User-defined Actions
Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were
limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
Beginning with Shorewall version 1.4.9, users may use sequences of
these elementary operations to define more complex actions.
To define a new action:
- Add a line to /etc/shorewall/actions that names your new action.
Action names must be valid shell variable names as well as valid
Netfilter chain names. It is recommended that the name you select for a
new action begins with a capital letter; that way, the name won't
conflict with a Shorewall-defined chain name.
- Once you have defined your new action name (ActionName), then
copy /etc/shorewall/action.template to /etc/shorewall/action.ActionName
(for example, if your new action name is "Foo" then copy
/etc/shorewall/action.template to /etc/shorewall/action.Foo).
- Now modify the new file to define the new action.
Columns in the action.template file are as follows.
- TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or
<action> where <action> is a previously-defined action. The
TARGET may optionally be followed by a colon (":") and a syslog log
level (e.g., REJECT:info or ACCEPT:debugging). This causes the packet to
be logged at the specified level. You may also specify ULOG (must be in
upper case) as a log level. This will log to the ULOG target for routing
to a separate log through use of ulogd
(http://www.gnumonks.org/projects/ulogd).
- SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified by
IP or MAC address; mac addresses must begin with "~" and must use "-"
as a separator.
Alternatively, clients may be specified by interface name. For example,
eth1 specifies a client that communicates with the firewall system
through eth1. This may be optionally followed by another colon (":")
and an IP/MAC/subnet address as described above (e.g.,
eth1:192.168.1.5).
- DEST - Location of Server. Same as above with the exception that
MAC addresses are not allowed.
Unlike in the SOURCE column, you may specify a range of up to 256 IP
addresses using the syntax <first ip>-<last ip>.
- PROTO - Protocol - Must be "tcp", "udp", "icmp", a number, or
"all".
- DEST PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges; if the
protocol is "icmp", this column is interpreted as the destination
icmp-type(s).
A port range is expressed as <low port>:<high port>.
This column is ignored if PROTO = all but must be entered if any of
the following fields are supplied. In that case, it is suggested that
this field contain "-".
If your kernel contains multi-port match support, then only a single
Netfilter rule will be generated if, in this list and in the CLIENT
PORT(S) list below:
1. There are 15 or less ports listed.
2. No port ranges are included.
Otherwise, a separate rule will be generated for each port.
- RATE LIMIT - You may rate-limit the rule by placing a value in
this column:
<rate>/<interval>[:<burst>]
where <rate> is the number of connections per <interval>
("sec" or "min") and <burst> is the largest burst permitted. If
no <burst> is given, a value of 5 is assumed. There may be no
whitespace embedded in the specification.
Example: 10/sec:20
Example:
/etc/shorewall/actions:
LogAndAccept
/etc/shorewall/action.LogAndAccept
LOG:info
ACCEPT
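A fuller worked example, added here and not taken from the Shorewall documentation: a small POSIX shell script that checks an action name against the naming rules above, registers it in actions, and writes an action file that accepts new SSH connections up to a rate limit and logs and drops the excess. SHOREWALL_DIR, the action name LimitSSH and the function names are assumptions of this example; the column order follows the description on this page.

```shell
#!/bin/sh
# Added example, not from the Shorewall documentation. SHOREWALL_DIR defaults
# to a scratch directory (assumption) so the script runs without touching
# /etc/shorewall; set SHOREWALL_DIR=/etc/shorewall to install for real.
SHOREWALL_DIR="${SHOREWALL_DIR:-$(mktemp -d)}"

# An action name must be a valid shell variable name; the page recommends a
# leading capital so it cannot collide with Shorewall's own chain names.
valid_action_name() {
    case "$1" in
        [A-Z]*) ;;
        *) return 1 ;;                 # empty, or no leading capital letter
    esac
    case "$1" in
        *[!A-Za-z0-9_]*) return 1 ;;   # character not allowed in a variable name
    esac
    return 0
}

# Register the name in $SHOREWALL_DIR/actions (once) and write action.<Name>.
# Columns, as described on this page: TARGET SOURCE DEST PROTO "DEST PORT(S)"
# "RATE LIMIT"; "-" leaves a column unrestricted. Connections beyond
# 3/min (burst 5) fall through the rate-limited ACCEPT to LOG and DROP.
define_limit_ssh_action() {
    name="$1"
    valid_action_name "$name" || return 1
    touch "$SHOREWALL_DIR/actions"
    grep -qx "$name" "$SHOREWALL_DIR/actions" || echo "$name" >> "$SHOREWALL_DIR/actions"
    cat > "$SHOREWALL_DIR/action.$name" <<'EOF'
#TARGET     SOURCE  DEST    PROTO   DEST PORT(S)    RATE LIMIT
ACCEPT      -       -       tcp     22              3/min:5
LOG:info    -       -       tcp     22
DROP        -       -       tcp     22
EOF
}

# Number of rule lines (non-comment) in a written action file.
action_rule_count() {
    grep -cv '^#' "$SHOREWALL_DIR/action.$1"
}
```

Running define_limit_ssh_action LimitSSH twice adds the name to actions only once, and a lowercase or hyphenated name is rejected before any file is written.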
Last Updated 12/09/2003 - Tom Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.