mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-21 23:23:13 +01:00
Change 'Common Action' to 'Default Action'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4477 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 671e5ac94f
commit 46a6163711
@ -101,31 +101,31 @@ ACCEPT - - tcp 135,139,445
<listitem>
<para>User-defined Actions. These actions are created by end-users.
They are listed in the file /etc/shorewall/actions and are defined in
action.* files in /etc/shorewall or in another directory
listed in your CONFIG_PATH (defined in <ulink
action.* files in /etc/shorewall or in another directory listed in
your CONFIG_PATH (defined in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>).</para>
</listitem>
</orderedlist>
</section>

<section>
<title>Common Actions</title>
<title>Default Actions (Formerly Common Actions)</title>

<para>Shorewall allows the association of a <firstterm>common
action</firstterm> with policies. A separate common action may be
associated with ACCEPT, DROP and REJECT policies. Common actions provide a
way to invoke a set of common rules just before the policy is enforced.
Common actions accomplish two goals:</para>
<para>Shorewall allows the association of a <firstterm>default
action</firstterm> with policies. A separate default action may be
associated with ACCEPT, DROP and REJECT policies. Default actions provide
a way to invoke a set of common rules just before the policy is enforced.
Default actions accomplish two goals:</para>

<orderedlist>
<listitem>
<para>Relieve log congestion. Common actions typically include rules
<para>Relieve log congestion. Default actions typically include rules
to silently drop or reject traffic that would otherwise be logged when
the policy is enforced.</para>
</listitem>

<listitem>
<para>Ensure correct operation. Common actions can also avoid common
<para>Ensure correct operation. Default actions can also avoid common
pitfalls like dropping connection requests on port TCP port 113. If
these connections are dropped (rather than rejected) then you may
encounter problems connecting to internet services that utilize the
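Review bot: The context line "pitfalls like dropping connection requests on port TCP port 113" in the second list item carries a duplicated "port"; since the opening line of that paragraph is already being rewritten for the rename, take the chance to make it "connection requests on TCP port 113". The new title "Default Actions (Formerly Common Actions)" is a good choice for readers arriving from older documentation, and the reflow of the user-defined actions item above it is whitespace-only.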
@ -136,23 +136,23 @@ ACCEPT - - tcp 135,139,445
</listitem>
</orderedlist>

<para>Shorewall provides common actions for the REJECT and DROP policies.
The common action for REJECT is named <firstterm>Reject</firstterm> and
the common action for DROP is named <firstterm>Drop</firstterm>. These
<para>Shorewall provides default actions for the REJECT and DROP policies.
The default action for REJECT is named <firstterm>Reject</firstterm> and
the default action for DROP is named <firstterm>Drop</firstterm>. These
associations are made through two entries in
/usr/share/shorewall/actions.std:</para>

<programlisting>Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy</programlisting>
<programlisting>Drop:DROP #Default Action for DROP policy
Reject:REJECT #Default Action for REJECT policy</programlisting>

<para>These may be overridden by entries in your /etc/shorewall/actions
file.</para>

<warning>
<para>Entries in the DROP and REJECT common actions <emphasis
<para>Entries in the DROP and REJECT default actions <emphasis
role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
Remember — common actions are only invoked immediately before the packet
is going to be dropped or rejected anyway!!!</para>
Remember — default actions are only invoked immediately before the
packet is going to be dropped or rejected anyway!!!</para>
</warning>
</section>

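Review bot: The programlisting now quotes /usr/share/shorewall/actions.std with the comments "#Default Action for DROP policy" and "#Default Action for REJECT policy". This diff touches only documentation, so confirm that the comments in the shipped actions.std were changed in the same commit; otherwise the document quotes file content that will not match what users see on disk, which is exactly the kind of mismatch the warning below it is trying to head off.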
@ -180,8 +180,8 @@ Reject:REJECT #Common Action for REJECT policy</programlisting>

<para>The name of the action may be optionally followed by a colon
(<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
named action will become the <emphasis>common action </emphasis>for
policies of type ACCEPT, DROP or REJECT respectively. The common
named action will become the <emphasis>default action </emphasis>for
policies of type ACCEPT, DROP or REJECT respectively. The default
action is applied immediately before the policy is enforced (before
any logging is done under that policy) and is used mainly to suppress
logging of uninteresting traffic which would otherwise clog your logs.
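Review bot: In "<emphasis>default action </emphasis>for" the trailing space sits inside the emphasis element; since this line is being rewritten anyway, move the space outside ("<emphasis>default action</emphasis> for") so the rendered emphasis does not include a trailing italic space. The same form is carried over in the -64 hunk of the next file.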
@ -64,8 +64,8 @@
<para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
or REJECT. When this is done, the named action will become the
<emphasis>common action </emphasis>for policies of type ACCEPT, DROP
or REJECT respectively. The common action is applied immediately
<emphasis>default action </emphasis>for policies of type ACCEPT, DROP
or REJECT respectively. The default action is applied immediately
before the policy is enforced (before any logging is done under that
policy) and is used mainly to suppress logging of uninteresting
traffic which would otherwise clog your logs. The same policy name can
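Review bot: This paragraph dates the colon suffix, and with it the default-action mechanism, to Shorewall-2.0.0-Beta1, while the "Default Actions" section later in the same file (the -415 hunk) says the feature began with Shorewall version 2.2.0-Beta1. Both passages are being rewritten in this change, so settle on one version and use it in both places. Same markup nit as in the previous file: "<emphasis>default action </emphasis>for" should be "<emphasis>default action</emphasis> for".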
@ -397,7 +397,7 @@ AllowFTP loc $FW</programlisting>
class="directory">/etc/shorewall and modify</filename> it to suit your
needs. The next <command>shorewall restart</command> will cause your
action to be installed in place of the standard one. In particular, if you
want to modify the common actions <quote>Drop</quote> or
want to modify the default actions <quote>Drop</quote> or
<quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
<filename>Action.Reject</filename> to <filename
class="directory">/etc/shorewall</filename> and modify that copy as
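Review bot: Two defects sit in the visible lines around the rename. First, "<filename class="directory">/etc/shorewall and modify</filename>" wraps the words "and modify" inside the filename element; the closing tag belongs directly after /etc/shorewall. Second, the copy instruction names <filename>action.Drop</filename> but <filename>Action.Reject</filename>; the action files are lower-case (the earlier list item describes them as action.* files), so a user who copies Action.Reject on a case-sensitive filesystem gets a missing-file error. Suggest <filename>action.Reject</filename>.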
@ -415,22 +415,22 @@ AllowFTP loc $FW</programlisting>
</section>

<section id="Common">
<title>Common Actions</title>
<title>Default Actions (Formerly Common Actions)</title>

<para>Also beginning with Shorewall version 2.2.0-Beta1, when an ACCEPT,
DROP or REJECT policy is about to be enforced, a <firstterm>common
DROP or REJECT policy is about to be enforced, a <firstterm>default
action</firstterm> can first be invoked. In /etc/shorewall/actions.std are
found these two entries:</para>

<programlisting>Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy</programlisting>
<programlisting>Drop:DROP #Default Action for DROP policy
Reject:REJECT #Default Action for REJECT policy</programlisting>

<para>These entries designate the action named <firstterm>Drop</firstterm>
as the common action for DROP policies and the common action
<firstterm>Reject</firstterm> as the common action for REJECT
as the default action for DROP policies and the default action
<firstterm>Reject</firstterm> as the default action for REJECT
policies.</para>

<para>The purpose of common actions is:</para>
<para>The purpose of default actions is:</para>

<itemizedlist>
<listitem>
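Review bot: Keeping <section id="Common"> while retitling the section is the right call, since existing links to the #Common anchor keep resolving; if the id is ever renamed to match the new title, do it with the old anchor retained. One inconsistency remains in the rewritten paragraph: it says the two entries are found in /etc/shorewall/actions.std, whereas the other document in this change (the -136 hunk) places them in /usr/share/shorewall/actions.std and describes /etc/shorewall/actions as the user override file. Since this line is being edited anyway, align it with /usr/share/shorewall/actions.std so readers do not go looking for a file that is not in /etc/shorewall.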
@ -448,7 +448,7 @@ Reject:REJECT #Common Action for REJECT policy</programlisting>
</listitem>
</itemizedlist>

<para>It should be stressed that <emphasis role="bold">the common actions
<para>It should be stressed that <emphasis role="bold">the default actions
do not cause any traffic to be dropped or rejected that isn't about to be
dropped or rejected anyway</emphasis> (remember that these actions are
invoked just before the connection request is going to be dropped or
@ -5,7 +5,7 @@
<!--$Id$-->

<articleinfo>
<title>Extension Scripts and Common Actions</title>
<title>Extension Scripts and Default Actions</title>

<authorgroup>
<author>
@ -101,7 +101,7 @@

<listitem>
<para>refresh -- invoked while the firewall is being refreshed but
before the common and/or blacklst chains have been rebuilt.</para>
before the blacklst chains have been rebuilt.</para>
</listitem>

<listitem>
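Review bot: This hunk is not a pure rename. "before the common and/or blacklst chains have been rebuilt" becomes "before the blacklst chains have been rebuilt", which silently drops the statement that the common chain is rebuilt during refresh. If refresh no longer rebuilds the common chain, that behavioural change deserves its own sentence in the commit message (currently just "Change 'Common Action' to 'Default Action'"), because extension-script authors rely on this ordering; if it still does, the original wording should stay. Also, with only one chain named, "the blacklst chains" should read "the blacklst chain".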
@ -274,11 +274,11 @@
</listitem>
</itemizedlist>

<para>You can also define a <emphasis>common action</emphasis> to be
<para>You can also define a <emphasis>default action</emphasis> to be
performed immediately before a policy of ACCEPT, DROP or REJECT is applied.
Separate <ulink url="Actions.html">actions</ulink> can be assigned to each
policy type so for example you can have a different common action for DROP
and REJECT policies. The most common usage of common actions is to silently
policy type so for example you can have a different default action for DROP
and REJECT policies. The most common usage of default actions is to silently
drop traffic that you don't wish to have logged by the policy.</para>

<para>As released, Shorewall defines a number of actions which are cataloged
@ -297,7 +297,7 @@ Reject:REJECT</programlisting>

<para>You can override these defaults with entries in your
/etc/shorewall/actions file. For example, if that file were to contain
<quote>MyDrop:DROP</quote> then the common action for DROP policies would
<quote>MyDrop:DROP</quote> then the default action for DROP policies would
become <quote>MyDrop</quote>.</para>

<para>One final note. The chain created to perform an action has the same
@ -258,7 +258,7 @@ dmz ipv4</programlisting>
If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied after the request is passed to the appropriate <ulink
url="Actions.html">common action</ulink> (if any).</para>
url="Actions.html">default action</ulink> (if any).</para>

<para>Prior to Shorewall 2.2.0, the default
<filename>/etc/shorewall/policy</filename> file had the following
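Review bot: After the rename, "the appropriate default action (if any)" sits two lines above "Prior to Shorewall 2.2.0, the default /etc/shorewall/policy file", where "default" means the file as shipped. Readers may take the two uses as related; consider "the stock /etc/shorewall/policy file" or "the /etc/shorewall/policy file as shipped" in the context line so the new term keeps a single meaning in this guide.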
@ -947,7 +947,7 @@ loc eth2 detect</programlisting>
netmask 255.255.255.248.</para>
</example>

<para> /sbin/shorewall supports an ipcalc command that automatically
<para>/sbin/shorewall supports an ipcalc command that automatically
calculates information about a [sub]network.</para>

<example>
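Review bot: The only change here is dropping the stray leading space in "<para> /sbin/shorewall"; harmless, but it is unrelated to the rename described by the commit message and would be easier to audit later as a separate whitespace-only commit.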