On Sat, 2011-09-24 at 09:00 -0700, Tom Eastep wrote:
> > Second question for a different box (xen dom0): I want to add rules for
> > certain public IPs that have the form of iptables -t mangle -d $dest -j
> > TTL --ttl-inc 1 -- this would hide the firewall from traceroute etc. to
> > domU's. How can this be done?
>
> You will have to use an Action that either has an associated extension
> script or that uses BEGIN PERL...END PERL and generates the rule in
> Perl. /usr/share/shorewall/action.Invalid would be a good example to
> follow. See also http://www.shorewall.net/Actions.html.
>
I should note that to use this approach, you must invoke the action in the ALL section of the rules file and your iptables/kernel must allow mangling in the filter chain. If you can't do that, then you will have to use the 'start' extension script and add the rule to the appropriate chain using iptables directly.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
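The second route Tom describes, adding the rule from the 'start' extension script with iptables directly, can look like the following. This is an added example, not code from the thread or from Shorewall itself. It assumes the script lives at /etc/shorewall/start (where Shorewall looks for that extension script), that the rule belongs in the mangle table's PREROUTING chain (the TTL target is only valid in the mangle table, so a chain there is assumed rather than one of Shorewall's filter chains), and that the kernel has the TTL target available. The domU addresses are constructed placeholders from the RFC 5737 test range, and the is_ipv4 and ttl_rule_spec helpers are hypothetical names chosen for this example.

```shell
#!/bin/sh
# /etc/shorewall/start (example, not Shorewall's own code)
#
# Hide the dom0 firewall hop from traceroute toward selected domU public
# addresses: packets forwarded to them get their TTL incremented by one, so
# the hop the firewall consumes is not visible to an outside observer.

# Constructed sample addresses (RFC 5737 TEST-NET-3); replace with real domU IPs.
DOMU_PUBLIC_IPS="203.0.113.10 203.0.113.11"

# Mangle-table chain for the rule (assumed); the TTL target cannot be used in
# the filter table, which is the restriction Tom's reply alludes to.
TTL_CHAIN="${TTL_CHAIN:-PREROUTING}"

# iptables binary; override with IPTABLES=echo to dry-run the commands.
IPTABLES="${IPTABLES:-iptables}"

# Accept only dotted-quad IPv4 addresses with every octet in 0..255, so a
# typo in the address list cannot turn into a malformed or overly broad rule.
is_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rule specification shared by the existence check (-C) and the append (-A),
# so both always describe exactly the same rule.
ttl_rule_spec() {
    echo "-t mangle $1 $TTL_CHAIN -d $2 -j TTL --ttl-inc 1"
}

# Add the rule for one destination, idempotently: 'shorewall restart' runs the
# start script again, and -C keeps a second copy from being appended.
add_ttl_rule() {
    if ! is_ipv4 "$1"; then
        echo "start: skipping invalid address '$1'" >&2
        return 1
    fi
    # Word splitting of the spec into separate arguments is intended here.
    if $IPTABLES $(ttl_rule_spec -C "$1") 2>/dev/null; then
        return 0
    fi
    $IPTABLES $(ttl_rule_spec -A "$1")
}

# Only touch the live ruleset when actually running as root with iptables
# present (i.e. when Shorewall is executing this as its start script).
if [ "$(id -u)" = 0 ] && command -v "$IPTABLES" >/dev/null 2>&1; then
    for ip in $DOMU_PUBLIC_IPS; do
        add_ttl_rule "$ip" || :
    done
fi
```

Two caveats for anyone deploying this: the TTL target needs the corresponding netfilter module (xt_TTL on current kernels), and incrementing the TTL only removes the firewall hop from traceroute-style path mapping; it does not change any other characteristic of the host, so it is a small reduction in topology disclosure rather than a way of making the firewall undetectable.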
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
