shorewall-5.2.3.4/0000775000000000000000000000000013531077634012374 5ustar rootrootshorewall-5.2.3.4/shorewallrc.default0000664000000000000000000000364313531077634016275 0ustar rootroot# # Default Shorewall 5.2 rc file # BUILD= #Default is to detect the build system HOST=linux #Generic Linux PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR=${PREFIX}/man #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Directory where SysV init parameter files are installed SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf shorewall-5.2.3.4/shorewallrc.openwrt0000664000000000000000000000351413531077634016344 0ustar rootroot# # OpenWRT/LEDE Shorewall 5.2 rc file # BUILD= #Default is to detect the build system HOST=openwrt PREFIX=/usr #Top-level directory for shared files, libraries, etc. 
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR= #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.openwrt.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR=${CONFDIR}/sysconfig #Directory where SysV init parameter files are installed SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf shorewall-5.2.3.4/lib.uninstaller0000664000000000000000000000441113531077634015424 0ustar rootroot# # Shorewall 5.2 -- /usr/share/shorewall/lib.installer # # (c) 2017 - Tom Eastep (teastep@shorewall.net) # (c) 2017 - Matt Darfeuille (matdarf@gmail.com) # # Complete documentation is available at http://shorewall.net # # This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by the # Free Software Foundation, either version 2 of the license or, at your # option, any later version. 
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # The purpose of this library is to hold those functions used by the products uninstaller. # ######################################################################################### fatal_error() { echo " ERROR: $@" >&2 exit 1 } split() { local ifs ifs=$IFS IFS=: set -- $1 echo $* IFS=$ifs } qt() { "$@" >/dev/null 2>&1 } mywhich() { local dir for dir in $(split $PATH); do if [ -x $dir/$1 ]; then return 0 fi done return 2 } remove_file() # $1 = file to remove { if [ -n "$1" ] ; then if [ -f $1 -o -h $1 ] ; then rm -f $1 echo "$1 Removed" fi fi } remove_directory() # $1 = directory to remove { if [ -n "$1" ] ; then if [ -d $1 ] ; then rm -rf $1 echo "$1 Removed" fi fi } remove_file_with_wildcard() # $1 = file with wildcard to remove { if [ -n "$1" ] ; then for f in $1; do if [ -d $f ] ; then rm -rf $f echo "$f Removed" elif [ -f $f -o -h $f ] ; then rm -f $f echo "$f Removed" fi done fi } restore_file() # $1 = file to restore { if [ -f ${1}-shorewall.bkout ]; then if (mv -f ${1}-shorewall.bkout $1); then echo echo "$1 restored" else exit 1 fi fi } shorewall-5.2.3.4/Macros/0000775000000000000000000000000013531060406013605 5ustar rootrootshorewall-5.2.3.4/Macros/macro.VRRP0000664000000000000000000000044513531060406015424 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.VRRP # # This macro handles Virtual Router Redundancy Protocol (VRRP) traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE PARAM SOURCE DEST:224.0.0.18 vrrp shorewall-5.2.3.4/Macros/macro.mDNS0000664000000000000000000000076613531060406015442 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.mDNS # # This macro handles multicast DNS traffic from DEST zone. # It assumes that only the DEST zone sends mDNS queries. # If both zones send queries, use the mDNSbi macro. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST PARAM - 224.0.0.251 udp 5353 PARAM - - udp 1024: 5353 PARAM - 224.0.0.251 2 PARAM DEST SOURCE:224.0.0.251 udp 5353 PARAM DEST SOURCE:224.0.0.251 2 shorewall-5.2.3.4/Macros/macro.MySQL0000664000000000000000000000041113531060406015571 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.MySQL # # This macro handles connections to the MySQL server. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 3306 shorewall-5.2.3.4/Macros/macro.Webmin0000664000000000000000000000037213531060406016053 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Webmin # # This macro handles Webmin traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 10000 shorewall-5.2.3.4/Macros/macro.RDP0000664000000000000000000000044113531060406015254 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.RDP # # This macro handles Microsoft RDP (Remote Desktop) traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 3389 PARAM - - tcp 3389 shorewall-5.2.3.4/Macros/macro.Telnets0000664000000000000000000000050613531060406016247 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Telnets # # This macro handles Telnet over SSL (TLS) traffic. # For traffic over the internet, SSH might be more practical. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDIST RATE USER PARAM - - tcp 992 shorewall-5.2.3.4/Macros/macro.Mail0000664000000000000000000000104513531060406015512 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Mail # # This macro handles SMTP (email secure and insecure) traffic. # It's the aggregate of macro.SMTP, macro.SMTPS, macro.MSA. # # Note: This macro handles traffic between an MUA (Email client) # and an MTA (mail server) or between MTAs. It does not enable # reading of email via POP3 or IMAP. For those you need to use # the POP3 or IMAP macros. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER SMTP SMTPS MSA shorewall-5.2.3.4/Macros/macro.POP3S0000664000000000000000000000046313531060406015477 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.POP3S # # This macro handles encrypted POP3 traffic. # For plaintext POP3, see macro.POP3. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 995 # Secure POP3 shorewall-5.2.3.4/Macros/macro.ONCRPC0000664000000000000000000000062713531060406015621 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.ONCRPC # # This macro handles ONC RCP traffic (for rpcbind on Linux, etc). 
# ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp,udp 111 shorewall-5.2.3.4/Macros/macro.BitTorrent0000664000000000000000000000070613531060406016727 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.BitTorrent # # This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier. # # If you are running BitTorrent 3.2 or later, you should use the # BitTorrent32 macro. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 6881:6889 # # It may also be necessary to allow UDP traffic: # PARAM - - udp 6881 shorewall-5.2.3.4/Macros/macro.IPFS-gateway0000664000000000000000000000045613531060406017035 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPFS-gateway # # This macro handles the IPFS gateway to HTTP. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 8080 shorewall-5.2.3.4/Macros/macro.L2TP0000664000000000000000000000052113531060406015347 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.L2TP # # This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic. 
# (RFC 2661) # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 1701 # L2TP PARAM DEST SOURCE udp 1701 # L2TP shorewall-5.2.3.4/Macros/macro.BitcoinZMQ0000664000000000000000000000067713531060406016621 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.BitcoinZMQ # # Macro for handling Bitcoin ZMQ traffic # See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 28332 shorewall-5.2.3.4/Macros/macro.IPsecah0000664000000000000000000000067713531060406016156 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPsecah # # This macro (bidirectional) handles IPsec authentication (AH) traffic. # This is insecure. You should use ESP with encryption for security. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 500 500 # IKE PARAM - - 51 # AH PARAM DEST SOURCE udp 500 500 # IKE PARAM DEST SOURCE 51 # AH shorewall-5.2.3.4/Macros/macro.IPsecnat0000664000000000000000000000065613531060406016345 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPsecnat # # This macro (bidirectional) handles IPsec traffic and Nat-Traversal # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 500 # IKE PARAM - - udp 4500 # NAT-T PARAM - - 50 # ESP PARAM DEST SOURCE udp 500 # IKE PARAM DEST SOURCE udp 4500 # NAT-T PARAM DEST SOURCE 50 # ESP shorewall-5.2.3.4/Macros/macro.ICQ0000664000000000000000000000042613531060406015246 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.ICQ # # This macro handles ICQ, now called AOL Instant Messenger (or AIM). # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5190 shorewall-5.2.3.4/Macros/macro.ILO0000664000000000000000000000104113531060406015247 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.ILO # # This macro handles console redirection with HP ILO 2+, # Use this macro to open access to your ILO interface from management # workstations. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 3002 # Raw serial data PARAM - - tcp 9300 # Shared Remote Console PARAM - - tcp 17988 # Virtual Media PARAM - - tcp 17990 # Console Replay HTTP HTTPS RDP SSH Telnet # Remote Console/Telnet shorewall-5.2.3.4/Macros/macro.FreeIPA0000664000000000000000000000043613531060406016046 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.FreeIPA # # This macro handles FreeIPA server traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER DNS HTTP HTTPS Kerberos Kpasswd LDAP LDAPS NTP shorewall-5.2.3.4/Macros/macro.TorControl0000664000000000000000000000061713531060406016741 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.TorControl # # Macro for handling Tor Controller Applications traffic # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 9051 shorewall-5.2.3.4/Macros/macro.Tor0000664000000000000000000000057613531060406015404 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.Tor # # Macro for handling Tor Onion Network traffic # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 9001 shorewall-5.2.3.4/Macros/macro.TorBrowserBundle0000664000000000000000000000065113531060406020074 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.TorBrowserBundle # # Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 9150 shorewall-5.2.3.4/Macros/macro.IPFS-swarm0000664000000000000000000000050413531060406016517 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPFS-swarm # # This macro handles IPFS data traffic (the connection to IPFS swarm). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 4001 shorewall-5.2.3.4/Macros/macro.SMTPS0000664000000000000000000000047113531060406015540 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SMTPS # # This macro handles legacy SMTP over SSL (TLS) traffic. # You should configure SMTP STARTTLS instead. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 465 shorewall-5.2.3.4/Macros/macro.RedisCluster0000664000000000000000000000040713531060406017241 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.RedisCluster # # This macro handles Redis Cluster traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 16379 shorewall-5.2.3.4/Macros/macro.TFTP0000664000000000000000000000067413531060406015414 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.TFTP # # This macro handles Trivial File Transfer Protocol (TFTP) # Because TFTP lacks all security you should not enable it over Internet. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER ) PARAM - - udp 69 { helper=tftp } ?else PARAM - - udp 69 ?endif shorewall-5.2.3.4/Macros/macro.Trcrt0000664000000000000000000000052513531060406015730 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Trcrt # # This macro handles ICMP and UDP Traceroute (UDP for up to 30 hops). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 33434:33524 # UDP Traceroute PARAM - - icmp 8 # ICMP Traceroute shorewall-5.2.3.4/Macros/macro.Teredo0000664000000000000000000000042113531060406016047 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Teredo # # This macro handles Teredo IPv6 over UDP tunneling traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 3544 shorewall-5.2.3.4/Macros/macro.Telnet0000664000000000000000000000050213531060406016060 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Telnet # # This macro handles Telnet traffic. # For traffic over the internet, telnet is inappropriate; use SSH instead. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 23 shorewall-5.2.3.4/Macros/macro.Zabbix0000664000000000000000000000061313531060406016047 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Zabbix # # This macro handles Zabbix monitoring software traffic from server to agent # and trap traffic from agent to zabbix server. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 10050 # zabbix_agent PARAM DEST SOURCE tcp 10051 # zabbix_trap shorewall-5.2.3.4/Macros/macro.Squid0000664000000000000000000000040113531060406015710 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Squid # # This macro handles Squid web proxy traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 3128 shorewall-5.2.3.4/Macros/macro.Gnutella0000664000000000000000000000042013531060406016377 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Gnutella # # This macro handles Gnutella traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 6346 PARAM - - udp 6346 shorewall-5.2.3.4/Macros/macro.Jabberd0000664000000000000000000000041513531060406016161 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Jabberd # # This macro handles Jabberd intercommunication traffic # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5269 shorewall-5.2.3.4/Macros/macro.SVN0000664000000000000000000000042713531060406015301 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SVN # # This macro handles connections to the Subversion server (svnserve). # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 3690 shorewall-5.2.3.4/Macros/macro.Time0000664000000000000000000000057413531060406015534 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Time # # This macro handles Time protocol (RFC868). # Unless you are supporting extremely old hardware or software, # you shouldn't be using this. NTP is a superior alternative. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 37 shorewall-5.2.3.4/Macros/macro.RIPbi0000664000000000000000000000046513531060406015602 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.RIPbi # # This macro (bidirectional) handles Routing Information Protocol (RIP). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 520 PARAM DEST SOURCE udp 520 shorewall-5.2.3.4/Macros/macro.Kerberos0000664000000000000000000000041413531060406016403 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Kerberos # # This macro handles Kerberos traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 88 PARAM - - udp 88 shorewall-5.2.3.4/Macros/macro.Munin0000664000000000000000000000042513531060406015717 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Munin # # This macro handles Munin networked resource monitoring traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 4949 shorewall-5.2.3.4/Macros/macro.SMTP0000664000000000000000000000072213531060406015414 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SMTP # # This macro handles SMTP (email) traffic. # For deprecated SMTP encrypted over SSL (TLS), use macro.SMTPS. # Note that STARTTLS can be used over the standard STMP port, so the use of # this macro doesn't necessarily imply the use of an insecure connection. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 25 shorewall-5.2.3.4/Macros/macro.Webcache0000664000000000000000000000043613531060406016334 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.WebCache # # This macro handles Web Caches and Dansguardian traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 8080 shorewall-5.2.3.4/Macros/macro.Whois0000664000000000000000000000037713531060406015730 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Whois # # This macro handles whois (nicname) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 43 shorewall-5.2.3.4/Macros/macro.OSPF0000664000000000000000000000040013531060406015371 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.OSPF # # This macro handles OSPF multicast traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - 89 # OSPF shorewall-5.2.3.4/Macros/macro.DNS0000664000000000000000000000040313531060406015251 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.DNS # # This macro handles DNS traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 53 PARAM - - tcp 53 shorewall-5.2.3.4/Macros/macro.Submission0000664000000000000000000000040513531060406016762 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Submission # # This macro handles mail message submission (MSA) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MSA shorewall-5.2.3.4/Macros/macro.ActiveDir0000664000000000000000000000270413531060406016505 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.ActiveDir # # This macro handles ports for Samba 4 Active Directory Service. # You can copy this file to /etc/shorewall[6]/ and comment out the ports you # do not want open. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 389 #LDAP services PARAM - - udp 389 PARAM - - tcp 636 #LDAP SSL PARAM - - tcp 3268 #LDAP GC PARAM - - tcp 3269 #LDAP GC SSL PARAM - - tcp 88 #Kerberos PARAM - - udp 88 # Use macro.DNS for DNS sevice PARAM - - tcp 445 #Replication, User and Computer Authentication, Group Policy, Trusts PARAM - - udp 445 # Use macro.SMTP for Mail service PARAM - - tcp 135 #RPC, EPM PARAM - - tcp 5722 #RPC, DFSR (SYSVOL) PARAM - - udp 123 #Windows Time PARAM - - tcp 464 #Kerberosb change/set password PARAM - - udp 464 PARAM - - udp 138 #DFS, Group Policy PARAM - - tcp 9389 #SOAP PARAM - - tcp 2535 #MADCAP PARAM - - udp 2535 PARAM - - udp 137 #NetLogon, NetBIOS Name Resolution PARAM - - tcp 139 #DFSN, NetBIOS Session Service, NetLogon shorewall-5.2.3.4/Macros/macro.DAAP0000664000000000000000000000055613531060406015343 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.DAAP # # This macro handles DAAP (Digital Audio Access Protocol) traffic. # The protocol is used by iTunes, Rythmbox and other similar daemons. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 3689 PARAM - - udp 3689 shorewall-5.2.3.4/Macros/macro.Xymon0000664000000000000000000000036713531060406015750 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Xymon # # This macro handles Xymon traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 1984 shorewall-5.2.3.4/Macros/macro.RNDC0000664000000000000000000000042613531060406015360 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.RNDC # # This macro handles BIND remote management protocol (RNDC) traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 953 shorewall-5.2.3.4/Macros/macro.IPIP0000664000000000000000000000045513531060406015375 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPIP # # This macro (bidirectional) handles IPIP capsulation traffic # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - 94 # IPIP PARAM DEST SOURCE 94 # IPIP shorewall-5.2.3.4/Macros/macro.RedisSecure0000664000000000000000000000041613531060406017046 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.RedisSecure # # This macro handles Redis Secure (SSL/TLS) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 6380 shorewall-5.2.3.4/Macros/macro.AMQP0000664000000000000000000000041013531060406015361 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.AMQP # # This macro handles AMQP traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5672 PARAM - - udp 5672 shorewall-5.2.3.4/Macros/macro.SSH0000664000000000000000000000040013531060406015257 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SSH # # This macro handles secure shell (SSH) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 22 shorewall-5.2.3.4/Macros/macro.POP30000664000000000000000000000044513531060406015354 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.POP3 # # This macro handles plaintext POP3 traffic. # For encrypted POP3, see macro.POP3S. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 110 shorewall-5.2.3.4/Macros/macro.Razor0000664000000000000000000000041713531060406015727 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Razor # # This macro handles traffic for the Razor Antispam System # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ACCEPT - - tcp 2703 shorewall-5.2.3.4/Macros/macro.Amanda0000664000000000000000000000145413531060406016015 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Amanda # # This macro handles connections required by the AMANDA backup system # to back up remote nodes. It does not provide the ability to restore # files from those nodes. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER ) PARAM - - udp 10080 { helper=amanda } ?else PARAM - - udp 10080 ?endif PARAM - - tcp 10080 # # You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6, # it should not be necessary to use this. The ip_conntrack_amanda # kernel module should be loaded (via /etc/shorewall/modules) on all # systems which need to pass AMANDA traffic through netfilter. #PARAM - - tcp 50000:50100 # shorewall-5.2.3.4/Macros/macro.A_DropDNSrep0000664000000000000000000000044513531060406017053 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.A_DropDNSrep # # This macro audits and drops DNS UDP replies. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT Late DNS Replies A_DROP - - udp - 53 shorewall-5.2.3.4/Macros/macro.BGP0000664000000000000000000000037213531060406015242 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.BGP # # This macro handles BGP4 traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 179 # BGP4 shorewall-5.2.3.4/Macros/macro.Tinc0000664000000000000000000000045613531060406015532 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Tinc # # This macro handles tinc VPN traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 655 PARAM - - tcp 655 shorewall-5.2.3.4/Macros/macro.VNCL0000664000000000000000000000044113531060406015371 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.VNCL # # This macro handles VNC traffic from Vncservers to Vncviewers in listen mode. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5500 shorewall-5.2.3.4/Macros/macro.NTPbrd0000664000000000000000000000077513531060406015772 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.NTPbrd # # This macro handles NTP traffic including replies to Broadcast NTP traffic. # # It is recommended only to use this where the source host is trusted - # otherwise it opens up a large hole in your firewall because # Netfilter doesn't track connections for broadcast traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 123 PARAM - - udp 1024: 123 shorewall-5.2.3.4/Macros/macro.Cockpit0000664000000000000000000000062313531060406016225 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Cockpit # # This macro handles Time protocol (RFC868). # Unless you are supporting extremely old hardware or software, # you shouldn't be using this. NTP is a superior alternative. # # By Eric Teeter ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 9090 shorewall-5.2.3.4/Macros/macro.MSSQL0000664000000000000000000000043013531060406015524 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.MSSQL # # This macro handles MSSQL (Microsoft SQL Server) # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 1433 PARAM - - udp 1434 shorewall-5.2.3.4/Macros/macro.OpenVPN0000664000000000000000000000037313531060406016120 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.OpenVPN # # This macro handles OpenVPN traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 1194 shorewall-5.2.3.4/Macros/macro.NTP0000664000000000000000000000044113531060406015270 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.NTP # # This macro handles NTP traffic. # For broadcast NTP traffic, use NTPbrd Macro. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 123 shorewall-5.2.3.4/Macros/macro.DropUPnP0000664000000000000000000000045313531060406016301 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.DropUPnP # # This macro silently drops UPnP probes on UDP port 1900 # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT UPnP DEFAULT DROP PARAM - - udp 1900 shorewall-5.2.3.4/Macros/macro.Syslog0000664000000000000000000000041213531060406016105 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Syslog # # This macro handles syslog traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 514 PARAM - - tcp 514 shorewall-5.2.3.4/Macros/macro.TorSocks0000664000000000000000000000060113531060406016374 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.TorSocks # # Macro for handling Tor Socks Proxy traffic # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 9050 shorewall-5.2.3.4/Macros/macro.Web0000664000000000000000000000046613531060406015353 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Web # # This macro handles WWW traffic (secure and insecure). # You should use macro.HTTP and macro.HTTPS instead. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER HTTP HTTPS shorewall-5.2.3.4/Macros/macro.NTPbi0000664000000000000000000000041613531060406015605 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.NTPbi # # This macro handles bi-directional NTP (for NTP peers). # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER NTP NTP DEST SOURCE shorewall-5.2.3.4/Macros/macro.PostgreSQL0000664000000000000000000000042313531060406016632 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.PostgreSQL # # This macro handles connections to the PostgreSQL server. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5432 shorewall-5.2.3.4/Macros/macro.Distcc0000664000000000000000000000043213531060406016040 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Distcc # # This macro handles connections to the Distributed Compiler service. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 3632 shorewall-5.2.3.4/Macros/macro.GRE0000664000000000000000000000046613531060406015253 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.GRE # # This macro (bidirectional) handles Generic Routing Encapsulation (GRE). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - 47 # GRE PARAM DEST SOURCE 47 # GRE shorewall-5.2.3.4/Macros/macro.SixXS0000664000000000000000000000122013531060406015641 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SixXS # # This macro handles SixXS - An IPv6 Deployment and Tunnel Broker # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER # Used for retrieving the tunnel information (eg by AICCU) PARAM - - tcp 3874 # Used for signaling where the current IPv4 endpoint # of the tunnel is and that it is alive PARAM - - udp 3740 # Used for tunneling IPv6 over IPv4 (static + heartbeat tunnels) PARAM - - 41 # Used for tunneling IPv6 over IPv4 (AYIYA # tunnels)(5072 is official port, 8374 is used in the beta) PARAM - - udp 5072,8374 shorewall-5.2.3.4/Macros/macro.NNTP0000664000000000000000000000045613531060406015414 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.NNTP # # This macro handles plaintext NNTP traffic (Usenet). # For encrypted NNTP, see macro.NNTPS. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 119 shorewall-5.2.3.4/Macros/macro.NNTPS0000664000000000000000000000045613531060406015537 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.NNTPS # # This macro handles encrypted NNTP traffic (Usenet). # For plaintext NNTP, see macro.NNTP. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 563 shorewall-5.2.3.4/Macros/macro.SIP0000664000000000000000000000053313531060406015264 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SIP # # This macro handles SIP traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER ) PARAM - - udp 5060 { helper=sip } ?else PARAM - - udp 5060 ?endif shorewall-5.2.3.4/Macros/macro.SMB0000664000000000000000000000130713531060406015252 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SMB # # This macro handles Microsoft SMB traffic. # You need to invoke this macro in both directions. # Beware! This rule opens a lot of ports, and could possibly be used to # compromise your firewall if not used with care. You should only allow SMB # traffic between hosts you fully trust. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 135,445 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) PARAM - - udp 137 { helper=netbios-ns } PARAM - - udp 138:139 ?else PARAM - - udp 137:139 ?endif PARAM - - udp 1024: 137 PARAM - - tcp 135,139,445 shorewall-5.2.3.4/Macros/macro.Goto-Meeting0000664000000000000000000000051013531060406017122 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Goto-Meeting # # This macro handles Citrix/Goto Meeting. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 8200 # Goto Meeting only needed outbound HTTP HTTPS shorewall-5.2.3.4/Macros/macro.Rdate0000664000000000000000000000073413531060406015673 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Rdate # # This macro handles remote time retrieval (rdate). # Unless you are supporting extremely old hardware or software, # you shouldn't be using this. NTP is a superior alternative. # And even if you need to use rfc 868 Time protocol you should # use Time macro instead. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 37 shorewall-5.2.3.4/Macros/macro.IMAPS0000664000000000000000000000052213531060406015500 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IMAPS # # This macro handles SSL (TLS) IMAP traffic. # For plaintext (not recommended) and STARTTLS (recommended) IMAP see # macro.IMAP. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 993 shorewall-5.2.3.4/Macros/macro.SPAMD0000664000000000000000000000040313531060406015471 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SPAMD # # This macro handles SpamAssassin SPAMD traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 783 shorewall-5.2.3.4/Macros/macro.DHCPfwd0000664000000000000000000000051013531060406016053 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.DHCPfwd # # This macro (bidirectional) handles forwarded DHCP traffic # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 67:68 67:68 # DHCP PARAM DEST SOURCE udp 67:68 67:68 # DHCP shorewall-5.2.3.4/Macros/macro.A_DropUPnP0000664000000000000000000000044413531060406016541 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.A_DropUPnP # # This macro audits and drops UPnP probes on UDP port 1900. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT UPnP A_DROP - - udp 1900 shorewall-5.2.3.4/Macros/macro.BitTorrent320000664000000000000000000000055513531060406017076 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.BitTorrent32 # # This macro handles BitTorrent traffic for BitTorrent 3.2 and later. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 6881:6999 # # It may also be necessary to allow UDP traffic: # PARAM - - udp 6881 shorewall-5.2.3.4/Macros/macro.Citrix0000664000000000000000000000061013531060406016071 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Citrix # # This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. # ICA Session Reliability) # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 1494 # ICA PARAM - - udp 1604 # ICA Browser PARAM - - tcp 2598 # CGP Session Reliability shorewall-5.2.3.4/Macros/macro.Finger0000664000000000000000000000047513531060406016050 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Finger # # This macro handles Finger protocol. # You should not generally expose your finger information to the internet. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 79 shorewall-5.2.3.4/Macros/macro.Redis0000664000000000000000000000036713531060406015704 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Redis # # This macro handles Redis traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 6379 shorewall-5.2.3.4/Macros/macro.SSDP0000664000000000000000000000042013531060406015375 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SSDP # # This macro handles SSDP (used by DLNA/UPnP) client traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 1900 shorewall-5.2.3.4/Macros/macro.Rsync0000664000000000000000000000041013531060406015721 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Rsync # # This macro handles connections to the rsync server. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 873 shorewall-5.2.3.4/Macros/macro.LDAP0000664000000000000000000000111113531060406015342 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.LDAP # # This macro handles plaintext LDAP traffic. For encrypted LDAP # traffic, see macro.LDAPS. Use of LDAPS is recommended (and is # required by some directory services) if you want to do user # authentication over LDAP. Note that some LDAP implementations # support initiating TLS connections via the plaintext LDAP port. # Consult your LDAP server documentation for details. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 389 shorewall-5.2.3.4/Macros/macro.QUIC0000664000000000000000000000042013531060406015365 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.QUIC # # This macro handles QUIC (Quick UDP Internet Connections). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 80,443 shorewall-5.2.3.4/Macros/macro.IRC0000664000000000000000000000056113531060406015247 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IRC # # This macro handles IRC traffic (Internet Relay Chat). # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER ) PARAM - - tcp 6667 { helper=irc } ?else PARAM - - tcp 6667 ?endif shorewall-5.2.3.4/Macros/macro.ICPV20000664000000000000000000000042313531060406015452 0ustar rootroot# # Shorewall - /usr/share/shorewall/macro.ICPV2 # # This macro handles Internet Cache Protocol V2 (Squid) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 3130 shorewall-5.2.3.4/Macros/macro.Apcupsd0000664000000000000000000000037313531060406016232 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Apcupsd # # This macro handles apcupsd traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 3551 shorewall-5.2.3.4/Macros/macro.JabberSecure0000664000000000000000000000044613531060406017170 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.JabberSecure # # This macro handles deprecated Jabber (SSL) traffic. Use STARTTLS instead. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5223 shorewall-5.2.3.4/Macros/macro.IPFS-API0000664000000000000000000000047613531060406016007 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPFS-API # # This macro handles IPFS API port (commands for the IPFS daemon). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5001 shorewall-5.2.3.4/Macros/macro.HTTP0000664000000000000000000000040313531060406015404 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.HTTP # # This macro handles plaintext HTTP (WWW) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 80 shorewall-5.2.3.4/Macros/macro.Printer0000664000000000000000000000041113531060406016247 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Printer # # This macro handles Line Printer protocol printing. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 515 shorewall-5.2.3.4/Macros/macro.Rfc19180000664000000000000000000000054413531060406015670 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Rfc1918 # # This macro handles SOURCE or ORIGDEST address reserved by RFC 1918. # ############################################################################### #ACTION SOURCE DEST PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 DEST PARAM SOURCE DEST { origdest=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 } shorewall-5.2.3.4/Macros/macro.HKP0000664000000000000000000000042013531060406015246 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.HKP # # This macro handles OpenPGP HTTP keyserver protocol traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 11371 shorewall-5.2.3.4/Macros/macro.MSA0000664000000000000000000000042213531060406015246 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.MSA # # This macro handles mail message submission agent (MSA) traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 587 shorewall-5.2.3.4/Macros/macro.Jetdirect0000664000000000000000000000040313531060406016542 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Jetdirect # # This macro handles HP Jetdirect printing. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 9100 shorewall-5.2.3.4/Macros/macro.Ping0000664000000000000000000000037313531060406015530 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Ping # # This macro handles ICMP 'ping' requests. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - icmp 8 shorewall-5.2.3.4/Macros/macro.TorDirectory0000664000000000000000000000060213531060406017257 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.TorDirectory # # Macro for handling Tor Directory traffic # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 9030 shorewall-5.2.3.4/Macros/macro.MSNP0000664000000000000000000000041513531060406015405 0ustar rootroot# # Shorewall - /usr/share/shorewall/macro.MSNP # # This macro handles MSNP (MicroSoft Notification Protocol) # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 1863 shorewall-5.2.3.4/Macros/macro.DCC0000664000000000000000000000051113531060406015216 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.DCC # # This macro handles DCC (Distributed Checksum Clearinghouse) traffic. # DCC is a distributed spam filtering mechanism. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 6277 shorewall-5.2.3.4/Macros/macro.Edonkey0000664000000000000000000000177313531060406016236 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Edonkey # # This macro handles Edonkey traffic. # # http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm # says to use udp 5737 rather than 4665. # # http://www.amule.org/wiki/index.php/FAQ_ed2k says this: # # 4661 TCP (outgoing) Port, on which a server listens for connection # (defined by server). # # 4665 UDP (outgoing) used for global server searches and global source # queries. This is always Server TCP port (in this case 4661) + 4. # # 4662 TCP (outgoing and incoming) Client to client transfers. # # 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue # Rating, File Reask Ping # # 4711 TCP WebServer listening port. # # 4712 TCP External Connection port. Used to communicate aMule with other # applications such as aMule WebServer or aMuleCMD. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 4662 PARAM - - udp 4665 shorewall-5.2.3.4/Macros/macro.CVS0000664000000000000000000000040613531060406015263 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.CVS # # This macro handles connections to the CVS pserver. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 2401 shorewall-5.2.3.4/Macros/IPFS-swarm0000664000000000000000000000050413531060406015417 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPFS-swarm # # This macro handles IPFS data traffic (the connection to IPFS swarm). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 4001 shorewall-5.2.3.4/Macros/macro.LDAPS0000664000000000000000000000111213531060406015466 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.LDAPS # # This macro handles encrypted LDAP traffic. For plaintext LDAP # traffic, see macro.LDAP. Use of LDAPS is recommended (and is # required by some directory services) if you want to do user # authentication over LDAP. Note that some LDAP implementations # support initiating TLS connections via the plaintext LDAP port. # Consult your LDAP server documentation for details. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 636 shorewall-5.2.3.4/Macros/macro.IMAP0000664000000000000000000000046213531060406015360 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IMAP # # This macro handles plaintext and STARTTLS IMAP traffic. # For SSL (TLS) IMAP, see macro.IMAPS. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 143 shorewall-5.2.3.4/Macros/macro.Sieve0000664000000000000000000000041013531060406015676 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Sieve # # This macro handles sieve aka ManageSieve protocol. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 4190 shorewall-5.2.3.4/Macros/macro.A_AllowICMPs0000664000000000000000000000054513531060406017006 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.A_AllowICMPs # # This macro audits and accepts needed ICMP types. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE ?COMMENT Needed ICMP types A_ACCEPT - - icmp fragmentation-needed A_ACCEPT - - icmp time-exceeded shorewall-5.2.3.4/Macros/macro.PCA0000664000000000000000000000042113531060406015230 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.PCA # # This macro handles pcAnywhere (tm) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 5632 PARAM - - tcp 5631 shorewall-5.2.3.4/Macros/macro.MongoDB0000664000000000000000000000041213531060406016112 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.MongoDB # # This macro handles MongoDB Daemon/Router traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 27017 shorewall-5.2.3.4/Macros/macro.HTTPS0000664000000000000000000000040513531060406015531 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.HTTPS # # This macro handles HTTPS (WWW over TLS) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 443 shorewall-5.2.3.4/Macros/macro.GNUnet0000664000000000000000000000052313531060406015770 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.GNUnet # # This macro handles GNUnet (secure peer-to-peer networking) traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 2086 PARAM - - udp 2086 PARAM - - tcp 1080 PARAM - - udp 1080 shorewall-5.2.3.4/Macros/macro.Puppet0000664000000000000000000000044313531060406016106 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Puppet # # This macro handles client-to-server traffic for Puppet configuration management. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 8140 shorewall-5.2.3.4/Macros/macro.SANE0000664000000000000000000000141413531060406015356 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SANE # # This macro handles SANE network scanning. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER ) PARAM - - tcp 6566 { helper=sane } ?else PARAM - - tcp 6566 ?endif # # Kernels 2.6.23+ have the nf_conntrack_sane module, which handles the # SANE data connection. If you need these entries, copy this file to /etc/shorewall # and remove the comment marker from one of the entries below. # # If you don't have SANE conntrack support you need to open the whole dynamic # port range. # # This is for normal Linux 2.4+ #PARAM - - tcp 32768:61000 # This is a generic rule for any OS running saned. #PARAM - - tcp 1024: shorewall-5.2.3.4/Macros/macro.IPP0000664000000000000000000000040713531060406015261 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPP # # This macro handles Internet Printing Protocol (IPP). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 631 shorewall-5.2.3.4/Macros/macro.SNMP0000664000000000000000000000062713531060406015412 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SNMP # # This macro handles SNMP traffic. # Note: To allow SNMP Traps, use the SNMPTrap macro. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER ) PARAM - - udp 161 { helper=snmp } ?else PARAM - - udp 161 ?endif shorewall-5.2.3.4/Macros/macro.Jabber0000664000000000000000000000037113531060406016016 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Jabber # # This macro handles Jabber traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5222 shorewall-5.2.3.4/Macros/macro.template0000664000000000000000000000563413531060406016453 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.template # # Macro files are similar to action files with the following exceptions: # # - A macro file is not processed unless the macro that it defines is # referenced in the /etc/shorewall/rules file or in an action # definition file. # # - Macros are translated directly into one or more rules whereas # actions become their own chain. # # - All entries in a macro undergo substitution when the macro is # invoked in the rules file. # # Columns are the same as in /etc/shorewall/rules. # A few examples should help show how Macros work. 
# # /etc/shorewall/macro.FwdFTP: # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE # DNAT - - tcp 21 # # /etc/shorewall/rules: # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE # FwdFTP net loc:192.168.1.5 # # The result is equivalent to: # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE # DNAT net loc:192.168.1.5 tcp 21 # # The substitution rules are as follows: # # ACTION column If in the invocation of the macro, the macro # name is followed by slash ("/") and a second # name, the second name is substituted for each # entry in the macro whose ACTION is PARAM # # For example, if macro FOO is invoked as # FOO/ACCEPT then when expanding macro.FOO, # Shorewall will substitute ACCEPT in each # entry in macro.FOO whose ACTION column # contains PARAM. PARAM may be optionally # followed by a colon and a log level. # # You may also follow the # # Any logging specified when the macro is # invoked is applied to each entry in the macros. # # SOURCE and DEST If the column in the macro is empty then the # columns value in the rules file is used. If the column # in the macro is non-empty then any value in # the rules file is appended with a ":" # separator. # # Example: ####################################################### # #ACTION SOURCE DEST PROTO DPORT # macro.FTP File PARAM net loc tcp 21 # rules File FTP(DNAT) - 192.168.1.5 # Result DNAT net loc:192.168.1.5 tcp 21 # # Remaining Any value in the rules file REPLACES the value # columns given in the macro file. # # Multiple parameters may be passed to a macro. Within this file, $1 refers # to the first parameter, $2 to the second an so on. $1 is a synonym for # PARAM but may be used anywhere in the file whereas PARAM may only be used # in the ACTION column. # # You can specify default values for parameters by using DEFAULT or DEFAULTS # entry: # # DEFAULTS ,,... 
