forked from extern/shorewall_code
118 lines
4.9 KiB
HTML
118 lines
4.9 KiB
HTML
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
|
<html>
|
||
|
|
<head>
|
||
|
|
<meta http-equiv="content-type"
|
||
|
|
content="text/html; charset=ISO-8859-1">
|
||
|
|
<title>User-defined Actions</title>
|
||
|
|
<meta name="author" content="Tom EAstep">
|
||
|
|
</head>
|
||
|
|
<body>
|
||
|
|
<h1 style="text-align: center;">User-defined Actions</h1>
|
||
|
|
<br>
|
||
|
|
Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were
|
||
|
|
limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
|
||
|
|
Beginning with Shorewall version 1.4.9, users may use sequences of
|
||
|
|
these elementary operations to define more complex actions.<br>
|
||
|
|
<br>
|
||
|
|
To define a new action:<br>
|
||
|
|
<ol>
|
||
|
|
<li>Add a line to /etc/shorewall/actions that names your new action.
|
||
|
|
Action names must be valid shell variable names as well as valid
|
||
|
|
Netfilter chain names. It is recommended that the name you select for a
|
||
|
|
new action begins with with a capital letter; that way, the name won't
|
||
|
|
conflict with a Shorewall-defined chain name.<br>
|
||
|
|
</li>
|
||
|
|
<li>Once you have defined your new action name (ActionName), then
|
||
|
|
copy /etc/shorewall/action.template to /etc/shorewall/action.ActionName
|
||
|
|
(for example, if your new action name is "Foo" then copy
|
||
|
|
/etc/shorewall/action.template to /etc/shorewall/action.foo).</li>
|
||
|
|
<li>Now modify the new file to define the new action.</li>
|
||
|
|
</ol>
|
||
|
|
Columns in the action.template file are as follows.<br>
|
||
|
|
<br>
|
||
|
|
<ul>
|
||
|
|
<li>TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or
|
||
|
|
<action> where <action> is a previously-defined action. The
|
||
|
|
TARGET may optionally be followed by a colon (":") and a syslog log
|
||
|
|
level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to
|
||
|
|
be logged at the specified level. You may also specify ULOG (must be in
|
||
|
|
upper case) as a log level.This will log to the ULOG target for routing
|
||
|
|
to a separate log through use of ulogd
|
||
|
|
(http://www.gnumonks.org/projects/ulogd).<br>
|
||
|
|
<br>
|
||
|
|
</li>
|
||
|
|
<li>SOURCE - Source hosts to which the rule applies. A
|
||
|
|
comma-separated list of subnets and/or hosts. Hosts may be specified by
|
||
|
|
IP or MAC address; mac addresses must begin with "~" and must use "-"
|
||
|
|
as a separator.<br>
|
||
|
|
<br>
|
||
|
|
Alternatively, clients may be specified by interface name. For example,
|
||
|
|
eth1 specifies a client that communicates with the firewall system
|
||
|
|
through eth1. This may be optionally followed by another colon (":")
|
||
|
|
and an IP/MAC/subnet address as described above (e.g.,
|
||
|
|
eth1:192.168.1.5).<br>
|
||
|
|
<br>
|
||
|
|
</li>
|
||
|
|
<li>DEST - Location of Server. Same as above with the exception that
|
||
|
|
MAC addresses are not allowed.<br>
|
||
|
|
<br>
|
||
|
|
Unlike in the SOURCE column, you may specify a range of up to 256 IP
|
||
|
|
addresses using the syntax <<span style="font-style: italic;">first
|
||
|
|
ip</span>>-<<span style="font-style: italic;">last ip</span>>.<br>
|
||
|
|
<br>
|
||
|
|
</li>
|
||
|
|
<li>PROTO - Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||
|
|
"all".<br>
|
||
|
|
<br>
|
||
|
|
</li>
|
||
|
|
<li>DEST PORT(S) - Destination Ports. A comma-separated list of Port
|
||
|
|
names (from /etc/services), port numbers or port ranges; if the
|
||
|
|
protocol is "icmp", this column is interpreted as the destination
|
||
|
|
icmp-type(s).<br>
|
||
|
|
<br>
|
||
|
|
A port range is expressed as <<span style="font-style: italic;">low
|
||
|
|
port</span>>:<<span style="font-style: italic;">high port</span>>.<br>
|
||
|
|
<br>
|
||
|
|
This column is ignored if PROTOCOL = all but must be entered if any of
|
||
|
|
the following ields are supplied. In that case, it is suggested that
|
||
|
|
this field contain "-".<br>
|
||
|
|
<br>
|
||
|
|
If your kernel contains multi-port match support, then only a single
|
||
|
|
Netfilter rule will be generated if in this list and the CLIENT PORT(S)
|
||
|
|
list below:<br>
|
||
|
|
1. There are 15 or less ports listed.<br>
|
||
|
|
2. No port ranges are included.<br>
|
||
|
|
Otherwise, a separate rule will be generated for each port.<br>
|
||
|
|
<br>
|
||
|
|
</li>
|
||
|
|
<li>RATE LIMIT - You may rate-limit the rule by placing a value in
|
||
|
|
this columN:<br>
|
||
|
|
<br>
|
||
|
|
|
||
|
|
<rate>/<interval>[:<burst>]<br>
|
||
|
|
<br>
|
||
|
|
where <rate> is the number of connections per <interval>
|
||
|
|
("sec" or "min") and <burst> is the largest burst permitted. If
|
||
|
|
no <burst> is given, a value of 5 is assumed. There may be no
|
||
|
|
whitespace embedded in the specification.<br>
|
||
|
|
<br>
|
||
|
|
|
||
|
|
Example: 10/sec:20</li>
|
||
|
|
</ul>
|
||
|
|
Example:<br>
|
||
|
|
<br>
|
||
|
|
/etc/shorewall/actions:<br>
|
||
|
|
<br>
|
||
|
|
LogAndAccept<br>
|
||
|
|
<br>
|
||
|
|
/etc/shorewall/action.LogAndAccept<br>
|
||
|
|
<br>
|
||
|
|
LOG:info<br>
|
||
|
|
ACCEPT<br>
|
||
|
|
<p align="left"><font size="2">Last Updated 12/09/2003 - <a
|
||
|
|
href="file:///Z:/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
|
||
|
|
<a href="file:///Z:/Shorewall-docs/copyright.htm"><font size="2">Copyright</font>
|
||
|
|
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||
|
|
</body>
|
||
|
|
</html>
|