Update the Actions document

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-17 15:32:24 -08:00
parent f33f333937
commit 0a2dc77be0

View File

@ -101,8 +101,7 @@
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#TARGET SOURCE DEST PROTO DPORT SPORT RATE USER
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
@ -335,21 +334,11 @@ ACCEPT - - tcp 135,139,445
</orderedlist>
<section>
<title>Shorewall 4.4.16 and Later.</title>
<title>Shorewall 5.0.0 and Later.</title>
<para>Beginning with Shorewall 4.4.16, the columns in action.template
are the same as those in shorewall-rules (5). The first non-commentary
line in the template must be</para>
<programlisting>FORMAT 2</programlisting>
<para>Beginning with Shorewall 4.5.11, the preferred format is as shown
below, and the above format is deprecated.</para>
<programlisting>?FORMAT 2</programlisting>
<para>When using Shorewall 4.4.16 or later, there are no restrictions
regarding which targets can be used within your action.</para>
<para>In Shorewall 5.0, the columns in action.template are the same as
those in shorewall-rules (5). There are no restrictions regarding which
targets can be used within your action.</para>
<para>The SOURCE and DEST columns in the action file may not include
zone names; those are given when the action is invoked.</para>
@ -361,22 +350,18 @@ ACCEPT - - tcp 135,139,445
<para>/etc/shorewall/action.A:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
FORMAT 2
<programlisting>#TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST
$1 - - tcp 80 - 1.2.3.4</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
A(REDIRECT) net fw</programlisting>
<para>The above is equivalent to this rule:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
<para>You can 'omit' parameters by using '-'.</para>
@ -413,194 +398,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
url="configuration_file_basics.htm#ActionVariables">Action Variables
section</ulink> of the Configuration Basics article.</para>
</section>
<section>
<title>Shorewall 4.4.15 and Earlier.</title>
<para>Prior to 4.4.16, columns in the
<filename>action.template</filename> file were as follows:</para>
<itemizedlist>
<listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
an &lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These
actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case)
as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
your action provided that the macro's expansion only results in the
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
<filename>/usr/share/shorewall/action.Drop</filename> for an example
of an action that users macros extensively.</para>
</listitem>
<listitem>
<para>SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
above (e.g., eth1:192.168.1.5).</para>
</listitem>
<listitem>
<para>DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
</listitem>
<listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
<quote>all</quote>.</para>
</listitem>
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
Port names (from <filename>/etc/services</filename>), port numbers
or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTO = <quote>all</quote>, but must
be entered if any of the following fields are supplied. In that
case, it is suggested that this field contain
<quote>-</quote>.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
any of the subsequent fields, then place <quote>-</quote> in this
column.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem>
<para>MARK</para>
<para><simplelist>
<member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
</simplelist></para>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify
anything in the subsequent columns, place a <quote>-</quote> in this
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
or connection mark.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
to the mark before testing.</member>
<member>:C — Designates a connection mark. If omitted, the
packet marks value is tested. This option is only supported by
Shorewall-perl</member>
</simplelist></para>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash
(<quote>-</quote>).</para>
<para>Example:</para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote>#</quote> in
column 21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
<para>Placing a comment on the line causes the comment to appear in the
output of the <command>shorewall show actions</command> command.</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting>
</section>
</section>
<section id="Logging">
@ -625,19 +422,19 @@ LogAndAccept loc $FW tcp 22</programlisting>
<para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22
bar:info</programlisting>
</listitem>
@ -651,19 +448,19 @@ bar:info</programlisting>
<para>/etc/shorewall/action.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug! $FW net</programlisting>
<para>Logging in the invoke <quote>foo</quote> action will be as if
foo had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#TARGET SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22
bar:debug</programlisting>
</listitem>
@ -1113,22 +910,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this
way:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
<para>If you want dropped connections to be logged at the info level, use
this rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DPORT
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
<para>To summarize, you pass four pieces of information to the Limit