[Firehol-devs] user-defined chains

Costa Tsaousis costa at tsaousis.gr
Thu Jul 26 23:07:25 BST 2007


Andrew Schulman wrote:
>
> Right, this is a little tricky.  IOW, should "action chain mathieu" create
> just one "mathieu" chain, or should it create parallel "in_mathieu" and
> "out_mathieu" chains, as elsewhere in firehol?  I'm not sure, but I think
> that two chains would make sense.  In my hand-built firewall, I almost
> always do this-- when I have to create a separate chain, I actually make
> two, one for input and one for output.
>
> If that were the case, then e.g. "client" commands would make sense under
> "action chain".  But it would require more reworking of the code, I agree.
>   
Well, given the FireHOL philosophy, I can't figure out what a server or 
client statement (i.e. service rule) will do in action chains or in any 
other element outside interfaces and routers, for filtering traffic. 
This is why I preferred not to have 2 chains, but only one. The only 
reason for the action chain is to just make the decision smarter, not to 
implement the traffic matching rules that should be in interfaces and 
routers.

I truly understand the need for firehol rules in action chains, however.
I could write a wrapper around the function rule() which will 
effectively allow firehol directives in action chains.
Something like this:

action chain mathieu
    action reject custom "..."
    action accept src "A B C" dst "D E F"
    action return # which could also be the default rule in order to be committed

The above would be easy to implement. What will require some more work 
is to modify rule() in order to support time, condition and other 
modules, and to find a CLI way of altering the action chains without 
restarting the whole firewall or to write all the documentation to 
support this feature effectively.

The whole package requires some time I don't currently have. Anyway, 
I'll keep it open until there is some more demand for it...

Costa
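As an added illustration (not FireHOL code and not part of the thread), the following POSIX shell script emulates the proposed "action chain" syntax by emitting the iptables commands such a chain would need: a user-defined chain, one rule per (src, dst) pair for multi-valued lists, a verbatim "custom" match, and a RETURN default. The chain name "mathieu" comes from the message; the addresses standing in for A..F, the function names and the dry-run IPT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not FireHOL code: emulate the "action chain" syntax from the
# message by printing the iptables commands it would require. IPT defaults to
# a dry-run "echo iptables" so nothing touches the live firewall; set
# IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# action_chain NAME: create (or reset) the user-defined chain NAME in the
# filter table.
action_chain() {
    $IPT -N "$1"
    $IPT -F "$1"
}

# chain_rule CHAIN ACTION [src "A B"] [dst "C D"] [custom "..."]
# ACTION is accept, reject or return. Multi-valued src/dst lists expand to
# one iptables rule per (src,dst) pair; "custom" is passed through verbatim
# as extra match arguments (hypothetical keyword set chosen for this example).
chain_rule() {
    chain="$1"
    target=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    shift 2
    srcs="-"; dsts="-"; custom=""
    while [ $# -gt 0 ]; do
        case "$1" in
            src)    srcs="$2";   shift 2 ;;
            dst)    dsts="$2";   shift 2 ;;
            custom) custom="$2"; shift 2 ;;
            *) echo "chain_rule: unknown keyword '$1'" >&2; return 1 ;;
        esac
    done
    for s in $srcs; do
        for d in $dsts; do
            set --
            if [ "$s" != "-" ]; then set -- "$@" -s "$s"; fi
            if [ "$d" != "-" ]; then set -- "$@" -d "$d"; fi
            # $custom is intentionally unquoted so "-p tcp --dport 23"
            # splits into separate iptables arguments.
            $IPT -A "$chain" "$@" $custom -j "$target"
        done
    done
}

# The chain from the message, with assumed addresses in place of A..F:
action_chain mathieu
chain_rule mathieu reject custom "-p tcp --dport 23"
chain_rule mathieu accept src "10.0.0.1 10.0.0.2" dst "192.0.2.10 192.0.2.11"
chain_rule mathieu return   # default rule: hand control back to the caller
```

Run as-is it prints the iptables invocations; the accept line expands to four rules, which is the cost of list-valued src/dst that a real implementation would have to accept or collapse into ipset matches.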
