2005-01-19 20:45:07 +01:00
<?xml version="1.0" encoding="UTF-8"?>
2008-07-07 22:22:09 +02:00
< !DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
2005-01-19 20:45:07 +01:00
<article >
<!-- $Id$ -->
<articleinfo >
<title > Actions</title>
<authorgroup >
<author >
<firstname > Tom</firstname>
<surname > Eastep</surname>
</author>
</authorgroup>
2006-07-07 03:04:16 +02:00
<pubdate > <?dbtimestamp format="Y/m/d"?> </pubdate>
2005-01-19 20:45:07 +01:00
<copyright >
<year > 2005</year>
2008-03-27 22:04:41 +01:00
<year > 2007</year>
<year > 2008</year>
2009-02-19 16:19:43 +01:00
<year > 2009</year>
2010-01-14 17:04:08 +01:00
<year > 2010</year>
2005-01-19 20:45:07 +01:00
<holder > Thomas M. Eastep</holder>
</copyright>
<legalnotice >
<para > Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote > <ulink url= "GnuCopyright.htm" > GNU Free Documentation
License</ulink> </quote> .</para>
</legalnotice>
</articleinfo>
2005-08-29 01:37:51 +02:00
<caution >
2009-02-28 04:45:43 +01:00
<para > <emphasis role= "bold" > This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</emphasis> </para>
2005-08-29 01:37:51 +02:00
</caution>
2007-06-28 17:09:37 +02:00
<section id= "Intro" >
2005-01-19 20:45:07 +01:00
<title > What are Shorewall Actions?</title>
<para > Shorewall actions allow a symbolic name to be associated with a
series of one or more iptables rules. The symbolic name may appear in the
ACTION column of an <filename > <ulink
2007-08-26 17:14:54 +02:00
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink> </filename>
file entry, in which case the traffic matching that rules file entry will
be passed to the series of iptables rules named by the action.</para>
2005-01-19 20:45:07 +01:00
<para > Actions can be thought of as templates. When an action is invoked in
an <filename > /etc/shorewall/rules</filename> entry, it may be qualified by
a logging specification (log level and optionally a log tag). The presence
of the log level/tag causes a modified series of rules to be generated in
which each packet/rule match within the action causes a log message to be
generated.</para>
2009-05-30 17:34:34 +02:00
<para > For readers familiar with iptables, actions are the way in which you
can create your own filter-table chains.</para>
2005-01-19 20:45:07 +01:00
<para > There are three types of Shorewall actions:</para>
<orderedlist >
<listitem >
<para > Built-in Actions. These actions are known by the Shorewall code
itself. They are listed in the comments at the top of the file
<filename > /usr/share/shorewall/actions.std</filename> .</para>
</listitem>
<listitem >
<para > Standard Actions. These actions are released as part of
Shorewall. They are listed in the file
<filename > /usr/share/shorewall/actions.std</filename> and are defined
in the corresponding action.* files in <filename
class="directory">/usr/share/shorewall</filename> . Each
<filename > action.*</filename> file has a comment at the beginning of
the file that describes what the action does. As an example, here is
2006-09-26 00:32:45 +02:00
the definition of the <firstterm > AllowSMB</firstterm> standard action
from Shorewall version 2.2.</para>
2005-01-19 20:45:07 +01:00
<programlisting > #
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para > If you wish to modify one of the standard actions, do not modify
2008-08-18 06:32:14 +02:00
the definition in <filename
class="directory">/usr/share/shorewall</filename> . Rather, copy the
file to <filename class= "directory" > /etc/shorewall</filename> (or
somewhere else on your CONFIG_PATH) and modify the copy.</para>
2006-09-26 00:32:45 +02:00
2009-02-28 04:45:43 +01:00
<para > Standard Actions have been largely replaced by <ulink
url="Macros.html">macros</ulink> .</para>
2005-01-19 20:45:07 +01:00
</listitem>
<listitem >
<para > User-defined Actions. These actions are created by end-users.
