This guide is organized according to what you want to do. Each section covers a particular task, and shows you what steps to take to accomplish that task.
To see what a module is for:
/usr/lib/modwall/tcpchk help
If you want to see the rules that will be called, without actually making them live in your firewall (note that the actual calls from INPUT, OUTPUT, and FORWARD may do some additional checks to reduce the amount of traffic processed by this chain):
/usr/lib/modwall/tcpchk create
To actually use the rules in this brick in an existing firewall, edit your firewall startup script and put one of the following lines at the point where you want the checks to take place. You'll need to choose what action(s) to take when an illegal packet is found; multiple actions are legal, and performed in the order specified:
To just keep counts of illegal packets (the safest approach):
/usr/lib/modwall/tcpchk start NONE
To actually drop the packets and send back an error:
/usr/lib/modwall/tcpchk start REJECT
To drop and log:
/usr/lib/modwall/tcpchk start LOG DROP
If you're adding this brick to an already running firewall and want to force the INPUT/OUTPUT/FORWARD calling lines to the top or bottom of those chains, add the word insert or append to one of the above lines.
To atomically replace the rules in the chain without affecting the rest of the firewall (allows you to specify new action(s) or load a new ruleset):
/usr/lib/modwall/tcpchk replace DROP
To completely shut down a chain without wiping out the rest of the firewall:
/usr/lib/modwall/tcpchk stop
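A staged rollout of the brick following the steps above, as an added example that is not part of the modwall guide: it previews the rules with create, starts the chain counting only, and later swaps to LOG DROP atomically with replace. The build_cmd helper, the whitelist of action words and the TCPCHK variable are assumptions of this example, not part of modwall.

```shell
#!/bin/sh
# Added example, not modwall's own code. Path of the brick as given in the guide;
# override TCPCHK to point elsewhere when testing.
TCPCHK=${TCPCHK:-/usr/lib/modwall/tcpchk}

# Action words the guide names; anything else is refused before the firewall is touched
# (assumption: this list is what the brick accepts).
valid_action() {
    case "$1" in
        NONE|LOG|DROP|REJECT) return 0 ;;
        *) return 1 ;;
    esac
}

# Assemble "<brick> <verb> <action...>" for start/replace, keeping the actions in the
# order given (the brick performs them in that order). Fails on an unknown action.
build_cmd() {
    verb=$1; shift
    cmd="$TCPCHK $verb"
    for a in "$@"; do
        valid_action "$a" || { echo "unknown action: $a" >&2; return 1; }
        cmd="$cmd $a"
    done
    printf '%s\n' "$cmd"
}

# Phase 1: show what would be installed, then install with NONE so only counters move.
stage_brick() {
    "$TCPCHK" create || return 1
    cmd=$(build_cmd start NONE) || return 1
    $cmd
}

# Phase 2: once the counters look sane, replace the chain's rules with LOG DROP
# without disturbing the rest of the firewall.
promote_brick() {
    cmd=$(build_cmd replace LOG DROP) || return 1
    $cmd
}
```

Run stage_brick from the firewall startup script first; promote_brick can be run later from an interactive shell once the illegal-packet counts have been reviewed.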
Optional stuff: