# # Shorewall version 3.0 - Action Template # # /etc/shorewall/action.template # # This file is a template for files with names of the form # /etc/shorewall/action. where is an # ACTION defined in /etc/shorewall/actions. # # To define a new action: # # 1. Add the to /etc/shorewall/actions # 2. Copy this file to /etc/shorewall/action. # 3. Add the desired rules to that file. # # Please see http://shorewall.net/Actions.html for additional # information. # # Columns are: # # # TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUEa # or a previously-defined # # ACCEPT -- allow the connection request # DROP -- ignore the request # REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. # LOG -- Simply log the packet and continue. # QUEUE -- Queue the packet to a user-space # application such as p2pwall. # CONTINUE -- Discontinue processing this action # and return to the point where the # action was invoked. # -- An defined in # /etc/shorewall/actions. # The must appear in that # file BEFORE the one being defined # in this file. # -- The name of a macro defined in a # file named macro.. If # the macro accepts an action # parameter (Look at the macro # source to see if it has PARAM in # the TARGET column) then the macro # name is followed by "/" and the # action (ACCEPT, DROP, REJECT, ...) # to be substituted for the # parameter. Example: FTP/ACCEPT. # # The TARGET may optionally be followed # by ":" and a syslog log level (e.g, REJECT:info or # ACCEPT:debugging). This causes the packet to be # logged at the specified level. # # The special log level 'none' does not result in logging # but rather exempts the rule from being overridden by a # non-forcing log level when the action is invoked. # # You may also specify ULOG (must be in upper case) as a # log level.This will log to the ULOG target for routing # to a separate log through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # # Actions specifying logging may be followed by a # log tag (a string of alphanumeric characters) # are appended to the string generated by the # LOGPREFIX (in /etc/shorewall/shorewall.conf). # # Example: ACCEPT:info:ftp would include 'ftp ' # at the end of the log prefix generated by the # LOGPREFIX setting. # # SOURCE Source hosts to which the rule applies. # A comma-separated list of subnets # and/or hosts. Hosts may be specified by IP or MAC # address; mac addresses must begin with "~" and must use # "-" as a separator. # # 192.168.2.2 Host 192.168.2.2 # # 155.186.235.0/24 Subnet 155.186.235.0/24 # # 10.0.0.4-10.0.0.9 Range of IP addresses; your # kernel and iptables must have # iprange match support. # # +remote The name of an ipset prefaced # by "+". Your kernel and # iptables must have set match # support # # +remote[4] The name of the ipset may # followed by a number of # levels of ipset bindings # enclosed in square brackets. # # 192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and # 192.168.1.2. # ~00-A0-C9-15-39-78 Host with # MAC address 00:A0:C9:15:39:78. # # Alternatively, clients may be specified by interface # name. For example, eth1 specifies a # client that communicates with the firewall system # through eth1. This may be optionally followed by # another colon (":") and an IP/MAC/subnet address # as described above (e.g., eth1:192.168.1.5). # # DEST Location of destination host. Same as above with # the exception that MAC addresses are not allowed and # that you cannot specify an ipset name in both the # SOURCE and DEST columns. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # "all". # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # # A port range is expressed as :. # # This column is ignored if PROTOCOL = all but must be # entered if any of the following fields are supplied. # In that case, it is suggested that this field contain # "-" # # If your kernel contains multi-port match support, then # only a single Netfilter rule will be generated if in # this list and the CLIENT PORT(S) list below: # 1. There are 15 or less ports listed. # 2. No port ranges are included. # Otherwise, a separate rule will be generated for each # port. # # SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. # # If you don't want to restrict client ports but need to # specify an ADDRESS in the next column, then place "-" # in this column. # # If your kernel contains multi-port match support, then # only a single Netfilter rule will be generated if in # this list and the DEST PORT(S) list above: # 1. There are 15 or less ports listed. # 2. No port ranges are included. # Otherwise, a separate rule will be generated for each # port. # # RATE LIMIT You may rate-limit the rule by placing a value in # this column: # # /[:] # # where is the number of connections per # ("sec" or "min") and is the # largest burst permitted. If no is given, # a value of 5 is assumed. There may be no # no whitespace embedded in the specification. # # Example: 10/sec:20 # # USER/GROUP This column may only be non-empty if the SOURCE is # the firewall itself. # # The column may contain: # # [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under # the effective and/or specified (or is # NOT running under that id if "!" is given). # # Examples: # # joe #program must be run by joe # :kids #program must be run by a member of # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group # +upnpd #program named upnpd (This feature was # #removed from Netfilter in kernel # #version 2.6.14). # ############################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE