forked from extern/shorewall_code
More action/macro documentation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
9ba8823011
commit
aba63d5c9b
@ -15,410 +15,7 @@
|
||||
# - All entries in a macro undergo substitution when the macro is
|
||||
# invoked in the rules file.
|
||||
#
|
||||
# - Macros used in action bodies may not invoke other macros.
|
||||
#
|
||||
# The columns in the file are the same as those in the action.template file but
|
||||
# have different restrictions:
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
# LOG, QUEUE, PARAM or an <action> name.
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# ACCEPT+ -- like ACCEPT but also excludes the
|
||||
# connection from any subsequent
|
||||
# DNAT[-] or REDIRECT[-] rules
|
||||
# NONAT -- Excludes the connection from any
|
||||
# subsequent DNAT[-] or REDIRECT[-]
|
||||
# rules but doesn't generate a rule
|
||||
# to accept the traffic.
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT- -- Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# SAME -- Similar to DNAT except that the
|
||||
# port may not be remapped and when
|
||||
# multiple server addresses are
|
||||
# listed, all requests from a given
|
||||
# remote system go to the same
|
||||
# server.
|
||||
# SAME- -- Advanced users only.
|
||||
# Like SAME but only generates the
|
||||
# NAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
# REDIRECT-
|
||||
# -- Advanced users only.
|
||||
# Like REDIRET but only generates the
|
||||
# REDIRECT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
#
|
||||
# CONTINUE -- (For experts only). Do not process
|
||||
# any of the following rules for this
|
||||
# (source zone,destination zone). If
|
||||
# The source and/or destination IP
|
||||
# address falls into a zone defined
|
||||
# later in /etc/shorewall/zones, this
|
||||
# connection request will be passed
|
||||
# to the rules defined for that
|
||||
# (those) zone(s).
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as ftwall
|
||||
# (http://p2pwall.sf.net).
|
||||
# PARAM -- If you code PARAM as the action in
|
||||
# a macro then when you invoke the
|
||||
# macro, you can include the name of
|
||||
# the macro followed by a slash ("/")
|
||||
# and an ACTION (either builtin or
|
||||
# user-defined. All instances of
|
||||
# PARAM in the body of the macro will
|
||||
# be replaced with the ACTION.
|
||||
# <action> -- The name of an action defined in
|
||||
# /usr/share/shorewall/actions.std or
|
||||
# in /etc/shorewall/actions.
|
||||
#
|
||||
# The ACTION may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# DNAT:debug). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Actions specifying logging may be followed by a
|
||||
# log tag (a string of alphanumeric characters)
|
||||
# are appended to the string generated by the
|
||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||
#
|
||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||
# at the end of the log prefix generated by the
|
||||
# LOGPREFIX setting.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, "all", "all+" or "none" If the ACTION
|
||||
# is DNAT or REDIRECT, sub-zones of the specified zone
|
||||
# may be excluded from the rule by following the zone
|
||||
# name with "!' and a comma-separated list of sub-zone
|
||||
# names.
|
||||
#
|
||||
# When "none" is used either in the SOURCE or DEST
|
||||
# column, the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. When "all+" is
|
||||
# used, intra-zone traffic is affected.
|
||||
#
|
||||
# Except when "all[+]" is specified, clients may be
|
||||
# further restricted to a list of subnets and/or hosts by
|
||||
# appending ":" and a comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# Hosts may be specified as an IP address range using the
|
||||
# syntax <low address>-<high address>. This requires that
|
||||
# your kernel and iptables contain iprange match support.
|
||||
# If you kernel and iptables have ipset match support
|
||||
# then you may give the name of an ipset prefaced by "+".
|
||||
# The ipset name may be optionally followed by a number
|
||||
# from 1 to 6 enclosed in square brackets ([]) to
|
||||
# indicate the number of levels of source bindings to be
|
||||
# matched.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||
# Internet
|
||||
#
|
||||
# loc:192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2 in the local zone.
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# net:192.0.2.11-192.0.2.17
|
||||
# Hosts 192.0.2.11-192.0.2.17 in
|
||||
# the net zone.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" to the zone name followed by the
|
||||
# interface name. For example, loc:eth1 specifies a
|
||||
# client that communicates with the firewall system
|
||||
# through eth1. This may be optionally followed by
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself, "all". "all+" or "none".
|
||||
#
|
||||
# When "none" is used either in the SOURCE or DEST
|
||||
# column, the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. When "all+" is
|
||||
# used, intra-zone traffic is affected.
|
||||
#
|
||||
# Except when "all[+]" is specified, the server may be
|
||||
# further restricted to a particular subnet, host or
|
||||
# interface by appending ":" and the subnet, host or
|
||||
# interface. See above.
|
||||
#
|
||||
# Restrictions:
|
||||
#
|
||||
# 1. MAC addresses are not allowed.
|
||||
# 2. In DNAT rules, only IP addresses are
|
||||
# allowed; no FQDNs or subnet addresses
|
||||
# are permitted.
|
||||
# 3. You may not specify both an interface and
|
||||
# an address.
|
||||
#
|
||||
# Like in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||
# the connections will be assigned to addresses in the
|
||||
# range in a round-robin fashion.
|
||||
#
|
||||
# If you kernel and iptables have ipset match support
|
||||
# then you may give the name of an ipset prefaced by "+".
|
||||
# The ipset name may be optionally followed by a number
|
||||
# from 1 to 6 enclosed in square brackets ([]) to
|
||||
# indicate the number of levels of destination bindings
|
||||
# to be matched. Only one of the SOURCE and DEST columns
|
||||
# may specify an ipset name.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port. A destination port may only be
|
||||
# included if the ACTION is DNAT or REDIRECT.
|
||||
#
|
||||
# Example: loc:192.168.1.3:3128 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 3128. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# if the ACTION is REDIRECT, this column needs only to
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
|
||||
# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
|
||||
# "ipp2p*" requires ipp2p match support in your kernel
|
||||
# and iptables.
|
||||
#
|
||||
# "tcp:syn" implies "tcp" plus the SYN flag must be
|
||||
# set and the RST,ACK and FIN flags must be reset.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p*, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example
|
||||
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the CLIENT PORT(S) list below:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ORIGINAL DEST in the next column, then
|
||||
# place "-" in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the DEST PORT(S) list above:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# ORIGINAL Original destination IP address. Must be omitted (
|
||||
# DEST or '-') if the macro is to be used from within
|
||||
# an action. See 'man shorewall-rules'.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this column:
|
||||
#
|
||||
# <rate>/<interval>[:<burst>]
|
||||
#
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# +upnpd #program named upnpd (This feature was
