Tom Eastep 2003-01-29 2003-2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). Beginning with Shorewall version 1.4.9, users may use sequences of these elementary operations to define more complex actions. To define a new action: Add a line to /etc/shorewall/actions that names your new action. Action names must be valid shell variable names as well as valid Netfilter chain names. It is recommended that the name you select for a new action begins with with a capital letter; that way, the name won't conflict with a Shorewall-defined chain name. Once you have defined your new action name (ActionName), then copy /etc/shorewall/action.template to /etc/shorewall/action.ActionName (for example, if your new action name is Foo then copy /etc/shorewall/action.template to /etc/shorewall/action.Foo). Now modify the new file to define the new action. Columns in the action.template file are as follows: TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or <action> where <action> is a previously-defined action (that is, it must precede the action being defined in this file in your /etc/shorewall/actions file). The TARGET may optionally be followed by a colon (:) and a syslog log level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to be logged at the specified level. You may also specify ULOG (must be in upper case) as a log level.This will log to the ULOG target for routing to a separate log through use of ulogd (http://www.gnumonks.org/projects/ulogd). SOURCE - Source hosts to which the rule applies. A comma-separated list of subnets and/or hosts. Hosts may be specified by IP or MAC address; mac addresses must begin with ~ and must use - as a separator. Alternatively, clients may be specified by interface name. For example, eth1 specifies a client that communicates with the firewall system through eth1. This may be optionally followed by another colon (:) and an IP/MAC/subnet address as described above (e.g., eth1:192.168.1.5). DEST - Location of Server. Same as above with the exception that MAC addresses are not allowed. Unlike in the SOURCE column, you may specify a range of up to 256 IP addresses using the syntax <first ip>-<last ip>. PROTO - Protocol - Must be tcp, udp, icmp, a number, or all. DEST PORT(S) - Destination Ports. A comma-separated list of Port names (from /etc/services), port numbers or port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). A port range is expressed as <low port>:<high port>. This column is ignored if PROTOCOL = all but must be entered if any of the following ields are supplied. In that case, it is suggested that this field contain -. If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the CLIENT PORT(S) list below: There are 15 or less ports listed. No port ranges are included. Otherwise, a separate rule will be generated for each port. SOURCE PORT(S) - Port(s) used by the client. If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. If you don't want to restrict client ports but need to specify an ADDRESS in the next column, then place "-" in this column. If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the DEST PORT(S) list above: There are 15 or less ports listed. No port ranges are included. Otherwise, a separate rule will be generated for each port. RATE LIMIT - You may rate-limit the rule by placing a value in this column: <rate>/<interval>[:<burst>]where <rate> is the number of connections per <interval> (sec or min) and <burst> is the largest burst permitted. If no <burst> is given, a value of 5 is assumed. There may be no whitespace embedded in the specification. Example: 10/sec:20 Example: /etc/shorewall/actions: LogAndAccept/etc/shorewall/action.LogAndAccept LOG:info ACCEPT