[Firehol-devs] user-defined chains

Costa Tsaousis costa at tsaousis.gr
Mon Jul 23 20:06:16 BST 2007


Andrew Schulman wrote:
>> Added helper 'action':
>>
>> action [chain <name> <action>]
>> The action helper creates an iptables chain which can be used to control
>> the action of other firewall rules during runtime.
>>
>> For example, you can setup the custom action ACT1, which by default is
>> ACCEPT, but under certain cases it can be changed to DROP, REJECT or RETURN
>> without restarting the firewall.
>>
>
> Costa, thanks.  I think that I can use this to do what I want, as long as
> the 'action chain' command accepts optional rule parameters, e.g.
>
> interface eth0
>     action chain mathieu DENY user mathieu
>
> Then I can set up e.g. cron jobs to add or remove RETURN rules to the
> 'mathieu' chains at certain times, or just do it manually when I want, as
> you describe.
>
> However what I'd also like to see is the "chain" top-level command, which
> would allow me to add rules directly to that chain within firehol, e.g.
>
> interface eth0
>     action chain mathieu DENY user mathieu
>
> chain mathieu
>     client all return custom '-m condition --condition mathieu_all_allow'
>     client all deny   custom '-m condition --condition mathieu_all_deny'
>     client all return custom '-m time --timestart 0700 --timestop 2100'
>
> To me this is a more natural way to solve the problem-- it's how I do it in
> my hand-built firewall.  It doesn't require any cron jobs, because the
> "time" match already filters on the right times.  And with the "condition"
> match, I can run e.g.
>
> echo 1 > /proc/net/nf_condition/mathieu_all_allow
>
> which I find to be more intuitive than 'iptables -A mathieu -j RETURN'.
>
> Another advantage of putting the rules into a user-defined chain is that I
> can call the chain from more than one place.  E.g. I can limit mathieu's
> traffic from an interface or through a router, with the same set of rules.
> Another example is when I have a list of clients that I want to allow on an
> interface and a router.  The natural (to me) way to do that is
>
> interface eth0
>     action chain common_clients
>     ...
>
> router eth1 eth0
>     action chain common_clients
>     ...
>
> chain common_clients
>     client ... accept
>     client ... accept
>
> Of course I can work around this by scripting to put the same rules into
> both the interface and the router.  Again it's a question of which approach
> is more natural.
>
> As the developer it's your call, of course.  I find user-defined chains to
> be a more natural way of addressing these problems.  But I think that both
> methods can be made to work.
>
> Thanks,
> Andrew.
>
Andrew,

what I did is to allow you to create custom actions for whatever you like,
which I think is more efficient and more generic.
For example, this is a firehol.conf:

---

# create the custom action 'mathieu'
action chain mathieu accept
   # put custom iptables commands for chain 'mathieu'
   iptables -F mathieu # empty the chain
   iptables -A mathieu -m condition --condition mathieu_all_allow -j ACCEPT # accept via proc
   iptables -A mathieu -m time --timestart 0700 --timestop 2100 -j ACCEPT # accept in working hours
   iptables -A mathieu -j RETURN # do whatever other rules say

interface eth0 lan
   client all mathieu user mathieu

interface eth1 wan
   client all mathieu user mathieu

router internet inface eth1 outface eth0
   client all mathieu src mathieu.pc.hostname

---

I think the above keeps the complexity of the custom action away from
the core firewall.
What would be nice too is to allow FireHOL directives instead of plain
iptables commands for controlling the results of the custom action chains.
I'll think about it...

Costa
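The following is an added example, not FireHOL code and not from either poster; it is a plain POSIX shell simulation of how a packet traverses the 'mathieu' chain in the firehol.conf above. Rules are tested in the order they were appended, the first match decides, and the final RETURN hands the packet back to the calling interface or router chain, whose remaining rules and policy then decide. The condition flag is read from a file standing in for /proc/net/nf_condition/mathieu_all_allow (a constructed path under a temporary directory; a missing file counts as 0, which is the assumed default), the time is passed in as HHMM rather than taken from the clock, and --timestop is modeled as inclusive (an assumption about the time match, stated here rather than taken from the message).

```shell
#!/bin/sh
# Added example: simulate first-match traversal of the user-defined
# chain 'mathieu' from the firehol.conf above. Not FireHOL's own code.

# nf_condition_value FILE
# Reads a 0/1 flag the way 'echo 1 > /proc/net/nf_condition/NAME' would set
# it. FILE is a constructed stand-in path; a missing file is treated as 0
# (assumed default), anything other than "1" is treated as 0.
nf_condition_value() {
    if [ -r "$1" ]; then
        read -r flag < "$1"
    else
        flag=0
    fi
    case "$flag" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# minutes_of_day HHMM -> minutes since midnight
# Leading zeros are stripped with ${x#0} so that 07 or 00 are never read
# as octal by $(( )).
minutes_of_day() {
    h=${1%??}
    m=${1#??}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# evaluate_mathieu_chain HHMM CONDITION_FILE
# Walks the three rules appended to chain 'mathieu' in order and prints
# the verdict: ACCEPT, or RETURN when no rule accepted and control goes
# back to the caller (the 'interface'/'router' chain that jumped here).
evaluate_mathieu_chain() {
    now="$1"
    cond_file="$2"
    case "$now" in
        [0-2][0-9][0-5][0-9]) ;;
        *) echo "time must be HHMM, got '$now'" >&2; return 2 ;;
    esac
    mins=$(minutes_of_day "$now")

    # Rule 1: -m condition --condition mathieu_all_allow -j ACCEPT
    if [ "$(nf_condition_value "$cond_file")" = "1" ]; then
        echo ACCEPT
        return 0
    fi

    # Rule 2: -m time --timestart 0700 --timestop 2100 -j ACCEPT
    # (modeled as 07:00 <= now <= 21:00; inclusive stop is an assumption)
    if [ "$mins" -ge 420 ] && [ "$mins" -le 1260 ]; then
        echo ACCEPT
        return 0
    fi

    # Rule 3: -j RETURN -- fall back to whatever the caller's later rules say
    echo RETURN
    return 0
}

# Demonstration with a constructed condition directory
demo_dir=$(mktemp -d)
cond="$demo_dir/mathieu_all_allow"
echo 0 > "$cond"
echo "03:00, flag 0 -> $(evaluate_mathieu_chain 0300 "$cond")"   # RETURN
echo "12:00, flag 0 -> $(evaluate_mathieu_chain 1200 "$cond")"   # ACCEPT
echo 1 > "$cond"   # the runtime toggle the message describes
echo "03:00, flag 1 -> $(evaluate_mathieu_chain 0300 "$cond")"   # ACCEPT
rm -rf "$demo_dir"
```

The order of the three rules is what makes the runtime toggle safe: the RETURN must stay last, because any rule appended after it in the chain would never be reached.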