|
||||
# #removed from Netfilter in kernel
|
||||
# #version 2.6.14).
|
||||
#
|
||||
# MARK Specifies a MARK value to match. Must be empty or
|
||||
# '-' if the macro is to be used within an action.
|
||||
#
|
||||
# [!]value[/mask][:C]
|
||||
#
|
||||
# Defines a test on the existing packet or connection
|
||||
# mark. The rule will match only if the test returns
|
||||
# true.
|
||||
#
|
||||
# If you don't want to define a test but need to
|
||||
# specify anything in the following columns,
|
||||
# place a "-" in this field.
|
||||
#
|
||||
# !
|
||||
#
|
||||
# Inverts the test (not equal)
|
||||
#
|
||||
# value
|
||||
#
|
||||
# Value of the packet or connection mark.
|
||||
#
|
||||
# mask
|
||||
#
|
||||
# A mask to be applied to the mark before
|
||||
# testing.
|
||||
#
|
||||
# :C
|
||||
#
|
||||
# Designates a connection mark. If omitted, the
|
||||
# packet mark's value is tested.
|
||||
#
|
||||
# CONNLIMIT Must be empty or '-' if the macro is to be used within
|
||||
# an action.
|
||||
#
|
||||
# [!]limit[:mask]
|
||||
#
|
||||
# May be used to limit the number of simultaneous
|
||||
# connections from each individual host to limit
|
||||
# connections. Requires connlimit match in your kernel
|
||||
# and iptables. While the limit is only checked on rules
|
||||
# specifying CONNLIMIT, the number of current connections
|
||||
# is calculated over all current connections from the
|
||||
# SOURCE host. By default, the limit is applied to each
|
||||
# host but can be made to apply to networks of hosts by
|
||||
# specifying a mask. The mask specifies the width of a
|
||||
# VLSM mask to be applied to the source address; the
|
||||
# number of current connections is then taken over all
|
||||
# hosts in the subnet source-address/mask. When ! is
|
||||
# specified, the rule matches when the number of
|
||||
# connection exceeds the limit.
|
||||
#
|
||||
# TIME Must be empty or '-' if the macro is to be used within
|
||||
# an action.
|
||||
#
|
||||
#
|
||||
# <timeelement>[&...]
|
||||
#
|
||||
# timeelement may be:
|
||||
#
|
||||
# timestart=hh:mm[:ss]
|
||||
#
|
||||
# Defines the starting time of day.
|
||||
#
|
||||
# timestop=hh:mm[:ss]
|
||||
#
|
||||
# Defines the ending time of day.
|
||||
#
|
||||
# utc
|
||||
#
|
||||
# Times are expressed in Greenwich Mean
|
||||
# Time.
|
||||
#
|
||||
# localtz
|
||||
#
|
||||
# Times are expressed in Local Civil Time
|
||||
# (default).
|
||||
#
|
||||
# weekdays=ddd[,ddd]...
|
||||
#
|
||||
# where ddd is one of Mon, Tue, Wed, Thu,
|
||||
# Fri, Sat or Sun
|
||||
#
|
||||
# monthdays=dd[,dd],...
|
||||
#
|
||||
# where dd is an ordinal day of the month#
|
||||
#
|
||||
# datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
|
||||
#
|
||||
# Defines the starting date and time.
|
||||
#
|
||||
# datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
|
||||
#
|
||||
# Defines the ending date and time.
|
||||
#
|
||||
# HEADERS [any:|exactly:]<header list>
|
||||
#
|
||||
# where <header list> is a comma-separated list of headers from the following:
|
||||
#
|
||||
#
|
||||
# Long Name Short Name Number
|
||||
# --------------------------------------
|
||||
# auth ah 50
|
||||
# esp esp 51
|
||||
# hop-by-hop hop 0
|
||||
# route ipv6-route 41
|
||||
# frag ipv6-frag 44
|
||||
# none ipv6-nonxt 59
|
||||
# protocol proto 255
|
||||
#
|
||||
# If 'any:' is specified, the rule will match if any of the listed
|
||||
# headers are present. If 'exactly:' is specified, the will match
|
||||
# packets that exactly include all specified headers. If neither is
|
||||
# given, 'any:' is assumed.
|
||||
#
|
||||
#
|
||||
# Columns are the same as in /etc/shorewall/rules.
|
||||
# A few examples should help show how Macros work.
|
||||
#
|
||||
# /etc/shorewall/macro.FwdFTP:
|
||||
@ -477,6 +74,6 @@
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
FORMAT 2
|
||||
#######################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP DEST
|
||||
####################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
@ -16,184 +16,11 @@
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are:
|
||||
# Columns are the same as in /etc/shorewall/rules.
|
||||
#
|
||||
#
|
||||
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro>
|
||||
# or a previously-defined <action>
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as p2pwall.
|
||||
# CONTINUE -- Stop processing this action and
|
||||
# return to the point where the
|
||||
# action was invoked.
|
||||
# <action> -- An <action> defined in
|
||||
# /etc/shorewall/actions.
|
||||
# The <action> must appear in that
|
||||
# file BEFORE the one being defined
|
||||
# in this file.
|
||||
# <macro> -- The name of a macro defined in a
|
||||
# file named macro.<macro-name>. If
|
||||
# the macro accepts an action
|
||||
# parameter (Look at the macro
|
||||
# source to see if it has PARAM in
|
||||
# the TARGET column) then the macro
|
||||
# name is followed by "/" and the
|
||||
# action (ACCEPT, DROP, REJECT, ...)
|
||||
# to be substituted for the
|
||||
# parameter. Example: FTP/ACCEPT.
|
||||
#
|
||||
# The TARGET may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# ACCEPT:debugging). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# The special log level 'none' does not result in logging
|
||||
# but rather exempts the rule from being overridden by a
|
||||
# non-forcing log level when the action is invoked.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Actions specifying logging may be followed by a
|
||||
# log tag (a string of alphanumeric characters)
|
||||
# are appended to the string generated by the
|
||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||
#
|
||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||
# at the end of the log prefix generated by the
|
||||
# LOGPREFIX setting.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies.
|
||||
# A comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# 192.168.2.2 Host 192.168.2.2
|
||||
#
|
||||
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
||||
#
|
||||
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
|
||||
# kernel and iptables must have
|
||||
# iprange match support.
|
||||
#
|
||||
# +remote The name of an ipset prefaced
|
||||
# by "+". Your kernel and
|
||||
# iptables must have set match
|
||||
# support
|
||||
#
|
||||
# +remote[4] The name of the ipset may
|
||||
# followed by a number of
|
||||
# levels of ipset bindings
|
||||
# enclosed in square brackets.
|
||||
#
|
||||
# 192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2.
|
||||
# ~00-A0-C9-15-39-78 Host with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# name. For example, eth1 specifies a
|
||||
# client that communicates with the firewall system
|
||||
# through eth1. This may be optionally followed by
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# as described above (e.g., eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of destination host. Same as above with
|
||||
# the exception that MAC addresses are not allowed and
|
||||
# that you cannot specify an ipset name in both the
|
||||
# SOURCE and DEST columns.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
|
||||
# "ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
|
||||
# "ipp2p*" requires ipp2p match support in your kernel
|
||||
# and iptables.
|
||||
#
|
||||
# "tcp:syn" implies "tcp" plus the SYN flag must be
|
||||
# set and the RST, ACK and FIN flags must be reset.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following fields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the CLIENT PORT(S) list below:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the DEST PORT(S) list above:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this column:
|
||||
#
|
||||
# <rate>/<interval>[:<burst>]
|
||||
#
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# +upnpd #program named upnpd (This feature was
|
||||
# #removed from Netfilter in kernel
|
||||
# #version 2.6.14).
|
||||
#
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
FORMAT 2
|
||||
####################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
@ -6,8 +6,8 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-rules.html
|
||||
#
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
####################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
|
@ -213,8 +213,15 @@ ACCEPT - - tcp 135,139,445
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Columns in the <filename>action.template</filename> file are as
|
||||
follows:</para>
|
||||
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns
|
||||
in action.template are the same as those in <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
|
||||
</emphasis>The first non-commentary line in the template must be</para>
|
||||
|
||||
<programlisting>FORMAT 2</programlisting>
|
||||
|
||||
<para>Prior to 4.4.16, columns in the <filename>action.template</filename>
|
||||
file were as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
@ -277,7 +277,15 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Columns in the macro.template file are as follows:</para>
|
||||
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns
|
||||
in macro.template are the same as those in <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
|
||||
</emphasis>The first non-commentary line in the template must be</para>
|
||||
|
||||
<programlisting>FORMAT 2</programlisting>
|
||||
|
||||
<para>Before 4.4.16, columns in the macro.template file were as
|
||||
follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
Loading…
Reference in New Issue
Block a user