forked from extern/shorewall_code
Update action.template for 4.4.16
This commit is contained in:
parent
94faafd662
commit
6506fe8cb7
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall6 version 4 - Action Template
|
||||
# Shorewall version 4 - Action Template
|
||||
#
|
||||
# /etc/shorewall6/action.template
|
||||
#
|
||||
@ -16,157 +16,11 @@
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are:
|
||||
# Columns are the same as in /etc/shorewall6/rules.
|
||||
#
|
||||
#
|
||||
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro>
|
||||
# or a previously-defined <action>
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as p2pwall.
|
||||
# CONTINUE -- Stop processing this action and
|
||||
# return to the point where the
|
||||
# action was invoked.
|
||||
# <action> -- An <action> defined in
|
||||
# /etc/shorewall/actions.
|
||||
# The <action> must appear in that
|
||||
# file BEFORE the one being defined
|
||||
# in this file.
|
||||
# <macro> -- The name of a macro defined in a
|
||||
# file named macro.<macro-name>. If
|
||||
# the macro accepts an action
|
||||
# parameter (Look at the macro
|
||||
# source to see if it has PARAM in
|
||||
# the TARGET column) then the macro
|
||||
# name is followed by "/" and the
|
||||
# action (ACCEPT, DROP, REJECT, ...)
|
||||
# to be substituted for the
|
||||
# parameter. Example: FTP/ACCEPT.
|
||||
#
|
||||
# The TARGET may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# ACCEPT:debugging). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# The special log level 'none' does not result in logging
|
||||
# but rather exempts the rule from being overridden by a
|
||||
# non-forcing log level when the action is invoked.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Actions specifying logging may be followed by a
|
||||
# log tag (a string of alphanumeric characters)
|
||||
# are appended to the string generated by the
|
||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||
#
|
||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||
# at the end of the log prefix generated by the
|
||||
# LOGPREFIX setting.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies.
|
||||
# A comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# name. For example, eth1 specifies a
|
||||
# client that communicates with the firewall system
|
||||
# through eth1. This may be optionally followed by
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# enclosed in square brackets.
|
||||
#
|
||||
# DEST Location of destination host. Same as above with
|
||||
# the exception that MAC addresses are not allowed and
|
||||
# that you cannot specify an ipset name in both the
|
||||
# SOURCE and DEST columns.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
|
||||
# "ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
|
||||
# "ipp2p*" requires ipp2p match support in your kernel
|
||||
# and ip6tables.
|
||||
#
|
||||
# "tcp:syn" implies "tcp" plus the SYN flag must be
|
||||
# set and the RST, ACK and FIN flags must be reset.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following fields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the CLIENT PORT(S) list below:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the DEST PORT(S) list above:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this column:
|
||||
#
|
||||
# <rate>/<interval>[:<burst>]
|
||||
#
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
#
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
FORMAT 2
|
||||
####################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
Loading…
Reference in New Issue
Block a user