# Shorewall 2.6 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action-name> is an
# ACTION defined in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action-name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action-name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
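A complete worked instance of the three steps above, added here as an example; it is not part of the Shorewall distribution, and the action name LimitSSH, the subnet and the rate are made up. The action accepts SSH from an administrative subnet at a bounded rate, logs anything else that reaches it, and then hands control back to the rule that invoked it; the last fragment shows the action being used from /etc/shorewall/rules, which is where actions are invoked.

```text
# /etc/shorewall/actions -- step 1: declare the action (one name per line)
LimitSSH

# /etc/shorewall/action.LimitSSH -- steps 2 and 3: copy the template, add rules
#TARGET          SOURCE        DEST    PROTO   DEST    SOURCE  RATE      USER/
#                                              PORT    PORT(S) LIMIT     GROUP
ACCEPT:info:ssh  10.1.0.0/24   -       tcp     22      -       3/min:5
LOG:warning:ssh  -             -       tcp     22
CONTINUE         -             -       tcp     22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# /etc/shorewall/rules -- invoke the action like any built-in target
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
LimitSSH  net      $FW    tcp     22
```

Two points worth checking before relying on this: the rate limit only bounds new connections that match the ACCEPT line, so once the burst of 5 is exhausted further attempts fall through to the LOG line and then CONTINUE returns them to the rules file, where the net-to-firewall policy decides their fate; and the action must be listed in /etc/shorewall/actions before any rule refers to it, otherwise the rules file fails to compile.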
# Columns are:
#
# TARGET        ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE or a
#               previously-defined <action>
#
#               ACCEPT    -- allow the connection request
#               DROP      -- ignore the request
#               REJECT    -- disallow the request and return an
#                            icmp-unreachable or an RST packet.
#               LOG       -- Simply log the packet and continue.
#               QUEUE     -- Queue the packet to a user-space
#                            application such as p2pwall.
#               CONTINUE  -- Discontinue processing this action
#                            and return to the point where the
#                            action was invoked.
#               <action>  -- An <action> defined in
#                            /etc/shorewall/actions. The <action>
#                            must appear in that file BEFORE the
#                            one being defined in this file.
#
#               The TARGET may optionally be followed
#               by ":" and a syslog log level (e.g., REJECT:info or
#               ACCEPT:debug). This causes the packet to be
#               logged at the specified level.
#
#               The special log level 'none' does not result in logging
#               but rather exempts the rule from being overridden by a
#               non-forcing log level when the action is invoked.
#
#               You may also specify ULOG (must be in upper case) as a
#               log level. This will log to the ULOG target for routing
#               to a separate log through use of ulogd
#               (http://www.gnumonks.org/projects/ulogd).
#
#               Actions specifying logging may be followed by a
#               log tag (a string of alphanumeric characters) that
#               is appended to the string generated by the
#               LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#               Example: ACCEPT:info:ftp would include 'ftp '
#               at the end of the log prefix generated by the
#               LOGPREFIX setting.
#
# SOURCE        Source hosts to which the rule applies.
#               A comma-separated list of subnets
#               and/or hosts. Hosts may be specified by IP or MAC
#               address; MAC addresses must begin with "~" and must use
#               "-" as a separator.
#
#               192.168.2.2          Host 192.168.2.2
#
#               155.186.235.0/24     Subnet 155.186.235.0/24
#
#               10.0.0.4-10.0.0.9    Range of IP addresses; your
#                                    kernel and iptables must have
#                                    iprange match support.
#
#               +remote              The name of an ipset prefaced
#                                    by "+". Your kernel and
#                                    iptables must have set match
#                                    support.
#
#               +remote[4]           The name of the ipset may be
#                                    followed by a number of
#                                    levels of ipset bindings
#                                    enclosed in square brackets.
#
#               192.168.1.1,192.168.1.2
#                                    Hosts 192.168.1.1 and
#                                    192.168.1.2.
#               ~00-A0-C9-15-39-78   Host with
#                                    MAC address 00:A0:C9:15:39:78.
#
#               Alternatively, clients may be specified by interface
#               name. For example, eth1 specifies a
#               client that communicates with the firewall system
#               through eth1. This may be optionally followed by
#               a colon (":") and an IP/MAC/subnet address
#               as described above (e.g., eth1:192.168.1.5).
#
# DEST          Location of destination host. Same as above with the exception that
#               MAC addresses are not allowed and that you cannot specify
#               an ipset name in both the SOURCE and DEST columns.
#
# PROTO         Protocol - Must be "tcp", "udp", "icmp", a number, or
#               "all".
#
# DEST PORT(S)  Destination Ports. A comma-separated list of Port
#               names (from /etc/services), port numbers or port
#               ranges; if the protocol is "icmp", this column is
#               interpreted as the destination icmp-type(s).
#
#               A port range is expressed as <low port>:<high port>.
#
#               This column is ignored if PROTO = all but must be
#               entered if any of the following fields are supplied.
#               In that case, it is suggested that this field contain
#               "-"
#
#               If your kernel contains multi-port match support, then
#               only a single Netfilter rule will be generated if in
#               this list and the SOURCE PORT(S) list below:
#               1. There are 15 or fewer ports listed.
#               2. No port ranges are included.
#               Otherwise, a separate rule will be generated for each
#               port.
#
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
#               any source port is acceptable. Specified as a comma-
#               separated list of port names, port numbers or port
#               ranges.
#
#               If you don't want to restrict client ports but need to
#               fill in a later column (RATE LIMIT or USER/GROUP), then
#               place "-" in this column.
#
#               If your kernel contains multi-port match support, then
#               only a single Netfilter rule will be generated if in
#               this list and the DEST PORT(S) list above:
#               1. There are 15 or fewer ports listed.
#               2. No port ranges are included.
#               Otherwise, a separate rule will be generated for each
#               port.
#
# RATE LIMIT    You may rate-limit the rule by placing a value in
#               this column:
#
#                  <rate>/<interval>[:<burst>]
#
#               where <rate> is the number of connections per
#               <interval> ("sec" or "min") and <burst> is the
#               largest burst permitted. If no <burst> is given,
#               a value of 5 is assumed. There may be no
#               whitespace embedded in the specification.
#
#               Example: 10/sec:20
#
# USER/GROUP    This column may only be non-empty if the SOURCE is
#               the firewall itself.
#
#               The column may contain:
#
#               [!][<user name or number>][:<group name or number>][+<program name>]
#
#               When this column is non-empty, the rule applies only
#               if the program generating the output is running under
#               the effective <user> and/or <group> specified (or is
#               NOT running under that id if "!" is given).
#
#               Examples:
#
#                  joe        #program must be run by joe
#                  :kids      #program must be run by a member of
#                             #the 'kids' group
#                  !:kids     #program must not be run by a member
#                             #of the 'kids' group
#                  +upnpd     #program named upnpd
#
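The column rules above are easy to get subtly wrong: a log level that does not exist, whitespace inside a rate limit (which also shifts every later column), a MAC address in DEST, or an action referenced before it is declared. The following checker is an added example written for this page, not part of Shorewall. It reads the rule lines of an action file, applies the constraints documented above, and counts how many Netfilter rules the port lists expand to under the multi-port limits. Both sample files it parses are constructed; treating the DEST PORT(S) and SOURCE PORT(S) expansions as independent (their product) is an assumption, since the template only states the per-list rule.

```python
"""Lint the rule lines of a Shorewall 2.6 action.<name> file against the
column rules described above.  This is an added example written for this
page, not Shorewall code; the sample files below are constructed."""
import re

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE", "CONTINUE"}
# syslog levels by name or number, plus the special levels ULOG and none
LOG_LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug", "ULOG", "none"} | set("01234567")
RATE_RE = re.compile(r"^\d+/(sec|min)(:\d+)?$")             # <rate>/<interval>[:<burst>]
USER_RE = re.compile(r"^!?[\w.-]*(:[\w.-]*)?(\+[\w.-]+)?$")  # [!][user][:group][+program]
PROTO_RE = re.compile(r"^(tcp|udp|icmp|all|\d+|-)$")


def netfilter_rules(ports):
    """Rules one port list expands to under multiport match: a single rule
    when there are at most 15 entries and no ranges, otherwise one per entry."""
    if ports == "-":
        return 1
    entries = ports.split(",")
    if len(entries) <= 15 and not any(":" in e for e in entries):
        return 1
    return len(entries)


def lint_action(text, known_actions=()):
    """Return (problems, rule_count): problems is a list of (line, message);
    rule_count is the number of Netfilter rules the file expands to, treating
    the DEST PORT(S) and SOURCE PORT(S) expansions as independent (assumption)."""
    problems, count = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (8 - len(cols))           # missing trailing columns are empty
        target, src, dst, proto, dport, sport, rate, user = cols[:8]
        name, level, tag = (target.split(":") + ["", ""])[:3]
        if name not in BUILTIN_TARGETS and name not in known_actions:
            problems.append((no, f"unknown TARGET {name!r}: not built in and not a previously defined action"))
        if level and level not in LOG_LEVELS:
            problems.append((no, f"bad log level {level!r}"))
        if tag and not tag.isalnum():
            problems.append((no, f"log tag {tag!r} must be alphanumeric"))
        if "~" in dst:
            problems.append((no, "MAC addresses are not allowed in DEST"))
        if src.startswith("+") and dst.startswith("+"):
            problems.append((no, "an ipset may not appear in both SOURCE and DEST"))
        if not PROTO_RE.match(proto):
            problems.append((no, f"PROTO {proto!r} must be tcp, udp, icmp, a number or all"))
        if proto == "all" and dport != "-":
            problems.append((no, "DEST PORT(S) is ignored when PROTO is all; use '-'"))
        if rate != "-" and not RATE_RE.match(rate):
            problems.append((no, f"RATE LIMIT {rate!r} must be <rate>/sec|min[:<burst>] with no whitespace"))
        if user != "-" and not USER_RE.match(user):
            problems.append((no, f"USER/GROUP {user!r} must be [!][user][:group][+program]"))
        count += netfilter_rules(dport) * netfilter_rules(sport)
    return problems, count


# Constructed clean sample: SSH from an admin subnet at a bounded rate, silent
# (level none) drops of SMB noise, log the rest and return to the caller.
GOOD = """\
#TARGET          SOURCE        DEST   PROTO   DEST          SOURCE  RATE     USER/
#                                             PORT          PORT(S) LIMIT    GROUP
ACCEPT:info:ssh  10.1.0.0/24   -      tcp     22            -       3/min:5
DROP:none        -             -      udp     137:139,445
DROP:none        -             -      tcp     135,139,445
LOG:info:noisy   -             -      all
CONTINUE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed faulty sample: a log level that does not exist, a MAC address in
# DEST, whitespace inside the rate limit (which shifts the columns), and a
# reference to an action that was not declared first.
BAD = """\
ACCEPT:debugging  -   ~00-A0-C9-15-39-78   tcp   80,443   -   10/sec: 20
DropSMB
"""

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        problems, rules = lint_action(sample)
        print(f"{label}: {rules} Netfilter rule(s), {len(problems)} problem(s)")
        for line_no, message in problems:
            print(f"  line {line_no}: {message}")
```

Run as a script it prints the findings for both samples; the clean file yields no problems and six Netfilter rules (the udp list with a range expands to two), while the faulty file reports four. Passing `known_actions=("DropSMB",)` models the action having been declared earlier in /etc/shorewall/actions and removes that finding.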
######################################################################################
#TARGET         SOURCE          DEST            PROTO   DEST    SOURCE  RATE    USER/
#                                                       PORT    PORT(S) LIMIT   GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE