Add default action example

This commit is contained in:
Tom Eastep 2011-05-22 08:02:23 -07:00
parent b844fc3107
commit 57d276f0b3


@ -137,7 +137,7 @@
application of the policy to be audited. Only ACCEPT, DROP and REJECT application of the policy to be audited. Only ACCEPT, DROP and REJECT
policies may be audited.</para> policies may be audited.</para>
<para>Example: </para> <para>Example:</para>
<programlisting>#SOURCE DEST POLICY LOG <programlisting>#SOURCE DEST POLICY LOG
# LEVEL # LEVEL
@ -148,8 +148,8 @@ net fw DROP:audit</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para> Three new builtin targets that may be used in the rules file, <para>Three new builtin targets that may be used in the rules file, in
in macros and in other actions.</para> macros and in other actions.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -166,7 +166,7 @@ net fw DROP:audit</programlisting>
</itemizedlist> </itemizedlist>
<para>A log level may be supplied with these actions to provide both <para>A log level may be supplied with these actions to provide both
auditing and logging. </para> auditing and logging.</para>
<para>Example:</para> <para>Example:</para>
@ -189,7 +189,7 @@ A_ACCEPT:info loc net ...</programlisting>
</row> </row>
<row> <row>
<entry>MACLIST_DISPOSITION </entry> <entry>MACLIST_DISPOSITION</entry>
<entry>A_DROP, A_REJECT unless MACLIST_TABLE=mangle</entry> <entry>A_DROP, A_REJECT unless MACLIST_TABLE=mangle</entry>
</row> </row>
@ -223,13 +223,56 @@ A_ACCEPT:info loc net ...</programlisting>
an 'audit' parameter which causes all ACCEPT, DROP and REJECTs an 'audit' parameter which causes all ACCEPT, DROP and REJECTs
performed by the action to be audited. This allows creation of audited performed by the action to be audited. This allows creation of audited
versions of the Shorewall-provided default actions (action.Drop and versions of the Shorewall-provided default actions (action.Drop and
action.Reject). </para> action.Reject).</para>
<note> <note>
<para> The builtin actions are those actions listed in the output of <para>The builtin actions are those actions listed in the output of
<command>shorewall show actions</command> whose names begin with a <command>shorewall show actions</command> whose names begin with a
lower-case letter.</para> lower-case letter.</para>
</note> </note>
<para>Here's a version of action.Drop that does auditing:</para>
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Count packets that come through here
#
COUNT
#
# Reject 'auth'
#
A_REJECT - - tcp
#
# Don't log broadcasts
#
dropBcast(audit)
#
# ACCEPT critical ICMP types
#
AudAllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid(audit)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
AudSMB(DROP)
AudDropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn(audit) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
A_DROP - - udp - 53</programlisting>
<para>The 'Aud...' macros would be auditing versions of their standard
macro counterparts (if you are interested in auditing those connection
types).</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
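Review bot: the `A_REJECT - - tcp` line under the "Reject 'auth'" comment carries no DPORT, so under the column layout given in the header (#TARGET SOURCE DEST PROTO DPORT SPORT) it audits and rejects every TCP packet that reaches the action, and the later `dropNotSyn(audit) - - tcp` line can never be reached; restrict it to the auth/ident port (TCP 113), e.g. `A_REJECT - - tcp 113`. Also, AudAllowICMPs, AudSMB(DROP) and AudDropUPnP are not added by this change, and the closing paragraph only says they "would be" auditing versions of the standard macros, so the example cannot be used as written; since the earlier hunk states that A_ACCEPT, A_DROP and A_REJECT may be used in macros, either ship those macros with the release or tell the reader which files to create themselves and what to substitute (for a macro that takes a target parameter, such as SMB(DROP), it may be enough to pass A_DROP as the parameter instead of writing a new macro).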