2008-08-18 06:32:14 +02:00
They are listed in the file
<filename > /etc/shorewall/actions</filename> and are defined in
<filename > action.*</filename> files in <filename
class="directory">/etc/shorewall</filename> or in another directory
2008-08-30 03:00:50 +02:00
listed in your CONFIG_PATH (defined in <filename > <ulink
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink> </filename> ).</para>
2005-01-19 20:45:07 +01:00
</listitem>
</orderedlist>
</section>
2006-12-19 00:59:27 +01:00
<section id= "Default" >
2006-08-29 19:36:13 +02:00
<title > Default Actions (Formerly Common Actions)</title>
2005-01-19 20:45:07 +01:00
2006-08-29 19:36:13 +02:00
<para > Shorewall allows the association of a <firstterm > default
action</firstterm> with policies. A separate default action may be
2010-01-24 21:06:56 +01:00
associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Default
actions provide a way to invoke a set of common rules just before the
policy is enforced. Default actions accomplish two goals:</para>
2005-01-19 20:45:07 +01:00
<orderedlist >
<listitem >
2006-08-29 19:36:13 +02:00
<para > Relieve log congestion. Default actions typically include rules
2005-01-19 20:45:07 +01:00
to silently drop or reject traffic that would otherwise be logged when
the policy is enforced.</para>
</listitem>
<listitem >
2006-08-29 19:36:13 +02:00
<para > Ensure correct operation. Default actions can also avoid common
2005-01-19 20:45:07 +01:00
pitfalls like dropping connection requests on port TCP port 113. If
these connections are dropped (rather than rejected) then you may
2008-08-15 03:26:15 +02:00
encounter problems connecting to Internet services that utilize the
2005-01-19 20:45:07 +01:00
AUTH protocol of client authentication<footnote >
2008-08-15 03:26:15 +02:00
<para > AUTH is actually pretty silly on today's Internet but it's
2005-01-24 20:04:39 +01:00
amazing how many servers still employ it.</para>
2008-08-18 06:32:14 +02:00
</footnote> .</para>
2005-01-19 20:45:07 +01:00
</listitem>
</orderedlist>
2007-12-10 23:53:20 +01:00
<para > Shorewall supports default actions for the ACCEPT, REJECT, DROP,
QUEUE and NFQUEUE policies. These default actions are specified in the
2008-08-18 06:32:14 +02:00
<filename > /etc/shorewall/shorewall.conf</filename> file using the
ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
value of <quote > none</quote> have no default action.</para>
<para > In addition, the default specified in
<filename > /etc/shorewall/shorewall.conf</filename> may be overridden by
2009-05-30 17:34:34 +02:00
specifying a different action in the POLICY column of <filename > <ulink
2008-08-30 03:00:50 +02:00
url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink> </filename> .</para>
2005-01-19 20:45:07 +01:00
2010-01-24 21:06:56 +01:00
<important >
2006-08-29 19:36:13 +02:00
<para > Entries in the DROP and REJECT default actions <emphasis
2005-01-19 20:45:07 +01:00
role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis> .
2006-08-29 19:36:13 +02:00
Remember — default actions are only invoked immediately before the
packet is going to be dropped or rejected anyway!!!</para>
2010-01-24 21:06:56 +01:00
</important>
2011-06-12 00:25:48 +02:00
<para > Beginning with Shorewall 4.4.21, the standard Drop and Reject
2011-06-22 17:05:13 +02:00
options are parameterized. Each has five parameters as follows:</para>
2011-06-12 00:25:48 +02:00
<informaltable >
<tgroup cols= "4" >
<tbody >
<row >
<entry > ACTION</entry>
<entry > PARAMETER</entry>
<entry > VALUE</entry>
<entry > DEFAULT</entry>
</row>
<row >
<entry > Drop</entry>
<entry > 1</entry>
<entry > Either '-' or 'audit'. 'audit' causes auditing by the
builtin actions invoked by Drop</entry>
<entry > -</entry>
</row>
<row >
<entry > Drop</entry>
<entry > 2</entry>
<entry > Determines what to do with Auth requests</entry>
<entry > REJECT or A_REJECT depending on the setting of parameter
1</entry>
</row>
<row >
<entry > Drop</entry>
<entry > 3</entry>
<entry > Determines what to do with SMB</entry>
<entry > DROP or A_DROP depending on the setting of parameter
1</entry>
</row>
<row >
<entry > Reject</entry>
<entry > 1</entry>
<entry > Either '-' or 'audit'. 'audit' causes auditing by the
builtin actions invoked by Drop</entry>
<entry > -</entry>
