## Shorewall version 4 - Action Template## /etc/shorewall/action.template##	This file is a template for files with names of the form#	/etc/shorewall/action.<action-name> where <action> is an#	ACTION defined in /etc/shorewall/actions.##	To define a new action:##	1. Add the <action name> to /etc/shorewall/actions#	2. Copy this file to /etc/shorewall/action.<action name>#	3. Add the desired rules to that file.##	Please see http://shorewall.net/Actions.html for additional#	information.## Columns are:###	TARGET		ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro>#			or a previously-defined <action>##				ACCEPT	 -- allow the connection request#				DROP	 -- ignore the request#				REJECT	 -- disallow the request and return an#					    icmp-unreachable or an RST packet.#				LOG	 -- Simply log the packet and continue.#				QUEUE	 -- Queue the packet to a user-space#					    application such as p2pwall.#				CONTINUE -- Stop processing this action and#					    return to the point where the#					    action was invoked.#				<action> -- An <action> defined in#					    /etc/shorewall/actions.#					    The <action> must appear in that#					    file BEFORE the one being defined#					    in this file.#				<macro>	 -- The name of a macro defined in a#					    file named macro.<macro-name>. If#					    the macro accepts an action#					    parameter (Look at the macro#					    source to see if it has PARAM in#					    the TARGET column) then the macro#					    name is followed by "/" and the#					    action (ACCEPT, DROP, REJECT, ...)#					    to be substituted for the#					    parameter. Example: FTP/ACCEPT.##			The TARGET may optionally be followed#			by ":" and a syslog log level (e.g, REJECT:info or#			ACCEPT:debugging). This causes the packet to be#			logged at the specified level.##			The special log level 'none' does not result in logging#			but rather exempts the rule from being overridden by a#			non-forcing log level when the action is invoked.##			You may also specify ULOG (must be in upper case) as a#			log level.This will log to the ULOG target for routing#			to a separate log through use of ulogd#			(http://www.gnumonks.org/projects/ulogd).##			Actions specifying logging may be followed by a#			log tag (a string of alphanumeric characters)#			are appended to the string generated by the#			LOGPREFIX (in /etc/shorewall/shorewall.conf).##			Example: ACCEPT:info:ftp would include 'ftp '#			at the end of the log prefix generated by the#			LOGPREFIX setting.##	SOURCE		Source hosts to which the rule applies.#			A comma-separated list of subnets#			and/or hosts. Hosts may be specified by IP or MAC#			address; mac addresses must begin with "~" and must use#			"-" as a separator.##			192.168.2.2		Host 192.168.2.2##			155.186.235.0/24	Subnet 155.186.235.0/24##			10.0.0.4-10.0.0.9	Range of IP addresses; your#						kernel and iptables must have#						iprange match support.##			+remote			The name of an ipset prefaced#						by "+". Your kernel and#						iptables must have set match#						support##			+remote[4]		The name of the ipset may#						followed by a number of#						levels of ipset bindings#						enclosed in square brackets.##			192.168.1.1,192.168.1.2#						Hosts 192.168.1.1 and#						192.168.1.2.#			~00-A0-C9-15-39-78	Host with#						MAC address 00:A0:C9:15:39:78.##			Alternatively, clients may be specified by interface#			name. For example, eth1 specifies a#			client that communicates with the firewall system#			through eth1. This may be optionally followed by#			another colon (":") and an IP/MAC/subnet address#			as described above (e.g., eth1:192.168.1.5).##	DEST		Location of destination host. Same as above with#			the exception that MAC addresses are not allowed and#			that you cannot specify an ipset name in both the#			SOURCE and DEST columns.##	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",#			"ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".#                       "ipp2p*" requires ipp2p match support in your kernel#                       and iptables.##			"tcp:syn" implies "tcp" plus the SYN flag must be#			set and the RST, ACK and FIN flags must be reset.##	DEST PORT(S)	Destination Ports. A comma-separated list of Port#			names (from /etc/services), port numbers or port#			ranges; if the protocol is "icmp", this column is#			interpreted as the destination icmp-type(s).##			A port range is expressed as <low port>:<high port>.##			This column is ignored if PROTOCOL = all but must be#			entered if any of the following fields are supplied.#			In that case, it is suggested that this field contain#			 "-"##			If your kernel contains multi-port match support, then#			only a single Netfilter rule will be generated if in#			this list and the CLIENT PORT(S) list below:#			1. There are 15 or less ports listed.#			2. No port ranges are included.#			Otherwise, a separate rule will be generated for each#			port.##	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,#			any source port is acceptable. Specified as a comma-#			separated list of port names, port numbers or port#			ranges.##			If you don't want to restrict client ports but need to#			specify an ADDRESS in the next column, then place "-"#			in this column.##			If your kernel contains multi-port match support, then#			only a single Netfilter rule will be generated if in#			this list and the DEST PORT(S) list above:#			1. There are 15 or less ports listed.#			2. No port ranges are included.#			Otherwise, a separate rule will be generated for each#			port.##	RATE LIMIT	You may rate-limit the rule by placing a value in#			this column:##				<rate>/<interval>[:<burst>]##			where <rate> is the number of connections per#			<interval> ("sec" or "min") and <burst> is the#			largest burst permitted. If no <burst> is given,#			a value of 5 is assumed. There may be no#			no whitespace embedded in the specification.##				Example: 10/sec:20##	USER/GROUP	This column may only be non-empty if the SOURCE is#			the firewall itself.##			The column may contain:##	[!][<user name or number>][:<group name or number>][+<program name>]##			When this column is non-empty, the rule applies only#			if the program generating the output is running under#			the effective <user> and/or <group> specified (or is#			NOT running under that id if "!" is given).##			Examples:##				joe	#program must be run by joe#				:kids	#program must be run by a member of#					#the 'kids' group#				!:kids	#program must not be run by a member#					#of the 'kids' group#				+upnpd	#program named upnpd (This feature was#					#removed from Netfilter in kernel#					#version 2.6.14).#################################################################################TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/#				PORT	PORT(S)	DEST		LIMIT	GROUP#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE