (initiate connections) anything from you or the remote hosts you protect (routing).
|
||||
<br>
|
||||
</li>
|
||||
<li>one of the words <b>all, full</b> or ommitted (no option given), in which case FireHOL will create bidirectional
|
||||
stateless rules that will DROP all traffic comming in from these IPs and will REJECT all traffic going to them.
|
||||
</li>
|
||||
<p>
|
||||
</ul>
|
||||
The blacklist helper affects both interfaces and routers and can be used as many times as needed, but before the first interface statement.
|
||||
The blacklist helper accepts multiple IPs both as one quoted and space separated list and as separate arguments.
|
||||
This command is here to allow you or anyone else design and distribute FireHOL configuration files, while
|
||||
ensuring that the correct FireHOL version is going to run them.
|
||||
<p>
|
||||
|
||||
Example 1: <b>blacklist this "195.97.5.202 10.1.1.1"</b> # please note the quotes<br>
|
||||
Example 2: <b>blacklist full 195.97.5.202 10.1.1.1</b> # please note the absence of quotes<br>
|
||||
Since FireHOL configurations are BASH script, it is relatively easy to use FireHOL configurations as small
|
||||
scripts that dynamically process rules stored in a database, in a file system as separate files, or elsewhere.
|
||||
This directive will help the developers of FireHOL configurations to control the required version of
|
||||
FireHOL.
|
||||
<p>
|
||||
The FireHOL release is increased every time the format of the configuration file and the internals of FireHOL are changed.
|
||||
<p>
|
||||
Since FireHOL v1.67 <b>version</b> is not required to be present in every configuration file.
|
||||
<p>
|
||||
|
||||
<table border=0 cellpadding=10 cellspacing=0 width="100%"><tr bgcolor="#777777"><td align=center><font color="white"><b><big><a name="actions">Actions</a></td</tr></table>
|
||||
@ -1252,7 +1283,7 @@ about optional rule parameters that should not be used in certain commands.
|
||||
<tr><td align=center valign=middle>
|
||||
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
|
||||
</td><td align=center valign=middle>
|
||||
<small>$Id: commands.html,v 1.38 2003/08/23 23:26:50 ktsaou Exp $</small>
|
||||
<small>$Id: commands.html,v 1.39 2003/09/13 01:03:46 ktsaou Exp $</small>
|
||||
<p>
|
||||
<b>FireHOL</b>, a firewall for humans...<br>
|
||||
© Copyright 2003
|
||||
|
31
firehol.sh
31
firehol.sh
@ -10,7 +10,7 @@
|
||||
#
|
||||
# config: /etc/firehol/firehol.conf
|
||||
#
|
||||
# $Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
|
||||
#
|
||||
FIREHOL_FILE="${0}"
|
||||
|
||||
@ -1334,6 +1334,27 @@ blacklist() {
|
||||
return 0
|
||||
}
|
||||
|
||||
mark_count=0
|
||||
mark() {
|
||||
work_realcmd=($FUNCNAME "$@")
|
||||
|
||||
set_work_function -ne "Initializing $FUNCNAME"
|
||||
|
||||
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
|
||||
|
||||
local num="${1}"; shift
|
||||
local where="${1}"; shift
|
||||
test -z "${where}" && where=OUTPUT
|
||||
|
||||
mark_count=$[mark_count + 1]
|
||||
|
||||
set_work_function "Setting up rules for MARK"
|
||||
|
||||
create_chain mangle "mark.${mark_count}" "${where}" "$@" action "mark.${mark_count}" || return 1
|
||||
iptables -t mangle -A "mark.${mark_count}" -j MARK --set-mark ${num}
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
@ -3610,7 +3631,7 @@ case "${arg}" in
|
||||
else
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
$Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
|
||||
@ -3796,7 +3817,7 @@ then
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
|
||||
$Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -4091,7 +4112,7 @@ then
|
||||
|
||||
${CAT_CMD} >&2 <<EOF
|
||||
|
||||
$Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -4184,7 +4205,7 @@ EOF
|
||||
echo "# "
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
# $Id: firehol.sh,v 1.153 2003/08/31 22:21:49 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.154 2003/09/13 01:03:46 ktsaou Exp $
|
||||
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
# FireHOL is distributed under GPL.
|
||||
# Home Page: http://firehol.sourceforge.net
|
||||
|
Loading…
Reference in New Issue
Block a user