# # Shorewall6 version 4 - Action Template # # /etc/shorewall6/action.template # # This file is a template for files with names of the form # /etc/shorewall/action.<action-name> where <action> is an # ACTION defined in /etc/shorewall/actions. # # To define a new action: # # 1. Add the <action name> to /etc/shorewall/actions # 2. Copy this file to /etc/shorewall/action.<action name> # 3. Add the desired rules to that file. # # Please see http://shorewall.net/Actions.html for additional # information. # # Columns are: # # # TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro> # or a previously-defined <action> # # ACCEPT -- allow the connection request # DROP -- ignore the request # REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. # LOG -- Simply log the packet and continue. # QUEUE -- Queue the packet to a user-space # application such as p2pwall. # CONTINUE -- Stop processing this action and # return to the point where the # action was invoked. # <action> -- An <action> defined in # /etc/shorewall/actions. # The <action> must appear in that # file BEFORE the one being defined # in this file. # <macro> -- The name of a macro defined in a # file named macro.<macro-name>. If # the macro accepts an action # parameter (Look at the macro # source to see if it has PARAM in # the TARGET column) then the macro # name is followed by "/" and the # action (ACCEPT, DROP, REJECT, ...) # to be substituted for the # parameter. Example: FTP/ACCEPT. # # The TARGET may optionally be followed # by ":" and a syslog log level (e.g, REJECT:info or # ACCEPT:debugging). This causes the packet to be # logged at the specified level. # # The special log level 'none' does not result in logging # but rather exempts the rule from being overridden by a # non-forcing log level when the action is invoked. # # You may also specify ULOG (must be in upper case) as a # log level.This will log to the ULOG target for routing # to a separate log through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # # Actions specifying logging may be followed by a # log tag (a string of alphanumeric characters) # are appended to the string generated by the # LOGPREFIX (in /etc/shorewall/shorewall.conf). # # Example: ACCEPT:info:ftp would include 'ftp ' # at the end of the log prefix generated by the # LOGPREFIX setting. # # SOURCE Source hosts to which the rule applies. # A comma-separated list of subnets # and/or hosts. Hosts may be specified by IP or MAC # address; mac addresses must begin with "~" and must use # "-" as a separator. # # Alternatively, clients may be specified by interface # name. For example, eth1 specifies a # client that communicates with the firewall system # through eth1. This may be optionally followed by # another colon (":") and an IP/MAC/subnet address # enclosed in square brackets. # # DEST Location of destination host. Same as above with # the exception that MAC addresses are not allowed and # that you cannot specify an ipset name in both the # SOURCE and DEST columns. # # PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp", # "ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all". # "ipp2p*" requires ipp2p match support in your kernel # and ip6tables. # # "tcp:syn" implies "tcp" plus the SYN flag must be # set and the RST, ACK and FIN flags must be reset. # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # # A port range is expressed as <low port>:<high port>. # # This column is ignored if PROTOCOL = all but must be # entered if any of the following fields are supplied. # In that case, it is suggested that this field contain # "-" # # If your kernel contains multi-port match support, then # only a single Netfilter rule will be generated if in # this list and the CLIENT PORT(S) list below: # 1. There are 15 or less ports listed. # 2. No port ranges are included. # Otherwise, a separate rule will be generated for each # port. # # SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. # # If you don't want to restrict client ports but need to # specify an ADDRESS in the next column, then place "-" # in this column. # # If your kernel contains multi-port match support, then # only a single Netfilter rule will be generated if in # this list and the DEST PORT(S) list above: # 1. There are 15 or less ports listed. # 2. No port ranges are included. # Otherwise, a separate rule will be generated for each # port. # # RATE LIMIT You may rate-limit the rule by placing a value in # this column: # # <rate>/<interval>[:<burst>] # # where <rate> is the number of connections per # <interval> ("sec" or "min") and <burst> is the # largest burst permitted. If no <burst> is given, # a value of 5 is assumed. There may be no # no whitespace embedded in the specification. # # Example: 10/sec:20 # # USER/GROUP This column may only be non-empty if the SOURCE is # the firewall itself. # # The column may contain: # # [!][<user name or number>][:<group name or number>][+<program name>] # # When this column is non-empty, the rule applies only # if the program generating the output is running under # the effective <user> and/or <group> specified (or is # NOT running under that id if "!" is given). # # Examples: # # joe #program must be run by joe # :kids #program must be run by a member of # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group # ############################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP