[Nufw-devel] nupyf with manual rules


From: Glen Ogilvie
Subject: [Nufw-devel] nupyf with manual rules
Date: Tue, 10 Feb 2009 23:29:35 +1300 (NZDT)

Hi,

I've had a look at how nupyf works, and now understand it a little.

Our problem is, we want to add some FORWARD rules manually to our firewall 
ruleset, and keep it managed with nuface.  These rules should be after all 
targets are defined, and after the established/related and invalid rules. We 
also can't add them at the end of the ruleset using filter_wd.rules.post, 
because it has default drop rules; our rules get appended after that, so they 
never get any traffic.



In: scripts/nupyf

Currently, dispatch (forward) rules are created in the below function in 
scripts/nupyf

file: scripts/nupyf, line: 407
    def createIptablesCommands(self):
        if self.options.ulog:
            log_type = 'ulog'
        else:
            log_type = 'log'
        fwp = FWipt(self.myfw, logtype = log_type)
        rules_create = fwp.create_ipt_chains()
        rules_connect = fwp.connect_chains()

        input_rules, output_rules, srules = fwp.gen_rules(rescue = self.options.rescue)
        intro = "#Generated by nupyf on %s from %s\n\n" % (
            datetime.now(), self.acl_filename)
        if self.options.dispatch:
            try_write_file(self.options.dispatch, intro, '#DISPATCH and DEFAULT Rules%s'%(linesep), rules_create, rules_connect)


if we did something like
===
        if self.options.dispatch:
            try_write_file(self.options.dispatch, intro, '#DISPATCH Rules%s'%(linesep), rules_create)
            try_write_file(self.options.dispatch_connect, intro, '#DEFAULT Rules%s'%(linesep), rules_connect)


This would allow insertion of rules after targets are created, but before any 
forward rules. (would also require self.options.dispatch_connect defined, and 
changes to init-firewall)

However, we would like to add rules at the end, but before the drop, or after 
the established and related packets rules. I expect other users may have 
reasons for both of these cases.

To do this, we need to look into def connect_chains(self): in 
scripts/nupyf/ipt.py

Currently, the return line is:


file: scripts/nupyf/ipt.py, line: 317
        return estrel + invalid + s_sorted_vpn + s_sorted_forward + s_sorted_input +\
               s_sorted_output + s_sorted_ininternet + s_sorted_outinternet +\
               s_sorted_internet + linesep + sloopback + linesep +\
               default_log_drop + linesep

So, currently, I am thinking if the connect_chains function had a way we could 
tell it to insert our rules in a particular place, that would be good.

Otherwise, what about splitting it out, so that we end up with separate 
functions to return estrel + invalid, and default_log_drop.

Suggestions on the best way to do this would be really good. 
I would like to get something that can end up in nuface, so I don't end up 
having to have my own version of scripts/nupyf/ipt.py

Regards
-- 
Glen Ogilvie
Open Systems Specialists
Level 1, 162 Grafton Road
http://www.oss.co.nz/

Ph: +64 9 984 3000
Mobile: +64 21 684 146
GPG Key: ACED9C17
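One way the "insert our rules in a particular place" idea from the message above could look, as an added example that is not nupyf's or nuface's own code: a connect_chains-style assembler with two named hook slots, one right after the established/related and invalid rules and one just before the default log/drop rules. The slot names, the function names and the sample iptables lines are all assumptions made here for illustration.

```python
# Added example (not nupyf's own code): connect_chains()-style assembly
# with named hook slots so admin-written FORWARD rules land after the
# state rules or before the default log/drop rules, never after the drop.
from os import linesep

# Fixed order of the segments connect_chains() concatenates, plus the
# two hook slots a caller may fill. Names are assumptions for this example.
SLOT_ORDER = [
    "estrel", "invalid", "after_estrel",          # hook: after state rules
    "vpn", "forward", "input", "output",
    "ininternet", "outinternet", "internet",
    "loopback", "before_drop",                    # hook: before default drop
    "default_log_drop",
]
HOOK_SLOTS = {"after_estrel", "before_drop"}

def connect_chains_with_hooks(segments, hooks=None):
    """Join rule segments in SLOT_ORDER, splicing caller rules into hook slots.

    segments: dict slot -> list of rule lines (what nupyf would generate)
    hooks:    dict hook slot -> list of rule lines supplied by the admin
    An unknown hook name raises instead of silently dropping the rules.
    """
    hooks = dict(hooks or {})
    unknown = set(hooks) - HOOK_SLOTS
    if unknown:
        raise ValueError("unknown hook slot(s): %s" % ", ".join(sorted(unknown)))
    lines = []
    for slot in SLOT_ORDER:
        source = hooks if slot in HOOK_SLOTS else segments
        lines.extend(source.get(slot, []))
    return linesep.join(lines) + linesep

def rule_position(ruleset, needle):
    """Index of the first rule line containing needle; -1 if absent."""
    for i, line in enumerate(ruleset.splitlines()):
        if needle in line:
            return i
    return -1

# Constructed sample segments: a minimal stand-in for nupyf's output.
SAMPLE_SEGMENTS = {
    "estrel": ["-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"],
    "invalid": ["-A FORWARD -m state --state INVALID -j DROP"],
    "forward": ["-A FORWARD -j forward_chain"],
    "default_log_drop": ["-A FORWARD -j LOG --log-prefix 'drop '", "-A FORWARD -j DROP"],
}
# Constructed admin rule: allow mail relay from the DMZ, placed before the drop.
MANUAL_RULES = {"before_drop": ["-A FORWARD -i eth1 -o eth2 -p tcp --dport 25 -j ACCEPT"]}
```

Placing the same rule in "after_estrel" instead moves it ahead of the generated forward rules, which is the other case the message asks for.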



