Structure of fwsnort.sh

The Bourne shell script fwsnort.sh that fwsnort generates in /etc/fwsnort/ is divided into five sections. The first section is a header built from comments. It includes a short blurb about the purpose of the script, the command-line arguments given to fwsnort to generate fwsnort.sh, and the version of fwsnort:

[iptablesfw]# cat /etc/fwsnort/
#!/bin/sh
# File: /etc/fwsnort/
# Purpose: This script was auto-generated by fwsnort and implements an
# iptables ruleset based upon Snort rules. For more information,
# see the fwsnort man page or the documentation available at

# Generated with: fwsnort -no-ipt-sync
# Generated on host: iptablesfw
# Generated at: Sun Jul 15 23:12:43 2007
# Author: Michael Rash <[email protected]>

The second section of the script defines paths to the iptables and echo system binaries. These paths are inherited from the iptablesCmd and echoCmd keywords in the fwsnort.conf configuration file, and fwsnort checks that the paths make sense before building fwsnort.sh. However, the script does not necessarily have to be executed on the same system where fwsnort is installed. In fact, from a security perspective, it is better not to install Perl, or any other highly capable interpreter or compiler, on a dedicated firewall device unless it is strictly necessary from an operations perspective. The configuration section allows the paths to be tweaked easily for the eventual system on which fwsnort.sh is deployed:

ECHO=/bin/echo
IPTABLES=/sbin/iptables

The third section in fwsnort.sh is responsible for building dedicated iptables chains for fwsnort rules. All fwsnort rules, with the exception of the jump rules discussed below, are added to these custom chains to maintain strict separation from any existing iptables policy.

The names given to fwsnort chains broadly describe the type of traffic inspection that is performed within each chain. For example, the FWSNORT_INPUT chain is for the inspection of traffic that is directed at the local system and is therefore governed by the iptables INPUT chain. Similarly, the FWSNORT_OUTPUT chain only applies to packets that originate from the firewall system itself (via the OUTPUT chain), and the FWSNORT_FORWARD chain governs packets that are destined to be forwarded through the local system (via the FORWARD chain).
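The path section and the chain-building section described above can be sketched together as follows. This is an added example, not the script fwsnort generates: the function names check_paths and build_chains and the "apply" argument are assumptions made for illustration, while the ECHO and IPTABLES variables and the three chain names come from the text.

```shell
#!/bin/sh
# Added illustration; not output of fwsnort.

# Configuration section: override these for the host the script is deployed on,
# e.g.  IPTABLES=/usr/sbin/iptables sh this-script apply
ECHO=${ECHO:-/bin/echo}
IPTABLES=${IPTABLES:-/sbin/iptables}

# Dedicated chains, kept separate from the existing INPUT/OUTPUT/FORWARD policy.
FWSNORT_CHAINS="FWSNORT_INPUT FWSNORT_OUTPUT FWSNORT_FORWARD"

# check_paths (hypothetical helper): refuse to continue if either binary is
# missing on this host, which is the likely failure when the script was
# generated on a different machine than the firewall.
check_paths() {
    for bin in "$ECHO" "$IPTABLES"; do
        if [ ! -x "$bin" ]; then
            printf 'missing or not executable: %s\n' "$bin" >&2
            return 1
        fi
    done
}

# build_chains (hypothetical helper): create each chain, then flush it.
# -N fails when the chain already exists, so that error is ignored; the -F
# that follows empties the chain, which makes reruns start from a clean state
# without touching rules in any other chain.
build_chains() {
    for chain in $FWSNORT_CHAINS; do
        "$IPTABLES" -N "$chain" 2>/dev/null || true
        "$IPTABLES" -F "$chain" || return 1
    done
}

# Only modify the running policy when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    check_paths || exit 1
    "$ECHO" "[+] Building fwsnort chains"
    build_chains || exit 1
fi
```

Running it with the apply argument requires root on a host with iptables; without the argument it only defines the functions.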