</row>
<row >
<entry > Reject</entry>
<entry > 2</entry>
<entry > Determines what to do with Auth requests</entry>
<entry > REJECT or A_REJECT depending on the setting of parameter
1</entry>
</row>
<row >
<entry > Reject</entry>
<entry > 3</entry>
<entry > Determines what to do with SMB</entry>
<entry > REJECT or A_REJECT depending on the setting of parameter
1</entry>
</row>
2011-06-22 17:05:13 +02:00
<row >
<entry > Both</entry>
<entry > 4</entry>
<entry > Determines what to do with accepted critical ICMP
packets.</entry>
<entry > ACCEPT or A_ACCEPT depending on the setting of parameter
1</entry>
</row>
<row >
<entry > Both</entry>
<entry > 5</entry>
<entry > Determines what to do with late-arriving DNS replies
(source port 53) or UPnP (udp port 1900).</entry>
<entry > DROP or A_DROP depending on the setting of parameter
1.</entry>
</row>
2011-06-12 00:25:48 +02:00
</tbody>
</tgroup>
</informaltable>
<para > The parameters may be specified in either shorewall.conf (e.g.,
DROP_DEFAULT=<emphasis role= "bold" > Drop(-,DROP)</emphasis> or in the
POLICY column of <ulink
url="manpages/shorewall-policy.html">shorewall-policy</ulink> (5) (e.g.,
DROP:<emphasis role= "bold" > Drop(audit)</emphasis> :audit).</para>
2012-11-25 21:09:41 +01:00
<note >
<para > Beginning with Shorewall 4.5.10, a <ulink
url="Macros.html">macro</ulink> may also be specified as a default
action.</para>
</note>
2005-01-19 20:45:07 +01:00
</section>
2007-06-28 17:09:37 +02:00
<section id= "Defining" >
2005-05-13 20:27:08 +02:00
<title > Defining your own Actions</title>
2005-01-19 20:45:07 +01:00
2005-10-02 17:34:20 +02:00
<para > Before defining a new action, you should evaluate whether your goal
can be best accomplished using an action or a
<firstterm > macro</firstterm> . See <ulink url= "Macros.html" > this
article</ulink> for details.</para>
2005-01-19 20:45:07 +01:00
<para > To define a new action:</para>
<orderedlist >
<listitem >
2009-02-19 16:19:43 +01:00
<para > Add a line to <filename > /etc/shorewall/actions</filename> that
2005-01-19 20:45:07 +01:00
names your new action. Action names must be valid shell variable names
2008-08-18 06:32:14 +02:00
(must begin with a letter and be composed of letters, digits and
2005-01-19 20:45:07 +01:00
underscore characters) as well as valid Netfilter chain names. If you
intend to log from the action, the name must have a maximum of 11
characters. It is recommended that the name you select for a new
2005-05-28 00:47:49 +02:00
action begins with a capital letter; that way, the name won't conflict
with a Shorewall-defined chain name.</para>
2005-01-19 20:45:07 +01:00
<para > Shorewall includes pre-defined actions for DROP and REJECT --
see above.</para>
</listitem>
<listitem >
<para > Once you have defined your new action name (ActionName), then
2008-08-18 06:32:14 +02:00
copy <filename > /usr/share/shorewall/action.template</filename> to
2005-01-19 20:45:07 +01:00
<filename > /etc/shorewall/action.ActionName</filename> (for example, if
your new action name is <quote > Foo</quote> then copy
<filename > /usr/share/shorewall/action.template</filename> to
<filename > /etc/shorewall/action.Foo</filename> ).</para>
</listitem>
<listitem >
<para > Now modify the new file to define the new action.</para>
</listitem>
</orderedlist>
2010-12-14 20:19:17 +01:00
<section >
<title > Shorewall 4.4.16 and Later.</title>
<para > Beginning with Shorewall 4.4.16, the columns in action.template
are the same as those in shorewall-rules (5). The first non-commentary
line in the template must be</para>
<programlisting > FORMAT 2</programlisting>
<para > When using Shorewall 4.4.16 or later, there are no restrictions
regarding which targets can be used within your action.</para>
2010-12-24 23:03:55 +01:00
<para > The SOURCE and DEST columns in the action file may not include
zone names; those are given when the action is invoked.</para>
2010-12-27 21:32:28 +01:00
2010-12-26 17:59:31 +01:00
<para > Additionally, it is possible to pass parameters to an action, when
it is invoked in the rules file or in another action.</para>
<para > Here's a trivial example:</para>
<para > /etc/shorewall/action.A:</para>
<programlisting > #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
FORMAT 2
$1 - - tcp 80 - 1.2.3.4</programlisting>
<para > /etc/shorewall/rules:</para>
<programlisting > #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
A(REDIRECT) net fw</programlisting>
<para > The above is equivalent to this rule:</para>
<programlisting > #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
2010-12-27 01:13:53 +01:00
<para > You can 'omit' parameters by using '-'.</para>
2010-12-27 02:03:05 +01:00
<para > Example: ACTION(REDIRECT,-,info)</para>
2010-12-27 01:13:53 +01:00
<para > In the above example, $2 would expand to nothing.</para>
2010-12-27 02:03:05 +01:00
<para > If you want to make '-' a parameter value, use '--' (e.g.,
ACTION(REDIRECT,--.info)).</para>
2011-06-11 16:29:25 +02:00
<para > Beginning with Shorewall 4.4.21, you can specify the default
values of your FORMAT-2 actions:</para>
<programlisting > DEFAULTS <replaceable > def1</replaceable> ,<replaceable > def2</replaceable> ,...</programlisting>
<para > where <replaceable > def1</replaceable> is the default value for the
first parameter, <replaceable > def2</replaceable> is the default value
for the second parameter and so on. You can specify an empty default
using '-' (e.g. DEFAULTS DROP,-,audit).</para>
2011-07-03 16:22:29 +02:00
<para > The DEFAULTS directive also determines the maximum number of
parameters that an action may have. If more parameters are passed than
2012-11-25 21:09:41 +01:00
have default values, an error message is issued.</para>
2010-12-14 20:19:17 +01:00
</section>
<section >
<title > Shorewall 4.4.15 and Earlier.</title>
<para > Prior to 4.4.16, columns in the
<filename > action.template</filename> file were as follows:</para>
<itemizedlist >
<listitem >
<para > TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
an < <emphasis > action</emphasis> > where
< <emphasis > action</emphasis> > is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename > /etc/shorewall/actions</filename> file). These
actions have the same meaning as they do in the
<filename > /etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a
colon (<quote > :</quote> ) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case)
as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink> ).</para>
<para > You may also use a <ulink url= "Macros.html" > macro</ulink> in
your action provided that the macro's expansion only results in the
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
<filename > /usr/share/shorewall/action.Drop</filename> for an example
of an action that users macros extensively.</para>
</listitem>
<listitem >
<para > SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; MAC addresses must begin with <quote > ~</quote>
and must use <quote > -</quote> as a separator.</para>
<para > Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another
colon (<quote > :</quote> ) and an IP/MAC/subnet address as described
above (e.g., eth1:192.168.1.5).</para>
</listitem>
<listitem >
<para > DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
</listitem>
<listitem >
<para > PROTO - Protocol - Must be <quote > tcp</quote> ,
<quote > udp</quote> , <quote > icmp</quote> , a protocol number, or
<quote > all</quote> .</para>
</listitem>
<listitem >
<para > DEST PORT(S) - Destination Ports. A comma-separated list of
Port names (from <filename > /etc/services</filename> ), port numbers
or port ranges; if the protocol is <quote > icmp</quote> , this column
is interpreted as the destination icmp-type(s).</para>
<para > A port range is expressed as < <emphasis > low
port</emphasis> > :< <emphasis > high port</emphasis> > .</para>
<para > This column is ignored if PROTO = <quote > all</quote> , but must
be entered if any of the following fields are supplied. In that
case, it is suggested that this field contain
<quote > -</quote> .</para>
</listitem>
<listitem >
<para > SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para > If you don't want to restrict client ports but need to specify
any of the subsequent fields, then place <quote > -</quote> in this
column.</para>
</listitem>
<listitem >
<para > RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para > <programlisting > < <emphasis > rate</emphasis> > /< <emphasis > interval</emphasis> > [:< <emphasis > burst</emphasis> > ]</programlisting> where
< <emphasis > rate</emphasis> > is the number of connections per
