Hi Tom,

> >>> Second question for a different box (xen dom0): I want to add
> >>> rules for certain public IPs that have the form of iptables -t
> >>> mangle -d $dest -j TTL --ttl-inc 1 -- this would hide the
> >>> firewall from traceroute etc. to domU's. How can this be done?
> >>
> >> You will have to use an Action that either has an associated
> >> extension script or that uses BEGIN PERL...END PERL and generates
> >> the rule in Perl. /usr/share/shorewall/action.Invalid would be a
> >> good example to follow. See also
> >> http://www.shorewall.net/Actions.html.
> >>
> >
> > I should note that to use this approach, you must invoke the action
> > in the ALL section of the rules file and your iptables/kernel must
> > allow mangling in the filter table.
> >
>
> Just tried this and, although the MARK targets are allowed in the
> filter table, 'TTL' is not. So you will have to place the command in
> the 'start' extension script.
Thanks for helping out by trying this. I also have not been able to get this to work via your suggested method; I saw the same results.

Then I started to experiment a bit with action files and, following the simpler SSHKnock file and the more difficult variant, I wrote a pretty lousy Perl action file called TTLINC. Unfortunately all it does is add a chain -- trivial. I could not get it to add rules for every destination IP. Maybe it needs a 'foreach' statement, but I'm not sure.

Initially I thought that I could perhaps stick this into rules, but later I realised that mangle rules probably should reside in tcrules, and not rules. Am I correct?

Anyway, this is all probably overkill. I'll go with the start extension script.

Thanks again though,

Mark
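For readers landing on this thread later, here is what the 'start' extension script route that Tom suggested and Mark settled on can look like. This is an added example, not code from either poster or from the Shorewall project. It assumes: a list of domU public addresses in TTL_INC_DESTS (the 203.0.113.x values are constructed sample values from the documentation range); that the compiled Shorewall firewall script makes the IPTABLES variable visible to the extension script (it falls back to plain iptables if not); and that the PREROUTING chain of the mangle table is the right place for the increment, because the forwarding code checks and decrements the TTL before the FORWARD hook, so an increment there would not stop the dom0 from answering a TTL-1 probe itself. It also adds the check that was missing from the thread: it probes a scratch chain to confirm the TTL target is actually usable in the mangle table on this kernel before installing anything, instead of failing halfway through the loop.

```shell
#!/bin/sh
# /etc/shorewall/start -- hypothetical extension script (added example,
# not part of the thread or of Shorewall). Runs after the ruleset is loaded.

# Destination addresses/networks of the domUs (constructed sample values).
TTL_INC_DESTS="203.0.113.10 203.0.113.11 203.0.113.0/28"

# IPTABLES is assumed to be set by the compiled Shorewall script; fall back
# to whatever iptables is on PATH otherwise.
IPT="${IPTABLES:-iptables}"

# Emit one mangle rule per destination (printed, not executed) so the set
# can be reviewed or tested without touching the running firewall.
ttl_inc_rules() {
    for dest in $TTL_INC_DESTS; do
        printf '%s\n' "-t mangle -A PREROUTING -d $dest -j TTL --ttl-inc 1"
    done
}

# Probe whether the TTL target is available in the mangle table on this
# kernel/iptables by adding it to a scratch chain, then remove the chain.
# Returns 0 if usable, 1 otherwise.
ttl_target_available() {
    chain="ttlprobe$$"
    "$IPT" -t mangle -N "$chain" 2>/dev/null || return 1
    rc=1
    if "$IPT" -t mangle -A "$chain" -j TTL --ttl-inc 1 2>/dev/null; then
        rc=0
    fi
    "$IPT" -t mangle -F "$chain" 2>/dev/null
    "$IPT" -t mangle -X "$chain" 2>/dev/null
    return $rc
}

# Install the generated rules, but only after the probe succeeds, so a
# kernel without the TTL target leaves the mangle table untouched.
install_ttl_inc_rules() {
    if ! ttl_target_available; then
        echo "start: TTL target not usable in mangle table; no rules added" >&2
        return 1
    fi
    ttl_inc_rules | while read -r rule; do
        # word-splitting of $rule is intended here: it is the argument list
        # shellcheck disable=SC2086
        "$IPT" $rule
    done
}

# Only try to install when an iptables binary is actually present (keeps the
# script harmless when sourced on a host that is not the firewall).
if command -v "$IPT" >/dev/null 2>&1; then
    install_ttl_inc_rules || :
fi
```

On a dom0 where the probe fails, the script reports that and installs nothing, which is the same condition Tom ran into in the filter table; check it with `shorewall show mangle` after `shorewall restart` and confirm a `TTL` rule per destination is present in PREROUTING.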