# ####################################################################################################### # DO NOT REMOVE THE FOLLOWING LINE ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER shorewall-5.2.3.4/Macros/macro.VNC0000664000000000000000000000042013531060406015252 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.VNC # # This macro handles VNC traffic for VNC displays 0 - 9. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 5900:5909 shorewall-5.2.3.4/Macros/macro.IPMI0000664000000000000000000000171513531060406015372 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPMI # # This macro handles IPMI console redirection with the RMCP protocol. # Tested to work with Asus (AMI), # Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI). # Use this macro to open access to your IPMI interface from management # workstations. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 623 # RMCP PARAM - - udp 623 # RMCP PARAM - - tcp 3668,3669 # Virtual Media, Secure (Dell) PARAM - - tcp 5120,5122,5123 # CD,FD,HD (Asus, Aten) PARAM - - tcp 5900,5901 # Remote Console (Aten, Dell) PARAM - - tcp 7578 # Remote Console (AMI) PARAM - - tcp 8889 # WS-MAN HTTP Telnet SNMP # TLS/secure ports PARAM - - tcp 3520 # Remote Console (Redfish) PARAM - - tcp 3669 # Virtual Media (Dell) PARAM - - tcp 5124,5126,5127 # CD,FD,HD (AMI) PARAM - - tcp 7582 # Remote Console (AMI) HTTPS SSH # Serial over Lan shorewall-5.2.3.4/Macros/macro.SMBBI0000664000000000000000000000072013531060406015463 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SMBBI # # This macro (bidirectional) handles Microsoft SMB traffic. # # Beware! This macro opens a lot of ports, and could possibly be used # to compromise your firewall if not used with care. You should only # allow SMB traffic between hosts you fully trust. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER SMB SMB DEST SOURCE shorewall-5.2.3.4/Macros/macro.Rwhois0000664000000000000000000000041113531060406016077 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Rwhois # # This macro handles Remote Who Is (rwhois) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 4321 shorewall-5.2.3.4/Macros/macro.JAP0000664000000000000000000000063113531060406015242 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.JAP # # This macro handles JAP Anon Proxy Mix server traffic. # It is NOT for people trying to browse anonymously! 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 8080 # HTTP port PARAM - - tcp 6544 # HTTP port PARAM - - tcp 6543 # InfoService port HTTPS SSH shorewall-5.2.3.4/Macros/macro.JabberPlain0000664000000000000000000000042613531060406017003 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.JabberPlain # # This macro is deprecated - use of macro.Jabber instead is recommended. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER Jabber shorewall-5.2.3.4/Macros/macro.PPtP0000664000000000000000000000061213531060406015452 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.PPtP Macro # # This macro handles PPTP traffic. NOTE: PPTP protocol is insecure. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER GRE ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER ) PARAM - - tcp 1723 { helper=pptp } ?else PARAM - - tcp 1723 ?endif shorewall-5.2.3.4/Macros/macro.RedisSentinel0000664000000000000000000000041113531060406017374 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.RedisSentinel # # This macro handles Redis Sentinel traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 26379 shorewall-5.2.3.4/Macros/macro.BitcoinRPC0000664000000000000000000000057613531060406016574 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.BitcoinRPC # # Macro for handling Bitcoin RPC traffic # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 8332 shorewall-5.2.3.4/Macros/macro.Auth0000664000000000000000000000037513531060406015536 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Auth # # This macro handles Auth (identd) traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 113 shorewall-5.2.3.4/Macros/macro.IPPbrd0000664000000000000000000000057313531060406015755 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPPbrd # # This macro handles Internet Printing Protocol (IPP) broadcasts. # If you also need to handle TCP 631 connections in the opposite # direction, use the IPPserver Macro # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 631 shorewall-5.2.3.4/Macros/macro.SSDPserver0000664000000000000000000000050113531060406016624 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SSDPserver # # This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 1900 PARAM DEST SOURCE udp - 1900 shorewall-5.2.3.4/Macros/macro.FTP0000664000000000000000000000052713531060406015265 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.FTP # # This macro handles FTP traffic. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER ) PARAM - - tcp 21 { helper=ftp } ?else PARAM - - tcp 21 ?endif shorewall-5.2.3.4/Macros/macro.Bitcoin0000664000000000000000000000057313531060406016224 0ustar rootroot# # Shorewall --/usr/share/shorewall/macro.Bitcoin # # Macro for handling Bitcoin P2P traffic # ############################################################################################################################################################## #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER PARAM - - tcp 8333 shorewall-5.2.3.4/Macros/macro.WUDO0000664000000000000000000000042213531060406015404 0ustar rootroot # Shorewall -- /usr/share/shorewall/macro.WUDO # # This macro handles WUDO (Windows Update Delivery Optimization) # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 7680 shorewall-5.2.3.4/Macros/macro.SMBswat0000664000000000000000000000044213531060406016150 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.SMBswat # # This macro handles connections to the Samba Web Administration Tool (SWAT). 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 901 shorewall-5.2.3.4/Macros/macro.SNMPtrap0000664000000000000000000000036513531060406016300 0ustar rootroot# # Shorewall - /usr/share/shorewall/macro.SNMPtrap # # This macro handles SNMP traps. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 162 shorewall-5.2.3.4/Macros/macro.mDNSbi0000664000000000000000000000065413531060406015751 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.mDNSbi # # This macro handles bidirectional multicast DNS traffic # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST PARAM - 224.0.0.251 udp 5353 PARAM - - udp 1024: 5353 PARAM - 224.0.0.251 2 PARAM DEST SOURCE:224.0.0.251 udp 5353 PARAM DEST SOURCE udp 1024: 5353 PARAM DEST SOURCE:224.0.0.251 2 shorewall-5.2.3.4/Macros/macro.Git0000664000000000000000000000036313531060406015355 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Git # # This macro handles Git traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 9418 shorewall-5.2.3.4/Macros/macro.IPsec0000664000000000000000000000054513531060406015637 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPsec # # This macro (bidirectional) handles IPsec traffic: IKE (UDP 500, with both # source and destination port 500) and ESP (protocol 50), in both directions. # # NOTE: It does not match NAT-Traversal (UDP 4500), AH (protocol 51), or IKE # sent from a source port other than 500; allow those separately if your # peers need them. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 500 500 # IKE PARAM - - 50 # ESP PARAM DEST SOURCE udp 500 500 # IKE PARAM DEST SOURCE 50 # ESP shorewall-5.2.3.4/Macros/macro.IPPserver0000664000000000000000000000167213531060406016515 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.IPPserver # # This macro handles Internet Printing Protocol (IPP), indicating # that DEST is a printing server for SOURCE. The macro allows # print queue broadcasts from the server to the client, and # printing connections from the client to the server. # # Example usage on a single-interface firewall which is a print client: # # IPPserver(ACCEPT) $FW net # # Example for a two-interface firewall which acts as a print server for loc: # # IPPserver(ACCEPT) loc $FW # # NOTE: If you want both to serve requests for local printers and listen to # requests for remote printers (i.e. your CUPS server is also a client), # you need to apply the rule twice, e.g. # # IPPserver(ACCEPT) loc $FW # IPPserver(ACCEPT) $FW loc # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM SOURCE DEST tcp 631 PARAM DEST SOURCE udp 631 shorewall-5.2.3.4/Macros/macro.Kpasswd0000664000000000000000000000042613531060406016246 0ustar rootroot# # Shorewall -- /usr/share/shorewall/macro.Kpasswd # # This macro handles Kerberos "passwd" traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - tcp 464 PARAM - - udp 464 shorewall-5.2.3.4/known_problems.txt0000664000000000000000000000534313531077634016201 0ustar rootroot1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up, so there may be a window during boot in which an interface is up with no firewall rules loaded. 2) The 'enable', 'reenable' and 'disable' commands do not work correctly in configurations with USE_DEFAULT_RT=No and optional providers listed in the DUPLICATE column. 3) While the 'ip' utility now accepts IPv6 routes with multiple 'nexthop' destinations, these routes are not balanced. They are rather instantiated as a sequence of single routes with different metrics. Furthermore, the 'ip route replace' command fails on such routes. Beginning with Shorewall6 5.0.15, the generated script uses a "delete..add.." sequence on these routes rather than a single "replace" command. 4) If more than one zone is excluded in a policy file entry, an error similar to the following is raised: ERROR: 'all' is not allowed in a source zone list /etc/shorewall/policy (line 8) Corrected in Shorewall 5.2.3.1 5) Shorewall 5.2 automatically converts an existing 'masq' file to an equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that automatic update, such that the following error message was issued: Use of uninitialized value $Shorewall::Nat::rawcurrentline in pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm line 511, <$currentfile> line nnn. and the generated 'masq' file contains only initial comments. Workaround: After upgrading to 5.2.3, issue this command: 'shorewall[6] update' Corrected in 5.2.3.2. 6) If an ipset is listed in the SPORT column, the compiler raises an error similar to: ERROR: Invalid ipset name () /etc/shorewall/rules (line 44) Corrected in 5.2.3.3. 
7) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) is used as a policy, an error such as the following is incorrectly raised. ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line 15) Corrected in 5.2.3.4. 8) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1,bypass) ) is passed to a macro, an error such as the following is incorrectly raised: ERROR: Invalid ACTION (PARAM:1c,bypass))) /usr/share/shorewall/macro.BitTorrent (line 12) from /etc/shorewall/rules (line 40) Corrected in 5.2.3.4. 9) If shorewall[6].conf doesn't set AUTOMAKE, the 'update' command will produce a new file with 'AUTOMAKE=Yes'. This results in an unexpected change of behavior. Corrected in 5.2.3.4. 10) Shorewall-rules(5) incorrectly states that the 'bypass' option to NFQUEUE causes the rule to be silently bypassed if there is no application attached to the queue. The actual behavior is that the rule acts like ACCEPT: when no application is listening on the queue, matching packets are accepted rather than falling through to the subsequent rules, so 'bypass' fails open. Corrected in 5.2.3.4. shorewall-5.2.3.4/shorewallrc.debian.systemd0000664000000000000000000000307413531077634017560 0ustar rootroot# # Debian Shorewall 5.2 rc file # BUILD= #Default is to detect the build system HOST=debian PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR=${PREFIX}/share/man #Directory where manpages are installed. INITDIR= #Directory where SysV init scripts are installed. 
INITFILE= #Name of the product's installed SysV init script INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-empty, annotated configuration files are installed SYSCONFFILE=default.debian.systemd #Name of the distributed file to be installed in $SYSCONFDIR SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf shorewall-5.2.3.4/shorewallrc.debian.sysvinit0000664000000000000000000000353213531077634017757 0ustar rootroot# # Debian Shorewall 5.2 rc file # BUILD= #Default is to detect the build system HOST=debian PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR=${PREFIX}/share/man #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. 
INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFFILE=default.debian.sysvinit #Name of the distributed file to be installed in $SYSCONFDIR SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf shorewall-5.2.3.4/manpages/0000775000000000000000000000000013531100013014141 5ustar rootrootshorewall-5.2.3.4/manpages/shorewall-ecn.50000664000000000000000000000445513453771250017026 0ustar rootroot'\" t .\" Title: shorewall-ecn .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-ECN" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" 
----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" ecn \- Shorewall ECN file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall/ecn\fR\ 'u \fB/etc/shorewall/ecn\fR .SH "DESCRIPTION" .PP IPv4 only\&. .PP Use this file to list the destinations for which you want to disable ECN (Explicit Congestion Notification)\&. Use of this file is deprecated in favor of ECN rules in \m[blue]\fBshorewall\-mangle\fR\m[]\&\s-2\u[1]\d\s+2(8)\&. .PP The columns in the file are as follows\&. .PP \fBINTERFACE\fR \- \fIinterface\fR .RS 4 Interface through which host(s) communicate with the firewall .RE .PP \fBHOST(S)\fR (Optional) \- [\fB\-\fR|\fIaddress\-or\-address\-range\fR[\fB,\fR\fIaddress\-or\-address\-range\fR]\&.\&.\&.] .RS 4 Comma\-separated list of host and/or network addresses\&. If left empty or supplied as "\-", 0\&.0\&.0\&.0/0 is assumed\&. If your kernel and iptables include iprange match support then IP address ranges are also permitted\&. .RE .SH "FILES" .PP /etc/shorewall/ecn .SH "SEE ALSO" .PP shorewall(8) .SH "NOTES" .IP " 1." 
4 shorewall-mangle .RS 4 \%http://www.shorewall.org/manpages/shorewall-mangle.html .RE shorewall-5.2.3.4/manpages/shorewall-params.50000664000000000000000000000732413453771271017545 0ustar rootroot'\" t .\" Title: shorewall-params .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-PARAMS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" params \- Shorewall parameters file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/params\fR\ 'u \fB/etc/shorewall[6]/params\fR .SH "DESCRIPTION" .PP Assign any shell variables that you need in this file\&. The file is always processed by /bin/sh so the full range of shell capabilities may be used\&. Because the file is executed as a shell script, any command it contains runs with the privileges of the user invoking the Shorewall command; keep the file owned by root and not writable by other users\&. .PP It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall programs\&. .PP The following variable names must be avoided\&. 
Those in \fBbold font\fR must be avoided in all Shorewall versions; those in regular font must be avoided in versions prior to 4\&.4\&.8\&. .RS 4 \fBAny option from \fR\fB\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2\fR\fB (5)\fR .RE .RS 4 \fBCOMMAND\fR .RE .RS 4 \fBCONFDIR\fR .RE .RS 4 DEBUG .RE .RS 4 ECHO_E .RE .RS 4 ECHO_N .RE .RS 4 EXPORT .RE .RS 4 FAST .RE .RS 4 FILEMODE .RE .RS 4 HOSTNAME .RE .RS 4 IPT_OPTIONS .RE .RS 4 NOROUTES .RE .RS 4 PREVIEW .RE .RS 4 PRODUCT .RE .RS 4 PROFILE .RE .RS 4 PURGE .RE .RS 4 RECOVERING .RE .RS 4 RESTOREPATH .RE .RS 4 RING_BELL .RE .RS 4 \fBSHAREDIR\fR .RE .RS 4 \fBAny name beginning with SHOREWALL_ or SW_\fR .RE .RS 4 STOPPING .RE .RS 4 TEST .RE .RS 4 TIMESTAMP .RE .RS 4 USE_VERBOSITY .RE .RS 4 \fBVARDIR\fR .RE .RS 4 VERBOSE .RE .RS 4 VERBOSE_OFFSET .RE .RS 4 VERSION .RE .PP Example params file: .sp .if n \{\ .RS 4 .\} .nf NET_IF=eth0 NET_BCAST=130\&.252\&.100\&.255 NET_OPTIONS=routefilter .fi .if n \{\ .RE .\} .PP Example \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) file\&. .sp .if n \{\ .RS 4 .\} .nf ZONE INTERFACE BROADCAST OPTIONS net $NET_IF $NET_BCAST $NET_OPTIONS .fi .if n \{\ .RE .\} .PP This is the same as if the interfaces file had contained: .sp .if n \{\ .RS 4 .\} .nf ZONE INTERFACE BROADCAST OPTIONS net eth0 130\&.252\&.100\&.255 routefilter .fi .if n \{\ .RE .\} .SH "FILES" .PP /etc/shorewall/params .PP /etc/shorewall6/params .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Variables\fR\m[]\&\s-2\u[3]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 2." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP " 3." 
4 http://www.shorewall.net/configuration_file_basics.htm#Variables .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Variables .RE shorewall-5.2.3.4/manpages/shorewall-tcpri.50000664000000000000000000001341113453771312017371 0ustar rootroot'\" t .\" Title: shorewall-tcpri .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-TCPRI" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" tcpri \- Shorewall file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/tcpri\fR\ 'u \fB/etc/shorewall[6]/tcpri\fR .SH "DESCRIPTION" .PP This file is used to specify the priority of traffic for simple traffic shaping (TC_ENABLED=Simple in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5))\&. The priority band of each packet is determined by the \fBlast\fR entry that the packet matches\&. If a packet doesn\*(Aqt match any entry in this file, then its priority will be determined by its TOS field\&. 
The default mapping is as follows but can be changed by setting the TC_PRIOMAP option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .sp .if n \{\ .RS 4 .\} .nf TOS Bits Means Linux Priority BAND \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- 0x0 0 Normal Service 0 Best Effort 2 0x2 1 Minimize Monetary Cost 1 Filler 3 0x4 2 Maximize Reliability 0 Best Effort 2 0x6 3 mmc+mr 0 Best Effort 2 0x8 4 Maximize Throughput 2 Bulk 3 0xa 5 mmc+mt 2 Bulk 3 0xc 6 mr+mt 2 Bulk 3 0xe 7 mmc+mr+mt 2 Bulk 3 0x10 8 Minimize Delay 6 Interactive 1 0x12 9 mmc+md 6 Interactive 1 0x14 10 mr+md 6 Interactive 1 0x16 11 mmc+mr+md 6 Interactive 1 0x18 12 mt+md 4 Int\&. Bulk 2 0x1a 13 mmc+mt+md 4 Int\&. Bulk 2 0x1c 14 mr+mt+md 4 Int\&. Bulk 2 0x1e 15 mmc+mr+mt+md 4 Int\&. Bulk 2 .fi .if n \{\ .RE .\} .PP The columns in the file are as follows\&. .PP \fBBAND\fR \- {\fB1\fR|\fB2\fR|\fB3\fR} .RS 4 Classifies matching traffic as High Priority (1), Medium Priority (2) or Low Priority (3)\&. For those interfaces listed in \m[blue]\fBshorewall\-tcinterfaces\fR\m[]\&\s-2\u[2]\d\s+2(5), Priority 2 traffic will be deferred so long and there is Priority 1 traffic queued and Priority 3 traffic will be deferred so long as there is Priority 1 or Priority 2 traffic to send\&. .RE .PP \fBPROTO\fR \- \fIprotocol\fR[,\&.\&.\&.] .RS 4 Optional\&. The name or number of an IPv4 \fIprotocol\fR\&. .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&. .RE .PP PORT(S) \- \fIport\fR [,\&.\&.\&.] .RS 4 Optional\&. May only be given if the the PROTO is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136)\&. A list of one or more port numbers or service names from /etc/services\&. Port ranges of the form \fIlowport\fR:\fIhighport\fR may also be included\&. .RE .PP ADDRESS \- [\fIaddress\fR] .RS 4 Optional\&. The IP or MAC address that the traffic originated from\&. 
MAC addresses must be given in Shorewall format\&. If this column contains an address, then the PROTO, PORT(S) and INTERFACE column must be empty ("\-")\&. .RE .PP INTERFACE \- [\fIinterface\fR] .RS 4 Optional\&. The logical name of an \fIinterface\fR that traffic arrives from\&. If given, the PROTO, PORT(S) and ADDRESS columns must be empty ("\-")\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br INTERFACE classification of packets occurs before classification by PROTO/PORT(S)/ADDRESS\&. So it is highly recommended to place entries that specify INTERFACE at the top of the file so that the rule about \fIlast entry matches\fR is preserved\&. .sp .5v .RE .RE .PP \fBHELPER\fR \- [\fIhelper\fR] .RS 4 Optional\&. Names a Netfilter protocol helper module such as ftp, sip, amanda, etc\&. A packet will match if it was accepted by the named helper module\&. You can also append "\-" and a port number to the helper module name (e\&.g\&., ftp\-21) to specify the port number that the original connection was made on\&. .RE .SH "FILES" .PP /etc/shorewall/tcpri .PP /etc/shorewall6/tcpri .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[3]\d\s+2 .PP prio(8), shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 2." 4 shorewall-tcinterfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcinterfaces.html .RE .IP " 3." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-blrules.50000664000000000000000000002053213453771241017723 0ustar rootroot'\" t .\" Title: shorewall-blrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-BLRULES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" blrules \- shorewall Blacklist file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/blrules\fR\ 'u \fB/etc/shorewall[6]/blrules\fR .SH "DESCRIPTION" .PP This file is used to perform blacklisting and whitelisting\&. .PP Rules in this file are applied depending on the setting of BLACKLIST in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .PP The format of rules in this file is the same as the format of rules in \m[blue]\fBshorewall\-rules (5)\fR\m[]\&\s-2\u[2]\d\s+2\&. 
The difference in the two files lies in the ACTION (first) column\&. .PP \fBACTION\- {\fR\fB\fBACCEPT\fR\fR\fB|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|\fR\fB\fBWHITELIST\fR\fR\fB|\fR\fB\fBLOG\fR\fR\fB|\fR\fB\fBQUEUE\fR\fR\fB|\fR\fB\fBNFQUEUE\fR\fR\fB[\fR\fB\fB(\fR\fR\fB\fIqueuenumber\fR\fR\fB\fB)\fR\fR\fB]\fR\fB\fB|[?]COMMENT\fR\fR\fB|\fR\fB\fIaction\fR\fR\fB|\fR\fB\fImacro\fR\fR\fB[\fR\fB\fB(\fR\fR\fB\fItarget\fR\fR\fB\fB)\fR\fR\fB]}\fR\fB\fB[:\fR\fR\fB{\fR\fB\fIlog\-level\fR\fR\fB|\fR\fB\fBnone\fR\fR\fB}[\fR\fB\fB\fB!\fR\fR\fR\fB][\fR\fB\fB:\fR\fR\fB\fItag\fR\fR\fB]]\fR .RS 4 Specifies the action to be taken if the packet matches the rule\&. Must be one of the following\&. .PP \fBBLACKLIST\fR .RS 4 Added in Shorewall 4\&.5\&.3\&. This is actually a macro that expands as follows: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If BLACKLIST_LOGLEVEL is specified in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5), then the macro expands to \fBblacklog\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Otherwise it expands to the action specified for BLACKLIST_DISPOSITION in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .RE .RE .PP \fBblacklog\fR .RS 4 May only be used if BLACKLIST_LOGLEVEL is specified in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. Logs, audits (if specified) and applies the BLACKLIST_DISPOSITION specified in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2 (5)\&. .RE .PP \fBACCEPT|CONTINUE|WHITELIST\fR .RS 4 Exempt the packet from the remaining rules in this file\&. .RE .PP \fBDROP\fR .RS 4 Ignore the packet\&. .RE .PP A_DROP .RS 4 Audited version of DROP\&. Requires AUDIT_TARGET support in the kernel and ip6tables\&. .RE .PP \fBREJECT\fR .RS 4 disallow the packet and return an icmp\-unreachable or an RST packet\&. .RE .PP A_REJECT .RS 4 Audited versions of REJECT\&. Require AUDIT_TARGET support in the kernel and ip6tables\&. 
.RE .PP \fBLOG\fR .RS 4 Simply log the packet and continue with the next rule\&. .RE .PP \fBQUEUE\fR .RS 4 Queue the packet to a user\-space application such as ftwall (http://p2pwall\&.sf\&.net)\&. The application may reinsert the packet for further processing\&. .RE .PP \fBNFLOG\fR[(\fInflog\-parameters\fR)] .RS 4 queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule\&. See \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[3]\d\s+2\&. .RE .PP \fBNFQUEUE\fR .RS 4 Queues the packet to a user\-space application using the nfnetlink_queue mechanism\&. If a \fIqueuenumber\fR is not specified, queue zero (0) is assumed\&. .RE .PP \fB?COMMENT\fR .RS 4 The rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries\&. The comment will appear delimited by "/* \&.\&.\&. */" in the output of "shorewall show "\&. To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself\&. .RE .PP \fIaction\fR .RS 4 The name of an \fIaction\fR declared in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[4]\d\s+2(5) or in /usr/share/shorewall/actions\&.std\&. .RE .PP \fImacro\fR .RS 4 The name of a macro defined in a file named macro\&.\fImacro\fR\&. If the macro accepts an action parameter (Look at the macro source to see if it has PARAM in the TARGET column) then the \fImacro\fR name is followed by the parenthesized \fItarget\fR (\fBACCEPT\fR, \fBDROP\fR, \fBREJECT\fR, \&.\&.\&.) to be substituted for the parameter\&. .sp Example: FTP(ACCEPT)\&. .RE .sp The \fBACTION\fR may optionally be followed by ":" and a syslog log level (e\&.g, REJECT:info or Web(ACCEPT):debug)\&. This causes the packet to be logged at the specified level\&. 
.sp If the \fBACTION\fR names an \fIaction\fR declared in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[4]\d\s+2(5) or in /usr/share/shorewall/actions\&.std then: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If the log level is followed by "!" then all rules in the action are logged at the log level\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If the log level is not followed by "!" then only those rules in the action that do not specify logging are logged at the specified level\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The special log level \fBnone!\fR suppresses logging by the action\&. .RE .sp You may also specify \fBNFLOG\fR (must be in upper case) as a log level\&. This will log to the NFLOG target for routing to a separate log through use of ulogd (\m[blue]\fBshorewall\-logging\&.htm\fR\m[]\&\s-2\u[3]\d\s+2)\&. .sp Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5))\&. .RE .PP For the remaining columns, see \m[blue]\fBshorewall\-rules (5)\fR\m[]\&\s-2\u[2]\d\s+2\&. .SH "EXAMPLES" .PP IPv4 Example 1: .RS 4 Drop 6to4 packets from the net\&. .sp .if n \{\ .RS 4 .\} .nf DROP net:192\&.88\&.99\&.1 all .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 2: .RS 4 Don\*(Aqt subject packets from 70\&.90\&.191\&.120/29 to the remaining rules in the file\&. .sp .if n \{\ .RS 4 .\} .nf WHITELIST net:70\&.90\&.191\&.120/29 all .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 1: .RS 4 Drop Teredo packets from the net\&. .sp .if n \{\ .RS 4 .\} .nf DROP net:[2001::/32] all .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 2: .RS 4 Don\*(Aqt subject packets from 2001:DB8::/64 to the remaining rules in the file\&. 
.sp .if n \{\ .RS 4 .\} .nf WHITELIST net:[2001:DB8::/64] all .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/blrules .PP /etc/shorewall6/blrules .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/blacklisting_support\&.htm\fR\m[]\&\s-2\u[5]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[6]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 2." 4 shorewall-rules (5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 3." 4 shorewall-logging(5) .RS 4 \%http://www.shorewall.org/shorewall-logging.html .RE .IP " 4." 4 shorewall-actions .RS 4 \%http://www.shorewall.org/manpages/shorewall-actions.html .RE .IP " 5." 4 http://www.shorewall.net/blacklisting_support.htm .RS 4 \%http://www.shorewall.org/blacklisting_support.htm .RE .IP " 6." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-mangle.50000664000000000000000000013252713453771263017522 0ustar rootroot'\" t .\" Title: shorewall-mangle .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-MANGLE" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" 
----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" mangle \- Shorewall Packet marking/mangling rules file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/mangle\fR\ 'u \fB/etc/shorewall[6]/mangle\fR .SH "DESCRIPTION" .PP This file was introduced in Shorewall 4\&.6\&.0 and replaces \m[blue]\fBshorewall\-tcrules(5)\fR\m[]\&\s-2\u[1]\d\s+2\&. This file is only processed by the compiler if: .PP Entries in this file cause packets to be marked as a means of classifying them for traffic control or policy routing\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP Unlike rules in the \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[2]\d\s+2(5) file, evaluation of rules in this file will continue after a match\&. So the final mark for each packet will be the one assigned by the LAST tcrule that matches\&. .PP If you use multiple internet providers with the \*(Aqtrack\*(Aq option, in /etc/shorewall/providers be sure to read the restrictions at \m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html\fR\m[]\&\s-2\u[3]\d\s+2\&. .sp .5v .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBACTION\fR \- \fIcommand\fR[(\fIparameters\fR)][:\fIchain\-designator\fR] .RS 4 The \fIchain\-designator \fRindicates the Netfilter chain that the entry applies to and may be one of the following: .PP P .RS 4 PREROUTING chain\&. .RE .PP F .RS 4 FORWARD chain\&. .RE .PP T .RS 4 POSTROUTING chain\&. 
.RE .PP I .RS 4 INPUT chain\&. .RE .PP NP .RS 4 PREROUTING chain in the nat table\&. .RE .PP NI .RS 4 INPUT chain in the nat table\&. .RE .PP NO .RS 4 OUTPUT chain in the nat table\&. .RE .PP NT .RS 4 POSTROUTING chain in the nat table\&. .RE .sp The nat table designators were added in Shorewall 5\&.2\&.1\&. When a nat table designator is given, only the CONNMARK, MARK, SAVE and RESTORE commands may be used\&. .sp Unless otherwise specified for the particular \fIcommand\fR, the default chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[4]\d\s+2, and FORWARD when MARK_IN_FORWARD_CHAIN=Yes\&. .sp A \fIchain\-designator\fR may not be specified if the SOURCE or DEST columns begin with \*(Aq$FW\*(Aq\&. When the SOURCE is $FW, the generated rule is always placed in the OUTPUT chain\&. If DEST is \*(Aq$FW\*(Aq, then the rule is placed in the INPUT chain\&. Additionally, a \fIchain\-designator\fR may not be specified in an action body\&. .sp Where a command takes parameters, those parameters are enclosed in parentheses ("(\&.\&.\&.\&.)") and separated by commas\&. .sp The \fIcommand\fR may be one of the following\&. .PP \fB\fIaction\fR\fR\fB[([\fR\fB\fIparam\fR\fR\fB[,\&.\&.\&.])]\fR .RS 4 Added in Shorewall 5\&.0\&.7\&. \fIaction\fR must be an action declared with the \fBmangle\fR option in \m[blue]\fBshorewall\-actions(5)\fR\m[]\&\s-2\u[5]\d\s+2\&. If the action accepts parameters, they are specified as a comma\-separated list within parentheses following the \fIaction\fR name\&. .RE .PP \fBADD(\fR\fB\fIipset\fR\fR\fB:\fR\fB\fIflags\fR\fR\fB)\fR .RS 4 Added in Shorewall 4\&.6\&.7\&. Causes addresses and/or port numbers to be added to the named \fIipset\fR\&. The \fIflags\fR specify the address or tuple to be added to the set and must match the type of ipset involved\&. 
For example, for an iphash ipset, either the SOURCE or DESTINATION address can be added using \fIflags\fR \fBsrc\fR or \fBdst\fR respectively (see the \-A command in ipset (8))\&. .sp ADD is non\-terminating\&. Even if a packet matches the rule, it is passed on to the next rule\&. .RE .PP \fBCHECKSUM\fR .RS 4 Compute and fill in the checksum in a packet that lacks a checksum\&. This is particularly useful if you need to work around old applications, such as dhcp clients, that do not work well with checksum offloads, but you don\*(Aqt want to disable checksum offload in your device\&. .sp Requires \*(AqChecksum Target\*(Aq support in your kernel and iptables\&. .RE .PP \fBCLASSIFY(\fR\fB\fIclassid\fR\fR\fB)\fR .RS 4 A classification Id (classid) is of the form \fImajor\fR:\fIminor\fR where \fImajor\fR and \fIminor\fR are integers\&. Corresponds to the \*(Aqclass\*(Aq specification in these traffic shaping modules: .sp .if n \{\ .RS 4 .\} .nf atm cbq dsmark pfifo_fast htb prio .fi .if n \{\ .RE .\} .sp Classification occurs in the POSTROUTING chain except when the \fBSOURCE\fR is \fB$FW\fR[:\fIaddress\fR] in which case classification occurs in the OUTPUT chain\&. .sp When using Shorewall\*(Aqs built\-in traffic shaping tool, the \fImajor\fR class is the device number (the first device in \m[blue]\fBshorewall\-tcdevices\fR\m[]\&\s-2\u[6]\d\s+2(5) is major class 1, the second device is major class 2, and so on) and the \fIminor\fR class is the class\*(Aqs MARK value in \m[blue]\fBshorewall\-tcclasses\fR\m[]\&\s-2\u[7]\d\s+2(5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc\&.)\&. .RE .PP \fB?COMMENT\fR .RS 4 The rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries\&. The comment will appear delimited by "/* \&.\&.\&. 
*/" in the output of \fBshorewall show mangle\fR .sp To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself\&. .RE .PP \fBCONMARK({mark|range})\fR .RS 4 Identical to MARK with the exception that the mark is assigned to connection to which the packet belongs is marked rather than to the packet itself\&. .RE .PP \fBCONTINUE\fR .RS 4 Don\*(Aqt process any more marking rules in the table\&. .sp Currently, CONTINUE may not be used with \fIexclusion\fR (see the SOURCE and DEST columns below); that restriction will be removed when iptables/Netfilter provides the necessary support\&. .RE .PP \fBDEL(\fR\fB\fIipset\fR\fR\fB:\fR\fB\fIflags\fR\fR\fB)\fR .RS 4 Added in Shorewall 4\&.6\&.7\&. Causes an entry to be deleted from the named \fIipset\fR\&. The \fIflags\fR specify the address or tuple to be deleted from the set and must match the type of ipset involved\&. For example, for an iphash ipset, either the SOURCE or DESTINATION address can be deleted using \fIflags\fR \fBsrc\fR or \fBdst\fR respectively (see the \-D command in ipset (8))\&. .sp DEL is non\-terminating\&. Even if a packet matches the rule, it is passed on to the next rule\&. .RE .PP \fBDIVERT\fR .RS 4 Two DIVERT rule should precede the TPROXY rule and should select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively (assuming that tcp port 80 is being proxied)\&. DIVERT avoids sending packets to the TPROXY target once a socket connection to Squid3 has been established by TPROXY\&. DIVERT marks the packet with a unique mark and exempts it from any rules that follow\&. .RE .PP \fBDIVERTHA\fR .RS 4 Added in Shorewall 5\&.0\&.4\&. 
To setup the HAProxy configuration described at \m[blue]\fBhttp://www\&.loadbalancer\&.org/blog/setting\-up\-haproxy\-with\-transparent\-mode\-on\-centos\-6\-x\fR\m[], place this entry in \m[blue]\fBshorewall\-providers(5)\fR\m[]\&\s-2\u[8]\d\s+2: .sp .if n \{\ .RS 4 .\} .nf #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY TProxy 1 \- \- lo \- tproxy .fi .if n \{\ .RE .\} .sp and use this DIVERTHA entry: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP DIVERTHA \- \- tcp .fi .if n \{\ .RE .\} .RE .PP \fBDROP\fR .RS 4 Causes matching packets to be discarded\&. .RE .PP \fBDSCP\fR(\fIdscp\fR) .RS 4 Sets the Differentiated Services Code Point field in the IP header\&. The \fIdscp\fR value may be given as an even number (hex or decimal) or as the name of a DSCP class\&. Valid class names and their associated hex numeric values are: .sp .if n \{\ .RS 4 .\} .nf CS0 => 0x00 CS1 => 0x08 CS2 => 0x10 CS3 => 0x18 CS4 => 0x20 CS5 => 0x28 CS6 => 0x30 CS7 => 0x38 BE => 0x00 AF11 => 0x0a AF12 => 0x0c AF13 => 0x0e AF21 => 0x12 AF22 => 0x14 AF23 => 0x16 AF31 => 0x1a AF32 => 0x1c AF33 => 0x1e AF41 => 0x22 AF42 => 0x24 AF43 => 0x26 EF => 0x2e .fi .if n \{\ .RE .\} .sp To indicate more than one class, add their hex values together and specify the result\&. By default, DSCP rules are placed in the POSTROUTING chain\&. .RE .PP \fBECN\fR .RS 4 Added in Shorewall 5\&.0\&.6 as an alternative to entries in \m[blue]\fBshorewall\-ecn(5)\fR\m[]\&\s-2\u[9]\d\s+2\&. If a PROTO is specified, it must be \*(Aqtcp\*(Aq (6)\&. If no PROTO is supplied, TCP is assumed\&. This action causes all ECN bits in the TCP header to be cleared\&. .RE .PP \fBIMQ\fR(\fInumber\fR) .RS 4 Specifies that the packet should be passed to the IMQ identified by \fInumber\fR\&. Requires IMQ Target support in your kernel and iptables\&. 
.RE .PP \fBINLINE\fR[(\fIaction\fR)] .RS 4 Allows you to place your own ip[6]tables matches at the end of the line following a semicolon (";") (deprecated) or two semicolons (";;") (preferred since Shoreall 5\&.0\&.0)\&. If an \fIaction\fR is specified, the compiler proceeds as if that \fIaction\fR had been specified in this column\&. If no action is specified, then you may include your own jump ("\-j \fItarget\fR [\fIoption\fR] \&.\&.\&.") after any matches specified at the end of the rule\&. If the target is not one known to Shorewall, then it must be defined as a builtin action in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[10]\d\s+2 (5)\&. .sp The following rules are equivalent: .sp .if n \{\ .RS 4 .\} .nf 2:P eth0 \- tcp 22 INLINE(MARK(2)):P eth0 \- tcp 22 INLINE(MARK(2)):P eth0 \- ;; \-p tcp INLINE eth0 \- tcp 22 ;; \-j MARK \-\-set\-mark 2 INLINE eth0 \- ;; \-p tcp \-j MARK \-\-set\-mark 2 .fi .if n \{\ .RE .\} .RE .PP \fBIPMARK\fR .RS 4 Assigns a mark to each matching packet based on the either the source or destination IP address\&. By default, it assigns a mark value equal to the low\-order 8 bits of the source address\&. Default values are: .RS 4 src .RE .RS 4 \fImask1\fR = 0xFF .RE .RS 4 \fImask2\fR = 0x00 .RE .RS 4 \fIshift\fR = 0 .RE \*(Aqsrc\*(Aq and \*(Aqdst\*(Aq specify whether the mark is to be based on the source or destination address respectively\&. The selected address is first shifted to the right by \fIshift\fR bits\&. The result is then LANDed with \fImask1\fR then LORed with \fIma\fR\fI\fIs\fR\fR\fIk2\fR\&. .sp In a sense, the IPMARK target is more like an IPCLASSIFY target in that the mark value is later interpreted as a class ID\&. A packet mark is 32 bits wide; so is a class ID\&. The class occupies the high\-order 16 bits and the class occupies the low\-order 16 bits\&. So the class ID 1:4ff (remember that class IDs are always in hex) is equivalent to a mark value of 0x104ff\&. 
Remember that Shorewall uses the interface number as the \fImajor\fR number, where the first interface in tcdevices has number 1
So you might choose instead to use IPMARK(src,0xFF,0x10100) as in the example above so that all of your \fIminor\fR classes will have a value > 256\&. .RE .PP \fBIP6TABLES({\fR\fB\fItarget\fR\fR\fB [\fR\fB\fIoption\fR\fR\fB \&.\&.\&.])\fR .RS 4 IPv6 only\&. .sp This action allows you to specify an iptables target with options (e\&.g\&., \*(AqIP6TABLES(MARK \-\-set\-xmark 0x01/0xff)\*(Aq\&. If the target is not one recognized by Shorewall, the following error message will be issued: .RS 4 ERROR: Unknown target (\fItarget\fR) .RE This error message may be eliminated by adding the \fItarget\fR as a builtin action in \m[blue]\fBshorewall\-actions(5)\fR\m[]\&\s-2\u[10]\d\s+2\&. .RE .PP \fBIPTABLES({\fR\fB\fItarget\fR\fR\fB [\fR\fB\fIoption\fR\fR\fB \&.\&.\&.])\fR .RS 4 IPv4 only\&. .sp This action allows you to specify an iptables target with options (e\&.g\&., \*(AqIPTABLES(MARK \-\-set\-xmark 0x01/0xff)\*(Aq\&. If the target is not one recognized by Shorewall, the following error message will be issued: .RS 4 ERROR: Unknown target (\fItarget\fR) .RE This error message may be eliminated by adding the \fItarget\fR as a builtin action in \m[blue]\fBshorewall\-actions(5)\fR\m[]\&\s-2\u[10]\d\s+2\&. .RE .PP \fBMARK({\fR\fB\fImark\fR\fR\fB|\fR\fB\fIrange\fR\fR\fB})\fR .RS 4 where \fImark\fR is a packet mark value\&. .sp Normally will set the mark value\&. If preceded by a vertical bar ("|"), the mark value will be logically ORed with the current mark value to produce a new mark value\&. If preceded by an ampersand ("&"), will be logically ANDed with the current mark value to produce a new mark value\&. .sp Both "|" and "&" require Extended MARK Target support in your kernel and iptables\&. .sp The mark value may be optionally followed by "/" and a mask value (used to determine those bits of the connection mark to actually be set)\&. When a mask is specified, the result of logically ANDing the mark value with the mask must be the same as the mark value\&. 
.sp A mark \fIrange\fR is a pair of integers separated by a dash ("\-")\&. .sp May be optionally followed by a slash ("/") and a mask and requires the Statistics Match capability in iptables and kernel\&. Marks in the specified range are assigned to packets on a round\-robin fashion\&. .sp When a mask is specified, the result of logically ANDing each mark value with the mask must be the same as the mark value\&. The least significant bit in the mask is used as an increment\&. For example, if \*(Aq0x200\-0x400/0xff00\*(Aq is specified, then the assigned mark values are 0x200, 0x300 and 0x400 in equal proportions\&. If no mask is specified, then ( 2 ** MASK_BITS ) \- 1 is assumed (MASK_BITS is set in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5))\&. .RE .PP \fBNFLOG\fR[(\fInflog\-parameters\fR)] .RS 4 Added in Shorewall 5\&.0\&.9\&. Logs matching packets using NFLOG\&. The \fInflog\-parameters\fR are a comma\-separated list of up to 3 numbers: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The first number specifies the netlink group (0\-65535)\&. If omitted (e\&.g\&., NFLOG(,0,10)) then a value of 0 is assumed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The second number specifies the maximum number of bytes to copy\&. If omitted, 0 (no limit) is assumed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The third number specifies the number of log messages that should be buffered in the kernel before they are sent to user space\&. The default is 1\&. .RE .RE .PP \fBRESTORE\fR[(\fImask\fR)] .RS 4 Restore the packet\*(Aqs mark from the connection\*(Aqs mark using the supplied mask if any\&. Your kernel and iptables must include CONNMARK support\&. .RE .PP \fBSAME[(\fR\fB\fItimeout\fR\fR\fB)]\fR .RS 4 Some websites run applications that require multiple connections from a client browser\&. 
Where multiple \*(Aqbalanced\*(Aq providers are configured, this can lead to problems when some of the connections are routed through one provider and some through another\&. The SAME target allows you to work around that problem\&. SAME may be used in the PREROUTING and OUTPUT chains\&. When used in PREROUTING, it causes matching connections from an individual local system to all use the same provider\&. For example: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SAME:P 192\&.168\&.1\&.0/24 0\&.0\&.0\&.0/0 tcp 80,443 .fi .if n \{\ .RE .\} .sp If a host in 192\&.168\&.1\&.0/24 attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in the last five minutes then the new connection will use the same provider as the connection over which that last packet was sent\&. .sp When used in the OUTPUT chain, it causes all matching connections to an individual remote system to all use the same provider\&. For example: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SAME $FW 0\&.0\&.0\&.0/0 tcp 80,443 .fi .if n \{\ .RE .\} .sp The optional \fItimeout\fR parameter was added in Shorewall 4\&.6\&.7 and specifies a number of seconds \&. When not specified, a value of 300 seconds (5 minutes) is assumed\&. If the firewall attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in the last \fItimeout\fR seconds to the same remote system then the new connection will use the same provider as the connection over which that last packet was sent\&. .RE .PP \fBSAVE[(\fR\fB\fI\fImask\fR\fR\fI)\fR\fR\fB] \fR .RS 4 Save the packet\*(Aqs mark to the connection\*(Aqs mark using the supplied mask if any\&. Your kernel and iptables must include CONNMARK support\&. .RE .PP \fBTCPMSS\fR([\fImss\fR[,\fIipsec\fR]]) .RS 4 Added in Shorewall 5\&.1\&.9\&. This target only applies to TCP traffic and alters the MSS value in SYN packets\&. 
It may be used in the FORWARD and POSTROUTING chains; the default is FORWARD\&. .sp The \fImss\fR parameter may be either \fBpmtu\fR or an integer in the range 500:65533\&. The value \fBpmtu\fR automatically clamps the MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6)\&. This may not function as desired where asymmetric routes with differing path MTU exist \(em the kernel uses the path MTU which it would use to send packets from itself to the source and destination IP addresses\&. Prior to Linux 2\&.6\&.25, only the path MTU to the destination IP address was considered by this option; subsequent kernels also consider the path MTU to the source IP address\&. If an integer is given, the MSS option is set to the specified value\&. If the MSS of the packet is already lower than \fImss\fR, it will not be increased (from Linux 2\&.6\&.25 onwards) to avoid more problems with hosts relying on a proper MSS\&. If \fImss\fR is omitted, \fBpmtu\fR is assumed\&. .sp The \fIipsec\fR parameter determines whether the rule applies to IPSEC traffic (\fBipsec\fR is passed), non\-IPSEC traffic (\fBnone\fR is passed) or both (\fBall\fR is passed)\&. If omitted, \fBall\fR is assumed\&. .RE .PP \fBTOS\fR(\fItos\fR[/\fImask\fR]) .RS 4 Sets the Type of Service field in the IP header\&. The \fItos\fR value may be given as an number (hex or decimal) or as the name of a TOS type\&. Valid type names and their associated hex numeric values are: .sp .if n \{\ .RS 4 .\} .nf Minimize\-Delay => 0x10, Maximize\-Throughput => 0x08, Maximize\-Reliability => 0x04, Minimize\-Cost => 0x02, Normal\-Service => 0x00 .fi .if n \{\ .RE .\} .sp To indicate more than one class, add their hex values together and specify the result\&. .sp When \fItos\fR is given as a number, it may be optionally followed by \*(Aq/\*(Aq and a \fImask\fR\&. When no \fImask\fR is given, the value 0xff is assumed\&. When \fItos\fR is given as a type name, the \fImask\fR 0x3f is assumed\&. 
.sp The action performed is to zero out the bits specified by the \fImask\fR, then set the bits specified by \fItos\fR\&. .RE .PP \fBTPROXY\fR([\fIport\fR[,\fIaddress\fR]]) .RS 4 Transparently redirects a packet without altering the IP header\&. Requires a tproxy provider to be defined in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. .sp There are three parameters to TPROXY \- neither is required: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIport\fR \- the port on which the proxy server is listening\&. If omitted, the original destination port\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIaddress\fR \- a local (to the firewall) IP address on which the proxy server is listening\&. If omitted, the IP address of the interface on which the request arrives\&. .RE .RE .PP \fBTTL\fR([\fB\-\fR|\fB+\fR]\fInumber\fR) .RS 4 If \fB+\fR is included, packets matching the rule will have their TTL incremented by \fInumber\fR\&. Similarly, if \fB\-\fR is included, matching packets have their TTL decremented by \fInumber\fR\&. If neither \fB+\fR nor \fB\-\fR is given, the TTL of matching packets is set to \fInumber\fR\&. The valid range of values for \fInumber\fR is 1\-255\&. .RE .RE .PP \fBSOURCE \- {\-|\fR\fB\fIsource\-spec\fR\fR\fB[,\&.\&.\&.]}\fR .RS 4 where \fIsource\-spec\fR is one of: .PP [!]\fIinterface\fR .RS 4 where \fIinterface\fR is the logical name of an \fIinterface\fR defined in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. Matches packets entering the firewall from the named interface\&. May not be used in CLASSIFY rules or in rules using the :T chain qualifier\&. .sp Beginning with Shorweall 5\&.2\&.1, the \fIinterface\fR may be preceded with \*(Aq!\*(Aq which matches all interfaces except the one specified\&. .RE .PP \fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 where \fIaddress\fR is: A host or network IP address\&. 
.sp The name of an ipset preceded by a plus sign ("+")\&. .sp A MAC address in Shorewall format (preceded by a tilde ("~") and using dash ("\-") as a separator (e\&.g\&., ~00\-A0\-C9\-15\-39\-78)\&. Matches traffic whose source IP address matches one of the listed addresses and that does not match an address listed in the \fIexclusion\fR (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[12]\d\s+2(5))\&. .sp \fBThis form will not match traffic that originates on the firewall itself unless either or the :T chain qualifier is used in the ACTION column\&.\fR .RE .PP [!]\fIinterface\fR:\fIaddress\fR,[\&.\&.\&.][\fIexclusion\fR] .RS 4 This form combines the preceding two forms and matches when both the incoming interface and source IP address match\&. .sp Beginning with Shorweall 5\&.2\&.1, the \fIinterface\fR may be preceded with \*(Aq!\*(Aq which matches all interfaces except the one specified\&. .RE .PP [!]\fIinterface\fR:\fIexclusion\fR .RS 4 This form matches packets arriving through the named \fIinterface\fR and whose source IP address does not match any of the addresses in the \fIexclusion\fR\&. .sp Beginning with Shorweall 5\&.2\&.1, the \fIinterface\fR may be preceded with \*(Aq!\*(Aq which matches all interfaces except the one specified\&. .RE .PP $FW .RS 4 Matches packets originating on the firewall system\&. May not be used with a chain qualifier (:P, :F, etc\&.) in the ACTION column\&. .RE .PP $FW:\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 where \fIaddress\fR is as above (MAC addresses are not permitted)\&. Matches packets originating on the firewall and whose source IP address matches one of the listed addresses and does not match any address listed in the \fIexclusion\fR\&. May not be used with a chain qualifier (:P, :F, etc\&.) in the ACTION column\&. .RE .PP $FW:\fIexclusion\fR .RS 4 Matches traffic originating on the firewall, provided that the source IP address does not match any address listed in the \fIexclusion\fR\&. 
.RE .sp Beginning with Shorewall 5\&.1\&.0, multiple \fIsource_spec\fRs, separated by commas, may be given provided that the following alternative forms are used: (\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp \fIinterface\fR:(\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp \fIinterface\fR:(\fIexclusion\fR) .sp $FW:(\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp $FW:(\fIexclusion\fR) .RE .PP \fBDEST \- {\-|\fR\fB\fIdest\-spec\fR\fR\fB[,\&.\&.\&.]}\fR .RS 4 where \fIdest\-spec\fR is one of: .PP \fIinterface\fR .RS 4 where \fIinterface\fR is the logical name of an interface defined in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. Matches packets leaving the firewall through the named interface\&. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[13]\d\s+2 (5))\&. .RE .PP \fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 where \fIaddress\fR is: A host or network IP address\&. .sp The name of an ipset preceded by a plus sign ("+")\&. .sp A MAC address in Shorewall format (preceded by a tilde ("~") and using dash ("\-") as a separator (e\&.g\&., ~00\-A0\-C9\-15\-39\-78)\&. Matches traffic whose destination IP address matches one of the listed addresses and that does not match an address listed in the \fIexclusion\fR (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[12]\d\s+2(5))\&. .RE .PP \fIinterface\fR:\fIaddress\fR,[\&.\&.\&.][\fIexclusion\fR] .RS 4 This form combines the preceding two forms and matches when both the outgoing interface and destination IP address match\&. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[13]\d\s+2 (5))\&. 
.RE .PP \fIinterface\fR:\fIexclusion\fR .RS 4 This form matches packets leaving through the named \fIinterface\fR and whose destination IP address does not match any of the addresses in the \fIexclusion\fR\&. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[13]\d\s+2 (5))\&. .RE .PP $FW .RS 4 Matches packets originating on the firewall system\&. May not be used with a chain qualifier (:P, :F, etc\&.) in the ACTION column\&. .RE .PP $FW:\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 where \fIaddress\fR is as above (MAC addresses are not permitted)\&. Matches packets destined for the firewall and whose destination IP address matches one of the listed addresses and does not match any address listed in the \fIexclusion\fR\&. May not be used with a chain qualifier (:P, :F, etc\&.) in the ACTION column\&. .RE .PP $FW:\fIexclusion\fR .RS 4 Matches traffic destined for the firewall, provided that the destination IP address does not match any address listed in the \fIexclusion\fR\&. .RE .sp Beginning with Shorewall 5\&.1\&.0, multiple \fIdest_spec\fRs, separated by commas, may be given provided that the following alternative forms are used: (\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp \fIinterface\fR:(\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp \fIinterface\fR:(\fIexclusion\fR) .sp $FW:(\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp $FW:(\fIexclusion\fR) .RE .PP \fBPROTO\fR \- {\fB\-\fR|\fB{tcp:[!]syn\fR|\fBipp2p\fR|\fBipp2p:udp\fR|\fBipp2p:all\fR|\fIprotocol\-number\fR|\fIprotocol\-name\fR|\fBall}[,\&.\&.\&.]}\fR .RS 4 See \m[blue]\fBshorewall\-rules(5)\fR\m[]\&\s-2\u[2]\d\s+2 for details\&. .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&. 
.RE .PP \fBDPORT\fR\- {\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.|+\fIipset\fR} .RS 4 Optional destination Ports\&. A comma\-separated list of Port names (from services(5)), \fIport number\fRs or \fIport range\fRs; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&. ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e\&.g\&., 3/4), or a typename\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&\s-2\u[14]\d\s+2\&. .sp If the protocol is \fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example \fBbit\fR for bit\-torrent)\&. If no PORT is given, \fBipp2p\fR is assumed\&. .sp An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following field is supplied\&. .sp Beginning with Shorewall 4\&.6\&.0, an \fIipset\fR name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&. .sp This column was formerly named DEST PORT(S)\&. .RE .PP \fBSPORT\fR \- {\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.|+\fIipset\fR} .RS 4 Optional source port(s)\&. If omitted, any source port is acceptable\&. Specified as a comma\-separated list of port names, port numbers or port ranges\&. .sp An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following fields is supplied\&. .sp Beginning with Shorewall 4\&.5\&.15, you may place \*(Aq=\*(Aq in this column, provided that the DPORT column is non\-empty\&. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DEST PORTS(S)\&. 
Use of \*(Aq=\*(Aq requires multi\-port match in your iptables and kernel\&. .sp Beginning with Shorewall 4\&.6\&.0, an \fIipset\fR name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&. .sp This column was formerly labelled SOURCE PORT(S)\&. .RE .PP \fBUSER\fR \- [\fB!\fR][\fIuser\-name\-or\-number\fR][\fB:\fR\fIgroup\-name\-or\-number\fR][\fB+\fR\fIprogram\-name\fR] .RS 4 This optional column may only be non\-empty if the SOURCE is the firewall itself\&. .sp When this column is non\-empty, the rule applies only if the program generating the output is running under the effective \fIuser\fR and/or \fIgroup\fR specified (or is NOT running under that id if "!" is given)\&. .sp Examples: .PP joe .RS 4 program must be run by joe .RE .PP :kids .RS 4 program must be run by a member of the \*(Aqkids\*(Aq group .RE .PP !:kids .RS 4 program must not be run by a member of the \*(Aqkids\*(Aq group .RE .PP +upnpd .RS 4 #program named upnpd .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br The ability to specify a program name was removed from Netfilter in kernel version 2\&.6\&.14\&. .sp .5v .RE .RE .RE .PP \fBTEST\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR] .RS 4 Optional \- Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&. .sp If you don\*(Aqt want to define a test but need to specify anything in the following columns, place a "\-" in this field\&. .PP ! .RS 4 Inverts the test (not equal) .RE .PP \fIvalue\fR .RS 4 Value of the packet or connection mark\&. .RE .PP \fImask\fR .RS 4 A mask to be applied to the mark before testing\&. .RE .PP \fB:C\fR .RS 4 Designates a connection mark\&. If omitted, the packet mark\*(Aqs value is tested\&. .RE .RE .PP \fBLENGTH\fR \- [\fIlength\fR|[\fImin\fR]\fB:\fR[\fImax\fR]] .RS 4 Optional \- packet payload length\&. 
This field, if present, allows you to match the length of a packet payload (Layer 4 data) against a specific value or range of values\&.
A packet will match if it was accepted by the named helper module\&. .sp Example: Mark all FTP data connections with mark 4: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER 4:T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 TCP \- \- \- \- \- \- \- ftp .fi .if n \{\ .RE .\} .RE .PP \fBPROBABILITY\fR \- [\fIprobability\fR] .RS 4 Added in Shorewall 4\&.5\&.0\&. When non\-empty, requires the Statistics Match capability in your kernel and ip6tables and causes the rule to match randomly but with the given \fIprobability\fR\&. The \fIprobability\fR is a number 0 < \fIprobability\fR <= 1 and may be expressed at up to 8 decimal points of precision\&. .RE .PP \fBDSCP \-\fR [[!]\fIdscp\fR] .RS 4 Added in Shorewall 4\&.5\&.1\&. When non\-empty, match packets whose Differentiated Service Code Point field matches the supplied value (when \*(Aq!\*(Aq is given, the rule matches packets whose DSCP field does not match the supplied value)\&. The \fIdscp\fR value may be given as an even number (hex or decimal) or as the name of a DSCP class\&. Valid class names and their associated hex numeric values are: .sp .if n \{\ .RS 4 .\} .nf CS0 => 0x00 CS1 => 0x08 CS2 => 0x10 CS3 => 0x18 CS4 => 0x20 CS5 => 0x28 CS6 => 0x30 CS7 => 0x38 BE => 0x00 AF11 => 0x0a AF12 => 0x0c AF13 => 0x0e AF21 => 0x12 AF22 => 0x14 AF23 => 0x16 AF31 => 0x1a AF32 => 0x1c AF33 => 0x1e AF41 => 0x22 AF42 => 0x24 AF43 => 0x26 EF => 0x2e .fi .if n \{\ .RE .\} .RE .PP \fBSTATE\fR \-\- {\fBNEW\fR|\fBRELATED\fR|\fBESTABLISHED\fR|\fBINVALID\fR} [,\&.\&.\&.] .RS 4 The rule will only match if the packet\*(Aqs connection is in one of the listed states\&. .RE .PP \fBTIME\fR \- \fItimeelement\fR[&\fItimeelement\fR\&.\&.\&.] .RS 4 Added in Shorewall 4\&.6\&.2\&. .sp May be used to limit the rule to a particular time period each day, to particular days of the week or month, or to a range defined by dates and times\&. Requires time match support in your kernel and ip6tables\&. 
.sp \fItimeelement\fR may be: .PP timestart=\fIhh\fR:\fImm\fR[:\fIss\fR] .RS 4 Defines the starting time of day\&. .RE .PP timestop=\fIhh\fR:\fImm\fR[:\fIss\fR] .RS 4 Defines the ending time of day\&. .RE .PP contiguous .RS 4 Added in Shoreawll 5\&.0\&.12\&. When \fBtimestop\fR is smaller than \fBtimestart\fR value, match this as a single time period instead of distinct intervals\&. .RE .PP utc .RS 4 Times are expressed in Greenwich Mean Time\&. .RE .PP localtz .RS 4 Deprecated by the Netfilter team in favor of \fBkerneltz\fR\&. Times are expressed in Local Civil Time (default)\&. .RE .PP kerneltz .RS 4 Added in Shorewall 4\&.5\&.2\&. Times are expressed in Local Kernel Time (requires iptables 1\&.4\&.12 or later)\&. .RE .PP weekdays=ddd[,ddd]\&.\&.\&. .RS 4 where \fIddd\fR is one of \fBMon\fR, \fBTue\fR, \fBWed\fR, \fBThu\fR, \fBFri\fR, \fBSat\fR or \fBSun\fR .RE .PP monthdays=dd[,dd],\&.\&.\&. .RS 4 where \fIdd\fR is an ordinal day of the month .RE .PP datestart=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]] .RS 4 Defines the starting date and time\&. .RE .PP datestop=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]] .RS 4 Defines the ending date and time\&. .RE .RE .PP \fBSWITCH \- [!]\fR\fB\fIswitch\-name\fR\fR\fB[={0|1}]\fR .RS 4 Added in Shorewall 5\&.1\&.0 and allows enabling and disabling the rule without requiring \fBshorewall restart\fR\&. .sp The rule is enabled if the value stored in /proc/net/nf_condition/\fIswitch\-name\fR is 1\&. The rule is disabled if that file contains 0 (the default)\&. If \*(Aq!\*(Aq is supplied, the test is inverted such that the rule is enabled if the file contains 0\&. .sp Within the \fIswitch\-name\fR, \*(Aq@0\*(Aq and \*(Aq@{0}\*(Aq are replaced by the name of the chain to which the rule is a added\&. The \fIswitch\-name\fR (after \*(Aq@\&.\&.\&.\*(Aq expansion) must begin with a letter and be composed of letters, decimal digits, underscores or hyphens\&. 
Switch names must be 30 characters or less in length\&. .sp Switches are normally \fBoff\fR\&. To turn a switch \fBon\fR: .RS 4 \fBecho 1 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE To turn it \fBoff\fR again: .RS 4 \fBecho 0 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE Switch settings are retained over \fBshorewall restart\fR\&. .sp When the \fIswitch\-name\fR is followed by \fB=0\fR or \fB=1\fR, then the switch is initialized to off or on respectively by the \fBstart\fR command\&. Other commands do not affect the switch setting\&. .RE .SH "EXAMPLE" .PP IPv4 Example 1: .RS 4 Mark all ICMP echo traffic with packet mark 1\&. Mark all peer to peer traffic with packet mark 4\&. .sp This is a little more complex than otherwise expected\&. Since the ipp2p module is unable to determine all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match\&. .sp We assume packet/connection mark 0 means unclassified\&. .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST MARK(1):T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 icmp echo\-request MARK(1):T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 icmp echo\-reply RESTORE:T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 all \- \- \- 0 CONTINUE:T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 all \- \- \- !0 MARK(4):T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 ipp2p:all SAVE:T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 all \- \- \- !0 .fi .if n \{\ .RE .\} .sp If a packet hasn\*(Aqt been classified (packet mark is 0), copy the connection mark to the packet mark\&. If the packet mark is set, we\*(Aqre done\&. If the packet is P2P, set the packet mark to 4\&. If the packet mark has been set, save it to the connection mark\&. .RE .PP IPv4 Example 2: .RS 4 SNAT outgoing connections on eth0 from 192\&.168\&.1\&.0/24 in round\-robin fashion between addresses 1\&.1\&.1\&.1, 1\&.1\&.1\&.3, and 1\&.1\&.1\&.9 (Shorewall 4\&.5\&.9 and later)\&. 
.sp .if n \{\ .RS 4 .\} .nf /etc/shorewall/mangle: #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNMARK(1\-3):F 192\&.168\&.1\&.0/24 eth0 ; state=NEW /etc/shorewall/snat: #ACTION SOURCE DEST \&.\&.\&. SNAT(1\&.1\&.1\&.1) eth0:192\&.168\&.1\&.0/24 \- { mark=1:C } SNAT(1\&.1\&.1\&.3) eth0:192\&.168\&.1\&.0/24 \- { mark=2:C } SNAT(1\&.1\&.1\&.4) eth0:192\&.168\&.1\&.0/24 \- { mark=3:C } .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 1: .RS 4 Mark all ICMP echo traffic with packet mark 1\&. Mark all peer to peer traffic with packet mark 4\&. .sp This is a little more complex than otherwise expected\&. Since the ipp2p module is unable to determine all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match\&. .sp We assume packet/connection mark 0 means unclassified\&. .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST MARK(1):T ::/0 ::/0 icmp echo\-request MARK(1):T ::/0 ::/0 icmp echo\-reply RESTORE:T ::/0 ::/0 all \- \- \- 0 CONTINUE:T ::/0 ::/0 all \- \- \- !0 MARK(4):T ::/0 ::/0 ipp2p:all SAVE:T ::/0 ::/0 all \- \- \- !0 .fi .if n \{\ .RE .\} .sp If a packet hasn\*(Aqt been classified (packet mark is 0), copy the connection mark to the packet mark\&. If the packet mark is set, we\*(Aqre done\&. If the packet is P2P, set the packet mark to 4\&. If the packet mark has been set, save it to the connection mark\&. .RE .SH "FILES" .PP /etc/shorewall/mangle .PP /etc/shorewall6/mangle .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/traffic_shaping\&.htm\fR\m[]\&\s-2\u[15]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html\fR\m[]\&\s-2\u[3]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/PacketMarking\&.html\fR\m[]\&\s-2\u[16]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[17]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 
4 shorewall-tcrules(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcrules.html .RE .IP " 2." 4 shorewall-rules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 3." 4 http://www.shorewall.net/MultiISP.html .RS 4 \%http://www.shorewall.org/MultiISP.html .RE .IP " 4." 4 shorewall.conf(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 5." 4 shorewall-actions(5) .RS 4 \%http://www.shorewall.orgmanpages/shorewall-actions.html .RE .IP " 6." 4 shorewall-tcdevices .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcdevices.html .RE .IP " 7." 4 shorewall-tcclasses .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcclasses.html .RE .IP " 8." 4 shorewall-providers(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-providers.html .RE .IP " 9." 4 shorewall-ecn(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-ecn.html .RE .IP "10." 4 shorewall-actions .RS 4 \%http://www.shorewall.org/manpages/shorewall-actions.html .RE .IP "11." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP "12." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP "13." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf .RE .IP "14." 4 http://www.shorewall.net/configuration_file_basics.htm#ICMP .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#ICMP .RE .IP "15." 4 http://www.shorewall.net/traffic_shaping.htm .RS 4 \%http://www.shorewall.org/traffic_shaping.htm .RE .IP "16." 4 http://www.shorewall.net/PacketMarking.html .RS 4 \%http://www.shorewall.org/PacketMarking.html .RE .IP "17." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-providers.50000664000000000000000000004140313453771273020275 0ustar rootroot'\" t .\" Title: shorewall-providers .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-PROVIDERS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" providers \- Shorewall Providers file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall/providers\fR\ 'u \fB/etc/shorewall/providers\fR .SH "DESCRIPTION" .PP This file is used to define additional routing tables\&. 
You will want to define an additional table if: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You have connections to more than one ISP or multiple connections to the same ISP .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You run Squid as a transparent proxy on a host other than the firewall\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You have other requirements for policy routing\&. .RE .PP Each entry in the file defines a single routing table\&. .PP If you wish to omit a column entry but want to include an entry in the next column, use "\-" for the omitted entry\&. .PP The columns in the file are as follows\&. .PP \fBNAME\fR \- \fIname\fR .RS 4 The provider \fIname\fR\&. Must be a valid shell variable name\&. The names \*(Aqlocal\*(Aq, \*(Aqmain\*(Aq, \*(Aqdefault\*(Aq and \*(Aqunspec\*(Aq are reserved and may not be used as provider names\&. .RE .PP \fBNUMBER\fR \- \fInumber\fR .RS 4 The provider number \-\- a number between 1 and 15\&. Each provider must be assigned a unique value\&. .RE .PP \fBMARK\fR (Optional) \- \fIvalue\fR .RS 4 A FWMARK \fIvalue\fR used in your \m[blue]\fBshorewall\-mangle(5)\fR\m[]\&\s-2\u[1]\d\s+2 file to direct packets to this provider\&. .sp If PROVIDER_OFFSET is non\-zero in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[2]\d\s+2, then the value must be a multiple of 2^^PROVIDER_OFFSET\&. In all cases, the number of significant bits may not exceed PROVIDER_OFFSET + PROVIDER_BITS\&. .RE .PP \fBDUPLICATE\fR \- \fIrouting\-table\-name\fR .RS 4 The name of an existing table to duplicate to create this routing table\&. May be \fBmain\fR or the name of a previously listed provider\&. You may select only certain entries from the table to copy by using the COPY column below\&. This column should contain a dash ("\-\*(Aq) when USE_DEFAULT_RT=Yes in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[2]\d\s+2\&. 
.RE .PP \fBINTERFACE\fR \- \fIinterface\fR[:\fIaddress\fR] .RS 4 The name of the network interface to the provider\&. Must be listed in \m[blue]\fBshorewall\-interfaces(5)\fR\m[]\&\s-2\u[3]\d\s+2\&. In general, that interface should not have the \fBproxyarp\fR or \fBproxyndp\fR option specified unless \fBloose\fR is given in the OPTIONS column of this entry\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br For IPv6, if the interface is an Ethernet device and an IP address is supplied, it should be the upstream router\*(Aqs link\-level address, not its global address\&. .sp .5v .RE Where more than one provider is serviced through a single interface, the \fIinterface\fR must be followed by a colon and the IP \fIaddress\fR of the interface that is supplied by the associated provider\&. .RE .PP \fBGATEWAY\fR \- {\fB\-\fR|\fIaddress\fR[,\fImac\fR]|\fBdetect|none\fR} .RS 4 The IP address of the provider\*(Aqs gateway router\&. Beginning with Shorewall 4\&.6\&.2, you may also specify the MAC address of the gateway when there are multiple providers serviced through the same interface\&. When the MAC is not specified, Shorewall will detect the MAC during firewall start or restart\&. .sp You can enter \fBdetect\fR here and Shorewall will attempt to detect the gateway automatically\&. .sp Beginning with Shorewall 5\&.0\&.6, you may also enter \fBnone\fR\&. This causes creation of a routing table with no default route in it\&. .sp For PPP devices, you may omit this column\&. .RE .PP \fBOPTIONS\fR (Optional) \- [\fB\-\fR|\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.] .RS 4 A comma\-separated list selected from the following\&. The order of the options is not significant but the list may contain no embedded white\-space\&. .PP autosrc .RS 4 Added in Shorewall 4\&.5\&.17\&. Causes a host route to the provider\*(Aqs gateway router to be added to the provider\*(Aqs routing table\&. 
This is the default behavior unless overridden by a following \fBnoautosrc\fR option\&. .RE .PP \fBtrack\fR .RS 4 If specified, inbound connections on this interface are to be tracked so that responses may be routed back out this same interface\&. .sp You want to specify \fBtrack\fR if internet hosts will be connecting to local servers through this provider\&. .sp Beginning with Shorewall 4\&.4\&.3, \fBtrack\fR defaults to the setting of the TRACK_PROVIDERS option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2 (5)\&. If you set TRACK_PROVIDERS=Yes and want to override that setting for an individual provider, then specify \fBnotrack\fR (see below)\&. .RE .PP \fBbalance[=\fR\fB\fIweight\fR\fR\fB]\fR .RS 4 The providers that have \fBbalance\fR specified will get outbound traffic load\-balanced among them\&. By default, all interfaces with \fBbalance\fR specified will have the same weight (1)\&. You can change the weight of an interface by specifying \fBbalance=\fR\fIweight\fR where \fIweight\fR is the weight of the route out of this interface\&. .sp Prior to Shorewall 5\&.1\&.1, when USE_DEFAULT_RT=Yes, \fBbalance=1\fR is assumed unless the \fBfallback\fR, \fBloose\fR, \fBload\fR or \fBtproxy\fR option is specified\&. Beginning with Shorewall 5\&.1\&.1, when BALANCE_PROVIDERS=Yes, \fBbalance=1\fR is assumed unless the \fBfallback\fR, \fBloose\fR, \fBload\fR or \fBtproxy\fR option is specified\&.I .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br In IPV6, the \fBbalance\fR option does not cause balanced default routes to be created; it rather causes a sequence of default routes with different metrics to be created\&. .sp .5v .RE .RE .PP \fBloose\fR .RS 4 Shorewall normally adds a routing rule for each IP address on an interface which forces traffic whose source is that IP address to be sent using the routing table for that interface\&. 
Setting \fBloose\fR prevents creation of such rules on this interface\&. .RE .PP \fBload=\fR\fB\fIprobability\fR\fR .RS 4 Added in Shorewall 4\&.6\&.0\&. This option provides an alternative method of load balancing based on probabilities\&. Providers to be balanced are given a \fIprobability\fR (a number 0 > n >= 1) with up to 8 digits to the right of the decimal point\&. Beginning with Shorewall 4\&.6\&.10, a warning is issued if the sum of the probabilities is not 1\&.00000000\&. .RE .PP \fBnoautosrc\fR .RS 4 Added in Shorewall 4\&.5\&.17\&. Prevents the addition of a host route to the provider\*(Aqs gateway router from being added to the provider\*(Aqs routing table\&. This option must be used with caution as it can cause start and restart failures\&. .RE .PP \fBnotrack\fR .RS 4 Added in Shorewall 4\&.4\&.3\&. When specified, turns off \fBtrack\fR\&. .RE .PP \fBoptional (deprecated for use with providers that do not share an interface)\fR .RS 4 If the interface named in the INTERFACE column is not up and configured with an IPv4 address then ignore this provider\&. If not specified, the value of the \fBoptional\fR option for the INTERFACE in \m[blue]\fBshorewall\-interfaces(5)\fR\m[]\&\s-2\u[3]\d\s+2 is assumed\&. Use of that option is preferred to this one, unless an \fIaddress\fR is provider in the INTERFACE column\&. .RE .PP \fBprimary\fR .RS 4 Added in Shorewall 4\&.6\&.6, \fBprimary\fR is equivalent to \fBbalance=1\fR and is preferred when the remaining providers specify \fBfallback\fR or \fBtproxy\fR\&. .RE .PP \fBsrc=\fR\fIsource\-address\fR .RS 4 Specifies the source address to use when routing to this provider and none is known (the local client has bound to the 0 address)\&. May not be specified when an \fIaddress\fR is given in the INTERFACE column\&. If this option is not used, Shorewall substitutes the primary IP address on the interface named in the INTERFACE column\&. 
.RE .PP \fBmtu=\fR\fInumber\fR .RS 4 Specifies the MTU when forwarding through this provider\&. If not given, the MTU of the interface named in the INTERFACE column is assumed\&. .RE .PP \fBfallback[=\fR\fB\fIweight\fR\fR\fB]\fR .RS 4 Indicates that a default route through the provider should be added to the default routing table (table 253)\&. If a \fIweight\fR is given, a balanced route is added with the weight of this provider equal to the specified \fIweight\fR\&. If the option is given without a \fIweight\fR, an separate default route is added through the provider\*(Aqs gateway; the route has a metric equal to the provider\*(Aqs NUMBER\&. .sp Prior to Shorewall 4\&.4\&.24, the option is ignored with a warning message if USE_DEFAULT_RT=Yes in shorewall\&.conf\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br In IPV6, specifying the \fBfallback\fR option on multiple providers does not cause balanced fallback routes to be created; it rather causes a sequence of fallback routes with different metrics to be created\&. .sp .5v .RE .RE .PP \fBtproxy\fR .RS 4 Added in Shorewall 4\&.5\&.4\&. Used for supporting the TPROXY action in shorewall\-mangle(5)\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/Shorewall_Squid_Usage\&.html\fR\m[]\&\s-2\u[4]\d\s+2\&. When specified, the MARK, DUPLICATE and GATEWAY columns should be empty, INTERFACE should be set to \*(Aqlo\*(Aq and \fBtproxy\fR should be the only OPTION\&. Only one \fBtproxy\fR provider is allowed\&. .RE .PP \fBhostroute\fR .RS 4 Added in Shorewall 4\&.5\&.21\&. This is the default behavior that results in a host route to the defined \fBGATEWAY\fR being inserted into the main routing table and into the provider\*(Aqs routing table\&. \fBhostroute\fR is required for older distributions but \fBnohostroute\fR (below) is appropriate for recent distributions\&. 
\fBhostroute\fR may interfere with Zebra\*(Aqs ability to add routes on some distributions such as Debian 7\&. This option defaults to on when BALANCE_PROVIDERS=Yes, in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[2]\d\s+2\&. .RE .PP \fBnohostroute\fR .RS 4 Added in Shorewall 4\&.5\&.21\&. nohostroute inhibits addition of a host route to the defined \fBGATEWAY\fR being inserted into the main routing table and into the provider\*(Aqs routing table\&. \fBnohostroute\fR is not appropriate for older distributions but is appropriate for recent distributions\&. \fBnohostroute\fR allows Zebra\*(Aqs to correctly add routes on some distributions such as Debian 7\&. This option defaults to off when BALANCE_PROVIDERS=Yes, in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[2]\d\s+2\&. .RE .PP \fBpersistent\fR .RS 4 Added in Shorewall 5\&.0\&.2 and alters the behavior of the \fBdisable\fR command: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The provider\*(Aqs routing table still contains the apprioriate default route\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Unless the \fBnoautosrc\fR option is specified, routing rules are generated to route traffic from the interfaces address(es) out of the provider\*(Aqs routing table\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Persistent routing rules in \m[blue]\fBshorewall\-rtrules(5)\fR\m[]\&\s-2\u[5]\d\s+2 are present\&. .RE .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br The generated script will attempt to reenable a disabled persistent provider during execution of the \fBstart\fR, \fBrestart\fR and \fBreload\fR commands\&. When \fBpersistent\fR is not specified, only the \fBenable\fR and \fBreenable\fR commands can reenable the provider\&. 
.sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br RESTORE_DEFAULT_ROUTE=Yes in shorewall[6]\&.conf is not recommended when the \fBpersistent\fR option is used, as restoring default routes to the main routing table can prevent link status monitors such as foolsm from correctly detecting non\-working providers\&. .sp .5v .RE .RE .RE .PP \fBCOPY\fR \- [{\fBnone\fR|\fIinterface\fR\fB[,\fR\fIinterface\fR]\&.\&.\&.}] .RS 4 A comma\-separated list of other interfaces on your firewall\&. Wildcards specified using an asterisk ("*") are permitted (e\&.g\&., tun* )\&. Usually used only when DUPLICATE is \fBmain\fR\&. Only copy routes through INTERFACE and through interfaces listed here\&. If you only wish to copy routes through INTERFACE, enter \fBnone\fR in this column\&. .sp Beginning with Shorewall 4\&.5\&.17, blackhole, unreachable and prohibit routes are no longer copied by default but may be copied by including \fBblackhole\fR,\fBunreachable\fR and \fBprohibit\fR respectively in the COPY list\&. .RE .SH "EXAMPLES" .PP IPv4 Example 1: .RS 4 You run squid in your DMZ on IP address 192\&.168\&.2\&.99\&. Your DMZ interface is eth2 .sp .if n \{\ .RS 4 .\} .nf #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS Squid 1 1 \- eth2 192\&.168\&.2\&.99 \- .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 2: .RS 4 eth0 connects to ISP 1\&. The IP address of eth0 is 206\&.124\&.146\&.176 and the ISP\*(Aqs gateway router has IP address 206\&.124\&.146\&.254\&. .sp eth1 connects to ISP 2\&. The IP address of eth1 is 130\&.252\&.99\&.27 and the ISP\*(Aqs gateway router has IP address 130\&.252\&.99\&.254\&. .sp eth2 connects to a local network\&. 
.sp .if n \{\ .RS 4 .\} .nf #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY ISP1 1 1 main eth0 206\&.124\&.146\&.254 track,balance eth2 ISP2 2 2 main eth1 130\&.252\&.99\&.254 track,balance eth2 .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 1: .RS 4 You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2\&. Your DMZ interface is eth2 .sp .if n \{\ .RS 4 .\} .nf #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS Squid 1 1 \- eth2 2002:ce7c:92b4:1::2 \- .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 2: .RS 4 eth0 connects to ISP 1\&. The ISP\*(Aqs gateway router has IP address 2001:ce7c:92b4:1::2\&. .sp eth1 connects to ISP 2\&. The ISP\*(Aqs gateway router has IP address 2001:d64c:83c9:12::8b\&. .sp eth2 connects to a local network\&. .sp .if n \{\ .RS 4 .\} .nf #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY ISP1 1 1 main eth0 2001:ce7c:92b4:1::2 track eth2 ISP2 2 2 main eth1 2001:d64c:83c9:12::8b track eth2 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/providers .PP /etc/shorewall6/providers .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html\fR\m[]\&\s-2\u[6]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[7]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-mangle(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-mangle.html .RE .IP " 2." 4 shorewall.conf(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 3." 4 shorewall-interfaces(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP " 4." 4 http://www.shorewall.net/Shorewall_Squid_Usage.html .RS 4 \%http://www.shorewall.org/Shorewall_Squid_Usage.html .RE .IP " 5." 4 shorewall-rtrules(5) .RS 4 \%http://www.shorewall.orgshorewall-rtrules.html .RE .IP " 6." 4 http://www.shorewall.net/MultiISP.html .RS 4 \%http://www.shorewall.org/MultiISP.html .RE .IP " 7." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-conntrack.50000664000000000000000000004705413453771247020253 0ustar rootroot'\" t .\" Title: shorewall6-conntrack .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL6\-CONNTRAC" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" conntrack \- shorewall conntrack file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/conntrack\fR\ 'u \fB/etc/shorewall[6]/conntrack\fR .SH "DESCRIPTION" .PP The original intent of the \fBnotrack\fR file was to exempt certain traffic from Netfilter connection tracking\&. Traffic matching entries in the file were not to be tracked\&. .PP The role of the file was expanded in Shorewall 4\&.4\&.27 to include all rules that can be added in the Netfilter \fBraw\fR table\&. 
In 4\&.5\&.7, the file\*(Aqs name was changed to \fBconntrack\fR\&. .PP The file supports three different column layouts: FORMAT 1, FORMAT 2, and FORMAT 3 with FORMAT 1 being the default\&. The three differ as follows: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} in FORMAT 2 and 3, there is an additional leading ACTION column\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} in FORMAT 3, the SOURCE column accepts no zone name; rather the ACTION column allows a SUFFIX that determines the chain(s) that the generated rule will be added to\&. .RE .PP When an entry in the following form is encountered, the format of the following entries are assumed to be of the specified \fIformat\fR\&. .RS 4 \fB?FORMAT\fR \fIformat\fR .RE .PP where \fIformat\fR is either \fB1\fR,\fB2\fR or \fB3\fR\&. .PP Format 3 was introduced in Shorewall 4\&.5\&.10\&. .PP Comments may be attached to Netfilter rules generated from entries in this file through the use of ?COMMENT lines\&. These lines begin with ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached\&. To stop adding comments to rules, use a line containing only ?COMMENT\&. .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBACTION\fR \- {\fBNOTRACK\fR|\fBCT\fR:\fBhelper\fR:\fIname\fR[(\fIarg\fR=\fIval\fR[,\&.\&.\&.])|\fBCT:ctevents:\fR\fB\fIevent\fR\fR\fB[,\&.\&.\&.]|CT:expevents:new\fR\fB|CT:notrack\fR|DROP|LOG|ULOG(\fIulog\-parameters\fR):NFLOG(\fInflog\-parameters\fR)|IP[6]TABLES(\fItarget\fR)}[\fIlog\-level\fR[:\fIlog\-tag\fR]][:\fIchain\-designator\fR] .RS 4 This column is only present when FORMAT >= 2\&. Values other than NOTRACK or DROP require CT Targetsupport in your iptables and kernel\&. 
.sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBNOTRACK\fR or \fBCT:notrack\fR .sp Disables connection tracking for this packet\&. If a \fIlog\-level\fR is specified, the packet will also be logged at that level\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBCT:helper\fR:\fIname\fR .sp Attach the helper identified by the \fIname\fR to this connection\&. This is more flexible than loading the conntrack helper with preset ports\&. If a \fIlog\-level\fR is specified, the packet will also be logged at that level\&. Beginning with Shorewall 4\&.6\&.10, the helper name is optional .sp At this writing, the available helpers are: .PP amanda .RS 4 Requires that the amanda netfilter helper is present\&. .RE .PP ftp .RS 4 Requires that the FTP netfilter helper is present\&. .RE .PP irc .RS 4 Requires that the IRC netfilter helper is present\&. .RE .PP netbios\-ns .RS 4 Requires that the netbios_ns (sic) helper is present\&. .RE .PP RAS and Q\&.931 .RS 4 These require that the H323 netfilter helper is present\&. .RE .PP pptp .RS 4 Requires that the pptp netfilter helper is present\&. .RE .PP sane .RS 4 Requires that the SANE netfilter helper is present\&. .RE .PP sip .RS 4 Requires that the SIP netfilter helper is present\&. .RE .PP snmp .RS 4 Requires that the SNMP netfilter helper is present\&. .RE .PP tftp .RS 4 Requires that the TFTP netfilter helper is present\&. .RE .sp May be followed by an option list of \fIarg\fR=\fIval\fR pairs in parentheses: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBctevents\fR=\fIevent\fR[,\&.\&.\&.] .sp Only generate the specified conntrack events for this connection\&. Possible event types are: \fBnew\fR, \fBrelated\fR, \fBdestroy\fR, \fBreply\fR, \fBassured\fR, \fBprotoinfo\fR, \fBhelper\fR, \fBmark\fR (this is connection mark, not packet mark), \fBnatseqinfo\fR, and \fBsecmark\fR\&. 
If more than one \fIevent\fR is listed, the \fIevent\fR list must be enclosed in parentheses (e\&.g\&., ctevents=(new,related))\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBexpevents\fR\fB=new\fR .sp Only generate \fBnew\fR expectation events for this connection\&. .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} ctevents:\fIevent\fR[,\&.\&.\&.] .sp Added in Shorewall 4\&.6\&.10\&. Only generate the specified conntrack events for this connection\&. Possible event types are: \fBnew\fR, \fBrelated\fR, \fBdestroy\fR, \fBreply\fR, \fBassured\fR, \fBprotoinfo\fR, \fBhelper\fR, \fBmark\fR (this is connection mark, not packet mark), \fBnatseqinfo\fR, and \fBsecmark\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} expevents=new .sp Added in Shorewall 4\&.6\&.10\&. Only generate \fBnew\fR expectation events for this connection\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBDROP\fR .sp Added in Shorewall 4\&.5\&.10\&. Silently discard the packet\&. If a \fIlog\-level\fR is specified, the packet will also be logged at that level\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBIP6TABLES\fR(\fItarget\fR) .sp IPv6 only\&. .sp Added in Shorewall 4\&.6\&.0\&. Allows you to specify any ip6tables \fItarget\fR with target options (e\&.g\&., "IP6TABLES(AUDIT \-\-type drop)")\&. If the target is not one recognized by Shorewall, the following error message will be issued: .RS 4 ERROR: Unknown target (\fItarget\fR) .RE This error message may be eliminated by adding \fItarget\fR as a builtin action in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBIPTABLES\fR(\fItarget\fR) .sp IPv4 only\&. .sp Added in Shorewall 4\&.6\&.0\&. 
Allows you to specify any iptables \fItarget\fR with target options (e\&.g\&., "IPTABLES(AUDIT \-\-type drop)")\&. If the target is not one recognized by Shorewall, the following error message will be issued: .RS 4 ERROR: Unknown target (\fItarget\fR) .RE This error message may be eliminated by adding \fItarget\fR as a builtin action in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBLOG\fR .sp Added in Shorewall 4\&.6\&.0\&. Logs the packet using the specified \fIlog\-level\fR and \fIlog\-tag\fR (if any)\&. If no \fIlog\-level\fR is specified, then \*(Aqinfo\*(Aq is assumed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBNFLOG\fR .sp Added in Shorewall 4\&.6\&.0\&. Queues the packet to a backend logging daemon using the NFLOG netfilter target with the specified \fInflog\-parameters\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBULOG\fR .sp IPv4 only\&. Added in Shorewall 4\&.6\&.0\&. Queues the packet to a backend logging daemon using the ULOG netfilter target with the specified \fIulog\-parameters\fR\&. ULOG is a legacy target that may not be available on current kernels; NFLOG is the preferred replacement where it is supported\&. .RE .sp When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column\&. .sp Beginning with Shorewall 4\&.5\&.10, when FORMAT = 3, this column can end with a colon followed by a \fIchain\-designator\fR\&. The \fIchain\-designator\fR can be one of the following: .PP P .RS 4 The rule is added to the raw table PREROUTING chain\&. This is the default if no \fIchain\-designator\fR is present\&. .RE .PP O .RS 4 The rule is added to the raw table OUTPUT chain\&. .RE .PP PO or OP .RS 4 The rule is added to the raw table PREROUTING and OUTPUT chains\&. 
.RE .RE .PP SOURCE (formats 1 and 2) \(en {\fIzone\fR[:\fIinterface\fR][:\fIaddress\-list\fR]} .RS 4 where \fIzone\fR is the name of a zone, \fIinterface\fR is an interface to that zone, and \fIaddress\-list\fR is a comma\-separated list of addresses (may contain exclusion \- see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2 (5))\&. .sp Beginning with Shorewall 4\&.5\&.7, \fBall\fR can be used as the \fIzone\fR name to mean all zones\&. .sp Beginning with Shorewall 4\&.5\&.10, \fBall\-\fR can be used as the \fIzone\fR name to mean all off\-firewall zones\&. .RE .PP SOURCE (format 3 prior to Shorewall 5\&.1\&.0) \(en {\-|\fIinterface\fR[:\fIaddress\-list\fR]|\fIaddress\-list\fR} .RS 4 Where \fIinterface\fR is an interface to that zone, and \fIaddress\-list\fR is a comma\-separated list of addresses (may contain exclusion \- see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2 (5))\&. .RE .PP \fBSOURCE (format 3 on Shorewall 5\&.1\&.0 and later) \- {\-|[\fR\fB\fIsource\-spec\fR\fR\fB[,\&.\&.\&.]]}\fR .RS 4 where \fIsource\-spec\fR is one of the following: .PP \fIinterface\fR .RS 4 Where interface is the logical name of an interface defined in \m[blue]\fBshorewall\-interface\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. .RE .PP \fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 where \fIaddress\fR may be: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A host or network IP address\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A MAC address in Shorewall format (preceded by a tilde ("~") and using dash ("\-") as a separator\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The name of an ipset preceded by a plus sign ("+")\&. See \m[blue]\fBshorewall\-ipsets\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. .RE .sp \fIexclusion\fR is described in \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. 
.RE .PP \fIinterface\fR:\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 This form combines the preceding two and requires that both the incoming interface and source address match\&. .RE .PP \fIexclusion\fR .RS 4 See \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2 (5) .RE .sp Beginning with Shorewall 5\&.1\&.0, multiple \fIsource\-spec\fRs separated by commas may be specified provided that the following alternative forms are used: (\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp \fIinterface\fR:(\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp (\fIexclusion\fR) .RE .PP DEST (Prior to Shorewall 5\&.1\&.0) \(en {\-|\fIinterface\fR[:\fIaddress\-list\fR]|\fIaddress\-list\fR} .RS 4 where \fIaddress\-list\fR is a comma\-separated list of addresses (may contain exclusion \- see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2 (5))\&. .RE .PP \fBDEST (Shorewall 5\&.1\&.0 and later) \- {\-|\fR\fB\fIdest\-spec\fR\fR\fB[,\&.\&.\&.]}\fR .RS 4 where \fIdest\-spec\fR is one of the following: .PP \fIinterface\fR .RS 4 Where interface is the logical name of an interface defined in \m[blue]\fBshorewall\-interface\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. .RE .PP \fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 where \fIaddress\fR may be: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A host or network IP address\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A MAC address in Shorewall format (preceded by a tilde ("~") and using dash ("\-") as a separator\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The name of an ipset preceded by a plus sign ("+")\&. See \m[blue]\fBshorewall\-ipsets\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. .RE .sp \fIexclusion\fR is described in \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. 
.RE .PP \fIinterface\fR:\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR] .RS 4 This form combines the preceding two and requires that both the outgoing interface and destination address match\&. .RE .PP \fIexclusion\fR .RS 4 See \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2 (5) .RE .sp Beginning with Shorewall 5\&.1\&.0, multiple \fIdest\-spec\fRs separated by commas may be specified provided that the following alternative forms are used: (\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp \fIinterface\fR:(\fIaddress\fR[,\&.\&.\&.][\fIexclusion\fR]) .sp (\fIexclusion\fR) .RE .PP PROTO \(en \fIprotocol\-name\-or\-number\fR[,\&.\&.\&.] .RS 4 A protocol name from /etc/protocols or a protocol number\&. tcp and 6 may be optionally followed by \fB:syn \fRto match only the SYN packet (first packet in the three\-way handshake)\&. .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols and either \fBproto\fR or \fBprotos\fR is accepted in the alternate input format\&. .sp Beginning with Shorewall 5\&.1\&.11, when \fBtcp\fR or \fB6\fR is specified and the ACTION is \fBCT\fR, the compiler will default to \fB:syn\fR\&. If you wish the rule to match packets with any valid combination of TCP flags, you may specify \fBtcp:all\fR or \fB6:all\fR\&. .RE .PP DPORT \- port\-number/service\-name\-list .RS 4 A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&. .sp This column was formerly labelled DEST PORT(S)\&. .RE .PP SPORT \- port\-number/service\-name\-list .RS 4 A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&. 
.sp Beginning with Shorewall 4\&.5\&.15, you may place \*(Aq=\*(Aq in this column, provided that the DPORT column is non\-empty\&. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DPORT\&. Use of \*(Aq=\*(Aq requires multi\-port match in your iptables and kernel\&. .sp This column was formerly labelled SOURCE PORT(S)\&. .RE .PP USER \(en [\fIuser\fR][:\fIgroup\fR] .RS 4 This column was formerly named USER/GROUP and may only be specified if the SOURCE \fIzone\fR is $FW\&. Specifies the effective user id and/or group id of the process sending the traffic\&. .RE .PP \fBSWITCH \- [!]\fR\fB\fIswitch\-name\fR\fR\fB[={0|1}]\fR .RS 4 Added in Shorewall 4\&.5\&.10 and allows enabling and disabling the rule without requiring \fBshorewall restart\fR\&. .sp The rule is enabled if the value stored in /proc/net/nf_condition/\fIswitch\-name\fR is 1\&. The rule is disabled if that file contains 0 (the default)\&. If \*(Aq!\*(Aq is supplied, the test is inverted such that the rule is enabled if the file contains 0\&. .sp Within the \fIswitch\-name\fR, \*(Aq@0\*(Aq and \*(Aq@{0}\*(Aq are replaced by the name of the chain to which the rule is added\&. The \fIswitch\-name\fR (after \*(Aq@0\*(Aq/\*(Aq@{0}\*(Aq expansion) must begin with a letter and be composed of letters, decimal digits, underscores or hyphens\&. Switch names must be 30 characters or less in length\&. .sp Switches are normally \fBoff\fR\&. To turn a switch \fBon\fR: .RS 4 \fBecho 1 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE To turn it \fBoff\fR again: .RS 4 \fBecho 0 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE Switch settings are retained over \fBshorewall restart\fR\&. Note that writing to these files changes the effective firewall policy without going through Shorewall, so access to /proc/net/nf_condition should be treated the same as the ability to edit the firewall configuration\&. .sp When the \fIswitch\-name\fR is followed by \fB=0\fR or \fB=1\fR, then the switch is initialized to off or on respectively by the \fBstart\fR command\&. Other commands do not affect the switch setting\&. 
.RE .SH "EXAMPLE" .PP IPv4 Example 1: .PP Use the FTP helper for TCP port 21 connections from the firewall itself\&. .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 2 #ACTION SOURCE DEST PROTO DPORT SPORT USER CT:helper:ftp(expevents=new) fw \- tcp 21 .fi .if n \{\ .RE .\} .PP IPv4 Example 2 (Shorewall 4\&.5\&.10 or later): .PP Drop traffic to/from all zones to IP address 1\&.2\&.3\&.4 .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 2 #ACTION SOURCE DEST PROTO DPORT SPORT USER DROP all\-:1\&.2\&.3\&.4 \- DROP all 1\&.2\&.3\&.4 .fi .if n \{\ .RE .\} .PP or .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 3 #ACTION SOURCE DEST PROTO DPORT SPORT USER DROP:P 1\&.2\&.3\&.4 \- DROP:PO \- 1\&.2\&.3\&.4 .fi .if n \{\ .RE .\} .PP IPv6 Example 1: .PP Use the FTP helper for TCP port 21 connections from the firewall itself\&. .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 2 #ACTION SOURCE DEST PROTO DPORT SPORT USER CT:helper:ftp(expevents=new) fw \- tcp 21 .fi .if n \{\ .RE .\} .PP IPv6 Example 2 (Shorewall 4\&.5\&.10 or later): .PP Drop traffic to/from all zones to IP address 2001:1\&.2\&.3::4 .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 2 #ACTION SOURCE DEST PROTO DPORT SPORT USER DROP all\-:2001:1\&.2\&.3::4 \- DROP all 2001:1\&.2\&.3::4 .fi .if n \{\ .RE .\} .PP or .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 3 #ACTION SOURCE DEST PROTO DPORT SPORT USER DROP:P 2001:1\&.2\&.3::4 \- DROP:PO \- 2001:1\&.2\&.3::4 .fi .if n \{\ .RE .\} .SH "FILES" .PP /etc/shorewall/conntrack .PP /etc/shorewall6/conntrack .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-actions .RS 4 \%http://www.shorewall.org/manpages/shorewall-actions.html .RE .IP " 2." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP " 3." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP " 4." 4 shorewall-ipsets .RS 4 \%http://www.shorewall.org/manpages/shorewall-ipsets.html .RE .IP " 5." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-interfaces.50000664000000000000000000007355513453771256020421 0ustar rootroot'\" t .\" Title: shorewall-interfaces .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-INTERFACE" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" interfaces \- Shorewall interfaces file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/interfaces\fR\ 'u \fB/etc/shorewall[6]/interfaces\fR .SH "DESCRIPTION" .PP The interfaces file serves to define the firewall\*(Aqs network interfaces to Shorewall\&. The order of entries in this file is not significant in determining zone composition\&. 
.PP Beginning with Shorewall 4\&.5\&.3, the interfaces file supports two different formats: .PP FORMAT 1 (default \- deprecated) .RS 4 There is a BROADCAST column which can be used to specify the broadcast address associated with the interface\&. .RE .PP FORMAT 2 .RS 4 The BROADCAST column is omitted\&. .RE .PP The format is specified by a line as follows: .PP \fB?FORMAT {1|2}\fR .PP The columns in the file are as follows\&. .PP \fBZONE\fR \- \fIzone\-name\fR .RS 4 Zone for this interface\&. Must match the name of a zone declared in /etc/shorewall/zones\&. You may not list the firewall zone in this column\&. .sp If the interface serves multiple zones that will be defined in the \m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[1]\d\s+2(5) file, you should place "\-" in this column\&. .sp If there are multiple interfaces to the same zone, you must list them in separate entries\&. .sp Example: .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE BROADCAST loc eth1 \- loc eth2 \- .fi .if n \{\ .RE .\} .RE .PP \fBINTERFACE\fR \- \fIinterface\fR\fB[:\fR\fIport\fR\fB]\fR .RS 4 Logical name of interface\&. Each interface may be listed only once in this file\&. You may NOT specify the name of a "virtual" interface (e\&.g\&., eth0:0) here; see \m[blue]\fBhttp://www\&.shorewall\&.net/FAQ\&.htm#faq18\fR\m[]\&\s-2\u[2]\d\s+2\&. If the \fBphysical\fR option is not specified, then the logical name is also the name of the actual interface\&. .sp You may use wildcards here by specifying a prefix followed by the plus sign ("+")\&. For example, if you want to make an entry that applies to all PPP interfaces, use \*(Aqppp+\*(Aq; that would match ppp0, ppp1, ppp2, \&... .sp When using Shorewall versions before 4\&.1\&.4, care must be exercised when using wildcards where there is another zone that uses a matching specific interface\&. See \m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[3]\d\s+2(5) for a discussion of this problem\&. 
.sp Shorewall allows \*(Aq+\*(Aq as an interface name, but that usage is deprecated\&. A better approach is to specify \*(Aq\fBphysical\fR=+\*(Aq in the OPTIONS column (see below)\&. .sp There is no need to define the loopback interface (lo) in this file\&. .sp If a \fIport\fR is given, then the \fIinterface\fR must have been defined previously with the \fBbridge\fR option\&. The OPTIONS column may not contain the following options when a \fIport\fR is given\&. .RS 4 arp_filter .RE .RS 4 arp_ignore .RE .RS 4 bridge .RE .RS 4 log_martians .RE .RS 4 mss .RE .RS 4 optional .RE .RS 4 proxyarp .RE .RS 4 required .RE .RS 4 routefilter .RE .RS 4 sourceroute .RE .RS 4 upnp .RE .RS 4 wait .RE Beginning with Shorewall 4\&.5\&.17, if you specify a zone for the \*(Aqlo\*(Aq interface, then that zone must be defined as type \fBlocal\fR in \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. .RE .PP \fBBROADCAST\fR (Optional) \- {\fB\-\fR|\fBdetect\fR|\fIaddress\fR[,\fIaddress\fR]\&.\&.\&.} .RS 4 Only available if FORMAT 1\&. .sp If you use the special value \fBdetect\fR, Shorewall will detect the broadcast address(es) for you if your iptables and kernel include Address Type Match support\&. .sp If your iptables and/or kernel lack Address Type Match support then you may list the broadcast address(es) for the network(s) to which the interface belongs\&. For P\-T\-P interfaces, this column is left blank\&. If the interface has multiple addresses on multiple subnets then list the broadcast addresses as a comma\-separated list\&. .sp If you don\*(Aqt want to give a value for this column but you want to enter a value in the OPTIONS column, enter \fB\-\fR in this column\&. .RE .PP \fBOPTIONS\fR (Optional) \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.] .RS 4 A comma\-separated list of options from the following list\&. The order in which you list the options is not significant but the list should have no embedded white\-space\&. 
.PP \fBaccept_ra\fR[={0|1|2}] .RS 4 IPv6 only; added in Shorewall 4\&.5\&.16\&. Values are: .PP 0 .RS 4 Do not accept Router Advertisements\&. .RE .PP 1 .RS 4 Accept Router Advertisements only if forwarding is disabled\&. .RE .PP 2 .RS 4 Overrule forwarding behavior\&. Accept Router Advertisements even if forwarding is enabled\&. Be aware that accepting Router Advertisements on a forwarding interface lets any host on that link supply the firewall\*(Aqs default route and prefixes, so use this value only on links you trust\&. .RE .sp If the option is specified without a value, then the value 1 is assumed\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, if this option is specified with such a name, a warning is issued and the option is ignored\&. .sp .5v .RE .RE .PP \fBarp_filter[={0|1}]\fR .RS 4 IPv4 only\&. If specified, this interface will only respond to ARP who\-has requests for IP addresses configured on the interface\&. If not specified, the interface can respond to ARP who\-has requests for IP addresses on any of the firewall\*(Aqs interfaces\&. The interface must be up when Shorewall is started\&. .sp Only those interfaces with the \fBarp_filter\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, if this option is specified with such a name, a warning is issued and the option is ignored\&. .sp .5v .RE .RE .PP \fBarp_ignore\fR[=\fInumber\fR] .RS 4 IPv4 only\&. If specified, this interface will respond to ARP requests based on the value of \fInumber\fR (defaults to 1)\&. 
.sp 1 \- reply only if the target IP address is local address configured on the incoming interface .sp 2 \- reply only if the target IP address is local address configured on the incoming interface and the sender\*(Aqs IP address is part from same subnet on this interface\*(Aqs address .sp 3 \- do not reply for local addresses configured with scope host, only resolutions for global and link .sp 4\-7 \- reserved .sp 8 \- do not reply for all local addresses .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, If this option is specified, a warning is issued and the option is ignored\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br Do not specify \fBarp_ignore\fR for any interface involved in \m[blue]\fBProxy ARP\fR\m[]\&\s-2\u[5]\d\s+2\&. .sp .5v .RE .RE .PP \fBblacklist\fR .RS 4 Checks packets arriving on this interface against the \m[blue]\fBshorewall\-blacklist\fR\m[]\&\s-2\u[6]\d\s+2(5) file\&. .sp Beginning with Shorewall 4\&.4\&.13: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If a \fIzone\fR is given in the ZONES column, then the behavior is as if \fBblacklist\fR had been specified in the IN_OPTIONS column of \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[7]\d\s+2(5)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Otherwise, the option is ignored with a warning: \fBWARNING: The \*(Aqblacklist\*(Aq option is ignored on multi\-zone interfaces\fR .RE .RE .PP \fBbridge\fR .RS 4 Designates the interface as a bridge\&. Beginning with Shorewall 4\&.4\&.7, setting this option also sets \fBrouteback\fR\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br If you have a bridge that you don\*(Aqt intend to define bport zones on, then it is best to omit this option and simply specify \fBrouteback\fR\&. .sp .5v .RE .RE .PP \fBdbl={none|src|dst|src\-dst}\fR .RS 4 Added in Shorewall 5\&.0\&.10\&. This option defines whether or not dynamic blacklisting is applied to packets entering the firewall through this interface and whether the source address and/or destination address is to be compared against the ipset\-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset\&.\&.\&. in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[8]\d\s+2)\&. The default is determined by the setting of DYNAMIC_BLACKLIST: .PP DYNAMIC_BLACKLIST=No .RS 4 Default is \fBnone\fR (i\&.e\&., no dynamic blacklist checking)\&. .RE .PP DYNAMIC_BLACKLIST=Yes .RS 4 Default is \fBsrc\fR (i\&.e\&., the source IP address is checked)\&. .RE .PP DYNAMIC_BLACKLIST=ipset[\-only] .RS 4 Default is \fBsrc\fR\&. .RE .PP DYNAMIC_BLACKLIST=ipset[\-only],src\-dst\&.\&.\&. .RS 4 Default is \fBsrc\-dst\fR (i\&.e\&., the source IP address is checked against the ipset on input and the destination IP address is checked against the ipset on packets originating from the firewall and leaving through this interface)\&. .RE .sp The normal setting for this option will be \fBdst\fR or \fBnone\fR for internal interfaces and \fBsrc\fR or \fBsrc\-dst\fR for Internet\-facing interfaces\&. .RE .PP \fBdestonly\fR .RS 4 Added in Shorewall 4\&.5\&.17\&. Causes the compiler to omit rules to handle traffic from this interface\&. .RE .PP \fBdhcp\fR .RS 4 Specify this option when any of the following are true: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} the interface gets its IP address via DHCP .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 
4.2 .\} the interface is used by a DHCP server running on the firewall .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} the interface has a static IP but is on a LAN segment with lots of DHCP clients\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 4.\h'+01'\c .\} .el \{\ .sp -1 .IP " 4." 4.2 .\} the interface is a \m[blue]\fBsimple bridge\fR\m[]\&\s-2\u[9]\d\s+2 with a DHCP server on one port and DHCP clients on another port\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br If you use \m[blue]\fBShorewall\-perl for firewall/bridging\fR\m[]\&\s-2\u[10]\d\s+2, then you need to include DHCP\-specific rules in \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. DHCP uses UDP ports 67 and 68\&. .sp .5v .RE .RE .sp This option allows DHCP datagrams to enter and leave the interface\&. .RE .PP \fBforward\fR[={0|1}] .RS 4 IPv6 only Sets the /proc/sys/net/ipv6/conf/interface/forwarding option to the specified value\&. If no value is supplied, then 1 is assumed\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, If this option is specified, a warning is issued and the option is ignored\&. .sp .5v .RE .RE .PP \fBignore[=1]\fR .RS 4 When specified, causes the generated script to ignore up/down events from Shorewall\-init for this device\&. Additionally, the option exempts the interface from hairpin filtering\&. When \*(Aq=1\*(Aq is omitted, the ZONE column must contain \*(Aq\-\*(Aq and \fBignore\fR must be the only OPTION\&. .sp Beginning with Shorewall 4\&.5\&.5, may be specified as \*(Aq\fBignore=1\fR\*(Aq which only causes the generated script to ignore up/down events from Shorewall\-init; hairpin filtering is still applied\&. 
In this case, the above restrictions on the ZONE and OPTIONS columns are lifted\&. .RE .PP \fBloopback\fR .RS 4 Added in Shorewall 4\&.6\&.6\&. Designates the interface as the loopback interface\&. This option is assumed if the interface\*(Aqs physical name is \*(Aqlo\*(Aq\&. Only one interface may have the \fBloopback\fR option specified\&. .RE .PP \fBlogmartians[={0|1}]\fR .RS 4 IPv4 only\&. Turn on kernel martian logging (logging of packets with impossible source addresses)\&. It is strongly suggested that if you set \fBroutefilter\fR on an interface that you also set \fBlogmartians\fR\&. Even if you do not specify the \fBroutefilter\fR option, it is a good idea to specify \fBlogmartians\fR because your distribution may have enabled route filtering without you knowing it\&. .sp Only those interfaces with the \fBlogmartians\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&. .sp To find out if route filtering is set on a given \fIinterface\fR, check the contents of /proc/sys/net/ipv4/conf/\fIinterface\fR/rp_filter \- a non\-zero value indicates that route filtering is enabled\&. The kernel applies the higher of the per\-interface value and /proc/sys/net/ipv4/conf/all/rp_filter, so check both\&. .sp Example: .sp .if n \{\ .RS 4 .\} .nf teastep@lists:~$ \fBcat /proc/sys/net/ipv4/conf/eth0/rp_filter \fR 1 teastep@lists:~$ .fi .if n \{\ .RE .\} .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, if this option is specified with such a name, a warning is issued and the option is ignored\&. .sp .5v .RE This option may also be enabled globally in the \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5) file\&. .RE .PP \fBmaclist\fR .RS 4 Connection requests from this interface are compared against the contents of \m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[12]\d\s+2(5)\&. 
If this option is specified, the interface must be an Ethernet NIC and must be up before Shorewall is started\&. .RE .PP \fB\fBmss\fR\fR\fB=\fR\fInumber\fR .RS 4 Added in Shorewall 4\&.0\&.3\&. Causes forwarded TCP SYN packets entering or leaving on this interface to have their MSS field set to the specified \fInumber\fR\&. .RE .PP \fBnets=(\fR\fB\fInet\fR\fR\fB[,\&.\&.\&.])\fR .RS 4 Limit the zone named in the ZONE column to only the listed networks\&. The parentheses may be omitted if only a single \fInet\fR is given (e\&.g\&., nets=192\&.168\&.1\&.0/24)\&. Limited broadcast to the zone is supported\&. Beginning with Shorewall 4\&.4\&.1, multicast traffic to the zone is also supported\&. .RE .PP \fBnets=dynamic\fR .RS 4 Defines the zone as dynamic\&. Requires ipset match support in your iptables and kernel\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/Dynamic\&.html\fR\m[]\&\s-2\u[13]\d\s+2 for further information\&. .RE .PP \fBnodbl\fR .RS 4 Added in Shorewall 5\&.0\&.8\&. When specified, dynamic blacklisting is disabled on the interface\&. Beginning with Shorewall 5\&.0\&.10, \fBnodbl\fR is equivalent to \fBdbl=none\fR\&. .RE .PP \fBnosmurfs\fR .RS 4 IPv4 only\&. Filter packets for smurfs (packets with a broadcast address as the source)\&. .sp Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. After logging, the packets are dropped\&. .RE .PP \fBoptional\fR .RS 4 When \fBoptional\fR is specified for an interface, Shorewall will be silent when: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} a /proc/sys/net/ipv[46]/conf/ entry for the interface cannot be modified (including for proxy ARP or proxy NDP)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The first address of the interface cannot be obtained\&. .RE .sp May not be specified with \fBrequired\fR\&. 
