From a7b8b53f7224ceb38a64c9b44ae4d40b47efdd04 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 4 Dec 2012 10:39:29 -0800 Subject: [PATCH 1/2] Small change to the Actions document. Signed-off-by: Tom Eastep --- docs/Actions.xml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/docs/Actions.xml b/docs/Actions.xml index 2fdb9aae3..1f274578d 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -58,8 +58,9 @@ series of one or more iptables rules. The symbolic name may appear in the ACTION column of an /etc/shorewall/rules - file entry, in which case the traffic matching that rules file entry will - be passed to the series of iptables rules named by the action. + entry, in a macro body and within another + action, in which case the traffic matching that rules file entry will be + passed to the series of iptables rules named by the action. Actions can be thought of as templates. When an action is invoked in an /etc/shorewall/rules entry, it may be qualified by @@ -289,12 +290,6 @@ ACCEPT - - tcp 135,139,445 POLICY column of shorewall-policy(5) (e.g., DROP:Drop(audit):audit). - - - Beginning with Shorewall 4.5.10, a macro may also be specified as a default - action. -
From 60012d12085497593174e06d01f49deae3d185f2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 4 Dec 2012 10:54:32 -0800
Subject: [PATCH 2/2] Add additional space for the OPTIONS column - actions and actions.std problem
Signed-off-by: Tom Eastep
---
Shorewall-core/lib.cli | 24 ++++++++++++------------
Shorewall/actions.std | 20 ++++++++++----------
Shorewall/configfiles/actions | 6 +++---
Shorewall6/actions.std | 22 +++++++++++-----------
Shorewall6/configfiles/actions | 6 +++---
5 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index c9acbd026..6a9eb6d95 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1007,18 +1007,18 @@ show_command() {
 case $1 in
 actions)
 [ $# -gt 1 ] && usage 1
- echo "A_ACCEPT # Audit and accept the connection"
- echo "A_DROP # Audit and drop the connection"
- echo "A_REJECT # Audit and reject the connection "
- echo "allowBcast # Silently Allow Broadcast/multicast"
- echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
- echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
- echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
- echo "dropBcast # Silently Drop Broadcast/multicast"
- echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
- echo "dropNotSyn # Silently Drop Non-syn TCP packets"
- echo "forwardUPnP # Allow traffic that upnpd has redirected from"
- echo "rejNotSyn # Silently Reject Non-syn TCP packets"
+ echo "A_ACCEPT # Audit and accept the connection"
+ echo "A_DROP # Audit and drop the connection"
+ echo "A_REJECT # Audit and reject the connection "
+ echo "allowBcast # Silently Allow Broadcast/multicast"
+ echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
+ echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
+ echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+ echo "dropBcast # Silently Drop Broadcast/multicast"
+ echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
+ echo "dropNotSyn # Silently Drop Non-syn TCP packets"
+ echo "forwardUPnP # Allow traffic that upnpd has redirected from"
+ echo "rejNotSyn # Silently Reject Non-syn TCP packets"
 
 if [ -f ${g_confdir}/actions ]; then
 cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index f826ff688..ae18bd9ae 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -33,13 +33,13 @@
 #
 ###############################################################################
 #ACTION
-A_Drop # Audited Default Action for DROP policy
-A_Reject # Audited Default action for REJECT policy
-Broadcast noinline # Handles Broadcast/Multicast/Anycast
-Drop # Default Action for DROP policy
-DropSmurfs noinline # Drop smurf packets
-Invalid noinline # Handles packets in the INVALID conntrack state
-NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject # Default Action for REJECT policy
-RST noinline # Handle packets with RST set
-TCPFlags noinline # Handle bad flag combinations.
+A_Drop # Audited Default Action for DROP policy
+A_Reject # Audited Default action for REJECT policy
+Broadcast noinline # Handles Broadcast/Multicast/Anycast
+Drop # Default Action for DROP policy
+DropSmurfs noinline # Drop smurf packets
+Invalid noinline # Handles packets in the INVALID conntrack state
+NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
+Reject # Default Action for REJECT policy
+RST noinline # Handle packets with RST set
+TCPFlags noinline # Handle bad flag combinations.
diff --git a/Shorewall/configfiles/actions b/Shorewall/configfiles/actions
index 4c5e05c8b..84bedefbc 100644
--- a/Shorewall/configfiles/actions
+++ b/Shorewall/configfiles/actions
@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-####################################################################################
-#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
-# v a comment describing the action)
+########################################################################################
+#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
+# v a comment describing the action)
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 264df75ab..8e2d727a4 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -19,15 +19,15 @@
 #
 ###############################################################################
 #ACTION
-A_Drop # Audited Default Action for DROP policy
-A_Reject # Audited Default Action for REJECT policy
-A_AllowICMPs # Audited Accept needed ICMP6 types
-AllowICMPs # Accept needed ICMP6 types
-Broadcast noinline # Handles Broadcast/Multicast/Anycast
-Drop # Default Action for DROP policy
-DropSmurfs noinline # Handles packets with a broadcast source address
-Invalid noinline # Handles packets in the INVALID conntrack state
-NotSyn noinline # Handles TCP packets that do not have SYN=1 and ACK=0
-Reject # Default Action for REJECT policy
-TCPFlags noinline # Handles bad flags combinations
+A_Drop # Audited Default Action for DROP policy
+A_Reject # Audited Default Action for REJECT policy
+A_AllowICMPs # Audited Accept needed ICMP6 types
+AllowICMPs # Accept needed ICMP6 types
+Broadcast noinline # Handles Broadcast/Multicast/Anycast
+Drop # Default Action for DROP policy
+DropSmurfs noinline # Handles packets with a broadcast source address
+Invalid noinline # Handles packets in the INVALID conntrack state
+NotSyn noinline # Handles TCP packets that do not have SYN=1 and ACK=0
+Reject # Default Action for REJECT policy
+TCPFlags noinline # Handles bad flags combinations
diff --git a/Shorewall6/configfiles/actions b/Shorewall6/configfiles/actions
index 84ad2f15e..02df48e7a 100644
--- a/Shorewall6/configfiles/actions
+++ b/Shorewall6/configfiles/actions
@@ -8,6 +8,6 @@
 # Please see http://shorewall.net/Actions.html for additional information.
 #
 ###############################################################################
-####################################################################################
-#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
-# v a comment describing the action)
+########################################################################################
+#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
+# v a comment describing the action)