2004-01-31 17:11:22 +01:00
#
# Shorewall 2.1 /etc/shorewall/action.template
#
#       This file is a template for files with names of the form
#       /etc/shorewall/action.<action-name> where <action> is an
#       ACTION defined in /etc/shorewall/actions.
#
#       To define a new action:
#
#       1. Add the <action name> to /etc/shorewall/actions
#       2. Copy this file to /etc/shorewall/action.<action name>
#       3. Add the desired rules to that file.
#
#       Columns are:
#
#
#       TARGET          ACCEPT, DROP, REJECT, LOG, QUEUE or a
#                       previously-defined <action>
#
#                       ACCEPT   -- allow the connection request
#                       DROP     -- ignore the request
#                       REJECT   -- disallow the request and return an
#                                   icmp-unreachable or an RST packet.
#                       LOG      -- Simply log the packet and continue.
#                       QUEUE    -- Queue the packet to a user-space
#                                   application such as p2pwall.
#                       CONTINUE -- Discontinue processing this action
#                                   and return to the point where the
#                                   action was invoked.
#                       <action> -- An <action> defined in
#                                   /etc/shorewall/actions. The <action>
#                                   must appear in that file BEFORE the
#                                   one being defined in this file.
#
#                       The TARGET may optionally be followed
#                       by ":" and a syslog log level (e.g., REJECT:info or
#                       ACCEPT:debugging). This causes the packet to be
#                       logged at the specified level.
#
#                       The special log level 'none' does not result in logging
#                       but rather exempts the rule from being overridden by a
#                       non-forcing log level when the action is invoked.
#
#                       You may also specify ULOG (must be in upper case) as a
#                       log level. This will log to the ULOG target for routing
#                       to a separate log through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       Actions specifying logging may be followed by a
#                       log tag (a string of alphanumeric characters) which
#                       is appended to the string generated by the
#                       LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#                       Example: ACCEPT:info:ftp would include 'ftp '
#                       at the end of the log prefix generated by the
#                       LOGPREFIX setting.
#
#       SOURCE          Source hosts to which the rule applies.
#                       A comma-separated list of subnets
#                       and/or hosts. Hosts may be specified by IP or MAC
#                       address; MAC addresses must begin with "~" and must use
#                       "-" as a separator.
#
#                       192.168.2.2              Host 192.168.2.2
#
#                       155.186.235.0/24         Subnet 155.186.235.0/24
#
#                       192.168.1.1,192.168.1.2
#                                                Hosts 192.168.1.1 and
#                                                192.168.1.2.
#                       ~00-A0-C9-15-39-78       Host with
#                                                MAC address 00:A0:C9:15:39:78.
#
#                       Alternatively, clients may be specified by interface
#                       name. For example, eth1 specifies a
#                       client that communicates with the firewall system
#                       through eth1. This may be optionally followed by
#                       another colon (":") and an IP/MAC/subnet address
#                       as described above (e.g., eth1:192.168.1.5).
#
#       DEST            Location of Server. Same as above with the exception that
#                       MAC addresses are not allowed.
#
#                       Unlike in the SOURCE column, you may specify a range of
#                       up to 256 IP addresses using the syntax
#                       <first ip>-<last ip>.
#
#       PROTO           Protocol - Must be "tcp", "udp", "icmp", a number, or
#                       "all".
#
#       DEST PORT(S)    Destination Ports. A comma-separated list of Port
#                       names (from /etc/services), port numbers or port
#                       ranges; if the protocol is "icmp", this column is
#                       interpreted as the destination icmp-type(s).
#
#                       A port range is expressed as <low port>:<high port>.
#
#                       This column is ignored if PROTOCOL = all but must be
#                       entered if any of the following fields are supplied.
#                       In that case, it is suggested that this field contain
#                       "-"
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the CLIENT PORT(S) list below:
#                       1. There are 15 or fewer ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       SOURCE PORT(S)  (Optional) Port(s) used by the client. If omitted,
#                       any source port is acceptable. Specified as a comma-
#                       separated list of port names, port numbers or port
#                       ranges.
#
#                       If you don't want to restrict client ports but need to
#                       specify an ADDRESS in the next column, then place "-"
#                       in this column.
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the DEST PORT(S) list above:
#                       1. There are 15 or fewer ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       RATE LIMIT      You may rate-limit the rule by placing a value in
#                       this column:
#
#                       <rate>/<interval>[:<burst>]
#
#                       where <rate> is the number of connections per
#                       <interval> ("sec" or "min") and <burst> is the
#                       largest burst permitted. If no <burst> is given,
#                       a value of 5 is assumed. There may be no
#                       whitespace embedded in the specification.
#
#                       Example: 10/sec:20
#
#       USER/GROUP      This column may only be non-empty if the SOURCE is
#                       the firewall itself.
#
#                       The column may contain:
#
#                       [!][<user name or number>][:<group name or number>]
#
#                       When this column is non-empty, the rule applies only
#                       if the program generating the output is running under
#                       the effective <user> and/or <group> specified (or is
#                       NOT running under that id if "!" is given).
#
#                       Examples:
#
#                       joe         #program must be run by joe
#                       :kids       #program must be run by a member of
#                                   #the 'kids' group
#                       !:kids      #program must not be run by a member
#                                   #of the 'kids' group
#
######################################################################################
#TARGET         SOURCE          DEST            PROTO   DEST    SOURCE  RATE    USER/
#                                                       PORT    PORT(S) LIMIT   GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
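The column rules documented in the template above are easy to get subtly wrong when writing an action file by hand (a MAC address in DEST, an address range in SOURCE, a USER/GROUP entry on a rule whose SOURCE is not the firewall, a malformed RATE LIMIT). The following Python script is an added example, not part of Shorewall or of this template: it parses a constructed sample action file, applies those documented rules to each line, and also reports whether a port list satisfies the multi-port conditions (15 or fewer ports, no ranges) under which a single Netfilter rule is generated. It assumes that `$FW` in the SOURCE column denotes the firewall itself; the template does not say how that is spelled, so treat `FIREWALL` as a placeholder. The sample rules and the `Example` action name are constructed for illustration.

```python
"""Lint a Shorewall 2.1 action.<name> file against the rules in action.template.
Added example, not Shorewall code. Assumption: SOURCE == "$FW" means the firewall."""
import ipaddress
import re

TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE", "CONTINUE"}
PROTOS = {"tcp", "udp", "icmp", "all"}
COLUMNS = ("TARGET", "SOURCE", "DEST", "PROTO", "DPORTS", "SPORTS", "RATE", "USER")
FIREWALL = "$FW"  # assumption: placeholder for "the firewall itself" in SOURCE
MAC_RE = re.compile(r"^~(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")  # ~XX-XX-XX-XX-XX-XX
IFACE_RE = re.compile(r"^[A-Za-z][\w.+-]*$")
RATE_RE = re.compile(r"^\d+/(?:sec|min)(?::\d+)?$")             # <rate>/<interval>[:<burst>]
USER_RE = re.compile(r"^!?[\w.-]*(?::[\w.-]*)?$")                # [!][<user>][:<group>]
TAG_RE = re.compile(r"^[A-Za-z0-9]+$")

# Constructed sample action file; lines 8-10 deliberately violate the template rules.
SAMPLE = """\
#TARGET          SOURCE                DEST                PROTO DEST      SOURCE  RATE      USER/
#                                                                PORT(S)   PORT(S) LIMIT     GROUP
ACCEPT           eth1:192.168.1.5      -                   tcp   22,80,443 -       10/sec:20
REJECT:info:ftp  192.168.1.1,~00-A0-C9-15-39-78 -          tcp   21
DROP             -                     10.0.0.1-10.0.0.20  udp   1024:2048
ACCEPT           $FW                   -                   tcp   smtp      -       -         :kids
LOG:none         -                     -                   all
ACCEPT           155.186.235.0/24      ~00-A0-C9-15-39-78  tcp   80
DROP             192.168.2.2           -                   tcp   -         -       10/hour
ACCEPT           eth1                  -                   tcp   -         -       -         joe
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def parse_rules(text):
    """Yield (line number, column dict); comments and blank lines are skipped and
    missing trailing columns become ''."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            fields += [""] * (len(COLUMNS) - len(fields))
            rules.append((lineno, dict(zip(COLUMNS, fields))))
    return rules


def parse_target(value):
    """Split TARGET[:<log level>[:<log tag>]] into (target, level, tag, errors)."""
    parts = (value.split(":") + ["", ""])[:3]
    target, level, tag = parts
    errors = []
    if value.count(":") > 2:
        errors.append(f"too many ':' in TARGET '{value}'")
    if tag and not level:
        errors.append("a log tag requires a log level")
    if tag and not TAG_RE.match(tag):
        errors.append(f"log tag '{tag}' must be alphanumeric")
    return target, level, tag, errors


def check_hosts(value, allow_mac, allow_range):
    """Validate a SOURCE or DEST column: subnets, hosts, ~MAC, iface[:addr], ranges."""
    errors = []
    if value in ("", "-", FIREWALL):
        return errors
    for item in value.split(","):
        addr = item
        if ":" in item and not item.startswith("~"):
            iface, addr = item.split(":", 1)
            if not IFACE_RE.match(iface):
                errors.append(f"bad interface name '{iface}'")
        if addr.startswith("~"):
            if not allow_mac:
                errors.append(f"MAC address '{addr}' is not allowed in DEST")
            elif not MAC_RE.match(addr):
                errors.append(f"MAC must be ~XX-XX-XX-XX-XX-XX, got '{addr}'")
        elif "-" in addr:
            first, _, last = addr.partition("-")
            try:
                span = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
            except ValueError:
                errors.append(f"bad address range '{addr}'")
                continue
            if not allow_range:
                errors.append(f"address range '{addr}' is only allowed in DEST")
            elif not 1 <= span <= 256:
                errors.append(f"range '{addr}' spans {span} addresses (limit 256)")
        else:
            try:
                ipaddress.ip_network(addr, strict=False)
            except ValueError:
                if not IFACE_RE.match(addr):
                    errors.append(f"bad host/subnet '{addr}'")
    return errors


def multiport_single_rule(ports):
    """True when a port list meets the template's conditions for one Netfilter rule."""
    if ports in ("", "-"):
        return True
    items = ports.split(",")
    return len(items) <= 15 and not any(":" in p for p in items)


def validate_rule(cols, defined_actions=()):
    """Return the list of rule-level errors for one parsed line."""
    target, _level, _tag, errors = parse_target(cols["TARGET"])
    if target not in TARGETS and target not in defined_actions:
        errors.append(f"unknown TARGET '{target}' (not built in or previously defined)")
    errors += check_hosts(cols["SOURCE"], allow_mac=True, allow_range=False)
    errors += check_hosts(cols["DEST"], allow_mac=False, allow_range=True)
    proto = cols["PROTO"]
    if proto not in ("", "-") and proto not in PROTOS and not proto.isdigit():
        errors.append(f"bad PROTO '{proto}'")
    if cols["RATE"] not in ("", "-") and not RATE_RE.match(cols["RATE"]):
        errors.append(f"RATE LIMIT must be <rate>/<sec|min>[:<burst>], got '{cols['RATE']}'")
    if cols["USER"] not in ("", "-"):
        if cols["SOURCE"] != FIREWALL:
            errors.append("USER/GROUP is only allowed when SOURCE is the firewall")
        if not USER_RE.match(cols["USER"]):
            errors.append(f"bad USER/GROUP '{cols['USER']}'")
    return errors


def validate(text, defined_actions=()):
    """Map line number -> errors for every offending rule in an action file."""
    return {n: e for n, c in parse_rules(text) if (e := validate_rule(c, defined_actions))}


if __name__ == "__main__":
    for lineno, errs in sorted(validate(SAMPLE).items()):
        print(f"line {lineno}: " + "; ".join(errs))
```

Run stand-alone it reports the three bad sample lines (MAC address in DEST, a `10/hour` rate limit, and a USER/GROUP entry on a non-firewall SOURCE). Pass the names of actions already listed in /etc/shorewall/actions as `defined_actions` so that references to earlier-defined actions are accepted as TARGETs.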