.RE .PP \fBphysical\fR=\fB\fIname\fR\fR .RS 4 Added in Shorewall 4\&.4\&.4\&. When specified, the interface or port name in the INTERFACE column is a logical name that refers to the name given in this option\&. It is useful when you want to specify the same wildcard port name on two or more bridges\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/bridge\-Shorewall\-perl\&.html#Multiple\fR\m[]\&\s-2\u[14]\d\s+2\&. .sp If the \fIinterface\fR name is a wildcard name (ends with \*(Aq+\*(Aq), then the physical \fIname\fR must also end in \*(Aq+\*(Aq\&. The physical \fIname\fR may end in \*(Aq+\*(Aq (or be exactly \*(Aq+\*(Aq) when the \fIinterface\fR name is not a wildcard name\&. .sp If \fBphysical\fR is not specified, then its value defaults to the \fIinterface\fR name\&. .RE .PP \fBproxyarp[={0|1}]\fR .RS 4 IPv4 only\&. Sets /proc/sys/net/ipv4/conf/\fIinterface\fR/proxy_arp\&. Do NOT use this option if you are employing Proxy ARP through entries in \m[blue]\fBshorewall\-proxyarp\fR\m[]\&\s-2\u[15]\d\s+2(5)\&. This option is intended solely for use with Proxy ARP sub\-networking as described at: \m[blue]\fBhttp://tldp\&.org/HOWTO/Proxy\-ARP\-Subnet/index\&.html\&.\fR\m[]\&\s-2\u[16]\d\s+2 .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, if this option is specified, a warning is issued and the option is ignored\&. .sp .5v .RE Only those interfaces with the \fBproxyarp\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&. .RE .PP \fBproxyndp\fR[={0|1}] .RS 4 IPv6 only\&. Sets /proc/sys/net/ipv6/conf/\fIinterface\fR/proxy_ndp\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, if this option is specified, a warning is issued and the option is ignored\&. .sp .5v .RE Only those interfaces with the \fBproxyndp\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&. .RE .PP \fBrequired\fR .RS 4 Added in Shorewall 4\&.4\&.10\&. If this option is set, the firewall will fail to start if the interface is not usable\&. May not be specified together with \fBoptional\fR\&. .RE .PP \fBrouteback[={0|1}]\fR .RS 4 If specified, indicates that Shorewall should include rules that allow traffic arriving on this interface to be routed back out that same interface\&. This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard\&. .sp Beginning with Shorewall 4\&.4\&.20, if you specify this option, then you should also specify either \fBsfilter\fR (see below) or \fBroutefilter\fR on all interfaces (see below)\&. .sp Beginning with Shorewall 4\&.5\&.18, you may specify this option to explicitly reset (e\&.g\&., \fBrouteback=0\fR)\&. This can be used to override Shorewall\*(Aqs default setting for bridge devices which is \fBrouteback=1\fR\&. .RE .PP \fBroutefilter[={0|1|2}]\fR .RS 4 IPv4 only\&. Turn on kernel route filtering for this interface (anti\-spoofing measure)\&. .sp Only those interfaces with the \fBroutefilter\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&. .sp The value 2 is only available with Shorewall 4\&.4\&.5\&.1 and later when the kernel version is 2\&.6\&.31 or later\&. It specifies a loose form of reverse path filtering\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, If this option is specified, a warning is issued and the option is ignored\&. .sp .5v .RE This option can also be enabled globally via the ROUTE_FILTER option in the \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5) file\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br If ROUTE_FILTER=Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5), or if your distribution sets net\&.ipv4\&.conf\&.all\&.rp_filter=1 in /etc/sysctl\&.conf, then setting \fBroutefilter\fR=0 in an \fIinterface\fR entry will not disable route filtering on that \fIinterface\fR! The effective setting for an \fIinterface\fR is the maximum of the contents of /proc/sys/net/ipv4/conf/all/rp_filter and the routefilter setting specified in this file (/proc/sys/net/ipv4/conf/\fIinterface\fR/rp_filter)\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br There are certain cases where \fBroutefilter\fR cannot be used on an interface: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If USE_DEFAULT_RT=Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5) and the interface is listed in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[17]\d\s+2(5)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If there is an entry for the interface in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[17]\d\s+2(5) that doesn\*(Aqt specify the \fBbalance\fR option\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If IPSEC is used to allow a road\-warrior to have a local address, then any interface through which the road\-warrior might connect cannot specify \fBroutefilter\fR\&. .RE .sp .5v .RE Beginning with Shorewall 5\&.1\&.1, when \fBroutefilter\fR is set to a non\-zero value, the \fBlogmartians\fR option is also implicitly set\&. If you actually want route filtering without logging, then you must also specify \fBlogmartians=0\fR after \fBroutefilter\fR\&. .RE .PP \fBrpfilter\fR .RS 4 Added in Shorewall 4\&.5\&.7\&. This is an anti\-spoofing measure that requires the \*(AqRPFilter Match\*(Aq capability in your iptables and kernel\&. It provides a more efficient alternative to the \fBsfilter\fR option below\&. It performs a function similar to \fBroutefilter\fR (see above) but works with Multi\-ISP configurations that do not use balanced routes\&. .RE .PP \fBsfilter=(\fR\fB\fInet\fR\fR\fB[,\&.\&.\&.])\fR .RS 4 Added in Shorewall 4\&.4\&.20\&. This option provides an anti\-spoofing alternative to \fBroutefilter\fR on interfaces where that option cannot be used, but where the \fBrouteback\fR option is required (on a bridge, for example)\&. On these interfaces, \fBsfilter\fR should list those local networks that are connected to the firewall through other interfaces\&. .RE .PP \fBsourceroute[={0|1}]\fR .RS 4 If this option is not specified for an interface, then source\-routed packets will not be accepted from that interface unless it has been explicitly enabled via sysconf\&. Only set this option to 1 (enable source routing) if you know what you are doing\&. This might represent a security risk and is usually unneeded\&. .sp Only those interfaces with the \fBsourceroute\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option does not work with a wild\-card \fBphysical\fR name (e\&.g\&., eth0\&.+)\&. Beginning with Shorewall 5\&.1\&.10, If this option is specified, a warning is issued and the option is ignored\&. .sp .5v .RE .RE .PP \fBtcpflags[={0|1}]\fR .RS 4 Packets arriving on this interface are checked for certain illegal combinations of TCP flags\&. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL\&. .sp Beginning with Shorewall 4\&.6\&.0, tcpflags=1 is the default\&. To disable this option, specify tcpflags=0\&. .RE .PP \fBunmanaged\fR .RS 4 Added in Shorewall 4\&.5\&.18\&. Causes all traffic between the firewall and hosts on the interface to be accepted\&. When this option is given: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The ZONE column must contain \*(Aq\-\*(Aq\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Only the following other options are allowed with \fBunmanaged\fR: .RS 4 \fBarp_filter\fR .RE .RS 4 \fBarp_ignore\fR .RE .RS 4 \fBignore\fR .RE .RS 4 \fBroutefilter\fR .RE .RS 4 \fBoptional\fR .RE .RS 4 \fBphysical\fR .RE .RS 4 \fBroutefilter\fR .RE .RS 4 \fBproxyarp\fR .RE .RS 4 \fBproxyudp\fR .RE .RS 4 \fBsourceroute\fR .RE .RE .RE .PP \fBupnp\fR .RS 4 Incoming requests from this interface may be remapped via UPNP (upnpd)\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/UPnP\&.html\fR\m[]\&\s-2\u[18]\d\s+2\&. Supported in IPv4 and in IPv6 in Shorewall 5\&.1\&.4 and later\&. .RE .PP \fBupnpclient\fR .RS 4 This option is intended for laptop users who always run Shorewall on their system yet need to run UPnP\-enabled client apps such as Transmission (BitTorrent client)\&. 
The option causes Shorewall to detect the default gateway through the interface and to accept UDP packets from that gateway\&. Note that, like all aspects of UPnP, this is a security hole so use this option at your own risk\&. Supported in IPv4 and in IPv6 in Shorewall 5\&.1\&.4 and later\&. .RE .PP \fBwait\fR=\fIseconds\fR .RS 4 Added in Shorewall 4\&.4\&.10\&. Causes the generated script to wait up to \fIseconds\fR seconds for the interface to become usable before applying the \fBrequired\fR or \fBoptional\fR options\&. .RE .RE .SH "EXAMPLE" .PP IPv4 Example 1: .RS 4 Suppose you have eth0 connected to a DSL modem and eth1 connected to your local network and that your local subnet is 192\&.168\&.1\&.0/24\&. The interface gets its IP address via DHCP from subnet 206\&.191\&.149\&.192/27\&. You have a DMZ with subnet 192\&.168\&.2\&.0/24 using eth2\&. Your iptables and/or kernel do not support "Address Type Match" and you prefer to specify broadcast addresses explicitly rather than having Shorewall detect them\&. .sp Your entries for this setup would look like: .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 1 #ZONE INTERFACE BROADCAST OPTIONS net eth0 206\&.191\&.149\&.223 dhcp loc eth1 192\&.168\&.1\&.255 dmz eth2 192\&.168\&.2\&.255 .fi .if n \{\ .RE .\} .RE .PP Example 2: .RS 4 The same configuration without specifying broadcast addresses is: .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 2 #ZONE INTERFACE OPTIONS net eth0 dhcp loc eth1 dmz eth2 .fi .if n \{\ .RE .\} .RE .PP Example 3: .RS 4 You have a simple dial\-in system with no Ethernet connections\&. .sp .if n \{\ .RS 4 .\} .nf ?FORMAT 2 #ZONE INTERFACE OPTIONS net ppp0 \- .fi .if n \{\ .RE .\} .RE .PP Example 4 (Shorewall 4\&.4\&.9 and later): .RS 4 You have a bridge with no IP address and you want to allow traffic through the bridge\&. 
.sp .if n \{\ .RS 4 .\} .nf ?FORMAT 2 #ZONE INTERFACE OPTIONS \- br0 bridge .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/interfaces .PP /etc/shorewall6/interfaces .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[19]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-hosts .RS 4 \%http://www.shorewall.org/manpages/shorewall-hosts.html .RE .IP " 2." 4 http://www.shorewall.net/FAQ.htm#faq18 .RS 4 \%http://www.shorewall.org/FAQ.htm#faq18 .RE .IP " 3." 4 shorewall-nesting .RS 4 \%http://www.shorewall.org/manpages/shorewall-nesting.html .RE .IP " 4." 4 shorewall6-zones .RS 4 \%http://www.shorewall.org/manpages6/shorewall6-zones.html .RE .IP " 5." 4 Proxy ARP .RS 4 \%http://www.shorewall.org/ProxyARP.htm .RE .IP " 6." 4 shorewall-blacklist .RS 4 \%http://www.shorewall.org/manpages/shorewall-blacklist.html .RE .IP " 7." 4 shorewall-zones .RS 4 \%http://www.shorewall.org/manpages/shorewall-zones.html .RE .IP " 8." 4 shorewall.conf(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 9." 4 simple bridge .RS 4 \%http://www.shorewall.org/SimpleBridge.html .RE .IP "10." 4 Shorewall-perl for firewall/bridging .RS 4 \%http://www.shorewall.org/bridge-Shorewall-perl.html .RE .IP "11." 4 shorewall-rules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP "12." 4 shorewall-maclist .RS 4 \%http://www.shorewall.org/manpages/shorewall-maclist.html .RE .IP "13." 4 http://www.shorewall.net/Dynamic.html .RS 4 \%http://www.shorewall.org/Dynamic.html .RE .IP "14." 4 http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple .RS 4 \%http://www.shorewall.org/bridge-Shorewall-perl.html#Multiple .RE .IP "15." 4 shorewall-proxyarp .RS 4 \%http://www.shorewall.org/manpages/shorewall-proxyarp.html .RE .IP "16." 4 http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html. .RS 4 \%http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html .RE .IP "17." 
4 shorewall-providers .RS 4 \%http://www.shorewall.org/manpages/shorewall-providers.html .RE .IP "18." 4 http://www.shorewall.net/UPnP.html .RS 4 \%http://www.shorewall.org/UPnP.html .RE .IP "19." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-accounting.50000664000000000000000000004430313453771235020412 0ustar rootroot'\" t .\" Title: shorewall-accounting .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-ACCOUNTIN" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" accounting \- Shorewall Accounting file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/accounting\fR\ 'u \fB/etc/shorewall[6]/accounting\fR .SH "DESCRIPTION" .PP Accounting rules exist simply to count packets and bytes in categories that you define in this file\&. 
You may display these rules and their packet and byte counters using the \fBshorewall show accounting\fR command\&. .PP Beginning with Shorewall 4\&.4\&.18, the accounting structure can be created with three root chains: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccountin\fR: Rules that are valid in the \fBINPUT\fR chain (may not specify an output interface)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccountout\fR: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccounting\fR: Other rules\&. .RE .PP The new structure is enabled by sectioning the accounting file in a manner similar to the \m[blue]\fBrules file\fR\m[]\&\s-2\u[1]\d\s+2\&. The sections are \fBINPUT\fR, \fBOUTPUT\fR and \fBFORWARD\fR and must appear in that order (although any of them may be omitted)\&. The first non\-commentary record in the accounting file must be a section header when sectioning is used\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP If sections are not used, the Shorewall rules compiler cannot detect certain violations of netfilter restrictions\&. These violations can result in run\-time errors such as the following: .PP \fBiptables\-restore v1\&.4\&.13: Can\*(Aqt use \-o with INPUT\fR .sp .5v .RE .PP Beginning with Shorewall 4\&.4\&.20, the ACCOUNTING_TABLE setting was added to shorewall\&.conf and shorewall6\&.conf\&. That setting determines the Netfilter table (filter or mangle) where the accounting rules are added\&. When ACCOUNTING_TABLE=mangle is specified, the available sections are \fBPREROUTING\fR, \fBINPUT\fR, \fBOUTPUT\fR, \fBFORWARD\fR and \fBPOSTROUTING\fR\&. 
.PP Section headers have the form: .PP \fB?SECTION\fR \fIsection\-name\fR .PP When sections are enabled: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A jump to a user\-defined accounting chain must appear before entries that add rules to that chain\&. This eliminates loops and unreferenced chains\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} An output interface may not be specified in the \fBPREROUTING\fR and \fBINPUT\fR sections\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} In the \fBOUTPUT\fR and \fBPOSTROUTING\fR sections: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} An input interface may not be specified .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Jumps to a chain defined in the \fBINPUT\fR or \fBPREROUTING\fR sections that specifies an input interface are prohibited .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} MAC addresses may not be used .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Jump to a chain defined in the \fBINPUT\fR or \fBPREROUTING\fR section that specifies a MAC address are prohibited\&. 
.RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The default value of the CHAIN column is: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccountin\fR in the \fBINPUT\fR section .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccountout\fR in the \fBOUTPUT\fR section .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccountfwd\fR in the \fBFORWARD\fR section .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccountpre\fR in the \fBPREROUTING\fR section .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBaccountpost\fR in the \fBPOSTROUTING\fR section .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Traffic addressed to the firewall goes through the rules defined in the INPUT section\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Traffic originating on the firewall goes through the rules defined in the OUTPUT section\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Traffic being forwarded through the firewall goes through the rules from the FORWARD sections\&. .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax): .PP \fBACTION\fR \- {\fBCOUNT\fR|\fBDONE\fR|\fIchain\fR[:\fB{COUNT\fR|JUMP}]|ACCOUNT(\fItable\fR,\fInetwork\fR)|[?]COMMENT \fIcomment\fR} .RS 4 What to do when a matching packet is found\&. .PP \fBCOUNT\fR .RS 4 Simply count the match and continue with the next rule .RE .PP \fBDONE\fR .RS 4 Count the match and don\*(Aqt attempt to match any other accounting rules in the chain specified in the \fBCHAIN\fR column\&. 
.RE .PP \fIchain\fR[\fB:\fR\fBCOUNT\fR] .RS 4 Where \fIchain\fR is the name of a chain; shorewall will create the chain automatically if it doesn\*(Aqt already exist\&. If a second chain is mentioned in the CHAIN column, then a jump from this second chain to \fIchain\fR is created\&. If no chain is named in the CHAIN column, then a jump from the default chain to \fIchain\fR is created\&. If \fB:COUNT\fR is included, a counting rule matching this entry will be added to \fIchain\fR\&. The \fIchain\fR may not exceed 29 characters in length and may be composed of letters, digits, dash (\*(Aq\-\*(Aq) and underscore (\*(Aq_\*(Aq)\&. .RE .PP \fIchain\fR:JUMP .RS 4 Like the previous option without the \fB:COUNT\fR part\&. .RE .PP \fBACCOUNT(\fR\fItable\fR,\fInetwork\fR\fB)\fR .RS 4 This action implements per\-IP accounting and was added in Shorewall 4\&.4\&.17\&. Requires the \fIACCOUNT Target\fR capability in your iptables and kernel (see the output of \fBshorewall show capabilities\fR)\&. .PP \fItable\fR .RS 4 is the name of an accounting table (you choose the name)\&. All rules specifying the same name will have their per\-IP counters accumulated in the same table\&. .RE .PP \fInetwork\fR .RS 4 is an IPv4 \fBnetwork\fR in CIDR notation (e\&.g\&., 192\&.168\&.1\&.0/24)\&. The network can be as large as a /8 (class A)\&. .RE .sp One nice feature of per\-IP accounting is that the counters survive \fBshorewall restart\fR\&. This has a downside, however\&. If you change the network associated with an accounting table, then you must \fBshorewall stop; shorewall start\fR to have a successful restart (counters will be cleared)\&. .sp The counters in a \fItable\fR are printed using the \fBiptaccount\fR utility\&. For a command synopsis, type: .sp \fBiptaccount \-\-help\fR .sp As of February 2011, the ACCOUNT Target capability and the iptaccount utility are only available when \m[blue]\fBxtables\-addons\fR\m[]\&\s-2\u[2]\d\s+2 is installed\&. 
See \m[blue]\fBhttp://www\&.shorewall\&.net/Accounting\&.html#perIP\fR\m[]\&\s-2\u[3]\d\s+2 for additional information\&. .RE .PP \fBINLINE\fR .RS 4 Added in Shorewall 4\&.5\&.16\&. Allows free form iptables matches to be specified following a \*(Aq;\*(Aq\&. In the generated iptables rule(s), the free form matches will follow any matches that are generated by the column contents\&. .RE .PP \fBNFACCT\fR({\fIobject\fR[!]}[,\&.\&.\&.]) .RS 4 Added in Shorewall 4\&.5\&.7\&. Provides a form of accounting that survives \fBshorewall stop/shorewall\fR start and \fBshorewall restart\fR\&. Requires the NFaccnt Match capability in your kernel and iptables\&. \fIobject\fR names an nfacct object (see man nfaccnt(8))\&. Multiple rules can specify the same \fIobject\fR; all packets that match any of the rules increment the packet and bytes count of the object\&. .sp Prior to Shorewall 4\&.5\&.16, only one \fIobject\fR could be specified\&. Beginning with Shorewall 4\&.5\&.16, an arbitrary number of objects may be given\&. .sp With Shorewall 4\&.5\&.16 or later, an nfacct \fIobject\fR in the list may optionally be followed by \fB!\fR to indicate that the nfacct \fIobject\fR will be incremented unconditionally for each packet\&. When \fB!\fR is omitted, the \fIobject\fR will be incremented only if all of the matches in the rule succeed\&. .RE .PP \fBNFLOG\fR[(nflog\-parameters)] \- Added in Shorewall\-4\&.4\&.20\&. .RS 4 Causes each matching packet to be sent via the currently loaded logging back\-end (usually nfnetlink_log) where it is available to accounting daemons through a netlink socket\&. .RE .PP \fB?COMMENT\fR .RS 4 The remainder of the line is treated as a comment which is attached to subsequent rules until another COMMENT line is found or until the end of the file is reached\&. To stop adding comments to rules, use a line with only the word ?COMMENT\&. .RE .RE .PP \fBCHAIN\fR \- {\fB\-\fR|\fIchain\fR} .RS 4 The name of a \fIchain\fR\&. 
If specified as \fB\-\fR the \fBaccounting\fR chain is assumed when the file is un\-sectioned\&. When the file is sectioned, the default is one of accountin, accountout, etc\&. depending on the section\&. This is the chain where the accounting rule is added\&. The \fIchain\fR will be created if it doesn\*(Aqt already exist\&. The \fIchain\fR may not exceed 29 characters in length\&. .RE .PP \fBSOURCE\fR \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIinterface\fR|\fIinterface\fR\fB:\fR\fIaddress\fR|\fIaddress\fR} .RS 4 Packet Source\&. .sp The name of an \fIinterface\fR, an \fIaddress\fR (host or net) or an \fIinterface\fR name followed by ":" and a host or net \fIaddress\fR\&. An ipset name is also accepted as an \fIaddress\fR\&. .RE .PP \fBDEST\fR \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIinterface\fR|\fIinterface\fR\fB:\fR\fIaddress\fR|\fIaddress\fR} .RS 4 This column was formerly named DESTINATION\&. .sp Packet Destination\&. .sp Format same as \fBSOURCE\fR column\&. .RE .PP \fBPROTO\fR \- {\fB\-\fR|\fB{any\fR|\fBall\fR|\fIprotocol\-name\fR|\fIprotocol\-number\fR|\fBipp2p\fR[\fB:\fR{\fBudp\fR|\fBall\fR}]}[,\&.\&.\&.]} .RS 4 This column was formerly named PROTOCOL .sp A \fIprotocol\-name\fR (from protocols(5)), a \fIprotocol\-number\fR, \fBipp2p\fR, \fBipp2p:udp\fR or \fBipp2p:all\fR .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&. .RE .PP \fBDPORT\fR \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIipp2p\-option\fR|\fIport\-name\-or\-number\fR[,\fIport\-name\-or\-number\fR]\&.\&.\&.} .RS 4 Destination Port number\&. Service name from services(5) or \fIport number\fR\&. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136)\&. .sp You may place a comma\-separated list of port names or numbers in this column if your kernel and iptables include multi\-port match support\&. 
.sp If the PROTOCOL is \fBipp2p\fR then this column must contain an \fIipp2p\-option\fR ("iptables \-m ipp2p \-\-help") without the leading "\-\-"\&. If no option is given in this column, \fBipp2p\fR is assumed\&. .sp This column was formerly named DEST PORT(S)\&. .RE .PP \fBSPORT\fR \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIport\-name\-or\-number\fR[,\fIport\-name\-or\-number\fR]\&.\&.\&.} .RS 4 Service name from services(5) or \fIport number\fR\&. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136)\&. .sp You may place a comma\-separated list of port numbers in this column if your kernel and iptables include multi\-port match support\&. .sp Beginning with Shorewall 4\&.5\&.15, you may place \*(Aq=\*(Aq in this column, provided that the DEST PORT(S) column is non\-empty\&. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DPORT\&. Use of \*(Aq=\*(Aq requires multi\-port match in your iptables and kernel\&. .sp This column was formerly labelled SOURCE PORT(S)\&. .RE .PP \fBUSER\fR \- [\fB!\fR][\fIuser\-name\-or\-number\fR][\fB:\fR\fIgroup\-name\-or\-number\fR][\fB+\fR\fIprogram\-name\fR] .RS 4 This column was formerly named USER/GROUP and may only be non\-empty if the \fBCHAIN\fR is \fBOUTPUT\fR\&. .sp When this column is non\-empty, the rule applies only if the program generating the output is running under the effective \fIuser\fR and/or \fIgroup\fR specified (or is NOT running under that id if "!" is given)\&. 
.sp Examples: .PP joe .RS 4 program must be run by joe .RE .PP :kids .RS 4 program must be run by a member of the \*(Aqkids\*(Aq group .RE .PP !:kids .RS 4 program must not be run by a member of the \*(Aqkids\*(Aq group .RE .PP +upnpd .RS 4 #program named upnpd .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br The ability to specify a program name was removed from Netfilter in kernel version 2\&.6\&.14\&. .sp .5v .RE .RE .RE .PP \fBMARK\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR] .RS 4 Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&. .sp If you don\*(Aqt want to define a test but need to specify anything in the following columns, place a "\-" in this field\&. .PP ! .RS 4 Inverts the test (not equal) .RE .PP \fIvalue\fR .RS 4 Value of the packet or connection mark\&. .RE .PP \fImask\fR .RS 4 A mask to be applied to the mark before testing\&. .RE .PP \fB:C\fR .RS 4 Designates a connection mark\&. If omitted, the packet mark\*(Aqs value is tested\&. .RE .RE .PP \fBIPSEC \- \fR\fB\fIoption\-list\fR\fR\fB (Optional \- Added in Shorewall 4\&.4\&.13 but broken until 4\&.5\&.4\&.1 )\fR .RS 4 The option\-list consists of a comma\-separated list of options from the following list\&. Only packets that will be encrypted or have been decrypted via an SA that matches these options will have their source address changed\&. .PP \fBreqid=\fR\fInumber\fR .RS 4 where \fInumber\fR is specified using setkey(8) using the \*(Aqunique:\fInumber\fR option for the SPD level\&. .RE .PP \fBspi=\fR .RS 4 where \fInumber\fR is the SPI of the SA used to encrypt/decrypt packets\&. 
.RE .PP \fBproto=\fR\fBah\fR|\fBesp\fR|\fBipcomp\fR .RS 4 IPSEC Encapsulation Protocol .RE .PP \fBmss=\fR\fInumber\fR .RS 4 sets the MSS field in TCP packets .RE .PP \fBmode=\fR\fBtransport\fR|\fBtunnel\fR .RS 4 IPSEC mode .RE .PP \fBtunnel\-src=\fR\fIaddress\fR[/\fImask\fR] .RS 4 only available with mode=tunnel .RE .PP \fBtunnel\-dst=\fR\fIaddress\fR[/\fImask\fR] .RS 4 only available with mode=tunnel .RE .PP \fBstrict\fR .RS 4 Means that packets must match all rules\&. .RE .PP \fBnext\fR .RS 4 Separates rules; can only be used with strict .RE .PP \fByes\fR or \fBipsec\fR .RS 4 When used by itself, causes all traffic that will be encrypted/encapsulated or has been decrypted/un\-encapsulated to match the rule\&. .RE .PP \fBno\fR or \fBnone\fR .RS 4 When used by itself, causes all traffic that will not be encrypted/encapsulated or has been decrypted/un\-encapsulated to match the rule\&. .RE .PP \fBin\fR .RS 4 May only be used in the FORWARD section and must be the first or the only item in the list\&. Indicates that matching packets have been decrypted in input\&. .RE .PP \fBout\fR .RS 4 May only be used in the FORWARD section and must be the first or the only item in the list\&. Indicates that matching packets will be encrypted on output\&. .RE .sp If this column is non\-empty and sections are not used, then: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A chain NAME appearing in the ACTION column must be a chain branched either directly or indirectly from the \fBaccipsecin\fR or \fBaccipsecout\fR chain\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The CHAIN column must contain either \fBaccipsecin\fR or \fBaccipsecout\fR or a chain branched either directly or indirectly from those chains\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} These rules will NOT appear in the \fBaccounting\fR chain\&. 
.RE .RE .PP In all of the above columns except \fBACTION\fR and \fBCHAIN\fR, the values \fB\-\fR, \fBany\fR and \fBall\fR may be used as wildcards\&. Omitted trailing columns are also treated as wildcards\&. .SH "FILES" .PP /etc/shorewall/accounting .PP /etc/shorewall6/accounting .SH "SEE ALSO" .PP \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[4]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 rules file .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 2." 4 xtables-addons .RS 4 \%http://xtables-addons.sourceforge.net/ .RE .IP " 3." 4 http://www.shorewall.net/Accounting.html#perIP .RS 4 \%http://www.shorewall.org/Accounting.html#perIP .RE .IP " 4." 4 shorewall-logging(5) .RS 4 \%http://www.shorewall.org/shorewall-logging.htm .RE .IP " 5." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-names.50000664000000000000000000002745213453771265017374 0ustar rootroot'\" t .\" Title: shorewall-names .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-NAMES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- 
.\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" names \- Shorewall object names .SH "DESCRIPTION" .PP When you define an object in Shorewall (\m[blue]\fBZone\fR\m[]\&\s-2\u[1]\d\s+2, Logical Interface, \m[blue]\fBipsets\fR\m[]\&\s-2\u[2]\d\s+2, \m[blue]\fBActions\fR\m[]\&\s-2\u[3]\d\s+2, etc\&.), you give it a name\&. Shorewall names start with a letter and consist of letters, digits or underscores ("_")\&. Except for Zone names, Shorewall does not impose a limit on name length\&. .PP When an ipset is referenced, the name must be preceded by a plus sign ("+")\&. .PP The last character of an interface name may also be a plus sign to indicate a wildcard name\&. .PP Physical interface names match the names shown by \*(Aqip link ls\*(Aq; if the name includes an at sign ("@"), do not include that character or any character that follows\&. For example, "sit1@NONE" is referred to as simply \*(Aqsit1\*(Aq\&. .SH "ZONE AND CHAIN NAMES" .PP For a pair of zones, Shorewall creates two Netfilter chains; one for connections in each direction\&. The names of these chains are formed by separating the names of the two zones by either "2" or "\-"\&. .PP Example: Traffic from zone A to zone B would go through chain A2B (think "A to B") or "A\-B"\&. .PP In Shorewall 4\&.6, the default separator is "\-" but you can override that by setting ZONE_SEPARATOR="2" in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2 (5)\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .PP Prior to Shorewall 4\&.6, the default separator was "2"\&. 
.sp .5v .RE .PP Zones themselves have names that begin with a letter and are composed of letters, numerals, and "_"\&. The maximum length of a name is dependent on the setting of LOGFORMAT in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2 (5)\&. See \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2 (5) for details\&. .SH "USING DNS NAMES" .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br .PP I personally recommend strongly against using DNS names in Shorewall configuration files\&. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won\*(Aqt start as a result of DNS problems then don\*(Aqt say that you were not forewarned\&. .sp .5v .RE .PP Host addresses in Shorewall configuration files may be specified as either IP addresses or DNS Names\&. .PP DNS names in iptables rules aren\*(Aqt nearly as useful as they first appear\&. When a DNS name appears in a rule, the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule\&. So changes in the DNS\->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall\*(Aqs rule set\&. .PP For some sites, using DNS names is very risky\&. Here\*(Aqs an example: .sp .if n \{\ .RS 4 .\} .nf teastep@ursa:~$ dig pop\&.gmail\&.com ; <<>> DiG 9\&.4\&.2\-P1 <<>> pop\&.gmail\&.com ;; global options: printcmd ;; Got answer: ;; \->>HEADER<<\- opcode: QUERY, status: NOERROR, id: 1774 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0 ;; QUESTION SECTION: ;pop\&.gmail\&.com\&. IN A ;; ANSWER SECTION: pop\&.gmail\&.com\&. \fB300\fR IN CNAME gmail\-pop\&.l\&.google\&.com\&. gmail\-pop\&.l\&.google\&.com\&. \fB300\fR IN A 209\&.85\&.201\&.109 gmail\-pop\&.l\&.google\&.com\&. \fB300\fR IN A 209\&.85\&.201\&.111 .fi .if n \{\ .RE .\} .PP Note that the TTL is 300 \-\- 300 seconds is only 5 minutes\&. 
So five minutes later, the answer may change! .PP So this rule may work for five minutes and then suddenly stop working: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT POP(ACCEPT) loc net:pop\&.gmail\&.com .fi .if n \{\ .RE .\} .PP There are two options in \m[blue]\fBshorewall[6]\&.conf(5)\fR\m[]\&\s-2\u[4]\d\s+2 that affect the use of DNS names in Shorewall[6] config files: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} DEFER_DNS_RESOLUTION \- When set to No, DNS names are resolved at compile time; when set to Yes, DNS names are resolved at runtime\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} AUTOMAKE \- When set to Yes, \fBstart\fR, \fBrestart\fR and \fBreload\fR only result in compilation if one of the files on the CONFIG_PATH has changed since the last compilation\&. .RE .PP So by setting AUTOMAKE=Yes and DEFER_DNS_RESOLUTION=No, compilation will only take place at boot time if a change had been made to the config but no \fBrestart\fR or \fBreload\fR had taken place\&. This is clearly spelled out in the shorewall\&.conf manpage\&. So with these settings, so long as a \*(Aqreload\*(Aq or \*(Aqrestart\*(Aq takes place after the Shorewall configuration is changed, there should be no DNS\-related problems at boot time\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change makes it necessary to recompile an existing firewall script, the \fB\-c\fR option must be used with the \fBreload\fR or \fBrestart\fR command to force recompilation\&. .sp .5v .RE .PP If your firewall rules include DNS names then, even if DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If your /etc/resolv\&.conf is wrong then your firewall may not start\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If your /etc/nsswitch\&.conf is wrong then your firewall may not start\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If your Name Server(s) is(are) down then your firewall may not start\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If your startup scripts try to start your firewall before starting your DNS server then your firewall may not start\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Factors totally outside your control (your ISP\*(Aqs router is down for example), can prevent your firewall from starting\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You must bring up your network interfaces prior to starting your firewall, or the firewall may not start\&. .RE .PP Each DNS name must be fully qualified and include a minimum of two periods (although one may be trailing)\&. This restriction is imposed by Shorewall to insure backward compatibility with existing configuration files\&. .PP \fBExample\ \&1.\ \&Valid DNS Names\fR .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} mail\&.shorewall\&.net .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} shorewall\&.net\&. (note the trailing period)\&. .RE .PP \fBExample\ \&2.\ \&Invalid DNS Names\fR .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} mail (not fully qualified) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} shorewall\&.net (only one period) .RE .PP DNS names may not be used as: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The server address in a DNAT rule (/etc/shorewall/rules file) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} In the ADDRESS column of an entry in /etc/shorewall/masq\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} In the /etc/shorewall/nat file\&. .RE .PP These restrictions are imposed by Netfilter and not by Shorewall\&. .SH "LOGICAL INTERFACE NAMES" .PP When dealing with a complex configuration, it is often awkward to use physical interface names in the Shorewall configuration\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You need to remember which interface is which\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If you move the configuration to another firewall, the interface names might not be the same\&. .RE .PP Beginning with Shorewall 4\&.4\&.4, you can use logical interface names which are mapped to the actual interface using the \fBphysical\fR option in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[5]\d\s+2 (5)\&. .PP Here is an example: .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE OPTIONS net \fBCOM_IF \fR dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,\fBphysical=eth0\fR net \fBEXT_IF\fR dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,\fBphysical=eth2\fR loc \fBINT_IF \fR dhcp,logmartians=1,routefilter=1,tcpflags,nets=172\&.20\&.1\&.0/24,\fBphysical=eth1\fR dmz \fBVPS_IF \fR logmartians=1,routefilter=0,routeback,\fBphysical=venet0\fR loc \fBTUN_IF\fR \fBphysical=tun+\fR .fi .if n \{\ .RE .\} .PP In this example, COM_IF is a logical interface name that refers to Ethernet interface eth0, EXT_IF is a logical interface name that refers to Ethernet interface eth2, and so on\&. 
.PP Here are a couple of more files from the same configuration: .PP \m[blue]\fBshorewall\-masq\fR\m[]\&\s-2\u[6]\d\s+2 (5): .sp .if n \{\ .RS 4 .\} .nf #INTERFACE SOURCE ADDRESS COMMENT Masquerade Local Network \fBCOM_IF\fR 0\&.0\&.0\&.0/0 \fBEXT_IF \fR !206\&.124\&.146\&.0/24 206\&.124\&.146\&.179:persistent .fi .if n \{\ .RE .\} .PP \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[7]\d\s+2 (5) .sp .if n \{\ .RS 4 .\} .nf #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY Avvanta 1 0x10000 main \fBEXT_IF \fR 206\&.124\&.146\&.254 loose,fallback \fBINT_IF,VPS_IF,TUN_IF\fR Comcast 2 0x20000 main \fBCOM_IF\fR detect balance \fBINT_IF,VPS_IF,TUN_IF\fR .fi .if n \{\ .RE .\} .PP Note in particular that Shorewall translates TUN_IF to tun* in the COPY column\&. .SH "NOTES" .IP " 1." 4 Zone .RS 4 \%http://www.shorewall.orgmanpages/shorewall-zones.html .RE .IP " 2." 4 ipsets .RS 4 \%http://www.shorewall.orgipsets.html .RE .IP " 3." 4 Actions .RS 4 \%http://www.shorewall.orgActions.html .RE .IP " 4." 4 shorewall.conf .RS 4 \%http://www.shorewall.orgmanpages/shorewall.conf.html .RE .IP " 5." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.orgmanpages/shorewall-interfaces.html .RE .IP " 6." 4 shorewall-masq .RS 4 \%http://www.shorewall.orgmanpages/shorewall-masq.html .RE .IP " 7." 
4 shorewall-providers .RS 4 \%http://www.shorewall.orgmanpages/shorewall-providers.html .RE shorewall-5.2.3.4/manpages/shorewall-rtrules.50000664000000000000000000001413213453771277017763 0ustar rootroot'\" t .\" Title: shorewall-rtrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-RTRULES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" rtrules \- Shorewall Routing Rules file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/rtrules\fR\ 'u \fB/etc/shorewall[6]/rtrules\fR .SH "DESCRIPTION" .PP Entries in this file cause traffic to be routed to one of the providers listed in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .PP The columns in the file are as follows\&. .PP \fBSOURCE\fR (Optional) \- {\fB\-\fR|[&]\fIinterface\fR|\fIaddress\fR|\fIinterface\fR:\fIaddress\fR} .RS 4 An ip \fIaddress\fR (network or host) that matches the source IP address in a packet\&. 
