diff --git a/Shorewall-docs/User_defined_Actions.html b/Shorewall-docs/User_defined_Actions.html deleted file mode 100755 index 8a0ebb564..000000000 --- a/Shorewall-docs/User_defined_Actions.html +++ /dev/null @@ -1,117 +0,0 @@ - - - - - User-defined Actions - - - -

User-defined Actions

-
-Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were -limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). -Beginning with Shorewall version 1.4.9, users may use sequences of -these elementary operations to define more complex actions.
-
-To define a new action:
-
    -
  1. Add a line to /etc/shorewall/actions that names your new action. -Action names must be valid shell variable names as well as valid -Netfilter chain names. It is recommended that the name you select for a -new action begins with with a capital letter; that way, the name won't -conflict with a Shorewall-defined chain name.
    -
    2. -
  2. Once you have defined your new action name (ActionName), then -copy /etc/shorewall/action.template to /etc/shorewall/action.ActionName -(for example, if your new action name is "Foo" then copy -/etc/shorewall/action.template to /etc/shorewall/action.foo).
    3. -
  3. Now modify the new file to define the new action.
    4. -
-Columns in the action.template file are as follows.
-
- -Example:
-
-/etc/shorewall/actions:
-
-LogAndAccept
-
-/etc/shorewall/action.LogAndAccept
-
-LOG:info
-ACCEPT
-

Last Updated 12/09/2003 - Tom Eastep

-Copyright2001, 2002, 2003 Thomas M. Eastep.
- - diff --git a/Shorewall-docs/User_defined_Actions.xml b/Shorewall-docs/User_defined_Actions.xml new file mode 100755 index 000000000..25bd955c2 --- /dev/null +++ b/Shorewall-docs/User_defined_Actions.xml @@ -0,0 +1,162 @@ + + +
+ + + + User-defined Actions + + + + Tom + + Eastep + + + + 2003-12-09 + + + 2001 + + 2002 + + 2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. + + + + Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were + limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). + Beginning with Shorewall version 1.4.9, users may use sequences of these + elementary operations to define more complex actions. + + To define a new action: + + + + Add a line to /etc/shorewall/actions that names your new action. + Action names must be valid shell variable names as well as valid + Netfilter chain names. It is recommended that the name you select for a + new action begins with with a capital letter; that way, the name + won't conflict with a Shorewall-defined chain name. + + + + Once you have defined your new action name (ActionName), then copy + /etc/shorewall/action.template to /etc/shorewall/action.ActionName (for + example, if your new action name is "Foo" then copy + /etc/shorewall/action.template to /etc/shorewall/action.foo). + + + + Now modify the new file to define the new action. + + + + Columns in the action.template file are as follows: + + + + TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or + <action> where <action> is a previously-defined action. + The TARGET may optionally be followed by a colon (":") and a + syslog log level (e.g, REJECT:info or ACCEPT:debugging). This causes the + packet to be logged at the specified level. You may also specify ULOG + (must be in upper case) as a log level.This will log to the ULOG target + for routing to a separate log through use of ulogd + (http://www.gnumonks.org/projects/ulogd). + + + + SOURCE - Source hosts to which the rule applies. A comma-separated + list of subnets and/or hosts. Hosts may be specified by IP or MAC + address; mac addresses must begin with "~" and must use + "-" as a separator. + + Alternatively, clients may be specified by interface name. For + example, eth1 specifies a client that communicates with the firewall + system through eth1. This may be optionally followed by another colon + (":") and an IP/MAC/subnet address as described above (e.g., + eth1:192.168.1.5). + + + + DEST - Location of Server. Same as above with the exception that + MAC addresses are not allowed. + + Unlike in the SOURCE column, you may specify a range of up to 256 + IP addresses using the syntax <first ip>-<last ip>. + + + + + PROTO - Protocol - Must be "tcp", "udp", + "icmp", a number, or "all". + + + + DEST PORT(S) - Destination Ports. A comma-separated list of Port + names (from /etc/services), port numbers or port ranges; if the protocol + is "icmp", this column is interpreted as the destination + icmp-type(s). + + A port range is expressed as <low port>:<high + port>. + + This column is ignored if PROTOCOL = all but must be entered if + any of the following ields are supplied. In that case, it is suggested + that this field contain "-". + + If your kernel contains multi-port match support, then only a + single Netfilter rule will be generated if in this list and the CLIENT + PORT(S) list below: + + + + There are 15 or less ports listed. + + + + No port ranges are included. + + + + Otherwise, a separate rule will be generated for each port. + + + + RATE LIMIT - You may rate-limit the rule by placing a value in + this column: + + <rate>/<interval>[:<burst>]where + <rate> is the number of connections per <interval> + ("sec" or "min") and <burst> is the largest + burst permitted. If no <burst> is given, a value of 5 is + assumed. There may be no whitespace embedded in the specification. + + Example: 10/sec:20 + + + + Example: + + /etc/shorewall/actions: + + LogAndAccept/etc/shorewall/action.LogAndAccept LOG:info + ACCEPT + + +
\ No newline at end of file