< <emphasis > interval</emphasis> > (<quote > sec</quote> or
<quote > min</quote> ) and < <emphasis > burst</emphasis> > is the
largest burst permitted. If no < <emphasis > burst</emphasis> > is
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<para > <programlisting > Example: 10/sec:20</programlisting> </para>
</listitem>
<listitem >
<para > USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<simplelist >
<member > [!]< <emphasis > user number</emphasis> > [:]</member>
<member > [!]< <emphasis > user name</emphasis> > [:]</member>
<member > [!]:< <emphasis > group number</emphasis> > </member>
<member > [!]:< <emphasis > group name</emphasis> > </member>
<member > [!]< <emphasis > user
number</emphasis> > :< <emphasis > group
number</emphasis> > </member>
<member > [!]< <emphasis > user
name</emphasis> > :< <emphasis > group
number</emphasis> > </member>
<member > [!]< <emphasis > user
inumber</emphasis> > :< <emphasis > group
name</emphasis> > </member>
<member > [!]< <emphasis > user
name</emphasis> > :< <emphasis > group
name</emphasis> > </member>
<member > [!]+< <emphasis > program name</emphasis> > (Note:
support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem >
<para > MARK</para>
<para > <simplelist >
<member > [!]< <emphasis > value</emphasis> > [/< <emphasis > mask</emphasis> > ][:C]</member>
</simplelist> </para>
<para > Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
2010-12-13 18:06:29 +01:00
2010-12-14 20:19:17 +01:00
<para > If you don’ t want to define a test but need to specify
anything in the subsequent columns, place a <quote > -</quote> in this
field.<simplelist >
<member > ! — Inverts the test (not equal)</member>
2010-12-13 18:06:29 +01:00
2010-12-14 20:19:17 +01:00
<member > < <emphasis > value</emphasis> > — Value of the packet
or connection mark.</member>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<member > < <emphasis > mask</emphasis> > —A mask to be applied
to the mark before testing.</member>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<member > :C — Designates a connection mark. If omitted, the
packet mark’ s value is tested. This option is only supported by
Shorewall-perl</member>
</simplelist> </para>
</listitem>
</itemizedlist>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<para > Omitted column entries should be entered using a dash
(<quote > -</quote> ).</para>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<para > Example:</para>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<para > <filename > /etc/shorewall/actions</filename> :</para>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<para > <programlisting > #ACTION COMMENT (place '# ' below the 'C' in comment followed by
2008-03-27 22:00:53 +01:00
# v a comment describing the action)
2008-03-27 22:09:46 +01:00
LogAndAccept # LOG and ACCEPT a connection</programlisting> <emphasis
2010-12-14 20:19:17 +01:00
role="bold">Note:</emphasis> If your
<filename > /etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote > #</quote> in
column 21.</para>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<para > <phrase > <filename > /etc/shorewall/action.LogAndAccept</filename> </phrase> <programlisting > LOG:info
2008-03-27 22:09:46 +01:00
ACCEPT</programlisting> </para>
2008-03-27 22:04:41 +01:00
2010-12-14 20:19:17 +01:00
<para > Placing a comment on the line causes the comment to appear in the
output of the <command > shorewall show actions</command> command.</para>
2008-03-27 22:00:53 +01:00
2010-12-14 20:19:17 +01:00
<para > To use your action, in <filename > /etc/shorewall/rules</filename>
you might do something like:</para>
2005-01-19 20:45:07 +01:00
2010-12-14 20:19:17 +01:00
<programlisting > #ACTION SOURCE DEST PROTO DEST PORT(S)
2005-09-12 20:43:26 +02:00
LogAndAccept loc $FW tcp 22</programlisting>
2010-12-14 20:19:17 +01:00
</section>
2005-01-19 20:45:07 +01:00
</section>
2007-06-28 17:09:37 +02:00
<section id= "Logging" >
2005-01-19 20:45:07 +01:00
<title > Actions and Logging</title>
2007-01-18 16:30:55 +01:00
<para > Specifying a log level in a rule that specifies a user-defined or
2005-08-29 01:37:51 +02:00
Shorewall-defined action will cause each rule in the action to be logged
with the specified level (and tag).</para>