May also be specified as an \fIinterface\fR name optionally followed by ":" and an address\&. If the device \fBlo\fR is specified, the packet must originate from the firewall itself\&. .sp Beginning with Shorewall 4\&.5\&.0, you may specify &\fIinterface\fR in this column to indicate that the source is the primary IP address of the named interface\&. .sp Beginning with Shorewall 4\&.6\&.8, you may specify a comma\-separated list of addresses in this column\&. .RE .PP \fBDEST\fR (Optional) \- {\fB\-\fR|\fIaddress\fR} .RS 4 An IP address (network or host) that matches the destination IP address in a packet\&. .sp If you choose to omit either \fBSOURCE\fR or \fBDEST\fR, place "\-" in that column\&. Note that you may not omit both \fBSOURCE\fR and \fBDEST\fR\&. .sp Beginning with Shorewall 4\&.6\&.8, you may specify a comma\-separated list of addresses in this column\&. .RE .PP \fBPROVIDER\fR \- {\fIprovider\-name\fR|\fIprovider\-number\fR|\fBmain\fR} .RS 4 The provider to route the traffic through\&. May be expressed either as the provider name or the provider number\&. May also be \fBmain\fR or 254 for the main routing table\&. This can be used in combination with VPN tunnels; see example 2 below\&. .RE .PP \fBPRIORITY\fR \- \fIpriority\fR\fB[!]\fR .RS 4 The rule\*(Aqs numeric \fIpriority\fR, which determines the order in which the rules are processed\&. Rules with equal priority are applied in the order in which they appear in the file\&. .PP 1000\-1999 .RS 4 Before Shorewall\-generated \*(AqMARK\*(Aq rules .RE .PP 11000\-11999 .RS 4 After \*(AqMARK\*(Aq rules but before Shorewall\-generated rules for ISP interfaces\&. .RE .PP 26000\-26999 .RS 4 After ISP interface rules but before the \*(Aqdefault\*(Aq rule\&. .RE .sp Beginning with Shorewall 5\&.0\&.2, the priority may optionally be followed by an exclamation mark ("!")\&. This causes the rule to remain in place if the interface is disabled\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br Be careful when using rules of the same PRIORITY as some unexpected behavior can occur when multiple rules have the same SOURCE\&. For example, in the following rules, the second rule overwrites the first unless the priority in the second is changed to 19001 or higher: .sp .if n \{\ .RS 4 .\} .nf 10\&.10\&.0\&.0/24 192\&.168\&.5\&.6 provider1 19000 10\&.10\&.0\&.0/24 \- provider2 19000 .fi .if n \{\ .RE .\} .sp .5v .RE .RE .PP \fBMARK \- {\-|\fR\fB\fImark\fR\fR\fB[/\fR\fB\fImask\fR\fR\fB]}\fR .RS 4 Optional \-\- added in Shorewall 4\&.4\&.25\&. For this rule to be applied to a packet, the packet\*(Aqs mark value must match the \fImark\fR when logically anded with the \fImask\fR\&. If a \fImask\fR is not supplied, Shorewall supplies a suitable provider mask\&. .RE .SH "EXAMPLES" .PP Example 1: .RS 4 You want all traffic coming in on eth1 to be routed to the ISP1 provider\&. .sp .if n \{\ .RS 4 .\} .nf #SOURCE DEST PROVIDER PRIORITY MASK eth1 \- ISP1 1000 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 2: .RS 4 You use OpenVPN (routed setup /tunX) in combination with multiple providers\&. In this case you have to set up a rule to ensure that the OpenVPN traffic is routed back through the tunX interface(s) rather than through any of the providers\&. 10\&.8\&.0\&.0/24 is the subnet chosen in your OpenVPN configuration (server 10\&.8\&.0\&.0 255\&.255\&.255\&.0)\&. .sp .if n \{\ .RS 4 .\} .nf #SOURCE DEST PROVIDER PRIORITY MASK \- 10\&.8\&.0\&.0/24 main 1000 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/rtrules .PP /etc/shorewall6/rtrules .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html\fR\m[]\&\s-2\u[2]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[3]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 
4 shorewall-providers .RS 4 \%http://www.shorewall.org/manpages/shorewall-providers.html .RE .IP " 2." 4 http://www.shorewall.net/MultiISP.html .RS 4 \%http://www.shorewall.org/MultiISP.html .RE .IP " 3." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-addresses.50000664000000000000000000001366713453771237020250 0ustar rootroot'\" t .\" Title: shorewall-addresses .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-ADDRESSES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" addresses \- Specifying addresses within a Shorewall configuration .SH "DESCRIPTION" .PP In both Shorewall and Shorewall6, there are two basic types of addresses: .PP Host Address .RS 4 This address type refers to a single host\&. 
.sp In IPv4, the format is \fIi\&.j\&.k\&.l\fR where \fIi\fR through \fIl\fR are decimal numbers between 1 and 255\&. .sp In IPv6, the format is \fIa:b:c:d:e:f:g:h\fR where \fIa\fR through \fIh\fR consist of 1 to 4 hexadecimal digits (leading zeros may be omitted)\&. A single run of all\-zero groups may be replaced by "::"\&. For example 2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1\&. .RE .PP Network Address .RS 4 A network address refers to 1 or more hosts and consists of a host address followed by a slash ("/") and a Variable Length Subnet Mask (VLSM)\&. This is known as Classless Inter\-Domain Routing (CIDR) notation\&. .sp The VLSM is a decimal number\&. For IPv4, it is in the range 0 through 32\&. For IPv6, the range is 0 through 128\&. The number represents the number of leading bits in the address that represent the network address; the remainder of the bits are a host address and are generally given as zero\&. .sp Examples: .sp IPv4: 192\&.168\&.1\&.0/24 .sp IPv6: 2001:227:e857:1:0:0:0:0:1/64 .RE .PP In the Shorewall documentation and manpages, we have tried to make it clear which type of address is accepted in each specific case\&. .PP Because Shorewall uses a colon (":") as a separator in many contexts, IPv6 addresses are best written using the standard convention in which the address itself is enclosed in square brackets: .RS 4 [2001:227:e857:1::1] .RE .RS 4 [2001:227:e857:1::]/64 .RE .SH "SPECIFYING SOURCE AND DEST" .PP Entries in Shorewall configuration files often deal with the source (SOURCE) and destination (DEST) of connections, and Shorewall implements a uniform way of specifying them\&. .PP A SOURCE or DEST consists of one to three parts separated by colons (":"): .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} ZONE \(em The name of a zone declared in /etc/shorewall/zones or /etc/shorewall6/zones\&. 
This part is only available in the rules file (/etc/shorewall/rules, /etc/shorewall/blrules, /etc/shorewall6/rules and /etc/shorewall6/blrules)\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} INTERFACE \(em The name of an interface that matches an entry in /etc/shorewall/interfaces (/etc/shorewall6/interfaces)\&. .sp Beginning with Shorewall 5\&.2\&.1, the \fIinterface\fR may be preceded by \*(Aq!\*(Aq, which matches all interfaces except the one specified\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} ADDRESS LIST \(em A list of one or more addresses (host or network) or address ranges, separated by commas\&. In an IPv6 configuration, this list must be enclosed in square or angled brackets ("[\&.\&.\&.]" or "<\&.\&.\&.>")\&. The list may include an exclusion\&. .RE .PP Examples\&. .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} All hosts in the \fBnet\fR zone \(em \fBnet\fR .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} Subnet 192\&.168\&.1\&.0/29 in the \fBloc\fR zone \(em \fBloc:192\&.168\&.1\&.0/29\fR .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} All hosts in the net zone connecting through ppp0 \(em \fBnet:ppp0\fR .RE .sp .RS 4 .ie n \{\ \h'-04' 4.\h'+01'\c .\} .el \{\ .sp -1 .IP " 4." 4.2 .\} All hosts interfaced by eth3 \(em \fBeth3\fR .RE .sp .RS 4 .ie n \{\ \h'-04' 5.\h'+01'\c .\} .el \{\ .sp -1 .IP " 5." 4.2 .\} Subnet 10\&.0\&.1\&.0/24 interfacing through eth2 \(em \fBeth2:10\&.0\&.1\&.0/24\fR .RE .sp .RS 4 .ie n \{\ \h'-04' 6.\h'+01'\c .\} .el \{\ .sp -1 .IP " 6." 4.2 .\} Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the \fBloc\fR zone \(em \fBloc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]\fR .RE .sp .RS 4 .ie n \{\ \h'-04' 7.\h'+01'\c .\} .el \{\ .sp -1 .IP " 7." 
4.2 .\} The primary IP address of eth0 in the $FW zone \- \fB$FW:&eth0\fR .RE .sp .RS 4 .ie n \{\ \h'-04' 8.\h'+01'\c .\} .el \{\ .sp -1 .IP " 8." 4.2 .\} All hosts in Vatican City \- \fBnet:^VA\fR (Requires the \fIGeoIP Match\fR capability)\&. .RE .SH "IP ADDRESS RANGES" .PP If your kernel and iptables have \fIIP Range match support\fR, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <\fIlow IP address\fR>\-<\fIhigh IP address\fR>\&. .PP Example: 192\&.168\&.1\&.5\-192\&.168\&.1\&.12\&. .SH "" .PP .SH "SEE ALSO" .PP For more information about addressing, see the \m[blue]\fBSetup Guide\fR\m[]\&\s-2\u[1]\d\s+2\&. .SH "NOTES" .IP " 1." 4 Setup Guide .RS 4 \%http://www.shorewall.orgshorewall_setup_guide.htm#Addressing .RE shorewall-5.2.3.4/manpages/shorewall-hosts.50000664000000000000000000002007713453771253017422 0ustar rootroot'\" t .\" Title: shorewall-hosts .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-HOSTS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" 
----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" hosts \- Shorewall file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/hosts\fR\ 'u \fB/etc/shorewall[6]/hosts\fR .SH "DESCRIPTION" .PP This file is used to define zones in terms of subnets and/or individual IP addresses\&. Most simple setups don\*(Aqt need to (should not) place anything in this file\&. .PP The order of entries in this file is not significant in determining zone composition\&. Rather, the order that the zones are declared in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the order in which the records in this file are interpreted\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP The only time that you need this file is when you have more than one zone connected through a single interface\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP If you have an entry for a zone and interface in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) then do not include any entries in this file for that same (zone, interface) pair\&. .sp .5v .RE .PP The columns in the file are as follows\&. .PP \fBZONE\fR \- \fIzone\-name\fR .RS 4 The name of a zone declared in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. You may not list the firewall zone in this column\&. .RE .PP \fBHOST(S)\fR \- \fIinterface\fR:{[{\fIaddress\-or\-range\fR[\fB,\fR\fIaddress\-or\-range\fR]\&.\&.\&.|\fB+\fR\fIipset\fR|\fBdynamic\fR}[\fIexclusion\fR] .RS 4 The name of an interface defined in the \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) file followed by a colon (":") and a comma\-separated list whose elements are either: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 
4.2 .\} The IP \fIaddress\fR of a host\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} A network in CIDR format\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} An IP address range of the form \fIlow\&.address\fR\-\fIhigh\&.address\fR\&. Your kernel and iptables must have iprange match support\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 4.\h'+01'\c .\} .el \{\ .sp -1 .IP " 4." 4.2 .\} The name of an \fIipset\fR, preceded by a plus sign ("+")\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 5.\h'+01'\c .\} .el \{\ .sp -1 .IP " 5." 4.2 .\} The word \fBdynamic\fR, which makes the zone dynamic in that you can use the \fBshorewall add\fR and \fBshorewall delete\fR commands to change the composition of the zone\&. .RE .sp You may also exclude certain hosts through use of an \fIexclusion\fR (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[3]\d\s+2(5))\&. .RE .PP \fBOPTIONS\fR (Optional) \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.] .RS 4 A comma\-separated list of options from the following list\&. The order in which you list the options is not significant but the list must have no embedded white\-space\&. .PP \fBblacklist\fR .RS 4 Check packets arriving on this port against the \m[blue]\fBshorewall\-blacklist\fR\m[]\&\s-2\u[4]\d\s+2(5) file\&. .RE .PP \fBbroadcast\fR .RS 4 Used when you want to include limited broadcasts (destination IP address 255\&.255\&.255\&.255) from the firewall to this zone\&. Only necessary when: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} The network specified in the HOST(S) column does not include 255\&.255\&.255\&.255\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} The zone does not have an entry for this interface in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .RE .PP \fBdestonly\fR .RS 4 Normally used with the Multi\-cast IP address range (224\&.0\&.0\&.0/4)\&. 
Specifies that traffic will be sent to the specified net(s) but that no traffic will be received from the net(s)\&. .RE .PP \fBipsec\fR .RS 4 The zone is accessed via a kernel 2\&.6 ipsec SA\&. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5) file then you do NOT need to specify the \*(Aqipsec\*(Aq option here\&. .RE .PP \fBmaclist\fR .RS 4 Connection requests from these hosts are compared against the contents of \m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[5]\d\s+2(5)\&. If this option is specified, the interface must be an Ethernet NIC or equivalent and must be up before Shorewall is started\&. .RE .PP \fBmss\fR=\fImss\fR .RS 4 Added in Shorewall 4\&.5\&.2\&. When present, causes the TCP mss for new connections to/from the hosts given in the HOST(S) column to be clamped at the specified \fImss\fR\&. .RE .PP \fBnosmurfs\fR .RS 4 This option only makes sense for ports on a bridge\&. .sp Filter packets for smurfs (packets with a broadcast address as the source)\&. .sp Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[6]\d\s+2(5)\&. After logging, the packets are dropped\&. .RE .PP \fBrouteback\fR .RS 4 Shorewall should set up the infrastructure to pass packets from this/these address(es) back to themselves\&. This is necessary if hosts in this group use the services of a transparent proxy that is a member of the group or if DNAT is used to send requests originating from this group to a server in the group\&. .RE .PP \fBtcpflags\fR .RS 4 Packets arriving from these hosts are checked for certain illegal combinations of TCP flags\&. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL\&. 
.RE .RE .SH "EXAMPLES" .PP Example 1 .RS 4 The firewall runs a PPTP server which creates a ppp interface for each remote client\&. The clients are assigned IP addresses in the network 192\&.168\&.3\&.0/24 and in a zone named \*(Aqvpn\*(Aq\&. .sp .if n \{\ .RS 4 .\} .nf #ZONE HOST(S) OPTIONS vpn ppp+:192\&.168\&.3\&.0/24 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/hosts .PP /etc/shorewall6/hosts .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[7]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-zones .RS 4 \%http://www.shorewall.org/manpages/shorewall-zones.html .RE .IP " 2." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP " 3." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP " 4." 4 shorewall-blacklist .RS 4 \%http://www.shorewall.org/manpages/shorewall-blacklist.html .RE .IP " 5." 4 shorewall-maclist .RS 4 \%http://www.shorewall.org/manpages/shorewall-maclist.html .RE .IP " 6." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 7." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-vardir.50000664000000000000000000000411613430375777017553 0ustar rootroot'\" t .\" Title: shorewall-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 02/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-VARDIR" "5" "02/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" vardir \- Shorewall file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/vardir\fR\ 'u \fB/etc/shorewall[6]/vardir\fR .SH "DESCRIPTION" .PP This file does not exist by default\&. You may create the file if you want to change the directory used by Shorewall to store state information, including compiled firewall scripts\&. 
By default, the directory used is /var/lib/shorewall/ for IPv4 and /var/lib/shorewall6/ for IPv6\&. .PP The file contains a single variable assignment: .PP \fBVARDIR=\fR\fIdirectory\fR .PP where \fIdirectory\fR is the name of a directory\&. If you add this file, you should copy the files from /var/lib/shorewall to the new directory before performing a \fBshorewall restart\fR\&. Because the compiled firewall scripts stored in this directory are executed with root privileges, the directory should be owned by root and must not be writable by other users\&. .SH "EXAMPLE" .PP VARDIR=/root/shorewall .SH "FILES" .PP /etc/shorewall/vardir .PP /etc/shorewall6/vardir .SH "SEE ALSO" .PP shorewall(8) shorewall-5.2.3.4/manpages/shorewall-tcfilters.50000664000000000000000000002422713453771310020254 0ustar rootroot'\" t .\" Title: shorewall-tcfilters .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-TCFILTERS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" tcfilters \- Shorewall u32/basic classifier rules file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/tcfilters\fR\ 'u 
\fB/etc/shorewall[6]/tcfilters\fR .SH "DESCRIPTION" .PP Entries in this file cause packets to be classified for traffic shaping\&. .PP Beginning with Shorewall 4\&.4\&.15, the file may contain entries for both IPv4 and IPv6\&. By default, all rules apply to IPv4 but that can be changed by inserting a line as follows: .PP IPV4 .RS 4 Following entries apply to IPv4\&. .RE .PP IPV6 .RS 4 Following entries apply to IPv6 .RE .PP ALL .RS 4 Following entries apply to both IPv4 and IPv6\&. Each entry is processed twice; once for IPv4 and once for IPv6\&. .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBCLASS\fR \- \fIinterface\fR\fB:\fR\fIclass\fR .RS 4 The name or number of an interface defined in \m[blue]\fBshorewall\-tcdevices\fR\m[]\&\s-2\u[1]\d\s+2(5) followed by a \fIclass\fR number defined for that interface in \m[blue]\fBshorewall\-tcclasses\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBSOURCE\fR \- {\fB\-\fR|\fIaddress\fR|+\fIipset\fR} .RS 4 Source of the packet\&. May be a host or network \fIaddress\fR\&. DNS names are not allowed\&. Beginning with Shorewall 4\&.6\&.0, an ipset name (prefixed with \*(Aq+\*(Aq) may be used if your kernel and ip6tables have the Basic Ematch capability and you set BASIC_FILTERS=Yes in \m[blue]\fBshorewall\&.conf (5)\fR\m[]\&\s-2\u[3]\d\s+2\&. The ipset name may optionally be followed by a number or a comma separated list of src and/or dst enclosed in square brackets ([\&.\&.\&.])\&. See \m[blue]\fBshorewall\-ipsets(5)\fR\m[]\&\s-2\u[4]\d\s+2 for details\&. .RE .PP \fBDEST\fR \- {\fB\-\fR|\fIaddress\fR|+\fIipset\fR} .RS 4 Destination of the packet\&. May be a host or network \fIaddress\fR\&. DNS names are not allowed\&. 
Beginning with Shorewall 4\&.6\&.0, an ipset name (prefixed with \*(Aq+\*(Aq) may be used if your kernel and ip6tables have the Basic Ematch capability and you set BASIC_FILTERS=Yes in \m[blue]\fBshorewall\&.conf (5)\fR\m[]\&\s-2\u[3]\d\s+2\&. The ipset name may optionally be followed by a number or a comma separated list of src and/or dst enclosed in square brackets ([\&.\&.\&.])\&. See \m[blue]\fBshorewall\-ipsets(5)\fR\m[]\&\s-2\u[4]\d\s+2 for details\&. .sp You may exclude certain hosts from the set already defined through use of an \fIexclusion\fR (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[5]\d\s+2(5))\&. .RE .PP \fBPROTO\fR \- {\fB\-\fR|{\fIprotocol\-number\fR|\fIprotocol\-name\fR|\fBall}[,\&.\&.\&.]}\fR .RS 4 Protocol\&. .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&. .RE .PP \fBDPORT\fR \- [\fB\-\fR|\fIport\-name\-or\-number\fR] .RS 4 Optional destination Ports\&. A Port name (from services(5)) or a \fIport number\fR; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&. .sp This column was previously labelled DEST PORT(S)\&. .RE .PP \fBSPORT\fR \- [\fB\-\fR|\fIport\-name\-or\-number\fR] .RS 4 Optional source port\&. .sp This column was previously labelled SOURCE PORT(S)\&. .RE .PP \fBTOS\fR (Optional) \- [\fB\-\fR|\fItos\fR] .RS 4 Specifies the value of the TOS field\&. 
The \fItos\fR value can be any of the following: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBtos\-minimize\-delay\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBtos\-maximize\-throughput\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBtos\-maximize\-reliability\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBtos\-minimize\-cost\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBtos\-normal\-service\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIhex\-number\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fIhex\-number\fR/\fIhex\-number\fR .RE .sp The \fIhex\-number\fRs must be exactly two digits (e\&.g\&., 0x04)\&. .RE .PP \fBLENGTH\fR \- [\fB\-\fR|\fInumber\fR] .RS 4 Optional \- Must be a power of 2 between 32 and 8192 inclusive\&. Packets with a total length that is strictly less than the specified \fInumber\fR will match the rule\&. .RE .PP \fBPRIORITY\fR \- [\fB\-\fR|\fIpriority\fR] .RS 4 Added in Shorewall 4\&.5\&.8\&. Specifies the rule \fIpriority\fR\&. The \fIpriority\fR value must be > 0 and <= 65535\&. .sp When a \fIpriority\fR is not given: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} For Shorewall versions prior to 4\&.5\&.8 \- all filters have priority 10\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} For Shorewall 4\&.5\&.8 and later \- for each device, the compiler maintains a high\-water priority with an initial value of 0\&. When a filter has no \fIpriority\fR, the high\-water priority is incremented by 1 and assigned to the filter\&. When a \fIpriority\fR greater than the high\-water priority is entered in this column, the high\-water priority is set to the specified \fIpriority\fR\&. 
An attempt to assign a priority value greater than 65535 (explicitly or implicitly) raises an error\&. .RE .sp The default priority values used by other Shorewall\-generated filters are as follows: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Classify by packet mark \- ( \fIclass priority\fR << 8 ) | 20\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Ingress policing \- 10 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Simple TC ACK packets \- 1 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Complex TC ACK packets \- ( \fIclass priority\fR << 8 ) | 10\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Classify by TOS \- ( \fIclass priority\fR << 8 ) | 15\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Class with \*(Aqoccurs\*(Aq \- 65535 .RE .RE .SH "EXAMPLE" .PP IPv4 Example 1: .RS 4 Place all \*(Aqping\*(Aq traffic on interface 1 in class 10\&. Note that ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different protocols\&. .sp .if n \{\ .RS 4 .\} .nf #CLASS SOURCE DEST PROTO DPORT IPV4 1:10 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 icmp echo\-request 1:10 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 icmp echo\-reply IPV6 1:10 ::/0 ::/0 icmp6 echo\-request 1:10 ::/0 ::/0 icmp6 echo\-reply .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 2: .RS 4 Add two filters with priority 10 (Shorewall 4\&.5\&.8 or later)\&. .sp .if n \{\ .RS 4 .\} .nf #CLASS SOURCE DEST PROTO DPORT PRIORITY IPV4 1:10 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 icmp echo\-request 10 1:10 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 icmp echo\-reply 10 .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 1: .RS 4 Add two filters with priority 10 (Shorewall 4\&.5\&.8 or later)\&. 
.sp .if n \{\ .RS 4 .\} .nf #CLASS SOURCE DEST PROTO DPORT PRIORITY IPV6 1:10 ::/0 ::/0 icmp echo\-request 10 1:10 ::/0 ::/0 icmp echo\-reply 10 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/tcfilters .PP /etc/shorewall6/tcfilters .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/traffic_shaping\&.htm\fR\m[]\&\s-2\u[6]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html\fR\m[]\&\s-2\u[7]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/PacketMarking\&.html\fR\m[]\&\s-2\u[8]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[9]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-tcdevices .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcdevices.html .RE .IP " 2." 4 shorewall-tcclasses .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcclasses.html .RE .IP " 3." 4 shorewall.conf (5) .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 4." 4 shorewall-ipsets(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-ipsets.html .RE .IP " 5." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP " 6." 4 http://www.shorewall.net/traffic_shaping.htm .RS 4 \%http://www.shorewall.org/traffic_shaping.htm .RE .IP " 7." 4 http://www.shorewall.net/MultiISP.html .RS 4 \%http://www.shorewall.org/MultiISP.html .RE .IP " 8." 4 http://www.shorewall.net/PacketMarking.html .RS 4 \%http://www.shorewall.org/PacketMarking.html .RE .IP " 9." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-ipsets.50000664000000000000000000001700113453771257017566 0ustar rootroot'\" t .\" Title: shorewall-ipsets .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-IPSETS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" ipsets \- Specifying the name of an ipset in Shorewall configuration files .SH "SYNOPSIS" .HP \w'\fB+\fR\fB\fIipsetname\fR\fR\ 'u \fB+\fR\fB\fIipsetname\fR\fR .HP \w'\fB+\fR\fB\fIipsetname\fR\fR\fB[\fR\fB\fIflag\fR\fR\fB,\&.\&.\&.]\fR\ 'u \fB+\fR\fB\fIipsetname\fR\fR\fB[\fR\fB\fIflag\fR\fR\fB,\&.\&.\&.]\fR .HP \w'\fB+[ipsetname,\&.\&.\&.]\fR\ 'u \fB+[ipsetname,\&.\&.\&.]\fR .SH "DESCRIPTION" .PP Note: In the above syntax descriptions, the square brackets ("[]") are to be taken literally rather than as 
meta\-characters\&. .PP In most places where a network address may be entered, an ipset may be substituted\&. Set names must be prefixed by the character "+", must start with a letter and may be composed of alphanumeric characters, "\-" and "_"\&. .PP Whether the set is matched against the packet source or destination is determined by which column the set name appears (SOURCE or DEST)\&. For those set types that specify a tuple, two alternative syntaxes are available: .RS 4 [\fInumber\fR] \- Indicates that \*(Aqsrc\*(Aq or \*(Aqdst\*(Aq should be repeated \fInumber\fR times\&. Example: myset[2]\&. .RE .RS 4 [\fIflag\fR,\&.\&.\&.] where \fIflag\fR is \fBsrc\fR or \fBdst\fR\&. Example: myset[src,dst]\&. .RE .PP In a SOURCE or SPORT column, the following pairs are equivalent: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} +myset[2] and +myset[src,src] .RE .PP In a DEST or DPORT column, the following pairs are equivalent: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} +myset[2] and +myset[dst,dst] .RE .PP Beginning with Shorewall 4\&.4\&.14, multiple source or destination matches may be specified by enclosing the set names within +[\&.\&.\&.]\&. The set names need not be prefixed with \*(Aq+\*(Aq\&. When such a list of sets is specified, matching packets must match all of the listed sets\&. .PP For information about set lists and exclusion, see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[1]\d\s+2 (5)\&. .PP Beginning with Shorewall 4\&.5\&.16, you can increment one or more nfacct objects each time a packet matches an ipset\&. You do that by listing the objects separated by commas within parentheses\&. .PP Example: .RS 4 +myset[src](myobject) .RE .PP In that example, when the source address of a packet matches the \fBmyset\fR ipset, the \fBmyobject\fR nfacct counter will be incremented\&. 
.PP Beginning with Shorewall 4\&.6\&.0, an ipset name (and src/dst list, if any) can immediately be followed by a list of match options\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP These additional match options are not available in \m[blue]\fBshorewall\-tcfilters(5)\fR\m[]\&\s-2\u[2]\d\s+2\&. .sp .5v .RE .PP Available options are: .PP nomatch .RS 4 If the set type supports the nomatch flag, then the matching is reversed: a match with an element flagged with nomatch returns true, while a match with a plain element returns false\&. This option requires the \*(AqIpset Match nomatch\*(Aq capability in your kernel and ip[6]tables\&. .RE .PP no\-update\-counters .RS 4 The packet and byte counters of the matching element in the set won\*(Aqt be updated\&. By default, the packet and byte counters are updated\&. This option and those that follow require the \*(AqIpset Match counters\*(Aq capability in your kernel and ip[6]tables\&. .RE .PP no\-update\-subcounters .RS 4 The packet and byte counters of the matching element in the member set of a list type of set won\*(Aqt be updated\&. By default, the packet and byte counters are updated\&. .RE .PP packets=\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the packet counter of the element also equals the given \fIvalue\fR\&. .RE .PP packets<\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the packet counter of the element is also less than the given \fIvalue\fR\&. .RE .PP packets>\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the packet counter of the element is also greater than the given \fIvalue\fR\&. .RE .PP packets!=\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the packet counter of the element also differs from the given \fIvalue\fR\&. 
.RE .PP bytes=\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the byte counter of the element also equals the given \fIvalue\fR\&. .RE .PP bytes<\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the byte counter of the element is also less than the given \fIvalue\fR\&. .RE .PP bytes>\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the byte counter of the element is also greater than the given \fIvalue\fR\&. .RE .PP bytes<>\fIvalue\fR .RS 4 If the packet matches an element in the set, match only if the byte counter of the element also differs from the given \fIvalue\fR\&. .RE .SH "EXAMPLES" .PP In the examples that follow, myset, myset1 and myset2 are ipsets and myObject is an NFacct object name\&. .PP +myset .PP +myset[src] .PP +myset[2] .PP +[myset1,myset2[dst]] .PP +myset[src](myObject) .PP +myset[src,nomatch,packets>100] .PP +myset[nomatch,no\-update\-counters](myObject) .SH "FILES" .PP /etc/shorewall/accounting .PP /etc/shorewall6/accounting .PP /etc/shorewall/blrules .PP /etc/shorewall6/blrules .PP /etc/shorewall/hosts \-\- \fBNote:\fR Multiple matches enclosed in +[\&.\&.\&.] may not be used in this file\&. .PP /etc/shorewall6/hosts \-\- \fBNote:\fR Multiple matches enclosed in +[\&.\&.\&.] may not be used in this file\&. .PP /etc/shorewall/maclist \-\- \fBNote:\fR Multiple matches enclosed in +[\&.\&.\&.] may not be used in this file\&. .PP /etc/shorewall6/maclist \-\- \fBNote:\fR Multiple matches enclosed in +[\&.\&.\&.] may not be used in this file\&. .PP /etc/shorewall/rules .PP /etc/shorewall6/rules .PP /etc/shorewall/secmarks .PP /etc/shorewall6/secmarks .PP /etc/shorewall/mangle .PP /etc/shorewall6/mangle .PP /etc/shorewall/snat .PP /etc/shorewall6/snat .SH "SEE ALSO" .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP " 2." 
4 shorewall-tcfilters(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcfilters.html .RE shorewall-5.2.3.4/manpages/shorewall-stoppedrules.50000664000000000000000000001337713453771305021016 0ustar rootroot'\" t .\" Title: shorewall-stoppedrules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-STOPPEDRU" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" stoppedrules \- The Shorewall file that governs what traffic flows through the firewall while it is in the \*(Aqstopped\*(Aq state\&. .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/stoppedrules\fR\ 'u \fB/etc/shorewall[6]/stoppedrules\fR .SH "DESCRIPTION" .PP This file is used to define the hosts that are accessible when the firewall is stopped or is being stopped\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP Changes to this file do not take effect until after the next \fBshorewall start\fR, \fBshorewall reload\fR, \fBshorewall restart\fR, or \fBshorewall compile\fR command\&. .sp .5v .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBACTION\fR \- \fBACCEPT|NOTRACK|DROP\fR .RS 4 Determines the disposition of the packet\&. .sp \fBACCEPT\fR means that the packet will be accepted\&. .sp \fBNOTRACK\fR indicates that no conntrack entry should be created for the packet\&. \fBNOTRACK\fR does not imply \fBACCEPT\fR\&. .sp \fBDROP\fR was added in Shorewall 4\&.6\&.0 and causes the packet to be dropped in the raw table\*(Aqs PREROUTING chain\&. .RE .PP \fBSOURCE\fR \- [\fB\-\fR|[$FW|\fIinterface\fR]|[{$FW|interface}[\fI:address\fR[,\fIaddress\fR]\&.\&.\&.]]|[\fIaddress\fR[,\fIaddress\fR]\&.\&.\&.] .RS 4 \fB$FW\fR matches packets originating on the firewall itself, while \fIinterface\fR specifies packets arriving on the named interface\&. .sp This column may also include a comma\-separated list of IP/subnet addresses\&. If your kernel and iptables include iprange match support, IP address ranges are also allowed\&. Ipsets and exclusion are also supported\&. When \fB$FW\fR or interface are specified, the list must be preceded by a colon (":")\&. .sp If left empty or supplied as "\-", 0\&.0\&.0\&.0/0 is assumed\&. .RE .PP \fBDEST\fR \- [\fB\-\fR|[$FW|\fIinterface\fR]|[{$FW|interface}[\fI:address\fR[,\fIaddress\fR]\&.\&.\&.]]|[\fIaddress\fR[,\fIaddress\fR]\&.\&.\&.] .RS 4 \fB$FW\fR matches packets addressed to the firewall itself, while \fIinterface\fR specifies packets arriving on the named interface\&. Neither may be specified if the target is \fBNOTRACK\fR or \fBDROP\fR\&. 
.sp This column may also include a comma\-separated list of IP/subnet addresses\&. If your kernel and iptables include iprange match support, IP address ranges are also allowed\&. Ipsets and exclusion are also supported\&. When \fB$FW\fR or interface are specified, the list must be preceded by a colon (":")\&. .sp If left empty or supplied as "\-", 0\&.0\&.0\&.0/0 is assumed\&. Note that an \fBACCEPT\fR entry whose SOURCE and DEST are both empty therefore accepts all traffic while the firewall is stopped; keep entries in this file as specific as possible\&. .RE .PP \fBPROTO (Optional)\fR \(en \fIprotocol\-name\-or\-number\fR[,\&.\&.\&.] .RS 4 Protocol\&. .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&. .RE .PP \fBDPORT\fR \(en \fIservice\-name/port\-number\-list\fR .RS 4 Optional\&. A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&. .sp This column was formerly labelled DEST PORT(S)\&. .RE .PP \fBSPORT\fR \(en \fIservice\-name/port\-number\-list\fR .RS 4 Optional\&. A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&. .sp Beginning with Shorewall 4\&.5\&.15, you may place \*(Aq=\*(Aq in this column, provided that the DPORT column is non\-empty\&. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DPORT\&. Use of \*(Aq=\*(Aq requires multi\-port match in your iptables and kernel\&. .sp This column was formerly labelled SOURCE PORT(S)\&. .RE .SH "FILES" .PP /etc/shorewall/stoppedrules .PP /etc/shorewall6/stoppedrules .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/starting_and_stopping_shorewall\&.htm\fR\m[]\&\s-2\u[1]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[2]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 
4 http://www.shorewall.net/starting_and_stopping_shorewall.htm .RS 4 \%http://www.shorewall.org/starting_and_stopping_shorewall.htm .RE .IP " 2." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-tcdevices.50000664000000000000000000002167613453771307020241 0ustar rootroot'\" t .\" Title: shorewall-tcdevices .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-TCDEVICES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" tcdevices \- Shorewall Traffic Shaping Devices file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/tcdevices\fR\ 'u \fB/etc/shorewall[6]/tcdevices\fR .SH "DESCRIPTION" .PP Entries in this file define the bandwidth for interfaces on which you want traffic shaping to be enabled\&. 
.PP If you do not plan to use traffic shaping for a device, don\*(Aqt put it in here as it limits the throughput of that device to the limits you set here\&. .PP A note on the \fIbandwidth\fR definitions used in this file: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} don\*(Aqt use a space between the integer value and the unit: 30kbit is valid while 30 kbit is not\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} you can use one of the following units: .PP \fBkbps\fR .RS 4 Kilobytes per second\&. .RE .PP \fBmbps\fR .RS 4 Megabytes per second\&. .RE .PP \fBkbit\fR .RS 4 Kilobits per second\&. .RE .PP \fBmbit\fR .RS 4 Megabits per second\&. .RE .PP \fBbps\fR or \fBnumber\fR .RS 4 Bytes per second\&. .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Only whole integers are allowed\&. .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBINTERFACE\fR \- [\fInumber\fR:]\fIinterface\fR .RS 4 Name of \fIinterface\fR\&. Each interface may be listed only once in this file\&. You may NOT specify the name of an alias (e\&.g\&., eth0:0) here; see \m[blue]\fBhttp://www\&.shorewall\&.net/FAQ\&.htm#faq18\fR\m[]\&\s-2\u[1]\d\s+2 .sp You may NOT specify wildcards here, e\&.g\&. if you have multiple ppp interfaces, you need to put them all in here! .sp If the device doesn\*(Aqt exist, a warning message will be issued during "shorewall [re]start" and "shorewall reload" and traffic shaping configuration will be skipped for that device\&. .sp Shorewall assigns a sequential interface number to each interface (the first entry in the file is interface 1, the second is interface 2 and so on) You can explicitly specify the interface number by prefixing the interface name with the number and a colon (":")\&. Example: 1:eth0\&. 
