Shorewall users - Jan 2007 - 'temporary' or 'on the fly' rule additions/removals

Hi!

  I think gmane ate my previous posting of this - if its a dupe, I''m
sorry...

I''d like to add/remove ''temporary'' rules to a running
shorewall.  I''d
like to add a port forward to redirect web traffic when I shut my
virtual servers down for backups, etc. ("Site currently down for
maintenance please try later" type thing)

It seems silly to bounce/reload shorewall 10 times in an hour for
this, so I was just going to manually add/remove the rule from the
firewall.  However, I don''t want to break anything Shorewall setup...

So its there a specific table/chain I should add rules like this to
(shorewall creates a lot of them!)?  And should I use raw netfilter
commands, or the run_iptables thingy that comes with shorewall?

Any help would be appreciated!

Thanks and Happy New Year!
Steve

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Steve Hindle wrote:
> I''d like to add/remove ''temporary'' rules to a
running shorewall.  I''d
> like to add a port forward to redirect web traffic when I shut my
> virtual servers down for backups, etc. ("Site currently down for
> maintenance please try later" type thing)
> 
> It seems silly to bounce/reload shorewall 10 times in an hour for
> this, so I was just going to manually add/remove the rule from the
> firewall.  However, I don''t want to break anything Shorewall
setup...
> 
> So its there a specific table/chain I should add rules like this to
> (shorewall creates a lot of them!)?  And should I use raw netfilter
> commands, or the run_iptables thingy that comes with shorewall?
> 
> Any help would be appreciated!
Port Forward/Redirect rules may be *inserted* (use the ''iptables
-I''
command) into the nat table''s PREROUTING chain. Such rules will preempt
anything that Shorewall has done. You will probably also have to insert an
appropriate ACCEPT rule into the filter table INPUT chain.

Use iptables directly. ''run_iptables'' is only intended for use
in Shorewall
extension scripts.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

On 1/3/07, Tom Eastep <teastep@shorewall.net>
wrote:
> Port Forward/Redirect rules may be *inserted* (use the ''iptables
-I''
> command) into the nat table''s PREROUTING chain. Such rules will
preempt
> anything that Shorewall has done. You will probably also have to insert an
> appropriate ACCEPT rule into the filter table INPUT chain.
>
Thanks Tom - thats what I needed...

BTW, after getting bit by a co-lo provider that caches ARP addresses
for _4 Hours_, I took your proxyarp advice to heart, and converted all
the systems to proxy arp on the firewall.  Works great!

And thanks for shorewall!  Its one of the nicest pieces of software
I''ve used. Good docs, great features.. truly wonderful software :-)

Steve

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV