[Firehol-devs] user-defined chains
Costa Tsaousis
costa at tsaousis.gr
Thu Jul 26 23:07:25 BST 2007
Andrew Schulman wrote:
>
> Right, this is a little tricky. IOW, should "action chain mathieu" create
> just one "mathieu" chain, or should it create parallel "in_mathieu" and
> "out_mathieu" chains, as elsewhere in firehol? I'm not sure, but I think
> that two chains would make sense. In my hand-built firewall, I almost
> always do this-- when I have to create a separate chain, I actually make
> two, one for input and one for output.
>
> If that were the case, then e.g. "client" commands would make sense under
> "action chain". But it would require more reworking of the code, I agree.
>
Well, given the FireHOL philosophy I can't figure out what a server or
client statement (i.e. service rule) will do in action chains or in any
other element outside interfaces and routers, for filtering traffic.
This is why I preferred not to have 2 chains, but only one. The only
reason for the action chain is to just make the decision smarter, not to
implement the traffic matching rules that should be in interfaces and
routers.
I truly understand the need for firehol rules in action chains however.
I could write a wrapper around the function rule() which will
effectively allow firehol directives in action chains.
Something like this:

    action chain mathieu
    action reject custom "..."
    action accept src "A B C" dst "D E F"
    action return # which could also be the default rule in order to be committed
The above would be easy to implement. What will require some more work
is to modify rule() in order to support time, condition and other
modules, and to find a CLI way of altering the action chains without
restarting the whole firewall or to write all the documentation to
support this feature effectively.
The whole package requires some time I don't currently have. Anyway,
I'll keep it open until there is some more demand for it...
Costa
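As an added illustration (not FireHOL code and not part of this thread), here is what the single-chain proposal above would expand to in iptables terms: one user-defined chain that only decides, with the traffic match kept in the interface rule that jumps to it. The chain name, the addresses standing in for "A B C" / "D E F", the options standing in for the elided custom "..." and the interface "eth0" are all constructed; the commands are echoed rather than executed.

```shell
#!/bin/sh
# Added example: expand a proposed "action chain" block into iptables
# commands. Nothing here is run against a live firewall; every rule is
# printed so the expansion can be inspected (and checked) offline.

IPT="iptables"   # assumption: name of the iptables binary; only echoed

# Emit the rules of one decision chain, mirroring the proposed block:
#   action reject custom "..."             -> REJECT with pass-through options
#   action accept src "A B C" dst "D E F"  -> one ACCEPT per src/dst pair
#   action return                          -> RETURN to the calling chain
action_chain() {
    chain="$1"
    echo "$IPT -t filter -N $chain"
    # "custom" options are constructed here in place of the original "..."
    echo "$IPT -t filter -A $chain -p tcp --dport 23 -j REJECT --reject-with tcp-reset"
    # constructed stand-ins for the A B C / D E F address lists
    for s in 10.0.0.1 10.0.0.2 10.0.0.3; do
        for d in 192.0.2.1 192.0.2.2 192.0.2.3; do
            echo "$IPT -t filter -A $chain -s $s -d $d -j ACCEPT"
        done
    done
    # RETURN hands the decision back; nothing is silently dropped here
    echo "$IPT -t filter -A $chain -j RETURN"
}

# The traffic match stays where FireHOL puts it, in the interface or
# router rule; that rule just jumps to the decision chain.
interface_jump() {
    chain="$1"; dev="$2"
    echo "$IPT -t filter -A INPUT -i $dev -j $chain"
}

# Number of rules appended to a chain by action_chain (for checking).
rule_count() {
    action_chain "$1" | grep -c -- "-A $1 "
}

# Usage: print the full expansion for a chain named "mathieu".
action_chain mathieu
interface_jump mathieu eth0
```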