mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 07:33:43 +01:00
Update the Actions document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
f33f333937
commit
0a2dc77be0
239
docs/Actions.xml
239
docs/Actions.xml
@ -101,8 +101,7 @@
|
||||
# both directions.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT RATE USER
|
||||
ACCEPT - - udp 135,445
|
||||
ACCEPT - - udp 137:139
|
||||
ACCEPT - - udp 1024: 137
|
||||
@ -335,21 +334,11 @@ ACCEPT - - tcp 135,139,445
|
||||
</orderedlist>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 4.4.16 and Later.</title>
|
||||
<title>Shorewall 5.0.0 and Later.</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.16, the columns in action.template
|
||||
are the same as those in shorewall-rules (5). The first non-commentary
|
||||
line in the template must be</para>
|
||||
|
||||
<programlisting>FORMAT 2</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.11, the preferred format is as shown
|
||||
below, and the above format is deprecated.</para>
|
||||
|
||||
<programlisting>?FORMAT 2</programlisting>
|
||||
|
||||
<para>When using Shorewall 4.4.16 or later, there are no restrictions
|
||||
regarding which targets can be used within your action.</para>
|
||||
<para>In Shorewall 5.0, the columns in action.template are the same as
|
||||
those in shorewall-rules (5). There are no restrictions regarding which
|
||||
targets can be used within your action.</para>
|
||||
|
||||
<para>The SOURCE and DEST columns in the action file may not include
|
||||
zone names; those are given when the action is invoked.</para>
|
||||
@ -361,22 +350,18 @@ ACCEPT - - tcp 135,139,445
|
||||
|
||||
<para>/etc/shorewall/action.A:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
FORMAT 2
|
||||
<programlisting>#TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST
|
||||
$1 - - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
|
||||
A(REDIRECT) net fw</programlisting>
|
||||
|
||||
<para>The above is equivalent to this rule:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>You can 'omit' parameters by using '-'.</para>
|
||||
@ -413,194 +398,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
url="configuration_file_basics.htm#ActionVariables">Action Variables
|
||||
section</ulink> of the Configuration Basics article.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 4.4.15 and Earlier.</title>
|
||||
|
||||
<para>Prior to 4.4.16, columns in the
|
||||
<filename>action.template</filename> file were as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
|
||||
an <<emphasis>action</emphasis>> where
|
||||
<<emphasis>action</emphasis>> is a previously-defined action
|
||||
(that is, it must precede the action being defined in this file in
|
||||
your <filename>/etc/shorewall/actions</filename> file). These
|
||||
actions have the same meaning as they do in the
|
||||
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
|
||||
processing of the current action and returns to the point where that
|
||||
action was invoked). The TARGET may optionally be followed by a
|
||||
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
|
||||
ACCEPT:debugging). This causes the packet to be logged at the
|
||||
specified level. You may also specify ULOG (must be in upper case)
|
||||
as a log level. This will log to the ULOG target for routing to a
|
||||
separate log through use of ulogd (<ulink
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||
|
||||
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
|
||||
your action provided that the macro's expansion only results in the
|
||||
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
|
||||
<filename>/usr/share/shorewall/action.Drop</filename> for an example
|
||||
of an action that users macros extensively.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE - Source hosts to which the rule applies. A
|
||||
comma-separated list of subnets and/or hosts. Hosts may be specified
|
||||
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
|
||||
and must use <quote>-</quote> as a separator.</para>
|
||||
|
||||
<para>Alternatively, clients may be specified by interface name. For
|
||||
example, eth1 specifies a client that communicates with the firewall
|
||||
system through eth1. This may be optionally followed by another
|
||||
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
|
||||
above (e.g., eth1:192.168.1.5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST - Location of Server. Same as above with the exception
|
||||
that MAC addresses are not allowed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
|
||||
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
|
||||
<quote>all</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
|
||||
Port names (from <filename>/etc/services</filename>), port numbers
|
||||
or port ranges; if the protocol is <quote>icmp</quote>, this column
|
||||
is interpreted as the destination icmp-type(s).</para>
|
||||
|
||||
<para>A port range is expressed as <<emphasis>low
|
||||
port</emphasis>>:<<emphasis>high port</emphasis>>.</para>
|
||||