.RE .PP \fBIN\-BANDWIDTH (in_bandwidth)\fR \- {\-|\fIbandwidth\fR[:\fIburst\fR]|~\fIbandwidth\fR[:\fIinterval\fR:\fIdecay_interval\fR]} .RS 4 The incoming \fIbandwidth\fR of that interface\&. Please note that you are not able to do traffic shaping on incoming traffic, as the traffic is already received before you could do so\&. But this allows you to define the maximum traffic allowed for this interface in total; if the rate is exceeded, the packets are dropped\&. You want this mainly if you have a DSL or Cable connection to avoid queuing at your provider\*(Aqs side\&. .sp If you don\*(Aqt want any traffic to be dropped, set this to zero, in which case Shorewall will not create an ingress qdisc\&. It must be set to zero if the REDIRECTED INTERFACES column is non\-empty\&. .sp The optional burst option was added in Shorewall 4\&.4\&.18\&. The default \fIburst\fR is 10kb\&. A larger \fIburst\fR can help make the \fIbandwidth\fR more accurate; often for fast lines, the enforced rate is well below the specified \fIbandwidth\fR\&. .sp What is described above creates a rate/burst policing filter\&. Beginning with Shorewall 4\&.4\&.25, a rate\-estimated policing filter may be configured instead\&. Rate\-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by default\&. See \m[blue]\fBShorewall FAQ 97a\fR\m[]\&\s-2\u[2]\d\s+2\&. .sp To create a rate\-estimated filter, precede the bandwidth with a tilde ("~")\&. The optional interval and decay_interval determine how often the rate is estimated and how many samples are retained for estimating\&. Please see \m[blue]\fBhttp://ace\-host\&.stuart\&.id\&.au/russell/files/tc/doc/estimators\&.txt\fR\m[] for details\&. If not specified, the default \fIinterval\fR is 250ms and the default \fIdecay_interval\fR is 4sec\&. .RE .PP \fBOUT\-BANDWIDTH\fR (out_bandwidth) \- \fIbandwidth\fR .RS 4 The outgoing \fIbandwidth\fR of that interface\&. 
This is the maximum speed your connection can handle\&. It is also the speed you can refer as "full" if you define the tc classes in \m[blue]\fBshorewall\-tcclasses\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. Outgoing traffic above this rate will be dropped\&. .RE .PP \fBOPTIONS\fR \- {\fB\-\fR|\fB{classify\fR|\fBhtb|hfsc\fR|\fBlinklayer\fR={\fBethernet\fR|\fBatm\fR|\fBadsl\fR}|\fBtsize\fR=\fItsize\fR|\fBmtu\fR=\fImtu\fR|\fBmpu\fR=\fImpu\fR|\fBoverhead\fR=\fIoverhead\fR} ,\&.\&.\&.} .RS 4 \fBclassify\fR \(em When specified, Shorewall will not generate tc or Netfilter rules to classify traffic based on packet marks\&. You must do all classification using CLASSIFY rules in \m[blue]\fBshorewall\-mangle\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. .sp \fBhtb\fR \- Use the Hierarchical Token Bucket queuing discipline\&. This is the default\&. .sp \fBhfsc\fR \- Shorewall normally uses the Hierarchical Token Bucket queuing discipline\&. When \fBhfsc\fR is specified, the Hierarchical Fair Service Curves discipline is used instead (see tc\-hfsc (7))\&. .sp \fBlinklayer\fR \- Added in Shorewall 4\&.5\&.6\&. Type of link (ethernet, atm, adsl)\&. When specified, causes scheduler packet size manipulation as described in tc\-stab (8)\&. When this option is given, the following options may also be given after it: \fBmtu\fR=\fImtu\fR \- The device MTU; default 2048 (will be rounded up to a power of two) .sp \fBmpu\fR=\fImpubytes\fR \- Minimum packet size used in calculations\&. Smaller packets will be rounded up to this size .sp \fBtsize\fR=\fItablesize\fR \- Size table entries; default is 512 .sp \fBoverhead\fR=\fIoverheadbytes\fR \- Number of overhead bytes per packet\&. .RE .PP \fBREDIRECTED INTERFACES\fR (redirect)\- [\fIinterface\fR[,\fIinterface\fR]\&.\&.\&.] .RS 4 May only be specified if the interface in the INTERFACE column is an Intermediate Frame Block (IFB) device\&. 
Causes packets that enter each listed interface to be passed through the egress filters defined for this device, thus providing a form of incoming traffic shaping\&. When this column is non\-empty, the \fBclassify\fR option is assumed\&. .RE .SH "EXAMPLES" .PP Example 1: .RS 4 Suppose you are using PPP over Ethernet (DSL) and ppp0 is the interface for this\&. The device has an outgoing bandwidth of 500kbit and an incoming bandwidth of 6000kbit .sp .if n \{\ .RS 4 .\} .nf #INTERFACE IN\-BANDWIDTH OUT\-BANDWIDTH OPTIONS REDIRECTED # INTERFACES 1:ppp0 6000kbit 500kbit .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/tcdevices .PP /etc/shorewall6/tcdevices .SH "SEE ALSO" .PP tc\-hfsc (7) .PP \m[blue]\fBhttp://www\&.shorewall\&.net/traffic_shaping\&.htm\fR\m[]\&\s-2\u[5]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[6]\d\s+2 .PP \m[blue]\fBhttp://ace\-host\&.stuart\&.id\&.au/russell/files/tc/doc/estimators\&.txt\fR\m[] .PP shorewall(8) .SH "NOTES" .IP " 1." 4 http://www.shorewall.net/FAQ.htm#faq18 .RS 4 \%http://www.shorewall.org/FAQ.htm#faq18 .RE .IP " 2." 4 Shorewall FAQ 97a .RS 4 \%http://www.shorewall.org/FAQ.htm#faq97a .RE .IP " 3." 4 shorewall-tcclasses .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcclasses.html .RE .IP " 4." 4 shorewall-mangle .RS 4 \%http://www.shorewall.org/manpages/shorewall-mangle.html .RE .IP " 5." 4 http://www.shorewall.net/traffic_shaping.htm .RS 4 \%http://www.shorewall.org/traffic_shaping.htm .RE .IP " 6." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-files.50000664000000000000000000007135413453771252017367 0ustar rootroot'\" t .\" Title: shorewall-files .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-FILES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" files \- Shorewall Configuration Files .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/*\fR\ 'u \fB/etc/shorewall[6]/*\fR .SH "DESCRIPTION" .PP The following are the Shorewall[6] configuration files: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall/shorewall\&.conf and /etc/shorewall6/shorewall6\&.conf\fR\m[]\&\s-2\u[1]\d\s+2 \- used to set global firewall parameters\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/params\fR\m[]\&\s-2\u[2]\d\s+2 \- use this file to set shell variables that you will expand in other files\&. It is always processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in /etc/shorewall/shorewall\&.conf\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/zones\fR\m[]\&\s-2\u[3]\d\s+2 \- partition the firewall\*(Aqs view of the world into zones\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/policy\fR\m[]\&\s-2\u[4]\d\s+2 \- establishes firewall high\-level policy\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/initdone \- An optional Perl script that will be invoked by the Shorewall rules compiler when the compiler has finished it\*(Aqs initialization\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/interfaces\fR\m[]\&\s-2\u[5]\d\s+2 \- describes the interfaces on the firewall system\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/hosts\fR\m[]\&\s-2\u[6]\d\s+2 \- allows defining zones in terms of individual hosts and subnetworks\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/masq\fR\m[]\&\s-2\u[7]\d\s+2 \- directs the firewall where to use many\-to\-one (dynamic) Network Address Translation (a\&.k\&.a\&. Masquerading) and Source Network Address Translation (SNAT)\&. Superseded by /etc/shorewall[6]/snat in Shorewall 5\&.0\&.14 and not supported in Shorewall 5\&.1\&.0 and later versions\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/mangle\fR\m[]\&\s-2\u[8]\d\s+2 \- supersedes /etc/shorewall/tcrules in Shorewall 4\&.6\&.0\&. Contains rules for packet marking, TTL, TPROXY, etc\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/rules\fR\m[]\&\s-2\u[9]\d\s+2 \- defines rules that are exceptions to the overall policies established in /etc/shorewall/policy\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/nat\fR\m[]\&\s-2\u[10]\d\s+2 \- defines one\-to\-one NAT rules\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall6/proxyarp\fR\m[]\&\s-2\u[11]\d\s+2 \- defines use of Proxy ARP\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall6/proxyndp\fR\m[]\&\s-2\u[12]\d\s+2 \- defines use of Proxy NDP\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/routestopped \- defines hosts accessible when Shorewall is stopped\&. Superseded in Shorewall 4\&.6\&.8 by /etc/shorewall/stoppedrules\&. Not supported in Shorewall 5\&.0\&.0 and later versions\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/tcrules\fR\m[]\&\s-2\u[13]\d\s+2\- The file has a rather unfortunate name because it is used to define marking of packets for later use by both traffic control/shaping and policy routing\&. This file is superseded by /etc/shorewall/mangle in Shorewall 4\&.6\&.0\&. Not supported in Shorewall 5\&.0\&.0 and later releases\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/tos\fR\m[]\&\s-2\u[14]\d\s+2 \- defines rules for setting the TOS field in packet headers\&. 
Superseded in Shorewall 4\&.5\&.1 by the TOS target in /etc/shorewall/tcrules (which file has since been superseded by /etc/shorewall/mangle)\&. Not supported in Shorewall 5\&.0\&.0 and later versions\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/tunnels\fR\m[]\&\s-2\u[15]\d\s+2 \- defines tunnels (VPN) with end\-points on the firewall system\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/blacklist\fR\m[]\&\s-2\u[16]\d\s+2 \- Deprecated in favor of /etc/shorewall/blrules\&. Lists blacklisted IP/subnet/MAC addresses\&. Not supported in Shorewall 5\&.0\&.0 and later releases\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/blrules \(em Added in Shorewall 4\&.5\&.0\&. Define blacklisting and whitelisting\&. Supersedes /etc/shorewall/blacklist\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/init \- shell commands that you wish to execute at the beginning of a \(lqshorewall start\(rq, "shorewall reload" or \(lqshorewall restart\(rq\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/start \- shell commands that you wish to execute near the completion of a \(lqshorewall start\(rq, "shorewall reload" or \(lqshorewall restart\(rq .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/started \- shell commands that you wish to execute after the completion of a \(lqshorewall start\(rq, "shorewall reload" or \(lqshorewall restart\(rq .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/stop\- commands that you wish to execute at the beginning of a \(lqshorewall stop\(rq\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /etc/shorewall[6]/stopped \- shell commands that you wish to execute at the completion of a \(lqshorewall stop\(rq\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall/ecn\fR\m[]\&\s-2\u[17]\d\s+2 \- disable Explicit Congestion Notification (ECN \- RFC 3168) to remote hosts or networks\&. Superseded by ECN entries in /etc/shorewall/mangle in Shorewall 5\&.0\&.6\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall/accounting\fR\m[]\&\s-2\u[18]\d\s+2 \- define IP traffic accounting rules .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/actions\fR\m[]\&\s-2\u[19]\d\s+2 and /usr/share/shorewall[6]/action\&.template allow user\-defined actions\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/providers\fR\m[]\&\s-2\u[20]\d\s+2 \- defines alternate routing tables\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/rtrules\fR\m[]\&\s-2\u[21]\d\s+2 \- Defines routing rules to be used in conjunction with the routing tables defined in /etc/shorewall/providers\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/tcdevices\fR\m[]\&\s-2\u[22]\d\s+2, \m[blue]\fB/etc/shorewall[6]/tcclasses\fR\m[]\&\s-2\u[23]\d\s+2, \m[blue]\fB/etc/shorewall[6]/tcfilters\fR\m[]\&\s-2\u[24]\d\s+2 \- Define complex traffic shaping\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/tcrules\fR\m[]\&\s-2\u[13]\d\s+2 \- Mark or classify traffic for traffic shaping or multiple providers\&. Deprecated in Shorewall 4\&.6\&.0 in favor of /etc/shorewall/mangle\&. 
Not supported in Shorewall 5\&.0\&.0 and later releases\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/tcinterfaces\fR\m[]\&\s-2\u[25]\d\s+2 and \m[blue]\fB/etc/shorewall[6]/tcpri\fR\m[]\&\s-2\u[26]\d\s+2 \- Define simple traffic shaping\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/secmarks\fR\m[]\&\s-2\u[27]\d\s+2 \- Added in Shorewall 4\&.4\&.13\&. Attach an SELinux context to selected packets\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/vardir\fR\m[]\&\s-2\u[28]\d\s+2 \- Determines the directory where Shorewall maintains its state\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall/arprules\fR\m[]\&\s-2\u[29]\d\s+2 \(em Added in Shorewall 4\&.5\&.12\&. Allows specification of arptables rules\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall/mangle\fR\m[]\&\s-2\u[8]\d\s+2 \-\- Added in Shorewall 4\&.6\&.0\&. Supersedes/etc/shorewall/tcrules\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \m[blue]\fB/etc/shorewall[6]/snat\fR\m[]\&\s-2\u[30]\d\s+2 \- directs the firewall where to use many\-to\-one (dynamic) Network Address Translation (a\&.k\&.a\&. Masquerading) and Source Network Address Translation (SNAT)\&. Superseded /etc/shorewall[6]/masq in Shorewall 5\&.0\&.14 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /usr/share/shorewall[6]/actions\&.std \- Actions defined by Shorewall\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /usr/share/shorewall[6]/action\&.* \- Details of actions defined by Shorewall\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /usr/share/shorewall[6]/macro\&.* \- Details of macros defined by Shorewall\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /usr/share/shorewall[6]/modules \(em Specifies the kernel modules to be loaded during shorewall start/restart\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} /usr/share/shorewall[6]/helpers \(em Added in Shorewall 4\&.4\&.7\&. Specifies the kernel modules to be loaded during shorewall start/restart when LOAD_HELPERS_ONLY=Yes in shorewall\&.conf\&. .RE .SH "CONFIG_PATH" .PP The CONFIG_PATH option in \m[blue]\fBshorewall[6]\&.conf(5)\fR\m[]\&\s-2\u[20]\d\s+2 determines where the compiler searches for configuration files\&. The default setting is CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the compiler first looks in /etc/shorewall and if it doesn\*(Aqt find the file, it then looks in /usr/share/shorewall\&. .PP You can change this setting to have the compiler look in different places\&. For example, if you want to put your own versions of standard macros in /etc/shorewall/Macros, then you could set CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and the compiler will use your versions rather than the standard ones\&. .SH "COMMENTS" .PP You may place comments in configuration files by making the first non\-whitespace character a pound sign (\(lq#\(rq)\&. You may also place comments at the end of any line, again by delimiting the comment from the rest of the line with a pound sign\&. 
.PP \fBExample\ \&1.\ \&Comments in a Configuration File\fR .sp .if n \{\ .RS 4 .\} .nf # This is a comment ACCEPT net $FW tcp www #This is an end\-of\-line comment .fi .if n \{\ .RE .\} .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP Except in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[1]\d\s+2 and \m[blue]\fBparams(5)\fR\m[]\&\s-2\u[2]\d\s+2, if a comment ends with a backslash ("\e"), the next line will also be treated as a comment\&. See Line Continuation below\&. .sp .5v .RE .SH "BLANK LINES" .PP Most of the configuration files are organized into space\-separated columns\&. If you don\*(Aqt want to supply a value in a column but want to supply a value in a following column, simply enter \*(Aq\-\*(Aq to make the column appear empty\&. .PP Example: .sp .if n \{\ .RS 4 .\} .nf #INTERFACE BROADCAST OPTIONS br0 \- routeback .fi .if n \{\ .RE .\} .SH "LINE CONTINUATION" .PP Lines may be continued using the usual backslash (\(lq\e\(rq) followed immediately by a new line character (Enter key)\&. .sp .if n \{\ .RS 4 .\} .nf ACCEPT net $FW tcp \e\(CR smtp,www,pop3,imap #Services running on the firewall .fi .if n \{\ .RE .\} .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP What follows does NOT apply to \m[blue]\fBshorewall\-params(5)\fR\m[]\&\s-2\u[31]\d\s+2 and \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[1]\d\s+2\&. .sp .5v .RE .PP In certain cases, leading white space is ignored in continuation lines: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} The continued line ends with a colon (":") .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 
4.2 .\} The continued line ends with a comma (",") .RE .PP Example (/etc/shorewall/rules): .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT ACCEPT net:\e 206\&.124\&.146\&.177,\e 206\&.124\&.146\&.178,\e 206\&.124\&.146\&.180\e dmz tcp 873 .fi .if n \{\ .RE .\} .PP The leading white space on the first through third continuation lines is ignored so the SOURCE column effectively contains "net:206\&.124\&.146\&.177,206\&.124\&.147\&.178,206\&.124\&.146\&.180"\&. Because the third continuation line does not end with a comma or colon, the leading white space in the last line is not ignored\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP A trailing backslash is not ignored in a comment\&. So the continued rule above can be commented out with a single \*(Aq#\*(Aq as follows: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT \fB#\fRACCEPT net:\e 206\&.124\&.146\&.177,\e 206\&.124\&.146\&.178,\e 206\&.124\&.146\&.180\e dmz tcp 873 .fi .if n \{\ .RE .\} .sp .5v .RE .SH "ALTERNATIVE SPECIFICATION OF COLUMN VALUES" .PP Some of the configuration files now have a large number of columns\&. That makes it awkward to specify a value for one of the right\-most columns as you must have the correct number of intervening \*(Aq\-\*(Aq columns\&. .PP This problem is addressed by allowing column values to be specified as \fIcolumn\-name\fR/\fIvalue\fR pairs\&. .PP There is considerable flexibility in how you specify the pairs: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} At any point, you can enter a left curly bracket (\*(Aq{\*(Aq) followed by one or more specifications of the following forms: .RS 4 \fIcolumn\-name\fR=\fIvalue\fR .RE .RS 4 \fIcolumn\-name\fR=\fI>value\fR .RE .RS 4 \fIcolumn\-name\fR:\fIvalue\fR .RE The pairs must be followed by a right curly bracket ("}")\&. .sp The value may optionally be enclosed in double quotes\&. 
.sp The pairs must be separated by white space, but you can add a comma adjacent to the \fIvalues\fR for readability as in: .RS 4 \fB{ proto=>udp, port=1024 }\fR .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You can also separate the pairs from columns by using a semicolon: .RS 4 \fB; proto:udp, port:1024\fR .RE .RE .PP In Shorewall 5\&.0\&.3, the sample configuration files and the man pages were updated to use the same column names in both the column headings and in the alternate specification format\&. The following table shows the column names for each of the table\-oriented configuration files\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .PP Column names are \fBcase\-insensitive\fR\&. .sp .5v .RE .TS allbox tab(:); l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l. T{ \fBFile\fR T}:T{ \fBColumn names\fR T} T{ accounting T}:T{ action,chain, source, dest, proto, dport, sport, user, mark, ipsec, headers T} T{ conntrack T}:T{ action,source,dest,proto,dport,sport,user,switch T} T{ blacklist T}:T{ networks,proto,port,options T} T{ blrules T}:T{ action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper T} T{ ecn T}:T{ interface,hosts\&. Beginning with Shorewall 4\&.5\&.4, \*(Aqhost\*(Aq is a synonym for \*(Aqhosts\*(Aq\&. T} T{ hosts T}:T{ zone,hosts,options\&. Beginning with Shorewall 4\&.5\&.4, \*(Aqhost\*(Aq is a synonym for \*(Aqhosts\*(Aq\&. 
T} T{ interfaces T}:T{ zone,interface,broadcast,options T} T{ maclist T}:T{ disposition,interface,mac,addresses T} T{ mangle T}:T{ action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers T} T{ masq T}:T{ interface,source,address,proto,port,ipsec,mark,user,switch T} T{ nat T}:T{ external,interface,internal,allints,local T} T{ netmap T}:T{ type,net1,interface,net2,net3,proto,dport,sport T} T{ notrack T}:T{ source,dest,proto,dport,sport,user T} T{ policy T}:T{ source,dest,policy,loglevel,limit,connlimit T} T{ providers T}:T{ table,number,mark,duplicate,interface,gateway,options,copy T} T{ proxyarp and proxyndp T}:T{ address,interface,external,haveroute,persistent T} T{ rtrules T}:T{ source,dest,provider,priority T} T{ routes T}:T{ provider,dest,gateway,device T} T{ routestopped T}:T{ interface,hosts,options,proto,dport,sport T} T{ rules T}:T{ action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper T} T{ secmarks T}:T{ secmark,chain,source,dest,proto,dport,sport,user,mark T} T{ tcclasses T}:T{ interface,mark,rate,ceil,prio,options T} T{ tcdevices T}:T{ interface,in_bandwidth,out_bandwidth,options,redirect T} T{ tcfilters T}:T{ class,source,dest,proto,dport,sport,tos,length T} T{ tcinterfaces T}:T{ interface,type,in_bandwidth,out_bandwidth T} T{ tcpri T}:T{ band,proto,port,address,interface,helper T} T{ tcrules T}:T{ mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers\&. Beginning with Shorewall 4\&.5\&.3, \*(Aqaction\*(Aq is a synonym for \*(Aqmark\*(Aq\&. T} T{ tos T}:T{ source,dest,proto,dport,sport,tos,mark T} T{ tunnels T}:T{ type,zone,gateway,gateway_zone\&. Beginning with Shorewall 4\&.5\&.3, \*(Aqgateways\*(Aq is a synonym for \*(Aqgateway\*(Aq\&. Beginning with Shorewall 4\&.5\&.4, \*(Aqgateway_zones\*(Aq is a synonym for \*(Aqgateway_zone\*(Aq\&. 
T} T{ zones T}:T{ zone,type,options,in_options,out_options T} .TE .sp 1 .PP Example (rules file): .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT DNAT net loc:10\&.0\&.0\&.1 tcp 80 ; mark="88" .fi .if n \{\ .RE .\} .PP Here\*(Aqs the same line in several equivalent formats: .sp .if n \{\ .RS 4 .\} .nf { action=>DNAT, source=>net, dest=>loc:10\&.0\&.0\&.1, proto=>tcp, dport=>80, mark=>88 } ; action:"DNAT" source:"net" dest:"loc:10\&.0\&.0\&.1" proto:"tcp" dport:"80" mark:"88" DNAT { source=net dest=loc:10\&.0\&.0\&.1 proto=tcp dport=80 mark=88 } .fi .if n \{\ .RE .\} .PP Beginning with Shorewall 5\&.0\&.11, ip[6]table comments can be attached to individual rules using the \fBcomment\fR keyword\&. .PP Example from the rules file: .sp .if n \{\ .RS 4 .\} .nf ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \e"SSH\e"" } .fi .if n \{\ .RE .\} .PP As shown in that example, when the comment contains whitespace, it must be enclosed in double quotes and any embedded double quotes must be escaped using a backslash ("\e")\&. .SH "TIME COLUMNS" .PP Several of the files include a TIME column that allows you to specify times when the rule is to be applied\&. The contents of this column are a list of \fItimeelement\fRs separated by ampersands (&)\&. .PP Each \fItimeelement\fR is one of the following: .PP timestart=\fIhh\fR:\fImm\fR[:\fIss\fR] .RS 4 Defines the starting time of day\&. .RE .PP timestop=\fIhh\fR:\fImm\fR[:\fIss\fR] .RS 4 Defines the ending time of day\&. .RE .PP contiguous .RS 4 Added in Shorewall 5\&.0\&.12\&. When the \fBtimestop\fR value is smaller than the \fBtimestart\fR value, match this as a single time period instead of distinct intervals\&. See the Examples below\&. .RE .PP utc .RS 4 Times are expressed in Greenwich Mean Time\&. .RE .PP localtz .RS 4 Deprecated by the Netfilter team in favor of \fBkerneltz\fR\&. Times are expressed in Local Civil Time (default)\&. .RE .PP kerneltz .RS 4 Added in Shorewall 4\&.5\&.2\&.
Times are expressed in Local Kernel Time (requires iptables 1\&.4\&.12 or later)\&. .RE .PP weekdays=ddd[,ddd]\&.\&.\&. .RS 4 where \fIddd\fR is one of \fBMon\fR, \fBTue\fR, \fBWed\fR, \fBThu\fR, \fBFri\fR, \fBSat\fR or \fBSun\fR .RE .PP monthdays=dd[,dd],\&.\&.\&. .RS 4 where \fIdd\fR is an ordinal day of the month .RE .PP datestart=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]] .RS 4 Defines the starting date and time\&. .RE .PP datestop=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]] .RS 4 Defines the ending date and time\&. .RE .PP Examples: .PP To match on weekends, use: .RS 4 .sp weekdays=Sat,Sun .RE .PP Or, to match (once) on a national holiday block: .RS 4 .sp datestart=2016\-12\-24&datestop=2016\-12\-27 .RE .PP Since the stop time is actually inclusive, you would need the following stop time to not match the first second of the new day: .RS 4 .sp datestart=2016\-12\-24T17:00&datestop=2016\-12\-27T23:59:59 .RE .PP During Lunch Hour .RS 4 .RE .PP The fourth Friday in the month: .RS 4 .sp weekdays=Fri&monthdays=22,23,24,25,26,27,28 .RE .PP Matching across days might not do what is expected\&. For instance, .RS 4 .sp weekdays=Mon&timestart=23:00&timestop=01:00 .sp Will match Monday, for one hour from midnight to 1 a\&.m\&., and then again for another hour from 23:00 onwards\&. If this is unwanted, e\&.g\&. if you would like \*(Aqmatch for two hours from Monday 23:00 onwards\*(Aq you need to also specify the \fBcontiguous\fR option in the example above\&. .RE .SH "SWITCHES" .PP There are times when you would like to enable or disable one or more rules in the configuration without having to do a \fBshorewall reload\fR or \fBshorewall restart\fR\&. This may be accomplished using the SWITCH column in \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[32]\d\s+2 (5) or \m[blue]\fBshorewall6\-rules\fR\m[]\&\s-2\u[33]\d\s+2 (5)\&.
Using this column requires that your kernel and iptables include Condition Match Support and you must be running Shorewall 4\&.4\&.24 or later\&. See the output of \fBshorewall show capabilities\fR and \fBshorewall version\fR to determine if you can use this feature\&. .PP The SWITCH column contains the name of a switch\&. Each switch is initially in the \fBoff\fR position\&. You can turn on the switch named \fIswitch1\fR by: .RS 4 \fBecho 1 > /proc/net/nf_condition/switch1\fR .RE .PP You can turn it off again by: .RS 4 \fBecho 0 > /proc/net/nf_condition/switch1\fR .RE .PP If you simply include the switch name in the SWITCH column, then the rule is enabled only when the switch is \fBon\fR\&. If you precede the switch name with ! (e\&.g\&., !switch1), then the rule is enabled only when the switch is \fBoff\fR\&. Switch settings are retained over \fBshorewall restart\fR\&. .PP Shorewall requires that switch names: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} begin with a letter and be composed of letters, digits, underscore (\*(Aq_\*(Aq) or hyphen (\*(Aq\-\*(Aq); and .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} be 30 characters or less in length\&. .RE .PP Multiple rules can be controlled by the same switch\&. .PP Example: .PP Forward port 80 to dmz host $BACKUP if switch \*(Aqprimary_down\*(Aq is on\&. .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH DNAT net dmz:$BACKUP tcp 80 \- \- \- \- \- \- \- \- \fBprimary_down\fR .fi .if n \{\ .RE .\} .SH "FILES" .PP /etc/shorewall[6]/* .SH "NOTES" .IP " 1." 4 /etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf .RS 4 \%http://www.shorewall.orgshorewall.conf.html .RE .IP " 2." 4 /etc/shorewall[6]/params .RS 4 \%http://www.shorewall.orgshorewall-params.html .RE .IP " 3." 4 /etc/shorewall[6]/zones .RS 4 \%http://www.shorewall.orgshorewall-zones.html .RE .IP " 4." 
4 /etc/shorewall[6]/policy .RS 4 \%http://www.shorewall.orgshorewall-policy.html .RE .IP " 5." 4 /etc/shorewall[6]/interfaces .RS 4 \%http://www.shorewall.orgshorewall-interfaces.html .RE .IP " 6." 4 /etc/shorewall[6]/hosts .RS 4 \%http://www.shorewall.orgshorewall-hosts.html .RE .IP " 7." 4 /etc/shorewall[6]/masq .RS 4 \%http://www.shorewall.orgshorewall-masq.html .RE .IP " 8." 4 /etc/shorewall[6]/mangle .RS 4 \%http://www.shorewall.orgshorewall-mangle.html .RE .IP " 9." 4 /etc/shorewall[6]/rules .RS 4 \%http://www.shorewall.orgshorewall-rules.html .RE .IP "10." 4 /etc/shorewall[6]/nat .RS 4 \%http://www.shorewall.orgshorewall-nat.html .RE .IP "11." 4 /etc/shorewall6/proxyarp .RS 4 \%http://www.shorewall.orgshorewall-proxyarp.html .RE .IP "12." 4 /etc/shorewall6/proxyndp .RS 4 \%http://www.shorewall.orgshorewall-proxyndp.html .RE .IP "13." 4 /etc/shorewall[6]/tcrules .RS 4 \%http://www.shorewall.orgshorewall-tcrules.html .RE .IP "14." 4 /etc/shorewall[6]/tos .RS 4 \%http://www.shorewall.orgshorewall-tos.html .RE .IP "15." 4 /etc/shorewall[6]/tunnels .RS 4 \%http://www.shorewall.orgshorewall-tunnels.html .RE .IP "16." 4 /etc/shorewall[6]/blacklist .RS 4 \%http://www.shorewall.orgshorewall-blacklist.html .RE .IP "17." 4 /etc/shorewall/ecn .RS 4 \%http://www.shorewall.orgshorewall-ecn.html .RE .IP "18." 4 /etc/shorewall/accounting .RS 4 \%http://www.shorewall.orgshorewall-accounting.html .RE .IP "19." 4 /etc/shorewall[6]/actions .RS 4 \%http://www.shorewall.orgshorewall-actions.html .RE .IP "20." 4 /etc/shorewall[6]/providers .RS 4 \%http://www.shorewall.org??? .RE .IP "21." 4 /etc/shorewall[6]/rtrules .RS 4 \%http://www.shorewall.orgshorewall-rtrules.html .RE .IP "22." 4 /etc/shorewall[6]/tcdevices .RS 4 \%http://www.shorewall.orgshorewall-tcdevices.html .RE .IP "23." 4 /etc/shorewall[6]/tcclasses .RS 4 \%http://www.shorewall.orgshorewall-tcclasses.html .RE .IP "24." 4 /etc/shorewall[6]/tcfilters .RS 4 \%http://www.shorewall.orgshorewall-tcfilters.html .RE .IP "25." 
4 /etc/shorewall[6]/tcinterfaces .RS 4 \%http://www.shorewall.orgshorewall-tcinterfaces.html .RE .IP "26." 4 /etc/shorewall[6]/tcpri .RS 4 \%http://www.shorewall.orgshorewall-tcpri.html .RE .IP "27." 4 /etc/shorewall[6]/secmarks .RS 4 \%http://www.shorewall.orgshorewall-secmarks.html .RE .IP "28." 4 /etc/shorewall[6]/vardir .RS 4 \%http://www.shorewall.orgshorewall-vardir.html .RE .IP "29." 4 /etc/shorewall/arprules .RS 4 \%http://www.shorewall.orgshorewall-arprules.html .RE .IP "30." 4 /etc/shorewall[6]/snat .RS 4 \%http://www.shorewall.orgshorewall-snat.html .RE .IP "31." 4 shorewall-params(5) .RS 4 \%http://www.shorewall.orgmanpages/shorewall-params.html .RE .IP "32." 4 shorewall-rules .RS 4 \%http://www.shorewall.orgmanpages/shorewall-rules.html .RE .IP "33." 4 shorewall6-rules .RS 4 \%http://www.shorewall.orgmanpages6/shorewall6-rules.html .RE shorewall-5.2.3.4/manpages/shorewall-proxyarp.50000664000000000000000000000741113453771274020146 0ustar rootroot'\" t .\" Title: shorewall-proxyarp .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-PROXYARP" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification 
(adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" proxyarp \- Shorewall Proxy ARP file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall/proxyarp\fR\ 'u \fB/etc/shorewall/proxyarp\fR .SH "DESCRIPTION" .PP IPv4 only\&. .PP This file is used to define Proxy ARP\&. There is one entry in this file for each IP address to be proxied\&. .PP The columns in the file are as follows\&. .PP \fBADDRESS\fR \- \fIaddress\fR .RS 4 IP Address\&. .RE .PP \fBINTERFACE\fR \- \fIinterface\fR (Optional as of Shorewall 4\&.4\&.16) .RS 4 Local interface to which the system with the IP address in ADDRESS is connected\&. This column is only required when HAVEROUTE is set to \fBNo\fR (\fBno\fR) or is left empty\&. .RE .PP \fBEXTERNAL\fR \- \fIinterface\fR .RS 4 External Interface to be used to access this system from the Internet\&. .RE .PP \fBHAVEROUTE\fR \- [\fB\-\fR|\fBYes\fR|\fBNo\fR] .RS 4 If there is already a route from the firewall to the host whose address is given, enter \fBYes\fR or \fByes\fR in this column\&. Otherwise, enter \fBno\fR or \fBNo\fR or leave the column empty and Shorewall will add the route for you\&. If Shorewall adds the route, it persists only if the \fBPERSISTENT\fR column contains \fBYes\fR; otherwise, \fBshorewall stop\fR or \fBshorewall clear\fR will delete the route\&. .RE .PP \fBPERSISTENT\fR \- [\fB\-\fR|\fBYes\fR|\fBNo\fR] .RS 4 If HAVEROUTE is \fBNo\fR or \fBno\fR, then the value of this column determines if the route added by Shorewall persists after a \fBshorewall stop\fR or a \fBshorewall clear\fR\&. If this column contains \fBYes\fR or \fByes\fR then the route persists; if the column is empty or contains \fBNo\fR or \fBno\fR then the route is deleted by \fBshorewall stop\fR or \fBshorewall clear\fR\&.
.RE .SH "EXAMPLE" .PP Example 1: .RS 4 Host with IP 155\&.186\&.235\&.6 is connected to interface eth1 and we want hosts attached via eth0 to be able to access it using that address\&. .sp .if n \{\ .RS 4 .\} .nf #ADDRESS INTERFACE EXTERNAL 155\&.186\&.235\&.6 eth1 eth0 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/proxyarp .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/ProxyARP\&.htm\fR\m[]\&\s-2\u[1]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[2]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 http://www.shorewall.net/ProxyARP.htm .RS 4 \%http://www.shorewall.org/ProxyARP.htm .RE .IP " 2." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-modules.50000664000000000000000000000672213453771264017735 0ustar rootroot'\" t .\" Title: shorewall-modules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-MODULES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" 
----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" modules \- Shorewall file .SH "SYNOPSIS" .HP \w'\fB/usr/share/shorewall[6]/modules\fR\ 'u \fB/usr/share/shorewall[6]/modules\fR .HP \w'\fB/usr/share/shorewall[6]/helpers\fR\ 'u \fB/usr/share/shorewall[6]/helpers\fR .SH "DESCRIPTION" .PP These files specify which kernel modules Shorewall will load before trying to determine your iptables/kernel\*(Aqs capabilities\&. .PP The modules file is used when LOAD_HELPERS_ONLY=No in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(8); the helpers file is used when LOAD_HELPERS_ONLY=Yes .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP Beginning with Shorewall 5\&.2\&.3, the LOAD_HELPERS_ONLY option has been removed and the behavior is the same as if LOAD_HELPERS_ONLY=Yes was specified\&. .sp .5v .RE .PP Each record in the files has the following format: .HP \w'\fBloadmodule\fR\ 'u \fBloadmodule\fR \fImodulename\fR [\fImoduleoption\fR...] .PP The \fImodulename\fR names a kernel module (without suffix)\&. Shorewall will search for modules based on your MODULESDIR setting in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(8)\&. The \fImoduleoption\fRs are passed to modprobe (if installed) or to insmod\&. .PP The /usr/share/shorewall/modules file contains a large number of modules\&. Users are encouraged to copy the file to /etc/shorewall/modules and modify the copy to load only the modules required or to use LOAD_HELPERS_ONLY=Yes\&..if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .PP If you build monolithic kernels and have not installed module\-init\-tools, then create an empty /etc/shorewall/modules file; that will prevent Shorewall from trying to load modules at all\&. 
