mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-27 10:03:41 +01:00
b66929a65e
1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
180 lines
6.4 KiB
Plaintext
180 lines
6.4 KiB
Plaintext
#
|
|
# Shorewall 2.6 /etc/shorewall/action.template
|
|
#
|
|
# This file is a template for files with names of the form
|
|
# /etc/shorewall/action.<action-name> where <action> is an
|
|
# ACTION defined in /etc/shorewall/actions.
|
|
#
|
|
# To define a new action:
|
|
#
|
|
# 1. Add the <action name> to /etc/shorewall/actions
|
|
# 2. Copy this file to /etc/shorewall/action.<action name>
|
|
# 3. Add the desired rules to that file.
|
|
#
|
|
# Please see http://shorewall.net/Actions.html for additional
|
|
# information.
|
|
#
|
|
# Columns are:
|
|
#
|
|
#
|
|
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
|
|
# previously-defined <action>
|
|
#
|
|
# ACCEPT -- allow the connection request
|
|
# DROP -- ignore the request
|
|
# REJECT -- disallow the request and return an
|
|
# icmp-unreachable or an RST packet.
|
|
# LOG -- Simply log the packet and continue.
|
|
# QUEUE -- Queue the packet to a user-space
|
|
# application such as p2pwall.
|
|
# CONTINUE -- Discontinue processing this action
|
|
# and return to the point where the
|
|
# action was invoked.
|
|
# <action> -- An <action> defined in
|
|
# /etc/shorewall/actions. The <action>
|
|
# must appear in that file BEFORE the
|
|
# one being defined in this file.
|
|
#
|
|
# The TARGET may optionally be followed
|
|
# by ":" and a syslog log level (e.g, REJECT:info or
|
|
# ACCEPT:debugging). This causes the packet to be
|
|
# logged at the specified level.
|
|
#
|
|
# The special log level 'none' does not result in logging
|
|
# but rather exempts the rule from being overridden by a
|
|
# non-forcing log level when the action is invoked.
|
|
#
|
|
# You may also specify ULOG (must be in upper case) as a
|
|
# log level.This will log to the ULOG target for routing
|
|
# to a separate log through use of ulogd
|
|
# (http://www.gnumonks.org/projects/ulogd).
|
|
#
|
|
# Actions specifying logging may be followed by a
|
|
# log tag (a string of alphanumeric characters)
|
|
# are appended to the string generated by the
|
|
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
|
#
|
|
# Example: ACCEPT:info:ftp would include 'ftp '
|
|
# at the end of the log prefix generated by the
|
|
# LOGPREFIX setting.
|
|
#
|
|
# SOURCE Source hosts to which the rule applies.
|
|
# A comma-separated list of subnets
|
|
# and/or hosts. Hosts may be specified by IP or MAC
|
|
# address; mac addresses must begin with "~" and must use
|
|
# "-" as a separator.
|
|
#
|
|
# 192.168.2.2 Host 192.168.2.2
|
|
#
|
|
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
|
#
|
|
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
|
|
# kernel and iptables must have
|
|
# iprange match support.
|
|
#
|
|
# +remote The name of an ipset prefaced
|
|
# by "+". Your kernel and
|
|
# iptables must have set match
|
|
# support
|
|
#
|
|
# +remote[4] The name of the ipset may
|
|
# followed by a number of
|
|
# levels of ipset bindings
|
|
# enclosed in square brackets.
|
|
#
|
|
# 192.168.1.1,192.168.1.2
|
|
# Hosts 192.168.1.1 and
|
|
# 192.168.1.2.
|
|
# ~00-A0-C9-15-39-78 Host with
|
|
# MAC address 00:A0:C9:15:39:78.
|
|
#
|
|
# Alternatively, clients may be specified by interface
|
|
# name. For example, eth1 specifies a
|
|
# client that communicates with the firewall system
|
|
# through eth1. This may be optionally followed by
|
|
# another colon (":") and an IP/MAC/subnet address
|
|
# as described above (e.g., eth1:192.168.1.5).
|
|
#
|
|
# DEST Location of destination host. Same as above with the exception that
|
|
# MAC addresses are not allowed and that you cannot specify
|
|
# an ipset name in both the SOURCE and DEST columns.
|
|
#
|
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
|
# "all".
|
|
#
|
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
|
# names (from /etc/services), port numbers or port
|
|
# ranges; if the protocol is "icmp", this column is
|
|
# interpreted as the destination icmp-type(s).
|
|
#
|
|
# A port range is expressed as <low port>:<high port>.
|
|
#
|
|
# This column is ignored if PROTOCOL = all but must be
|
|
# entered if any of the following fields are supplied.
|
|
# In that case, it is suggested that this field contain
|
|
# "-"
|
|
#
|
|
# If your kernel contains multi-port match support, then
|
|
# only a single Netfilter rule will be generated if in
|
|
# this list and the CLIENT PORT(S) list below:
|
|
# 1. There are 15 or less ports listed.
|
|
# 2. No port ranges are included.
|
|
# Otherwise, a separate rule will be generated for each
|
|
# port.
|
|
#
|
|
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
|
|
# any source port is acceptable. Specified as a comma-
|
|
# separated list of port names, port numbers or port
|
|
# ranges.
|
|
#
|
|
# If you don't want to restrict client ports but need to
|
|
# specify an ADDRESS in the next column, then place "-"
|
|
# in this column.
|
|
#
|
|
# If your kernel contains multi-port match support, then
|
|
# only a single Netfilter rule will be generated if in
|
|
# this list and the DEST PORT(S) list above:
|
|
# 1. There are 15 or less ports listed.
|
|
# 2. No port ranges are included.
|
|
# Otherwise, a separate rule will be generated for each
|
|
# port.
|
|
#
|
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
|
# this column:
|
|
#
|
|
# <rate>/<interval>[:<burst>]
|
|
#
|
|
# where <rate> is the number of connections per
|
|
# <interval> ("sec" or "min") and <burst> is the
|
|
# largest burst permitted. If no <burst> is given,
|
|
# a value of 5 is assumed. There may be no
|
|
# no whitespace embedded in the specification.
|
|
#
|
|
# Example: 10/sec:20
|
|
#
|
|
# USER/GROUP This column may only be non-empty if the SOURCE is
|
|
# the firewall itself.
|
|
#
|
|
# The column may contain:
|
|
#
|
|
# [!][<user name or number>][:<group name or number>][+<program name>]
|
|
#
|
|
# When this column is non-empty, the rule applies only
|
|
# if the program generating the output is running under
|
|
# the effective <user> and/or <group> specified (or is
|
|
# NOT running under that id if "!" is given).
|
|
#
|
|
# Examples:
|
|
#
|
|
# joe #program must be run by joe
|
|
# :kids #program must be run by a member of
|
|
# #the 'kids' group
|
|
# !:kids #program must not be run by a member
|
|
# #of the 'kids' group
|
|
# +upnpd #program named upnpd
|
|
#
|
|
######################################################################################
|
|
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
|
# PORT PORT(S) LIMIT GROUP
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|