|
||||
<para>This column is ignored if PROTO = <quote>all</quote>, but must
|
||||
be entered if any of the following fields are supplied. In that
|
||||
case, it is suggested that this field contain
|
||||
<quote>-</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
|
||||
source port is acceptable. Specified as a comma-separated list of
|
||||
port names, port numbers or port ranges.</para>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
any of the subsequent fields, then place <quote>-</quote> in this
|
||||
column.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><programlisting> <<emphasis>rate</emphasis>>/<<emphasis>interval</emphasis>>[:<<emphasis>burst</emphasis>>]</programlisting>where
|
||||
<<emphasis>rate</emphasis>> is the number of connections per
|
||||
<<emphasis>interval</emphasis>> (<quote>sec</quote> or
|
||||
<quote>min</quote>) and <<emphasis>burst</emphasis>> is the
|
||||
largest burst permitted. If no <<emphasis>burst</emphasis>> is
|
||||
given, a value of 5 is assumed. There may be no whitespace embedded
|
||||
in the specification.</para>
|
||||
|
||||
<para><programlisting> Example: 10/sec:20</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>USER/GROUP - For output rules (those with the firewall as
|
||||
their source), you may control connections based on the effective
|
||||
UID and/or GID of the process requesting the connection. This column
|
||||
can contain any of the following:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>[!]<<emphasis>user number</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]<<emphasis>user name</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]:<<emphasis>group number</emphasis>></member>
|
||||
|
||||
<member>[!]:<<emphasis>group name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
number</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
inumber</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]+<<emphasis>program name</emphasis>> (Note:
|
||||
support for this form was removed from Netfilter in kernel version
|
||||
2.6.14).</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>MARK</para>
|
||||
|
||||
<para><simplelist>
|
||||
<member>[!]<<emphasis>value</emphasis>>[/<<emphasis>mask</emphasis>>][:C]</member>
|
||||
</simplelist></para>
|
||||
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don’t want to define a test but need to specify
|
||||
anything in the subsequent columns, place a <quote>-</quote> in this
|
||||
field.<simplelist>
|
||||
<member>! — Inverts the test (not equal)</member>
|
||||
|
||||
<member><<emphasis>value</emphasis>> — Value of the packet
|
||||
or connection mark.</member>
|
||||
|
||||
<member><<emphasis>mask</emphasis>> —A mask to be applied
|
||||
to the mark before testing.</member>
|
||||
|
||||
<member>:C — Designates a connection mark. If omitted, the
|
||||
packet mark’s value is tested. This option is only supported by
|
||||
Shorewall-perl</member>
|
||||
</simplelist></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Omitted column entries should be entered using a dash
|
||||
(<quote>-</quote>).</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
|
||||
role="bold">Note:</emphasis> If your
|
||||
<filename>/etc/shorewall/actions</filename> file doesn't have an
|
||||
indication where to place the comment, put the <quote>#</quote> in
|
||||
column 21.</para>
|
||||
|
||||
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
|
||||
ACCEPT</programlisting></para>
|
||||
|
||||
<para>Placing a comment on the line causes the comment to appear in the
|
||||
output of the <command>shorewall show actions</command> command.</para>
|
||||
|
||||
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
|
||||
you might do something like:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
LogAndAccept loc $FW tcp 22</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Logging">
|
||||
@ -625,19 +422,19 @@ LogAndAccept loc $FW tcp 22</programlisting>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
foo:debug $FW net</programlisting>
|
||||
|
||||
<para>Logging in the invoke <quote>foo</quote> action will be as if
|
||||
foo had been defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:info</programlisting>
|
||||
</listitem>
|
||||
@ -651,19 +448,19 @@ bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
foo:debug! $FW net</programlisting>
|
||||
|
||||
<para>Logging in the invoke <quote>foo</quote> action will be as if
|
||||
foo had been defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:debug</programlisting>
|
||||
</listitem>
|
||||
@ -1113,22 +910,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
|
||||
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this
|
||||
way:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
|
||||
|
||||
<para>If you want dropped connections to be logged at the info level, use
|
||||
this rule instead:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
|
||||
|
||||
<para>To summarize, you pass four pieces of information to the Limit
|
||||
|
Loading…
Reference in New Issue
Block a user