diff --git a/Shorewall6/action.template b/Shorewall6/action.template
index f421e81b6..ff0fbadb2 100644
--- a/Shorewall6/action.template
+++ b/Shorewall6/action.template
@@ -1,5 +1,5 @@
 #
-# Shorewall6 version 4 - Action Template
+# Shorewall version 4 - Action Template
 #
 # /etc/shorewall6/action.template
 #
@@ -16,157 +16,11 @@
 # Please see http://shorewall.net/Actions.html for additional
 # information.
 #
-# Columns are:
+# Columns are the same as in /etc/shorewall6/rules.
 #
-#
-# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a
-# or a previously-defined
-#
-# ACCEPT -- allow the connection request
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as p2pwall.
-# CONTINUE -- Stop processing this action and
-# return to the point where the
-# action was invoked.
-# -- An defined in
-# /etc/shorewall/actions.
-# The must appear in that
-# file BEFORE the one being defined
-# in this file.
-# -- The name of a macro defined in a
-# file named macro.. If
-# the macro accepts an action
-# parameter (Look at the macro
-# source to see if it has PARAM in
-# the TARGET column) then the macro
-# name is followed by "/" and the
-# action (ACCEPT, DROP, REJECT, ...)
-# to be substituted for the
-# parameter. Example: FTP/ACCEPT.
-#
-# The TARGET may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# ACCEPT:debugging). This causes the packet to be
-# logged at the specified level.
-#
-# The special log level 'none' does not result in logging
-# but rather exempts the rule from being overridden by a
-# non-forcing log level when the action is invoked.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# Actions specifying logging may be followed by a
-# log tag (a string of alphanumeric characters)
-# are appended to the string generated by the
-# LOGPREFIX (in /etc/shorewall/shorewall.conf).
-#
-# Example: ACCEPT:info:ftp would include 'ftp '
-# at the end of the log prefix generated by the
-# LOGPREFIX setting.
-#
-# SOURCE Source hosts to which the rule applies.
-# A comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# Alternatively, clients may be specified by interface
-# name. For example, eth1 specifies a
-# client that communicates with the firewall system
-# through eth1. This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# enclosed in square brackets.
-#
-# DEST Location of destination host. Same as above with
-# the exception that MAC addresses are not allowed and
-# that you cannot specify an ipset name in both the
-# SOURCE and DEST columns.
-#
-# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
-# "ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
-# "ipp2p*" requires ipp2p match support in your kernel
-# and ip6tables.
-#
-# "tcp:syn" implies "tcp" plus the SYN flag must be
-# set and the RST, ACK and FIN flags must be reset.
-#
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# A port range is expressed as :.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following fields are supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the CLIENT PORT(S) list below:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the DEST PORT(S) list above:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this column:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# USER/GROUP This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# The column may contain:
-#
-# [!][][:][+]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#######################################################################################################
+# DO NOT REMOVE THE FOLLOWING LINE
+FORMAT 2
+####################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
+# PORT PORT(S) DEST LIMIT GROUP
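Review bot: The new `FORMAT 2` directive is left unexplained — the comment above it only says not to remove it, so someone copying this template into a new action file cannot tell what the line controls or what happens when it is absent. Since the wider column header added below it (MARK, CONNLIMIT, TIME, HEADERS) presumably only applies under that format, dropping the line would likely make the compiler read the file in a different column order, and a firewall rule whose columns are mis-read tends to fail quietly rather than with an error. Suggest widening the comment to something like `# DO NOT REMOVE THE FOLLOWING LINE -- FORMAT 2 selects the rules-file column layout shown in the header below`. The new pointer `# Columns are the same as in /etc/shorewall6/rules.` could also mention any ACTION-column differences from the rules file; the removed text documented CONTINUE, which is specific to actions, and that guidance is now gone without a forward reference.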