mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 09:03:30 +01:00
Change 'Common Action' to 'Default Action'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4477 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
671e5ac94f
commit
46a6163711
@ -101,31 +101,31 @@ ACCEPT - - tcp 135,139,445
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>User-defined Actions. These actions are created by end-users.
|
<para>User-defined Actions. These actions are created by end-users.
|
||||||
They are listed in the file /etc/shorewall/actions and are defined in
|
They are listed in the file /etc/shorewall/actions and are defined in
|
||||||
action.* files in /etc/shorewall or in another directory
|
action.* files in /etc/shorewall or in another directory listed in
|
||||||
listed in your CONFIG_PATH (defined in <ulink
|
your CONFIG_PATH (defined in <ulink
|
||||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>).</para>
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Common Actions</title>
|
<title>Default Actions (Formerly Common Actions)</title>
|
||||||
|
|
||||||
<para>Shorewall allows the association of a <firstterm>common
|
<para>Shorewall allows the association of a <firstterm>default
|
||||||
action</firstterm> with policies. A separate common action may be
|
action</firstterm> with policies. A separate default action may be
|
||||||
associated with ACCEPT, DROP and REJECT policies. Common actions provide a
|
associated with ACCEPT, DROP and REJECT policies. Default actions provide
|
||||||
way to invoke a set of common rules just before the policy is enforced.
|
a way to invoke a set of common rules just before the policy is enforced.
|
||||||
Common actions accomplish two goals:</para>
|
Default actions accomplish two goals:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Relieve log congestion. Common actions typically include rules
|
<para>Relieve log congestion. Default actions typically include rules
|
||||||
to silently drop or reject traffic that would otherwise be logged when
|
to silently drop or reject traffic that would otherwise be logged when
|
||||||
the policy is enforced.</para>
|
the policy is enforced.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Ensure correct operation. Common actions can also avoid common
|
<para>Ensure correct operation. Default actions can also avoid common
|
||||||
pitfalls like dropping connection requests on port TCP port 113. If
|
pitfalls like dropping connection requests on port TCP port 113. If
|
||||||
these connections are dropped (rather than rejected) then you may
|
these connections are dropped (rather than rejected) then you may
|
||||||
encounter problems connecting to internet services that utilize the
|
encounter problems connecting to internet services that utilize the
|
||||||
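Review bot: the second list item still reads "dropping connection requests on port TCP port 113" on both sides of this hunk; since the line is being rewritten for the rename anyway, drop the duplicated word and make it "connection requests on TCP port 113". The rest of the hunk is a straight Common-to-Default substitution plus a rewrap of the CONFIG_PATH sentence, and the new title "Default Actions (Formerly Common Actions)" usefully keeps the old term findable for readers of older releases.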
@ -136,23 +136,23 @@ ACCEPT - - tcp 135,139,445
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>Shorewall provides common actions for the REJECT and DROP policies.
|
<para>Shorewall provides default actions for the REJECT and DROP policies.
|
||||||
The common action for REJECT is named <firstterm>Reject</firstterm> and
|
The default action for REJECT is named <firstterm>Reject</firstterm> and
|
||||||
the common action for DROP is named <firstterm>Drop</firstterm>. These
|
the default action for DROP is named <firstterm>Drop</firstterm>. These
|
||||||
associations are made through two entries in
|
associations are made through two entries in
|
||||||
/usr/share/shorewall/actions.std:</para>
|
/usr/share/shorewall/actions.std:</para>
|
||||||
|
|
||||||
<programlisting>Drop:DROP #Common Action for DROP policy
|
<programlisting>Drop:DROP #Default Action for DROP policy
|
||||||
Reject:REJECT #Common Action for REJECT policy</programlisting>
|
Reject:REJECT #Default Action for REJECT policy</programlisting>
|
||||||
|
|
||||||
<para>These may be overridden by entries in your /etc/shorewall/actions
|
<para>These may be overridden by entries in your /etc/shorewall/actions
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Entries in the DROP and REJECT common actions <emphasis
|
<para>Entries in the DROP and REJECT default actions <emphasis
|
||||||
role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
|
role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
|
||||||
Remember — common actions are only invoked immediately before the packet
|
Remember — default actions are only invoked immediately before the
|
||||||
is going to be dropped or rejected anyway!!!</para>
|
packet is going to be dropped or rejected anyway!!!</para>
|
||||||
</warning>
|
</warning>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
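Review bot: the `<programlisting>` quoting /usr/share/shorewall/actions.std now shows the comment `#Default Action for DROP policy`, so the shipped actions.std file must carry the same comment text or the documentation will no longer match what users see in that file; actions.std itself is not part of this diff, so please confirm it was updated in the same change. Separately, the warning's "dropped or rejected anyway!!!" could lose two exclamation marks; the bold "ARE NOT THE CAUSE OF CONNECTION PROBLEMS" already carries the emphasis.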
@ -180,8 +180,8 @@ Reject:REJECT #Common Action for REJECT policy</programlisting>
|
|||||||
|
|
||||||
<para>The name of the action may be optionally followed by a colon
|
<para>The name of the action may be optionally followed by a colon
|
||||||
(<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
|
(<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
|
||||||
named action will become the <emphasis>common action </emphasis>for
|
named action will become the <emphasis>default action </emphasis>for
|
||||||
policies of type ACCEPT, DROP or REJECT respectively. The common
|
policies of type ACCEPT, DROP or REJECT respectively. The default
|
||||||
action is applied immediately before the policy is enforced (before
|
action is applied immediately before the policy is enforced (before
|
||||||
any logging is done under that policy) and is used mainly to suppress
|
any logging is done under that policy) and is used mainly to suppress
|
||||||
logging of uninteresting traffic which would otherwise clog your logs.
|
logging of uninteresting traffic which would otherwise clog your logs.
|
||||||
|
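Review bot: `<emphasis>default action </emphasis>for` places the trailing space inside the emphasis element, so the rendered emphasised run ends in a space; write `<emphasis>default action</emphasis> for` instead. The old side has the same markup, so this is pre-existing, but the line is being rewritten for the rename anyway.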
@ -64,8 +64,8 @@
|
|||||||
<para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
|
<para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
|
||||||
be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
|
be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
|
||||||
or REJECT. When this is done, the named action will become the
|
or REJECT. When this is done, the named action will become the
|
||||||
<emphasis>common action </emphasis>for policies of type ACCEPT, DROP
|
<emphasis>default action </emphasis>for policies of type ACCEPT, DROP
|
||||||
or REJECT respectively. The common action is applied immediately
|
or REJECT respectively. The default action is applied immediately
|
||||||
before the policy is enforced (before any logging is done under that
|
before the policy is enforced (before any logging is done under that
|
||||||
policy) and is used mainly to suppress logging of uninteresting
|
policy) and is used mainly to suppress logging of uninteresting
|
||||||
traffic which would otherwise clog your logs. The same policy name can
|
traffic which would otherwise clog your logs. The same policy name can
|
||||||
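Review bot: the trailing space in `<emphasis>default action </emphasis>for` belongs outside the element (`<emphasis>default action</emphasis> for`). This paragraph is otherwise a near-verbatim copy of the one in the hunk above it, differing only in the "Beginning with Shorewall-2.0.0-Beta1" lead, which is why the rename had to be applied twice; keeping one copy and pointing at it would stop the two from drifting apart in later edits.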
@ -397,7 +397,7 @@ AllowFTP loc $FW</programlisting>
|
|||||||
class="directory">/etc/shorewall and modify</filename> it to suit your
|
class="directory">/etc/shorewall and modify</filename> it to suit your
|
||||||
needs. The next <command>shorewall restart</command> will cause your
|
needs. The next <command>shorewall restart</command> will cause your
|
||||||
action to be installed in place of the standard one. In particular, if you
|
action to be installed in place of the standard one. In particular, if you
|
||||||
want to modify the common actions <quote>Drop</quote> or
|
want to modify the default actions <quote>Drop</quote> or
|
||||||
<quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
|
<quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
|
||||||
<filename>Action.Reject</filename> to <filename
|
<filename>Action.Reject</filename> to <filename
|
||||||
class="directory">/etc/shorewall</filename> and modify that copy as
|
class="directory">/etc/shorewall</filename> and modify that copy as
|
||||||
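Review bot: two filename problems survive this hunk unchanged. `<filename class="directory">/etc/shorewall and modify</filename>` wraps the words "and modify" inside the filename element; it should be `<filename class="directory">/etc/shorewall</filename> and modify`, as the same phrase is marked up correctly a few lines further down. And `<filename>Action.Reject</filename>` is capitalised while its sibling is `<filename>action.Drop</filename>` and the earlier hunk documents these as `action.*` files; on a case-sensitive filesystem a reader copying `Action.Reject` will not find the file, so change it to `action.Reject`.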
@ -415,22 +415,22 @@ AllowFTP loc $FW</programlisting>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Common">
|
<section id="Common">
|
||||||
<title>Common Actions</title>
|
<title>Default Actions (Formerly Common Actions)</title>
|
||||||
|
|
||||||
<para>Also beginning with Shorewall version 2.2.0-Beta1, when an ACCEPT,
|
<para>Also beginning with Shorewall version 2.2.0-Beta1, when an ACCEPT,
|
||||||
DROP or REJECT policy is about to be enforced, a <firstterm>common
|
DROP or REJECT policy is about to be enforced, a <firstterm>default
|
||||||
action</firstterm> can first be invoked. In /etc/shorewall/actions.std are
|
action</firstterm> can first be invoked. In /etc/shorewall/actions.std are
|
||||||
found these two entries:</para>
|
found these two entries:</para>
|
||||||
|
|
||||||
<programlisting>Drop:DROP #Common Action for DROP policy
|
<programlisting>Drop:DROP #Default Action for DROP policy
|
||||||
Reject:REJECT #Common Action for REJECT policy</programlisting>
|
Reject:REJECT #Default Action for REJECT policy</programlisting>
|
||||||
|
|
||||||
<para>These entries designate the action named <firstterm>Drop</firstterm>
|
<para>These entries designate the action named <firstterm>Drop</firstterm>
|
||||||
as the common action for DROP policies and the common action
|
as the default action for DROP policies and the default action
|
||||||
<firstterm>Reject</firstterm> as the common action for REJECT
|
<firstterm>Reject</firstterm> as the default action for REJECT
|
||||||
policies.</para>
|
policies.</para>
|
||||||
|
|
||||||
<para>The purpose of common actions is:</para>
|
<para>The purpose of default actions is:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
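Review bot: this section says the two entries are found "In /etc/shorewall/actions.std", while the document changed earlier in this commit quotes the same two lines from /usr/share/shorewall/actions.std and says they "may be overridden by entries in your /etc/shorewall/actions file". The two documents disagree on where the shipped defaults live; please align them on the correct path. Keeping `id="Common"` on the retitled section is the right call, since external links to Actions.html#Common would otherwise break.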
@ -448,7 +448,7 @@ Reject:REJECT #Common Action for REJECT policy</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>It should be stressed that <emphasis role="bold">the common actions
|
<para>It should be stressed that <emphasis role="bold">the default actions
|
||||||
do not cause any traffic to be dropped or rejected that isn't about to be
|
do not cause any traffic to be dropped or rejected that isn't about to be
|
||||||
dropped or rejected anyway</emphasis> (remember that these actions are
|
dropped or rejected anyway</emphasis> (remember that these actions are
|
||||||
invoked just before the connection request is going to be dropped or
|
invoked just before the connection request is going to be dropped or
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
<!--$Id$-->
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Extension Scripts and Common Actions</title>
|
<title>Extension Scripts and Default Actions</title>
|
||||||
|
|
||||||
<authorgroup>
|
<authorgroup>
|
||||||
<author>
|
<author>
|
||||||
@ -101,7 +101,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>refresh -- invoked while the firewall is being refreshed but
|
<para>refresh -- invoked while the firewall is being refreshed but
|
||||||
before the common and/or blacklst chains have been rebuilt.</para>
|
before the blacklst chains have been rebuilt.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
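Review bot: this hunk does more than rename. The old text said refresh runs "before the common and/or blacklst chains have been rebuilt"; the new text drops the common chain entirely rather than renaming it, so either refresh no longer rebuilds that chain (a behaviour change the commit message "Change 'Common Action' to 'Default Action'" does not mention) or the sentence now omits one of the chains it should list. Please state which. Also, "the blacklst chains" should become singular, "the blacklst chain", now that only one chain is named.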
@ -274,11 +274,11 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>You can also define a <emphasis>common action</emphasis> to be
|
<para>You can also define a <emphasis>default action</emphasis> to be
|
||||||
performed immediately before a policy of ACCEPT, DROP or REJECT is applied.
|
performed immediately before a policy of ACCEPT, DROP or REJECT is applied.
|
||||||
Separate <ulink url="Actions.html">actions</ulink> can be assigned to each
|
Separate <ulink url="Actions.html">actions</ulink> can be assigned to each
|
||||||
policy type so for example you can have a different common action for DROP
|
policy type so for example you can have a different default action for DROP
|
||||||
and REJECT policies. The most common usage of common actions is to silently
|
and REJECT policies. The most common usage of default actions is to silently
|
||||||
drop traffic that you don't wish to have logged by the policy.</para>
|
drop traffic that you don't wish to have logged by the policy.</para>
|
||||||
|
|
||||||
<para>As released, Shorewall defines a number of actions which are cataloged
|
<para>As released, Shorewall defines a number of actions which are cataloged
|
||||||
@ -297,7 +297,7 @@ Reject:REJECT</programlisting>
|
|||||||
|
|
||||||
<para>You can override these defaults with entries in your
|
<para>You can override these defaults with entries in your
|
||||||
/etc/shorewall/actions file. For example, if that file were to contain
|
/etc/shorewall/actions file. For example, if that file were to contain
|
||||||
<quote>MyDrop:DROP</quote> then the common action for DROP policies would
|
<quote>MyDrop:DROP</quote> then the default action for DROP policies would
|
||||||
become <quote>MyDrop</quote>.</para>
|
become <quote>MyDrop</quote>.</para>
|
||||||
|
|
||||||
<para>One final note. The chain created to perform an action has the same
|
<para>One final note. The chain created to perform an action has the same
|
||||||
|
@ -258,7 +258,7 @@ dmz ipv4</programlisting>
|
|||||||
If no rule in that file matches the connection request then the first
|
If no rule in that file matches the connection request then the first
|
||||||
policy in <filename>/etc/shorewall/policy</filename> that matches the
|
policy in <filename>/etc/shorewall/policy</filename> that matches the
|
||||||
request is applied after the request is passed to the appropriate <ulink
|
request is applied after the request is passed to the appropriate <ulink
|
||||||
url="Actions.html">common action</ulink> (if any).</para>
|
url="Actions.html">default action</ulink> (if any).</para>
|
||||||
|
|
||||||
<para>Prior to Shorewall 2.2.0, the default
|
<para>Prior to Shorewall 2.2.0, the default
|
||||||
<filename>/etc/shorewall/policy</filename> file had the following
|
<filename>/etc/shorewall/policy</filename> file had the following
|
||||||
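Review bot: after the rename, "default" is used in two senses within a few lines of each other: the `<ulink url="Actions.html">default action</ulink>` that runs before a policy is applied, and "the default /etc/shorewall/policy file" meaning the file as shipped. Consider rewording the second ("the /etc/shorewall/policy file as released", or similar) so readers do not connect it with default actions.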
@ -947,7 +947,7 @@ loc eth2 detect</programlisting>
|
|||||||
netmask 255.255.255.248.</para>
|
netmask 255.255.255.248.</para>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para> /sbin/shorewall supports an ipcalc command that automatically
|
<para>/sbin/shorewall supports an ipcalc command that automatically
|
||||||
calculates information about a [sub]network.</para>
|
calculates information about a [sub]network.</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
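Review bot: the only change in this hunk is the removal of the stray space in `<para> /sbin/shorewall`, which is unrelated to the Common-to-Default rename the commit message describes; fine to carry along, but while the line is being touched, mark up `ipcalc` as `<command>ipcalc</command>` to match the `<command>shorewall restart</command>` convention used elsewhere in these documents.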