Actions
Tom Eastep
Copyright 2005, 2007, 2008, 2009, 2010, 2012, 2013 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is
included in the section entitled GNU Free Documentation License.
2013/02/14
Table of Contents
What are Shorewall Actions?
Default Actions (Formerly Common Actions)
Defining your own Actions
Shorewall 4.4.16 and Later.
Shorewall 4.4.15 and Earlier.
Actions and Logging
Using Embedded Perl in an Action
Creating an Action using an Extension Script (deprecated in favor of BEGIN PERL ... END PERL)
Limiting Per-IP Connection Rate using the Limit Action
How Limit is Implemented
Caution
This article applies to Shorewall 4.3 and later. If you are running a version of
Shorewall earlier than Shorewall 4.3.5 then please see the documentation for
that release.
2. Standard Actions. These are defined in action.* files in /usr/share/shorewall; each file describes
what the action does. As an example, here is the definition of the AllowSMB standard action from
Shorewall version 2.2.
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
#
#       Allow Microsoft SMB traffic. You need to invoke this action in
#       both directions.
#
######################################################################################
#TARGET  SOURCE  DEST  PROTO  DEST         SOURCE   RATE   USER/
#                             PORT         PORT(S)  LIMIT  GROUP
ACCEPT   -       -     udp    135,445
ACCEPT   -       -     udp    137:139
ACCEPT   -       -     udp    1024:        137
ACCEPT   -       -     tcp    135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
If you wish to modify one of the standard actions, do not modify the definition in
/usr/share/shorewall. Rather, copy the file to /etc/shorewall (or somewhere else on your
CONFIG_PATH) and modify the copy.
Standard Actions have been largely replaced by macros.
3. User-defined Actions. These actions are created by end-users. They are listed in the file
/etc/shorewall/actions and are defined in action.* files in /etc/shorewall or in another directory
listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf).
Important
Entries in the DROP and REJECT default actions ARE NOT THE CAUSE OF
CONNECTION PROBLEMS. Remember default actions are only invoked immediately
before the packet is going to be dropped or rejected anyway!!!
Beginning with Shorewall 4.4.21, the standard Drop and Reject actions are parameterized. Each has five
parameters as follows:

ACTION  PARAMETER  VALUE                                               DEFAULT
Both    1          Either '-' or 'audit'. 'audit' causes auditing by   -
                   the builtin actions invoked by Drop or Reject.
Drop    2          Determines what to do with Auth requests [1]        REJECT or A_REJECT depending on the setting of parameter 1
Reject  2          Determines what to do with Auth requests [1]        REJECT or A_REJECT depending on the setting of parameter 1
Drop    3          Determines what to do with SMB                      DROP or A_DROP depending on the setting of parameter 1
Reject  3          Determines what to do with SMB                      REJECT or A_REJECT depending on the setting of parameter 1
Both    4          Determines what to do with accepted critical ICMP   ACCEPT or A_ACCEPT depending on the setting of parameter 1
                   packets
Both    5          Determines what to do with late-arriving DNS        DROP or A_DROP depending on the setting of parameter 1
                   replies (source port 53) or UPnP (udp port 1900)
Beginning with Shorewall 4.5.11, the preferred format is as shown below, and the above format is
deprecated.
?FORMAT 2
When using Shorewall 4.4.16 or later, there are no restrictions regarding which targets can be used
within your action.
The SOURCE and DEST columns in the action file may not include zone names; those are given when
the action is invoked.
Additionally, it is possible to pass parameters to an action, when it is invoked in the rules file or in
another action.
Here's a trivial example:
/etc/shorewall/action.A:

#TARGET      SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
#                                 PORT(S)  PORT(S)  DEST
FORMAT 2
$1           -       -     tcp    80       -        1.2.3.4

/etc/shorewall/rules:

#TARGET      SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
#                                 PORT(S)  PORT(S)  DEST
A(REDIRECT)  net     fw    tcp    80       -        1.2.3.4
Default values for an action's parameters are given on a DEFAULTS line in the action file, of the form
DEFAULTS def1,def2,... where def1 is the default value for the first parameter, def2 is the default value
for the second parameter and so on. You can specify an empty default using '-' (e.g. DEFAULTS DROP,-,audit).
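The following is an added example, not code from Shorewall itself: a small Python model of how the compiler combines the values passed in an invocation such as A(REDIRECT) with a DEFAULTS line when it substitutes $1, $2, ... in an action body. The action body is the article's action.A extended with a constructed DEFAULTS line; the parse_invocation helper also splits the older Name:level:tag form used by Limit, so both invocation styles on this page can be fed to it.

```python
"""Expand a parameterized Shorewall action body for one invocation.

Added example; this is not code from the Shorewall compiler. It models the
behaviour the Actions article describes: $1, $2, ... in an action body are
replaced by the values given in the invoking rule, and a DEFAULTS line
supplies values for parameters the caller omitted, with '-' standing for an
empty default. The action body and invocations below are constructed
samples; columns are whitespace-separated, as in the real files.
"""
import re

# Constructed sample: the article's action.A, extended with a DEFAULTS line
# so that the DEST PORT ($2) and SOURCE PORT ($3) can be defaulted.
SAMPLE_ACTION_A = """\
#TARGET   SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
#                              PORT(S)  PORT(S)  DEST
?FORMAT 2
DEFAULTS  ACCEPT,80,-
$1        -       -     tcp    $2       $3       1.2.3.4
"""

PARAM_RE = re.compile(r"\$(\d+)")
INVOKE_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*)"      # action name
                       r"(?:\((?P<params>[^)]*)\))?"    # optional (p1,p2,...)
                       r"(?::(?P<level>[^:]*))?"        # optional :level
                       r"(?::(?P<tag>.*))?$")           # optional :tag


def parse_invocation(target):
    """Split a rules-file TARGET such as 'A(REDIRECT)' or 'Limit:info:SSHA,3,60'
    into (name, [params], level, tag)."""
    m = INVOKE_RE.match(target)
    if not m:
        raise ValueError(f"malformed action invocation: {target!r}")
    params = m.group("params")
    params = [p.strip() for p in params.split(",")] if params else []
    return m.group("name"), params, m.group("level") or "", m.group("tag") or ""


def parse_action_body(body):
    """Return (defaults, rules): defaults from the DEFAULTS line (if any),
    rules as lists of whitespace-separated columns, with comments and
    FORMAT/?FORMAT directives stripped."""
    defaults, rules = [], []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        columns = line.split()
        if columns[0] in ("FORMAT", "?FORMAT"):
            continue
        if columns[0] == "DEFAULTS":
            if len(columns) != 2:
                raise ValueError(f"DEFAULTS needs one comma-separated list: {raw!r}")
            defaults = columns[1].split(",")
            continue
        rules.append(columns)
    return defaults, rules


def expand_action(body, params):
    """Substitute $n in every rule of `body` for an invocation passing `params`.

    Precedence per parameter: the value passed by the caller, else the
    DEFAULTS entry, else '-' (the marker the article says omitted
    parameters carry).
    """
    defaults, rules = parse_action_body(body)

    def value(match):
        idx = int(match.group(1)) - 1
        if idx < len(params):
            return params[idx]
        if idx < len(defaults):
            return defaults[idx]
        return "-"

    return [[PARAM_RE.sub(value, col) for col in rule] for rule in rules]


def render(rule):
    """One expanded rule as it would appear in a rules file (tab separated)."""
    return "\t".join(rule)


if __name__ == "__main__":
    for invocation in ("A(REDIRECT)", "A", "A(DROP,8080,1024:)"):
        name, params, level, tag = parse_invocation(invocation)
        for rule in expand_action(SAMPLE_ACTION_A, params):
            print(f"{invocation:20} -> {render(rule)}")
```

Parameters are positional: to override the third one you must pass the first two, so the precedence in value() (caller, then DEFAULTS, then '-') is what decides whether a short invocation like A(REDIRECT) still yields a complete rule.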
For additional information about actions, see the Action Variables section of the Configuration Basics
article.
RATE LIMIT - You may rate-limit the rule by placing a value of the form <rate>/<interval>[:<burst>] in
this column, where <rate> is the number of connections per <interval> (sec or min) and <burst> is the
largest burst permitted. If no <burst> is given, a value of 5 is assumed. There may be no
whitespace embedded in the specification.
Example: 10/sec:20
USER/GROUP - For output rules (those with the firewall as their source), you may control
connections based on the effective UID and/or GID of the process requesting the connection. This
column can contain any of the following:
Note: If your /etc/shorewall/actions file doesn't have an indication where to place the comment, put
the # in column 21.

/etc/shorewall/action.LogAndAccept
LOG:info
ACCEPT

Placing a comment on the line causes the comment to appear in the output of the shorewall show
actions command.
To use your action, in /etc/shorewall/rules you might do something like:

#ACTION        SOURCE  DEST  PROTO  DEST PORT(S)
LogAndAccept   loc     $FW   tcp    22
Actions and Logging
1. If you specify a log level when invoking an action, that level is applied to every rule in the action
that does not carry a log level of its own; rules that already specify a level keep it.
Example:

/etc/shorewall/action.foo
#TARGET      SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT       -       -     tcp    22
bar:info

/etc/shorewall/rules:
#ACTION      SOURCE  DEST  PROTO  DEST PORT(S)
foo:debug    $FW     net

Logging in the invoked foo action will be as if foo had been defined as:

#TARGET        SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT:debug   -       -     tcp    22
bar:info

2. If you follow the log level with ! then logging will be set at that level for all rules recursively
invoked by the action.
Example:

/etc/shorewall/action.foo
#TARGET      SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT       -       -     tcp    22
bar:info

/etc/shorewall/rules:
#ACTION      SOURCE  DEST  PROTO  DEST PORT(S)
foo:debug!   $FW     net

Logging in the invoked foo action will be as if foo had been defined as:

#TARGET        SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT:debug   -       -     tcp    22
bar:debug
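The following is an added example (Python, not Shorewall's own code) that implements the two logging rules above as a small model, so the difference between foo:debug and foo:debug! can be checked on the article's foo/bar example and on deeper nesting. The action bodies are constructed samples that carry only the TARGET column, since that is where the log level lives; bar is given a body of its own so that the recursive case is visible.

```python
"""Model how a log level on an invoking rule propagates into an action body.

Added example; not Shorewall's own compiler code. It implements the two
rules in the Actions and Logging section: 'foo:debug' gives level debug to
every rule inside foo that has no level of its own, while 'foo:debug!'
forces debug onto every rule, recursively through nested actions. The action
bodies below are constructed samples (TARGET column only); 'bar' stands for
a nested user-defined action as in the article's example.
"""

BUILTIN = {"ACCEPT", "DROP", "REJECT", "LOG"}

# Constructed action bodies, TARGET column only.
ACTIONS = {
    "foo": ["ACCEPT", "bar:info"],
    "bar": ["DROP", "REJECT:warning"],
}


def split_target(target):
    """'name[:level[:tag]]' -> (name, level, tag); missing parts are ''."""
    parts = target.split(":", 2)
    return tuple(parts + [""] * (3 - len(parts)))


def join_target(name, level, tag):
    if tag:
        return f"{name}:{level}:{tag}"
    return f"{name}:{level}" if level else name


def rewrite_body(name, level, force):
    """The body of action `name` as it is compiled for an invocation at `level`.

    force=False: only rules without a level take `level` (rule 1).
    force=True:  every rule takes `level`, whatever it had (rule 2, the '!').
    """
    if name not in ACTIONS:
        raise KeyError(f"unknown action {name!r}")
    out = []
    for target in ACTIONS[name]:
        t_name, t_level, t_tag = split_target(target)
        if level and (force or not t_level):
            t_level = level
        out.append(join_target(t_name, t_level, t_tag))
    return out


def flatten(name, level="", force=False, depth=0):
    """Resolve nested actions down to builtin targets, returning (target, level)
    pairs in rule order. Each nested action is invoked with the level on its
    (rewritten) invoking line; a '!' level keeps forcing all the way down."""
    if depth > 16:
        raise RecursionError(f"action nesting too deep at {name!r}")
    leaves = []
    for target in rewrite_body(name, level, force):
        t_name, t_level, _ = split_target(target)
        if t_name in BUILTIN:
            leaves.append((t_name, t_level))
        else:
            leaves.extend(flatten(t_name, t_level, force, depth + 1))
    return leaves


def invoke(rule_target):
    """Expand a rules-file TARGET such as 'foo:debug' or 'foo:debug!'.
    Returns (rewritten body of the action, fully flattened builtin rules)."""
    name, level, _tag = split_target(rule_target)
    force = level.endswith("!")
    level = level.rstrip("!")
    return rewrite_body(name, level, force), flatten(name, level, force)


if __name__ == "__main__":
    for target in ("foo", "foo:debug", "foo:debug!"):
        body, leaves = invoke(target)
        print(f"{target:11} body={body} leaves={leaves}")
```

The flattened output is the part worth looking at when debugging a noisy or silent log: without the !, bar's own rules log at the level written on the bar:info line (or at their own level), and the debug level requested on the rule never reaches them.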
Default values for the action's parameters are passed by including a DEFAULTS line prior to the embedded Perl.
Shorewall::Config::set_action_param( $ordinal, $value )
Set the value of parameter $ordinal to $value. Care must be taken when using this function so
that, for a given set of parameters actually passed to the action, the same rules are created. That is
because the compiler assumes that all invocations of an action with the same parameters, log level
and log tag can share the same action chain.
Shorewall::Config::get_action_chain()
This function returns a reference to the chain table entry for the current action chain.
Shorewall::Config::get_action_logging()
Returns a two-element list containing the log level and log tag specified when the action was
invoked. Note that you must use this function rather than @loglevel and @logtag within embedded
Perl, as the compiler does not expand Shorewall Variables within embedded Perl (or embedded
shell).
Shorewall::Chains::add_rule( $chainref, $rule [, $expandports ] )
This function adds a rule to a chain. As of Shorewall 4.5.13, it is deprecated in favor of
Shorewall::Rules::perl_action_helper(). Arguments are:
$chainref
A reference to the chain-table entry for the chain that the rule is added to (in an action, the value
returned by get_action_chain()).
$rule
The matches and target for the rule that you want added.
$expandports
(optional)
This optional argument is for compiler-internal use only. Either omit it or pass a false value.
Warning
Do not call this function in an inline action. Use perl_action_helper() instead (see
below).
Shorewall::Chains::log_rule_limit( $level, $chainref, $chain, $disposition, $limit, $tag, $command,
$matches )
This function adds a logging rule to a chain. As of Shorewall 4.5.13, it is deprecated in favor of
Shorewall::Rules::perl_action_helper(). Arguments are:
$level
Either a syslog level or a ULOG or NFLOG target expression (e.g., "NFLOG(1,0,1)"). Specifies
how you want the logging done.
$chainref
A reference to the chain-table entry for the chain that the logging rule is added to.
$chain
The value you want substituted for the first %s formatting directive in the LOGFORMAT
setting in /etc/shorewall/shorewall.conf.
$disposition
This is the value substituted for the second '%s' formatting directive in the LOGFORMAT
setting in /etc/shorewall/shorewall.conf.
$limit
To override the default limit set in LOGLIMIT (/etc/shorewall/shorewall.conf), pass your own
'-m limit' match here. To use the default, pass 0 or "". To leave the rule unlimited, pass '-'.
$tag
Log tag.
$command
Pass 'add' here, unless you want the rule to be inserted at the front of the chain.
$matches
Zero or more iptables matches that limit when logging will occur. If this parameter is other
than the empty string, the last character must be a space.
Shorewall::Chains::allow_optimize( $chainref )
This allows the passed action chain to be optimized away (jumps to the chain are replaced by the
chain's rule(s)). The chainref argument is usually obtained from get_action_chain() described
above.
Shorewall::Rules::perl_action_helper( $target, $matches )
This function adds a rule to the current chain. For a regular action, the chain will be an action
chain; for an inline action, the chain is determined by the invoking rule.
To use this function, you must include:
use Shorewall::Rules;
Arguments are:
$target
The target of the rule. Legal values are anything that can appear in the TARGET column of
an action body and may include log level, tag, and parameters.
$matches
ip[6]tables matches to be included in the rule. When called in an inline action, these matches
are augmented by matches generated by the invoking rule.
Note
This function has additional optional arguments which are used internally by
Shorewall standard actions. Their number and behavior is likely to change in future
Shorewall releases.
For an example of using these services, look at the standard action
/usr/share/shorewall/action.TCPFlags.
There may be cases where you wish to create a chain with rules that can't be constructed using the
tools defined in the action.template. In that case, you can use an extension script.
If you define an action acton and you have an /etc/shorewall/acton script, the rules compiler sets
lexical variables as follows:
$chainref is a reference to the chain-table entry for the chain where your rules are to be placed.
$level is the log level. If false, no logging was specified.
$tag is the log tag.
@params is the list of parameter values (Shorewall 4.4.16 and later). 'Omitted' parameters
contain '-'.
Example 1. An action to drop all broadcast packets
Note
If you actually need an action to drop broadcast packets, use the dropBcast standard
action rather than create one like this.

/etc/shorewall/actions
DropBcasts

/etc/shorewall/action.DropBcasts
# This file is empty

/etc/shorewall/DropBcasts
use Shorewall::Chains;

# Add logging rules only when the invoking rule asked for a log level.
# The $matches argument must end with a space.
if ( $level ne '' ) {
    log_rule_limit $level, $chainref, 'dropBcast', 'DROP', '', $tag, 'add', '-m addrtype --dst-type BROADCAST ';
    log_rule_limit $level, $chainref, 'dropBcast', 'DROP', '', $tag, 'add', '-d 224.0.0.0/4 ';
}

# Drop link-layer broadcasts and anything addressed to the multicast range.
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';

1;
Limiting Per-IP Connection Rate using the Limit Action
The Limit action takes three values: the name of the list in which source addresses are tracked
(SSHA below), the maximum number of new connections allowed from one source address (3), and the
interval in seconds over which they are counted (60). Connections beyond that rate are dropped. In the
original form, the three values are written in place of a log tag:

#ACTION                SOURCE  DEST  PROTO  DEST PORT(S)
Limit:none:SSHA,3,60   net     $FW   tcp    22

Using Shorewall 4.4.16 or later, you can also invoke the action this way:

#ACTION                SOURCE  DEST  PROTO  DEST PORT(S)
Limit(SSHA,3,60):none  net     $FW   tcp    22

If you want dropped connections to be logged at the info level, use this rule instead:

#ACTION                SOURCE  DEST  PROTO  DEST PORT(S)
Limit:info:SSHA,3,60   net     $FW   tcp    22
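As an added example (not Shorewall's action.Limit code), the following Python model shows the per-source sliding-window behaviour that Limit(SSHA,3,60) enforces on the SSH rule above: a fourth connection from the same address within 60 seconds is dropped, a second address keeps its own budget, and the source is admitted again once its oldest hit ages out. It models the rule's observable behaviour, not the iptables match the real action compiles to, and the connection attempts are constructed sample data.

```python
"""Sliding-window per-source connection limiter with the semantics of Limit(NAME,N,SECONDS).

Added example; not Shorewall's own action.Limit code. Limit(SSHA,3,60) admits
at most 3 new connections from any one source address within a 60-second
window and drops the rest, tracking sources in a named list. This class
models that with one timestamp history per address. It is a model of the
rule's behaviour, not of the iptables match the real action compiles to; in
particular a dropped attempt is not counted as a hit here, whereas a kernel
'recent' match used with --update refreshes the entry on every packet it
sees, so a source that keeps retrying stays blocked longer. The attempts
at the bottom are constructed sample data.
"""
from collections import defaultdict, deque


class Limit:
    def __init__(self, name, count, seconds):
        if count < 1 or seconds < 1:
            raise ValueError("count and seconds must both be positive")
        self.name = name                  # list name, e.g. SSHA
        self.count = count                # new connections allowed per window
        self.seconds = seconds            # window length in seconds
        self.hits = defaultdict(deque)    # source -> timestamps of accepted hits

    def check(self, src, now):
        """Disposition for one new connection from `src` at time `now` (seconds).

        Returns 'ACCEPT' and records the hit when fewer than `count` hits
        from `src` fall inside the last `seconds`, otherwise 'DROP'.
        """
        window = self.hits[src]
        # Expire hits that have aged out of the window.
        while window and now - window[0] >= self.seconds:
            window.popleft()
        if len(window) >= self.count:
            return "DROP"
        window.append(now)
        return "ACCEPT"

    def tracked(self, src):
        """Number of hits currently held for `src` (what the list would show)."""
        return len(self.hits[src])


def run(attempts, name="SSHA", count=3, seconds=60):
    """Apply Limit(name,count,seconds) to (time, source) attempts in order."""
    limiter = Limit(name, count, seconds)
    return [(t, src, limiter.check(src, t)) for t, src in attempts]


# Constructed sample: seconds since start, source address.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7"),
    (10, "203.0.113.7"),
    (20, "203.0.113.7"),
    (30, "203.0.113.7"),    # 4th within 60 s from the same source -> DROP
    (31, "198.51.100.9"),   # another source, its own budget
    (61, "203.0.113.7"),    # the t=0 hit has aged out -> ACCEPT again
]

if __name__ == "__main__":
    for t, src, verdict in run(SAMPLE_ATTEMPTS):
        print(f"t={t:3}  {src:14} {verdict}")
```

When tuning the three values, remember that the limit is per source address, so a single NATed office counts as one source, and that the count applies to new connections only; established SSH sessions are unaffected by the rule.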
[1]
AUTH is actually pretty silly on today's Internet but it's amazing how many servers still employ it.