7.2.5. Action

The Action is the action taken on a rule that matches on the Source, Destination, Service, Interface, Direction, and Time fields.

The policy rule action can be any of the action types listed below. Not all firewalls support every action; however, Firewall Builder is aware of the capabilities of each platform and allows only the options valid for the specified firewall target. Note also that the same action may be referred to by a different name on different target platforms.

Some actions have parameters. For these actions, Firewall Builder opens the action dialog when you select the action for you to specify the setting. To change the parameter setting for an existing action, double-click the action icon in the Action field or right-click it and select Parameters from the context menu. This opens the dialog for the action, where you can change the parameter setting.

  • Accept:

    Allows the packet through the firewall. No subsequent rules are applied. This action has no parameters.

  • Deny:

    Silently drops the packet. No subsequent rules are applied. This action has no parameters.

  • Reject:

    The packet is dropped and the firewall reacts to the packet in the way you specify; for example, the firewall can send a TCP RST message or one of a number of ICMP messages. No subsequent rules are applied. This action has one parameter: when you select Reject as the action, the action dialog automatically opens for you to specify the response to be sent. Figure 7.5 shows the supported responses for the Reject action.

    Figure 7.5. Responses for the Reject Action


  • Accounting:

    Counts packets matching the rule, but makes no decision on the packet. Even if the packet matches, the inspection process continues with subsequent rules. For iptables this action has one parameter which is the name of the rule chain that will be created. Traffic that matches this rule will have a target of the defined accounting user chain. In this case the traffic is neither accepted nor denied, so in order for the traffic to be passed through the firewall another rule must be defined with the Action set to Accept.

  • Queue:

    Supported only for iptables and ipfw target platforms. Passes the packet to a user-space process for inspection. It is translated into QUEUE for iptables and divert for ipfw. This action has no parameters.

  • Custom:

    Supported for iptables, ipf, and ipfw target platforms. Allows you to specify an arbitrary string, for example defining iptables module 'recent' parameters as shown in Section 5.3.6. This action has one parameter: when you select Custom as the action, the action dialog automatically opens for you to specify the custom string.

  • Branch:

    Supported only for iptables and PF target platforms, which provide suitable syntax for allowing control to return to the higher-level rule set if the branch cannot make a final decision about the packet. Used to branch to a different rule set. For iptables, this action is translated into a user-defined chain. The name of the chain is the name of the Policy rule set object that the branch jumps to. For PF, this action is translated into an anchor with the same name as the Policy rule set that the branch jumps to. This action has one parameter: when you select Branch as the action, the action dialog automatically opens for you with a drop area to drag-and-drop the Policy rule set which will be branched to.

  • Continue:

    Continue is, essentially, an empty action. You can use this option when you want to assign an option, such as logging or packet marking, to a matched packet but take no other action in that rule. This action has no parameters.

    On iptables systems, using just the Continue action generates a rule that has no -j target defined. If the action is set to Continue and the logging option has been applied, the generated rule has the -j LOG target set.

Figure 7.6. Rule Actions


Policy actions can be combined with rule options specified in the Options rule element to have the firewall perform multiple operations within a single rule. For example, you can tag, classify, and accept a packet within a single rule by setting the Tag and Classify options and setting the action to Accept. For more information on configuring policies to perform multiple operations, see Section 7.5.6.
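The action-to-iptables mapping described in the list above (Accept, Deny, Reject with a response, Accounting via an empty user chain, Queue, Branch to a chain named after the target rule set, and Continue with or without logging), as an added illustrative model that is not Firewall Builder's own policy compiler. The Rule class, compile_rule function, the conservative chain-name check and the choice to emit a separate LOG rule ahead of a logged non-Continue action are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    match: str                   # matching part, e.g. "-s 10.0.0.0/8 -p tcp --dport 22"
    action: str                  # Accept, Deny, Reject, Accounting, Queue, Branch, Continue
    param: Optional[str] = None  # Reject response, Accounting chain name, Branch rule set
    log: bool = False            # the "logging" rule option


# Values accepted by iptables' REJECT --reject-with (the GUI choices are in Figure 7.5).
REJECT_RESPONSES = {"tcp-reset", "icmp-port-unreachable", "icmp-host-unreachable",
                    "icmp-net-unreachable", "icmp-proto-unreachable", "icmp-admin-prohibited"}
# Assumed conservative check for user chain names (no spaces, short, plain characters).
CHAIN_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,28}$")


def compile_rule(rule: Rule, chain: str = "INPUT") -> List[str]:
    """Return the iptables command lines implementing one policy rule."""
    base = f"iptables -A {chain} {rule.match}".rstrip()
    prelude: List[str] = []   # chain creation that must precede the jump
    lines: List[str] = []
    # LOG is a non-terminating target, so a logged rule with another action is
    # modelled as a LOG rule in front of it; Continue + logging is just the LOG rule.
    if rule.log:
        lines.append(f"{base} -j LOG")
    if rule.action == "Accept":
        lines.append(f"{base} -j ACCEPT")
    elif rule.action == "Deny":
        lines.append(f"{base} -j DROP")
    elif rule.action == "Reject":
        if rule.param not in REJECT_RESPONSES:
            raise ValueError(f"unsupported Reject response: {rule.param!r}")
        lines.append(f"{base} -j REJECT --reject-with {rule.param}")
    elif rule.action in ("Accounting", "Branch"):
        if not rule.param or not CHAIN_NAME.match(rule.param):
            raise ValueError(f"{rule.action} needs a valid chain name, got {rule.param!r}")
        if rule.action == "Accounting":
            # The accounting chain is created empty: it only counts, control returns,
            # and a later rule with Action Accept is still needed to pass the traffic.
            prelude.append(f"iptables -N {rule.param}")
        # For Branch the chain is the compiled target rule set, so it is not created here.
        lines.append(f"{base} -j {rule.param}")
    elif rule.action == "Queue":
        lines.append(f"{base} -j QUEUE")
    elif rule.action == "Continue":
        if not rule.log:
            lines.append(base)   # no -j target at all
    else:
        raise ValueError(f"unknown action {rule.action!r}")
    return prelude + lines
```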


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.