2005-01-19 20:45:07 +01:00
2005-05-28 00:47:49 +02:00
<para > The extent to which logging of action rules occur is governed by the
2005-01-19 20:45:07 +01:00
following:</para>
<orderedlist >
<listitem >
<para > When you invoke an action and specify a log level, only those
rules in the action that have no log level will be changed to log at
the level specified at the action invocation.</para>
<para > Example:</para>
<para > /etc/shorewall/action.foo</para>
<programlisting > #TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info</programlisting>
<para > /etc/shorewall/rules:</para>
<programlisting > #ACTION SOURCE DEST PROTO DEST PORT(S)
2005-09-12 20:43:26 +02:00
foo:debug $FW net</programlisting>
2005-01-19 20:45:07 +01:00
2009-02-19 16:19:43 +01:00
<para > Logging in the invoke <quote > foo</quote> action will be as if
foo had been defined as:</para>
2005-01-19 20:45:07 +01:00
<programlisting > #TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:info</programlisting>
</listitem>
<listitem >
2008-08-18 06:32:14 +02:00
<para > If you follow the log level with <quote > !</quote> then logging
will be set at that level for all rules recursively invoked by the
action.</para>
2005-01-19 20:45:07 +01:00
<para > Example:</para>
<para > /etc/shorewall/action.foo</para>
<programlisting > #TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info</programlisting>
<para > /etc/shorewall/rules:</para>
<programlisting > #ACTION SOURCE DEST PROTO DEST PORT(S)
2005-09-12 20:43:26 +02:00
foo:debug! $FW net</programlisting>
2005-01-19 20:45:07 +01:00
2009-02-19 16:19:43 +01:00
<para > Logging in the invoke <quote > foo</quote> action will be as if
foo had been defined as:</para>
2005-01-19 20:45:07 +01:00
<programlisting > #TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:debug</programlisting>
</listitem>
</orderedlist>
</section>
<section id= "Extension" >
<title > Creating an Action using an Extension Script</title>
<para > There may be cases where you wish to create a chain with rules that
2008-08-18 06:32:14 +02:00
can't be constructed using the tools defined in the
<filename > action.template</filename> . In that case, you can use an <ulink
2007-05-20 19:21:59 +02:00
url="shorewall_extension_scripts.htm">extension script</ulink> .<note >
2005-01-19 20:45:07 +01:00
<para > If you actually need an action to drop broadcast packets, use
the <command > dropBcast</command> standard action rather than create
one like this.</para>
</note> </para>
2007-06-28 17:09:37 +02:00
<example id= "Example" >
2005-01-19 20:45:07 +01:00
<title > An action to drop all broadcast packets</title>
2009-09-15 15:59:59 +02:00
<para > If you define an action <quote > acton</quote> and you have an
<filename > /etc/shorewall/acton</filename> script, the rules compiler
sets lexical variables as follows:</para>
<itemizedlist >
<listitem >
<para > <emphasis role= "bold" > $chainref</emphasis> is a reference to
the chain-table entry for the chain where your rules are to be
placed.</para>
</listitem>
<listitem >
<para > <emphasis role= "bold" > $level</emphasis> is the log level. If
false, no logging was specified.</para>
</listitem>
<listitem >
<para > <emphasis role= "bold" > $tag</emphasis> is the log tag.</para>
</listitem>
2010-12-23 00:09:54 +01:00
<listitem >
<para > <emphasis role= "bold" > @params</emphasis> is the list of
2010-12-27 01:13:53 +01:00
parameter values (Shorewall 4.4.16 and later). 'Omitted' parameters
contain '-'.</para>
2010-12-23 00:09:54 +01:00
</listitem>
2009-09-15 15:59:59 +02:00
</itemizedlist>
<para > Example:</para>
2005-01-19 20:45:07 +01:00
<para > /etc/shorewall/actions<programlisting > DropBcasts</programlisting> </para>
2009-02-28 04:45:43 +01:00
<para > /etc/shorewall/action.DropBcasts<programlisting > # This file is empty</programlisting> /etc/shorewall/DropBcasts<programlisting > use Shorewall::Chains;
2007-05-20 19:21:59 +02:00
2010-01-24 21:06:56 +01:00
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
}
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
2007-06-26 01:37:55 +02:00
1;</programlisting> </para>
2005-01-19 20:45:07 +01:00
</example>
2005-05-13 20:27:08 +02:00
2009-05-30 17:34:34 +02:00
<para > For a richer example, see the next section.</para>
</section>
<section id= "Limit" >
<title > Limiting Per-IP Connection Rate using the Limit Action</title>
2010-12-23 00:09:54 +01:00
<para > Shorewall supports a <quote > Limit</quote> built-in action. Prior to
Shorewall 4.4.16, Limit is invoked with a comma-separated list in place of
a logging tag. Beginning in Shorewall 4.4.16, it may also be invoked with
a list of three parameters enclosed in parentheses. The list has three
elements:</para>
2009-05-30 17:34:34 +02:00
<orderedlist >
<listitem >
<para > The name of a <quote > recent</quote> list. You select the list
name which must conform to the rules for a valid chain name. Different
rules that specify the same list name will use the same set of
counters.</para>
</listitem>
<listitem >
<para > The number of connections permitted in a specified time
period.</para>
</listitem>
<listitem >
<para > The time period, expressed in seconds.</para>
</listitem>
</orderedlist>
<para > Connections that exceed the specified rate are dropped.</para>
<para > For example, to use a recent list name of <emphasis
role="bold">SSHA</emphasis> , and to limit SSH connections to 3 per minute,
use this entry in <filename > /etc/shorewall/rules</filename> :</para>
<programlisting > #ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
2010-12-23 00:09:54 +01:00
<para > Using Shorewall 4.4.16 or later, you can also invoke the action this
2010-12-24 23:03:55 +01:00
way:</para>
2010-12-23 00:09:54 +01:00
<programlisting > #ACTION SOURCE DEST PROTO DEST PORT(S)
Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
2009-05-30 17:34:34 +02:00
<para > If you want dropped connections to be logged at the info level, use
this rule instead:</para>
<programlisting > #ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
2010-12-23 00:09:54 +01:00
<para > Shorewall 4.4.16 and later:<programlisting > #ACTION SOURCE DEST PROTO DEST PORT(S)
Limit(SSH,3,60):info net $FW tcp 22</programlisting> </para>
2009-05-30 17:34:34 +02:00
<para > To summarize, you pass four pieces of information to the Limit
action:</para>
<itemizedlist >
<listitem >
<para > The log level. If you don't want to log, specify
<quote > none</quote> .</para>
</listitem>
<listitem >
<para > The name of the recent list that you want to use
(<quote > SSHA</quote> in this example).</para>
</listitem>
<listitem >
<para > The maximum number of connections to accept (3 in this
example).</para>
</listitem>
<listitem >
<para > The number of seconds over which you are willing to accept that
many connections (60 in this example).</para>
</listitem>
</itemizedlist>
<section id= "LimitImp" >
<title > How Limit is Implemented</title>
2010-12-23 00:09:54 +01:00
<para > For those who are curious, the Limit action in Shorewall 4.4.16 is
implemented as follows:</para>
2009-05-30 17:34:34 +02:00
2010-01-14 17:04:08 +01:00
<programlisting > use Shorewall::Chains;
2010-12-26 17:59:31 +01:00
@params = split( /,/, $tag ), $tag='' unless @params;
2009-05-30 17:34:34 +02:00
2010-12-23 00:09:54 +01:00
fatal_error 'Limit rules must include < list name> ,< max connections> ,< interval> as the log tag or params' unless @params == 3;
2009-05-30 17:34:34 +02:00
2010-12-26 17:59:31 +01:00
my $list = $params[0];
2009-05-30 17:34:34 +02:00
2010-12-26 17:59:31 +01:00
for ( @params[1,2] ) {
2010-12-23 00:09:54 +01:00
fatal_error 'Max connections and interval in Limit rules must be numeric (' . $_ . ')' unless /^\d+$/
2009-05-30 17:34:34 +02:00
}
2010-12-23 00:09:54 +01:00
my $count = $params[1] + 1;
2009-05-30 17:34:34 +02:00
add_rule $chainref, "-m recent --name $list --set";
if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref-> {name}%";
2010-12-26 17:59:31 +01:00
log_rule_limit $level, $xchainref, $params[0], 'DROP', $tag, '', 'add', '';
2009-05-30 17:34:34 +02:00
add_rule $xchainref, '-j DROP';
2010-12-23 00:09:54 +01:00
add_rule $chainref, "-m recent --name $list --update --seconds $params[2] --hitcount $count -j $xchainref-> {name}";
2009-05-30 17:34:34 +02:00
} else {
2010-12-23 00:09:54 +01:00
add_rule $chainref, "-m recent --update --name $list --seconds $params[2] --hitcount $count -j DROP";
2009-05-30 17:34:34 +02:00
}
add_rule $chainref, '-j ACCEPT';
1; </programlisting>
</section>
2005-01-19 20:45:07 +01:00
</section>
2008-07-04 17:11:51 +02:00
</article>