[Firehol-devs] user-defined chains

Costa Tsaousis costa at tsaousis.gr
Mon Aug 20 03:28:03 BST 2007


Andrew Schulman wrote:
> If I understand correctly, to use a custom chain in this way would send
> traffic through it that's going in both directions.  For example, in
>
> interface eth0 lan
>    client all mathieu user mathieu
>
> firehol will insert rules in both the in_lan and out_lan chains, directing
> traffic for user mathieu into the mathieu chain.  What this means is that no
> source or destination ports, IP addresses, or interfaces can be used in rules
> in that chain, because you don't know whether e.g. a given port will be the
> source or destination port-- it will be both at different times for traffic
> that passes through that chain.  Am I correct?
>
> Unfortunately this matters to me because I want to block traffic on certain
> ports, e.g. chat and email when Mathieu should be doing his homework.  In the
> current setup this isn't possible.
>
> One possible solution would be to have e.g. the "client" statement interpret
> any action that's a chain as really two actions: in_${action} for input rules,
> and out_${action} for output rules.  Then I could set up separate action
> chains in_mathieu and out_mathieu.  But this might not work or might break
> "client" in other ways.
>   
Andrew, I must be missing something.
To my understanding you can do what you describe with the current 
implementation.
Could you please provide an example case that the current FireHOL cannot 
do, in order to help me understand?

Costa
