/
SuSEfirewall2-custom.sysconfig
84 lines (72 loc) · 3.12 KB
/
SuSEfirewall2-custom.sysconfig
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
#
# Authors: Marc Heuse,
# Volker Kuhlmann <kuhlmav@elec.canterbury.ac.nz>
#
# /etc/sysconfig/scripts/SuSEfirewall2-custom
#
# ------------------------------------------------------------------------
#
# This is file is for SuSEfirewall2 and is an example for using
# the hooks which are supplied to load customized iptables rules.
#
# THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE ! SO READ CAREFULLY !
# IT IS USEFUL TO CROSS-READ /sbin/SuSEfirewall2 TO SEE HOW HOOKS WORK !
#
# ------------------------------------------------------------------------
#
# Note: always use iptables resp ip6tables without path. You are not actually
# calling the binary here. SuSEfirewall2 internally defines an alias to
# collect all rules and apply them in batch later. Set
# FW_USE_IPTABLES_BATCH="no" if you need the rules to be applied
# immediately.
fw_custom_after_chain_creation() {
# these rules will be loaded after the various input_* and forward_* chains
# are created.
# You can use this hook to allow/deny certain IP protocols or TCP/UDP
# ports before the SuSEfirewall2 generated rules are hit.
#example: always filter backorifice/netbus trojan connect requests and log them.
#for target in LOG DROP; do
# for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
# iptables -A $chain -j $target -p tcp --dport 31337
# iptables -A $chain -j $target -p udp --dport 31337
# iptables -A $chain -j $target -p tcp --dport 12345:12346
# iptables -A $chain -j $target -p udp --dport 12345:12346
# done
#done
true
}
fw_custom_before_port_handling() {
# these rules will be loaded after the anti-spoofing and icmp handling
# and after the input has been redirected to the input_XXX and
# forward_XXX chains and some basic chain-specific anti-circumvention
# rules have been set,
# but before any IP protocol or TCP/UDP port allow/protection rules
# will be set.
# You can use this hook to allow/deny certain IP protocols or TCP/UDP
# ports before the SuSEfirewall2 generated rules are hit.
true
}
fw_custom_before_masq() { # could also be named "after_port_handling()"
# these rules will be loaded after the IP protocol and TCP/UDP port
# handling, but before any IP forwarding (routing), masquerading
# will be done.
# NOTE: reverse masquerading is before directly after
# fw_custom_before_port_handling !!!!
# You can use this hook to ... hmmm ... I'm sure you'll find a use for
# this ...
true
}
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
# these are the rules to be loaded after IP forwarding and masquerading
# but before the logging and deny all section is set by SuSEfirewall2.
# You can use this hook to prevent the logging of annoying packets.
#example: prevent logging of talk requests from anywhere
#for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
# iptables -A $chain -j DROP -p udp --dport 517:518
#done
true
}
fw_custom_after_finished() {
# these are the rules to be loaded after the firewall is fully configured
true
}