.sp .5v .RE .SH "EXAMPLE" .PP loadmodule ip_conntrack_ftp ports=21,221 .SH "FILES" .PP /usr/share/shorewall/modules .PP /usr/share/shorewall/helpers .PP /etc/shorewall/modules .PP /etc/shorewall/helpers .PP /usr/share/shorewall6/modules .PP /usr/share/shorewall6/helpers .PP /etc/shorewall6/modules .PP /etc/shorewall6/helpers .SH "SEE ALSO" .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE shorewall-5.2.3.4/manpages/shorewall-nat.50000664000000000000000000001673713453771266017060 0ustar rootroot'\" t .\" Title: shorewall-nat .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-NAT" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" nat \- Shorewall one\-to\-one NAT file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall/nat\fR\ 'u \fB/etc/shorewall/nat\fR .SH "DESCRIPTION" .PP This file is used to define one\-to\-one Network Address 
Translation (NAT)\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP If all you want to do is simple port forwarding, do NOT use this file\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/FAQ\&.htm#faq1\fR\m[]\&\s-2\u[1]\d\s+2\&. Also, in many cases, Proxy ARP (\m[blue]\fBshorewall\-proxyarp\fR\m[]\&\s-2\u[2]\d\s+2(5)) or Proxy\-NDP (\m[blue]\fBshorewall6\-proxyndp\fR\m[]\&\s-2\u[3]\d\s+2(5)) is a better solution than one\-to\-one NAT\&. .sp .5v .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBEXTERNAL\fR \- {\fIaddress\fR|?COMMENT} .RS 4 External IP Address \- this should NOT be the primary IP address of the interface named in the next column and must not be a DNS Name\&. .sp If you put ?COMMENT in this column, the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries in the file\&. The comment will appear delimited by "/* \&.\&.\&. */" in the output of "shorewall show nat"\&. .sp To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself\&. .RE .PP \fBINTERFACE\fR \- \fIinterfacelist\fR[\fB:\fR[\fIdigit\fR]] .RS 4 Interfaces that have the \fBEXTERNAL\fR address\&. If ADD_IP_ALIASES=Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5), Shorewall will automatically add the EXTERNAL address to this interface\&. Also if ADD_IP_ALIASES=Yes, you may follow the interface name with ":" and a \fIdigit\fR to indicate that you want Shorewall to add the alias with this name (e\&.g\&., "eth0:0")\&. That allows you to see the alias with ifconfig\&. \fBThat is the only thing that this name is good for \-\- you cannot use it anywhere else in your Shorewall configuration\&. 
\fR .sp Each interface must match an entry in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[5]\d\s+2(5)\&. Shorewall allows loose matches to wildcard entries in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[5]\d\s+2(5)\&. For example, ppp0 in this file will match a \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[5]\d\s+2(5) entry that defines ppp+\&. .sp If you want to override ADD_IP_ALIASES=Yes for a particular entry, follow the interface name with ":" and no digit (e\&.g\&., "eth0:")\&. .RE .PP \fBINTERNAL\fR \- \fIaddress\fR .RS 4 Internal Address (must not be a DNS Name)\&. .RE .PP \fBALLINTS\fR \- [\fBYes\fR|\fBNo\fR] .RS 4 If Yes or yes, NAT will be effective from all hosts\&. If No or no (or left empty) then NAT will be effective only through the interface named in the \fBINTERFACE\fR column\&. .sp This column was formerly labelled ALL INTERFACES\&. .RE .PP \fBLOCAL\fR \- [\fBYes\fR|\fBNo\fR] .RS 4 If \fBYes\fR or \fByes\fR, NAT will be effective from the firewall system\&. .RE .SH "RESTRICTIONS" .PP DNAT rules always preempt one\-to\-one NAT rules\&. This has subtle consequences when there are sub\-zones on an \fIinterface\fR\&. Consider the following: .PP /etc/shorewall/zones: .sp .if n \{\ .RS 4 .\} .nf #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 loc ipv4 smc:net ipv4 .fi .if n \{\ .RE .\} .PP /etc/shorewall/interfaces: .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE OPTIONS net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 loc eth1 tcpflags,nosmurfs,routefilter,logmartians .fi .if n \{\ .RE .\} .PP /etc/shorewall/hosts: .sp .if n \{\ .RS 4 .\} .nf #ZONE HOST(S) OPTIONS smc eth0:10\&.1\&.10\&.0/24 .fi .if n \{\ .RE .\} .PP /etc/shorewall/nat: .sp .if n \{\ .RS 4 .\} .nf #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL 10\&.1\&.10\&.100 eth0 172\&.20\&.1\&.100 .fi .if n \{\ .RE .\} .PP Note that the EXTERNAL address is in the \fBsmc\fR zone\&. 
.PP /etc/shorewall/rules: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW \&.\&.\&. DNAT net loc:172\&.20\&.1\&.4 tcp 80 .fi .if n \{\ .RE .\} .PP For the one\-to\-one NAT to work correctly in this configuration, one of two approaches can be taken: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} Define a CONTINUE policy with \fBsmc\fR as the SOURCE zone (preferred): .sp .if n \{\ .RS 4 .\} .nf #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST \fBsmc $FW CONTINUE\fR loc net ACCEPT net all DROP info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info .fi .if n \{\ .RE .\} .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} Set IMPLICIT_CONTINUE=Yes in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[4]\d\s+2\&. .RE .SH "FILES" .PP /etc/shorewall/nat .PP /etc/shorewall6/nat .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/NAT\&.htm\fR\m[]\&\s-2\u[6]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[7]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 http://www.shorewall.net/FAQ.htm#faq1 .RS 4 \%http://www.shorewall.org/FAQ.htm#faq1 .RE .IP " 2." 4 shorewall-proxyarp .RS 4 \%http://www.shorewall.org/manpages/shorewall-proxyarp.html .RE .IP " 3." 4 shorewall6-proxyndp .RS 4 \%http://www.shorewall.org/manpages6/shorewall6-proxyndp.html .RE .IP " 4." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 5." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP " 6." 4 http://www.shorewall.net/NAT.htm .RS 4 \%http://www.shorewall.org/NAT.htm .RE .IP " 7." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-netmap.50000664000000000000000000001321513453771270017541 0ustar rootroot'\" t .\" Title: shorewall-netmap .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-NETMAP" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" netmap \- Shorewall NETMAP definition file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/netmap\fR\ 'u \fB/etc/shorewall[6]/netmap\fR .SH "DESCRIPTION" .PP This file is used to map addresses in one network to corresponding addresses in a second network\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP To use this file, your kernel and iptables must have NETMAP support included\&. 
.sp .5v .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBTYPE\fR \- \fB{DNAT\fR|\fBSNAT}\fR .RS 4 If DNAT, traffic entering INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2\&. .sp If SNAT, traffic leaving INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2\&. .RE .PP \fBNET1\fR \- \fInetwork\-address\fR .RS 4 Network in CIDR format (e\&.g\&., 192\&.168\&.1\&.0/24)\&. Beginning with Shorewall 4\&.4\&.24, \m[blue]\fBexclusion\fR\m[]\&\s-2\u[1]\d\s+2 is supported\&. .RE .PP \fBINTERFACE\fR \- \fIinterface\fR .RS 4 The name of a network interface\&. The interface must be defined in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. Shorewall allows loose matches to wildcard entries in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. For example, ppp0 in this file will match a \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) entry that defines ppp+\&. .RE .PP \fBNET2\fR \- \fInetwork\-address\fR .RS 4 Network in CIDR format\&. .RE .PP \fBNET3 (Optional)\fR \- \fInetwork\-address\fR .RS 4 Added in Shorewall 4\&.4\&.11\&. If specified, qualifies INTERFACE\&. It specifies a SOURCE network for DNAT rules and a DESTINATION network for SNAT rules\&. .RE .PP \fBPROTO\fR \- \fIprotocol\-number\-or\-name\fR .RS 4 Optional \-\- added in Shorewall 4\&.4\&.23\&.2\&. Only packets specifying this protocol will have their IP header modified\&. .RE .PP \fBDPORT\fR \- \fIport\-number\-or\-name\-list\fR .RS 4 Optional \- added in Shorewall 4\&.4\&.23\&.2\&. Destination Ports\&. A comma\-separated list of Port names (from services(5)), \fIport number\fRs or \fIport range\fRs; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&. 
ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e\&.g\&., 3/4), or a typename\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&\s-2\u[3]\d\s+2\&. .sp If the protocol is \fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example \fBbit\fR for bit\-torrent)\&. If no PORT is given, \fBipp2p\fR is assumed\&. .sp An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following field is supplied\&. .sp This column was formerly labelled DEST PORT(S)\&. .RE .PP \fBSPORT\fR \- \fIport\-number\-or\-name\-list\fR .RS 4 Optional \-\- added in Shorewall 4\&.4\&.23\&.2\&. Source port(s)\&. If omitted, any source port is acceptable\&. Specified as a comma\-separated list of port names, port numbers or port ranges\&. .sp An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following fields is supplied\&. .sp This column was formerly labelled SOURCE PORT(S)\&. .RE .SH "FILES" .PP /etc/shorewall/netmap .PP /etc/shorewall6/netmap .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/netmap\&.html\fR\m[]\&\s-2\u[4]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP " 2." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP " 3." 4 http://www.shorewall.net/configuration_file_basics.htm#ICMP .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#ICMP .RE .IP " 4." 4 http://www.shorewall.net/netmap.html .RS 4 \%http://www.shorewall.org/netmap.html .RE .IP " 5." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-policy.50000664000000000000000000003312213453771272017555 0ustar rootroot'\" t .\" Title: shorewall-policy .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-POLICY" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" policy \- Shorewall policy file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/policy\fR\ 'u \fB/etc/shorewall[6]/policy\fR .SH "DESCRIPTION" .PP This file defines the high\-level policy for connections between zones defined in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP The order of entries in this file is important .PP This file determines what to do with a new connection request if we don\*(Aqt get a match from the \m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[2]\d\s+2(5) or \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[3]\d\s+2(5) files\&. For each source/destination pair, the file is processed in order until a match is found ("all" will match any source or destination)\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP Intra\-zone policies are pre\-defined .PP For $FW and for all of the zones defined in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), the POLICY for connections from the zone to itself is ACCEPT (with no logging or TCP connection rate limiting) but may be overridden by an entry in this file\&. The overriding entry must be explicit (specifying the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall 4\&.5\&.17 or later)\&. .PP Similarly, if you have IMPLICIT_CONTINUE=Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5), then the implicit policy to/from any sub\-zone is CONTINUE\&. These implicit CONTINUE policies may also be overridden by an explicit entry in this file\&. .sp .5v .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBSOURCE\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|\fBall[+][!\fR\fB\fIezone\fR\fR\fB[,\&.\&.\&.]]\fR .RS 4 Source zone\&. Must be the name of a zone defined in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&. .sp Support for \fBall+\fR was added in Shorewall 4\&.5\&.17\&. \fBall\fR does not override the implicit intra\-zone ACCEPT policy while \fBall+\fR does\&. 
.sp Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same \fIzone\fR appears in both the SOURCE and DEST columns\&. .sp Beginning with Shorewall 5\&.2\&.3, a comma\-separated list of excluded zones preceded by "!" may follow \fBall\fR or \fBall+\&.\fR .RE .PP \fBDEST\fR \- \fIzone\fR[,\&.\&.\&.[+]]|\fB$FW\fR|all[+][!\fIezone\fR[,\&.\&.\&.]] .RS 4 Destination zone\&. Must be the name of a zone defined in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), $FW, "all" or "all+"\&. If the DEST is a bport zone, then the SOURCE must be "all", "all+", another bport zone associated with the same bridge, or it must be an ipv4 zone that is associated with only the same bridge\&. .sp Support for "all+" was added in Shorewall 4\&.5\&.17\&. "all" does not override the implicit intra\-zone ACCEPT policy while "all+" does\&. .sp Beginning with Shorewall 5\&.0\&.12, multiple zones may be listed separated by commas\&. As above, if \*(Aq+\*(Aq is specified after two or more zone names, then the policy overrides the implicit intra\-zone ACCEPT policy if the same \fIzone\fR appears in both the SOURCE and DEST columns\&. .sp Beginning with Shorewall 5\&.2\&.3, a comma\-separated list of excluded zones preceded by "!" may follow \fBall\fR or \fBall+\fR\&. .RE .PP \fBPOLICY\fR \- {\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|\fBBLACKLIST\fR|\fBCONTINUE\fR|\fBQUEUE\fR|\fBNFQUEUE\fR[(\fIqueuenumber1\fR[:\fIqueuenumber2\fR])]|\fBNONE\fR}[\fB:\fR{[+]\fIpolicy\-action\fR[:level][,\&.\&.\&.]|\fBNone\fR}] .RS 4 Policy if no match from the rules file is found\&. .sp If the policy is neither CONTINUE nor NONE then the policy may be followed by ":" and one of the following: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} The word "None" or "none"\&. 
This causes any default action defined in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5) to be omitted for this policy\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} The name of an action with optional parameters enclosed in parentheses\&. The action will be invoked before the policy is enforced\&. .RE .sp Actions can have parameters specified\&. .sp Beginning with Shorewall 4\&.5\&.10, the action name can be followed optionally by a colon and a log level\&. The level will be applied to each rule in the action or body that does not already have a log level\&. .sp Beginning with Shorewall 5\&.1\&.2, multiple \fIaction\fR[:\fIlevel\fR] specifications may be listed, separated by commas\&. The actions are invoked in the order listed\&. Also beginning with Shorewall 5\&.1\&.2, the policy\-action list can be prefixed with a plus sign ("+") indicating that the listed actions are in addition to those listed in the related _DEFAULT setting in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. .sp Possible policies are: .PP \fBACCEPT\fR .RS 4 Accept the connection\&. .RE .PP \fBDROP\fR .RS 4 Ignore the connection request\&. .RE .PP \fBREJECT\fR .RS 4 For TCP, send RST\&. For all other protocols, send an "unreachable" ICMP\&. .RE .PP \fBBLACKLIST\fR .RS 4 Added in Shorewall 5\&.1\&.1 and requires that the DYNAMIC_BLACKLIST setting in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5) specifies ipset\-based dynamic blacklisting\&. The SOURCE IP address is added to the blacklist ipset and the connection request is ignored\&. .RE .PP \fBQUEUE\fR .RS 4 Queue the request for a user\-space application such as Snort\-inline\&. .RE .PP \fBNFQUEUE\fR .RS 4 Queue the request for a user\-space application using the nfnetlink_queue mechanism\&. If a \fIqueuenumber1\fR is not given, queue zero (0) is assumed\&. Beginning with Shorewall 4\&.6\&.10, a second queue number (queuenumber2) may be given\&. This specifies a range of queues to use\&. 
Packets are then balanced across the given queues\&. This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, \&.\&. x+n and use "x:x+n"\&. Packets belonging to the same connection are put into the same nfqueue\&. .RE .PP \fBCONTINUE\fR .RS 4 Pass the connection request past any other rules that it might also match (where the source or destination zone in those rules is a superset of the SOURCE or DEST in this policy)\&. See \m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[5]\d\s+2(5) for additional information\&. .RE .PP \fBNONE\fR .RS 4 Assume that there will never be any packets from this SOURCE to this DEST\&. Shorewall will not create any infrastructure to handle such packets and you may not have any rules with this SOURCE and DEST in the /etc/shorewall/rules file\&. If such a packet \fBis\fR received, the result is undefined\&. NONE may not be used if the SOURCE or DEST columns contain the firewall zone ($FW) or "all"\&. .RE .RE .PP \fBLOGLEVEL\fR (loglevel) \- [\fIlog\-level\fR|\fBULOG|NFLOG\fR] .RS 4 Optional \- if supplied, each connection handled under the default POLICY is logged at that level\&. If not supplied, no log message is generated\&. See syslog\&.conf(5) for a description of log levels\&. .sp You may also specify ULOG or NFLOG (must be in upper case)\&. This will log to the ULOG or NFLOG target and will send to a separate log through use of ulogd (\m[blue]\fBhttp://www\&.netfilter\&.org/projects/ulogd/index\&.html\fR\m[])\&. .sp For a description of logging, see \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[6]\d\s+2\&. .sp If you don\*(Aqt want to log but need to specify the following column, place "\-" here\&. 
.RE .PP \fBRATE\fR (rate) \- [\-|\fIlimit\fR] .RS 4 where limit is one of: .RS 4 [\fB\-\fR|[{\fBs\fR|\fBd\fR}[/\fIvlsm\fR]:[[\fIname\fR][(ht\-buckets,ht\-max)]:]]]\fIrate\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst\fR] .RE .RS 4 [\fIname\fR1:]\fIrate1\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst1\fR],[\fIname\fR2:]\fIrate2\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst2\fR] .RE If passed, specifies the maximum TCP connection \fIrate\fR and the size of an acceptable \fIburst\fR\&. If not specified, TCP connections are not limited\&. If the \fIburst\fR parameter is omitted, a value of 5 is assumed\&. .sp When \fBs:\fR or \fBd:\fR is specified, the rate applies per source IP address or per destination IP address respectively\&. The \fIname\fR may be chosen by the user and specifies a hash table to be used to count matching connections\&. If not given, the name \fBshorewall\fR is assumed\&. Where more than one POLICY or rule specifies the same name, the connection counts for the policies are aggregated and the individual rates apply to the aggregated count\&. Beginning with Shorewall 5\&.2\&.1, the \fBs\fR or \fBd\fR may be followed by a slash ("/") and an integer \fIvlsm\fR\&. When a \fIvlsm\fR is specified, all source or destination addresses encountered will be grouped according to the given prefix length and the resulting subnet will be subject to the rate limit\&. .sp Beginning with Shorewall 4\&.6\&.5, two \fIlimit\fRs may be specified, separated by a comma\&. In this case, the first limit (\fIname1\fR, \fIrate1\fR, \fIburst1\fR) specifies the per\-source IP limit and the second limit specifies the per\-destination IP limit\&. .sp Example: \fBclient:10/sec:20,:60/sec:100\fR .sp Beginning with Shorewall 5\&.2\&.1, the table name, if any, may be followed by two integers separated by commas and enclosed in parentheses\&. The first integer (\fIht\-buckets\fR) specifies the number of buckets in the generated hash table\&. 
The second integer (\fIht\-max\fR) specifies the maximum number of entries in the hash table\&. .sp Example: \fBs:client(1024,65536):10/sec\fR .RE .PP \fBCONNLIMIT\fR \- \fIlimit\fR[:\fImask\fR] .RS 4 May be used to limit the number of simultaneous connections from each individual host to \fIlimit\fR connections\&. While the limit is only checked on connections to which this policy could apply, the number of current connections is calculated over all current connections from the SOURCE host\&. By default, the limit is applied to each host individually but can be made to apply to networks of hosts by specifying a \fImask\fR\&. The \fImask\fR specifies the width of a VLSM mask to be applied to the source address; the number of current connections is then taken over all hosts in the subnet \fIsource\-address\fR/\fImask\fR\&. .RE .SH "EXAMPLE" .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} All connections from the local network to the internet are allowed .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} All connections from the internet are ignored but logged at syslog level KERNEL\&.INFO\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} All other connection requests are rejected and logged at level KERNEL\&.INFO\&. .RE .sp .if n \{\ .RS 4 .\} .nf #SOURCE DEST POLICY LOG BURST:LIMIT # LEVEL loc net ACCEPT net all DROP info # # THE FOLLOWING POLICY MUST BE LAST # all all REJECT info .fi .if n \{\ .RE .\} .SH "FILES" .PP /etc/shorewall/policy .PP /etc/shorewall6/policy .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[7]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-zones .RS 4 \%http://www.shorewall.org/manpages/shorewall-zones.html .RE .IP " 2." 4 shorewall-blrules .RS 4 \%http://www.shorewall.org/manpages/shorewall-blrules.html .RE .IP " 3." 
4 shorewall-rules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 4." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 5." 4 shorewall-nesting .RS 4 \%http://www.shorewall.org/manpages/shorewall-nesting.html .RE .IP " 6." 4 shorewall-logging(5) .RS 4 \%http://www.shorewall.org/shorewall_logging.html .RE .IP " 7." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-tcinterfaces.50000664000000000000000000001317513453771312020731 0ustar rootroot'\" t .\" Title: shorewall-tcinterfaces .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-TCINTERFA" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" tcinterfaces \- Shorewall file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/tcinterfaces\fR\ 'u 
\fB/etc/shorewall[6]/tcinterfaces\fR .SH "DESCRIPTION" .PP This file lists the interfaces that are subject to simple traffic shaping\&. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .PP A note on the \fIbandwidth\fR definition used in this file: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} don\*(Aqt use a space between the integer value and the unit: 30kbit is valid while 30 kbit is not\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} you can use one of the following units: .PP \fBkbps\fR .RS 4 Kilobytes per second\&. .RE .PP \fBmbps\fR .RS 4 Megabytes per second\&. .RE .PP \fBkbit\fR .RS 4 Kilobits per second\&. .RE .PP \fBmbit\fR .RS 4 Megabits per second\&. .RE .PP \fBbps\fR or \fBnumber\fR .RS 4 Bytes per second\&. .RE .PP k or kb .RS 4 Kilo bytes\&. .RE .PP m or mb .RS 4 Megabytes\&. .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Only whole integers are allowed\&. .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBINTERFACE\fR .RS 4 The logical name of an interface\&. If you run both IPv4 and IPv6 Shorewall firewalls, a given interface should only be listed in one of the two configurations\&. .RE .PP \fBTYPE\fR \- [\fBexternal\fR|\fBinternal\fR] .RS 4 Optional\&. If given specifies whether the interface is \fBexternal\fR (facing toward the Internet) or \fBinternal\fR (facing toward a local network) and enables SFQ flow classification\&. .RE .PP \fBIN\-BANDWIDTH (in_bandwidth)\fR \- {\-|\fIbandwidth\fR[:\fIburst\fR]|~\fIbandwidth\fR[:\fIinterval\fR:\fIdecay_interval\fR]} .RS 4 The incoming \fIbandwidth\fR of that interface\&. 
Please note that you are not able to do traffic shaping on incoming traffic, as the traffic is already received before you could do so\&. But this allows you to define the maximum traffic allowed for this interface in total, if the rate is exceeded, the packets are dropped\&. You want this mainly if you have a DSL or Cable connection to avoid queuing at your providers side\&. .sp If you don\*(Aqt want any traffic to be dropped, set this to a value to zero in which case Shorewall will not create an ingress qdisc\&.Must be set to zero if the REDIRECTED INTERFACES column is non\-empty\&. .sp The optional burst option was added in Shorewall 4\&.4\&.18\&. The default \fIburst\fR is 10kb\&. A larger \fIburst\fR can help make the \fIbandwidth\fR more accurate; often for fast lines, the enforced rate is well below the specified \fIbandwidth\fR\&. .sp What is described above creates a rate/burst policing filter\&. Beginning with Shorewall 4\&.4\&.25, a rate\-estimated policing filter may be configured instead\&. Rate\-estimated filters should be used with Ethernet adapters that have Generic Receive Offload enabled by default\&. See \m[blue]\fBShorewall FAQ 97a\fR\m[]\&\s-2\u[2]\d\s+2\&. .sp To create a rate\-estimated filter, precede the bandwidth with a tilde ("~")\&. The optional interval and decay_interval determine how often the rate is estimated and how many samples are retained for estimating\&. Please see \m[blue]\fBhttp://ace\-host\&.stuart\&.id\&.au/russell/files/tc/doc/estimators\&.txt\fR\m[] for details\&. If not specified, the default \fIinterval\fR is 250ms and the default \fIdecay_interval\fR is 4sec\&. .RE .PP OUT\-BANDWIDTH (out_bandwidth) \- [\fIrate\fR[:[\fIburst\fR][:[\fIlatency\fR][:[\fIpeek\fR][:[\fIminburst\fR]]]]]] .RS 4 Added in Shorewall 4\&.4\&.13\&. The terms are defined in tc\-tbf(8)\&. .sp Shorewall provides defaults as follows: .RS 4 \fIburst\fR \- 10kb .RE .RS 4 \fIlatency\fR \- 200ms .RE The remaining options are defaulted by tc(8)\&. 
.RE .SH "FILES" .PP /etc/shorewall/tcinterfaces .PP /etc/shorewall6/tcinterfaces .SH "SEE ALSO" .PP \m[blue]\fBhttp://ace\-host\&.stuart\&.id\&.au/russell/files/tc/doc/sch_tbf\&.txt\fR\m[] .PP \m[blue]\fBhttp://ace\-host\&.stuart\&.id\&.au/russell/files/tc/doc/estimators\&.txt\fR\m[] .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 2." 4 Shorewall FAQ 97a .RS 4 \%http://www.shorewall.org/FAQ.htm#faq97a .RE shorewall-5.2.3.4/manpages/shorewall-secmarks.50000664000000000000000000002457713453771303020077 0ustar rootroot'\" t .\" Title: shorewall-secmarks .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-SECMARKS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" secmarks \- Shorewall file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/secmarks\fR\ 'u \fB/etc/shorewall[6]/secmarks\fR .SH "DESCRIPTION" .if n \{\ .sp 
.\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br .PP Unlike rules in the \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[1]\d\s+2(5) file, evaluation of rules in this file will continue after a match\&. So the final secmark for each packet will be the one assigned by the LAST rule that matches\&. .sp .5v .RE .PP The secmarks file is used to associate an SELinux context with packets\&. It was added in Shorewall version 4\&.4\&.13\&. .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBSECMARK \- {SAVE|RESTORE|\fR\fB\fIcontext\fR\fR\fB|?COMMENT \fR\fB\fIcomment\fR\fR\fB}\fR .RS 4 .PP \fBSAVE\fR .RS 4 If an SELinux context is associated with the packet, the context is saved in the connection\&. Normally, the remaining columns should be left blank\&. .RE .PP \fBRESTORE\fR .RS 4 If an SELinux context is not currently associated with the packet, then the saved context (if any) is associated with the packet\&. Normally, the remaining columns should be left blank\&. .RE .PP \fIcontext\fR .RS 4 An SELinux context\&. .RE .PP ?COMMENT .RS 4 The remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached\&. To stop adding comments to rules, use a line with only the word ?COMMENT\&. 
.RE .RE .PP \fBCHAIN \- {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]\fR .RS 4 This column determines the CHAIN where the SELinux context is to be applied: .RS 4 P \- PREROUTING .RE .RS 4 I \- INPUT .RE .RS 4 F \- FORWARD .RE .RS 4 O \- OUTPUT .RE .RS 4 T \- POSTROUTING .RE It may be optionally followed by a colon and an indication of the Netfilter connection state(s) at which the context is to be applied: .RS 4 :N \- NEW connection .RE .RS 4 :I \- INVALID connection .RE .RS 4 :NI \- NEW or INVALID connection .RE .RS 4 :E \- ESTABLISHED connection .RE .RS 4 :ER \- ESTABLISHED or RELATED connection .RE Beginning with Shorewall 4\&.5\&.10, the following additional options are available .RS 4 :U \- UNTRACKED connection .RE .RS 4 :IU \- INVALID or UNTRACKED connection .RE .RS 4 :NU \- NEW or UNTRACKED connection .RE .RS 4 :NIU \- NEW, INVALID or UNTRACKED connection\&. .RE This column was formerly labelled CHAIN:STATE\&. .RE .PP \fBSOURCE\fR \- {\fB\-\fR\fIinterface\fR|[\fIinterface\fR:]\fIaddress\-or\-range\fR[\fB,\fR\fIaddress\-or\-range\fR]\&.\&.\&.}[\fIexclusion\fR] .RS 4 May be: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} An interface name \- matches traffic entering the firewall on the specified interface\&. May not be used in classify rules or in rules using the T in the CHAIN column\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} A comma\-separated list of host or network IP addresses or MAC addresses\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} An interface name followed by a colon (":") followed by a comma\-separated list of host or network IP addresses or MAC addresses\&. .RE .sp MAC addresses must be prefixed with "~" and use "\-" as a separator\&. .sp Example: ~00\-A0\-C9\-15\-39\-78 .sp You may exclude certain hosts from the set already defined through use of an \fIexclusion\fR (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2(5))\&. 
.sp Addresses may be specified using an ipset name preceded by \*(Aq+\*(Aq\&. .RE .PP \fBDEST\fR \- {\fB\-\fR|{\fIinterface\fR|[\fIinterface\fR:]\fIaddress\-or\-range\fR[\fB,\fR\fIaddress\-or\-range\fR]\&.\&.\&.}[\fIexclusion\fR] .RS 4 May be: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} An interface name\&. May not be used in the PREROUTING or INPUT chains\&. The interface name may be optionally followed by a colon (":") and an IP address list\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} A comma\-separated list of host or network IP addresses\&. The list may include ip address ranges if your kernel and iptables include iprange support\&. .RE .sp You may exclude certain hosts from the set already defined through use of an \fIexclusion\fR (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2(5))\&. .sp Addresses may be specified using an ipset name preceded by \*(Aq+\*(Aq\&. .RE .PP \fBPROTO\fR \- {\fB\-\fR|\fBtcp:syn\fR|\fBipp2p\fR|\fBipp2p:udp\fR|\fBipp2p:all\fR|\fIprotocol\-number\fR|\fIprotocol\-name\fR|\fBall}[,\&.\&.\&.]\fR .RS 4 See \m[blue]\fBshorewall\-rules(5)\fR\m[]\&\s-2\u[3]\d\s+2 for details\&. .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&. .RE .PP \fBDPORT\fR \- [\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.] .RS 4 Optional destination Ports\&. A comma\-separated list of Port names (from services(5)), \fIport number\fRs or \fIport range\fRs; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&. ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e\&.g\&., 3/4), or a typename\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&\s-2\u[4]\d\s+2\&. 
.sp If the protocol is \fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example \fBbit\fR for bit\-torrent)\&. If no PORT is given, \fBipp2p\fR is assumed\&. .sp This column is ignored if PROTOCOL = all but must be entered if any of the following field is supplied\&. In that case, it is suggested that this field contain "\-" .sp This column was formerly labelled DEST PORT(S)\&. .RE .PP \fBSPORT\fR \- [\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.] .RS 4 Optional source port(s)\&. If omitted, any source port is acceptable\&. Specified as a comma\-separated list of port names, port numbers or port ranges\&. .sp This column was formerly labelled SOURCE PORT(S)\&. .RE .PP \fBUSER\fR \- [\fB!\fR][\fIuser\-name\-or\-number\fR][\fB:\fR\fIgroup\-name\-or\-number\fR] .RS 4 This optional column may only be non\-empty if the SOURCE is the firewall itself\&. .sp When this column is non\-empty, the rule applies only if the program generating the output is running under the effective \fIuser\fR and/or \fIgroup\fR specified (or is NOT running under that id if "!" is given)\&. .sp Examples: .PP joe .RS 4 program must be run by joe .RE .PP :kids .RS 4 program must be run by a member of the \*(Aqkids\*(Aq group .RE .PP !:kids .RS 4 program must not be run by a member of the \*(Aqkids\*(Aq group .RE .RE .PP \fBMARK\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR] .RS 4 Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&. .sp If you don\*(Aqt want to define a test but need to specify anything in the following columns, place a "\-" in this field\&. .PP ! .RS 4 Inverts the test (not equal) .RE .PP \fIvalue\fR .RS 4 Value of the packet or connection mark\&. .RE .PP \fImask\fR .RS 4 A mask to be applied to the mark before testing\&. .RE .PP \fB:C\fR .RS 4 Designates a connection mark\&. If omitted, the packet mark\*(Aqs value is tested\&. 
.RE .RE .SH "EXAMPLE" .PP Mark the first incoming packet of a connection on the loopback interface and destined for address 127\&.0\&.0\&.1 and tcp port 3306 with context system_u:object_r:mysqld_t:s0 and save that context in the conntrack table\&. On subsequent input packets in the connection, set the context from the conntrack table\&. .PP /etc/shorewall/interfaces: .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE BROADCAST OPTIONS \- lo \- ignore .fi .if n \{\ .RE .\} .PP /etc/shorewall/secmarks: .sp .if n \{\ .RS 4 .\} .nf #SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK system_u:object_r:mysqld_packet_t:s0 I:N lo 127\&.0\&.0\&.1 tcp 3306 SAVE I:N lo 127\&.0\&.0\&.1 tcp 3306 RESTORE I:ER .fi .if n \{\ .RE .\} .SH "FILES" .PP /etc/shorewall/secmarks .PP /etc/shorewall6/secmarks .SH "SEE ALSO" .PP \m[blue]\fBhttp://james\-morris\&.livejournal\&.com/11010\&.html\fR\m[] .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-rules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 2." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP " 3." 4 shorewall-rules(5) .RS 4 \%http://www.shorewall.orgshorewall-rules.html .RE .IP " 4." 4 http://www.shorewall.net/configuration_file_basics.htm#ICMP .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#ICMP .RE .IP " 5." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-rules.50000664000000000000000000020263313531077741017412 0ustar rootroot'\" t .\" Title: shorewall-rules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 08/26/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-RULES" "5" "08/26/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" rules \- Shorewall rules file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/rules\fR\ 'u \fB/etc/shorewall[6]/rules\fR .SH "DESCRIPTION" .PP Entries in this file govern connection establishment by defining exceptions to the policies laid out in \m[blue]\fBshorewall\-policy\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. By default, subsequent requests and responses are automatically allowed using connection tracking\&. 
For any particular (source,dest) pair of zones, the rules are evaluated in the order in which they appear in this file and the first terminating match is the one that determines the disposition of the request\&. All rules are terminating except LOG and COUNT rules\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP If you masquerade or use SNAT from a local system to the internet, you cannot use an ACCEPT rule to allow traffic from the internet to that system\&. You \fBmust\fR use a DNAT rule instead\&. .sp .5v .RE .PP The rules file is divided into sections\&. Each section is introduced by a "Section Header" which is a line beginning with ?SECTION and followed by the section name\&. .PP Sections are as follows and must appear in the order listed: .PP \fBALL\fR .RS 4 This section was added in Shorewall 4\&.4\&.23\&. Rules in this section are applied, regardless of the connection tracking state of the packet and are applied before rules in the other sections\&. .RE .PP \fBESTABLISHED\fR .RS 4 Packets in the ESTABLISHED state are processed by rules in this section\&. .sp The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG, NFLOG, NFQUEUE and QUEUE .sp There is an implicit ACCEPT rule inserted at the end of this section\&. .RE .PP \fBRELATED\fR .RS 4 Packets in the RELATED state are processed by rules in this section\&. .sp The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG, NFLOG, NFQUEUE and QUEUE .sp There is an implicit rule added at the end of this section that invokes the RELATED_DISPOSITION (\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5))\&. .RE .PP \fBINVALID\fR .RS 4 Added in Shorewall 4\&.5\&.13\&. Packets in the INVALID state are processed by rules in this section\&. .sp The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG, NFLOG, NFQUEUE and QUEUE\&. 
.sp There is an implicit rule added at the end of this section that invokes the INVALID_DISPOSITION (\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5))\&. .RE .PP \fBUNTRACKED\fR .RS 4 Added in Shorewall 4\&.5\&.13\&. Packets in the UNTRACKED state are processed by rules in this section\&. .sp The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG, NFLOG, NFQUEUE and QUEUE\&. .sp There is an implicit rule added at the end of this section that invokes the UNTRACKED_DISPOSITION (\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5))\&. .RE .PP \fBNEW\fR .RS 4 Packets in the NEW state are processed by rules in this section\&. If the INVALID and/or UNTRACKED sections are empty or not included, then the packets in the corresponding state(s) are also processed in this section\&. .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .PP If you are not familiar with Netfilter to the point where you are comfortable with the differences between the various connection tracking states, then it is suggested that you place all of your rules in the NEW section (That\*(Aqs after the line that reads ?SECTION NEW\*(Aq)\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP If you specify FASTACCEPT=Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) then the \fBALL, ESTABLISHED\fR and \fBRELATED\fR sections must be empty\&. .PP An exception is made if you are running Shorewall 4\&.4\&.27 or later and you have specified a non\-default value for RELATED_DISPOSITION or RELATED_LOG_LEVEL\&. In that case, you may have rules in the RELATED section of this file\&. .sp .5v .RE .PP You may omit any section that you don\*(Aqt need\&. If no Section Headers appear in the file then all rules are assumed to be in the NEW section\&. 
.PP When defining rules that rewrite the destination IP address and/or port number (namely DNAT and REDIRECT rules), it is important to keep straight which columns in the file specify the packet before rewriting and which specify how the packet will look after rewriting\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The DEST column specifies the final destination for the packet after rewriting and can include the final IP address and/or port number\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The remaining columns specify characteristics of the packet before rewriting\&. In particular, the ORIGDEST column gives the original destination IP address of the packet and the DPORT column give the original destination port(s)\&. .RE .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBACTION\fR \- \fB\fItarget\fR\fR\fB[:\fR{\fIlog\-level\fR|\fBnone\fR}[\fB\fB!\fR\fR][\fB:\fR\fItag\fR]] .RS 4 Specifies the action to be taken if the connection request matches the rule\&. \fItarget\fR must be one of the following\&. .PP \fBACCEPT\fR .RS 4 Allow the connection request\&. .RE .PP \fBACCEPT+\fR .RS 4 like ACCEPT but also excludes the connection from any subsequent matching \fBDNAT\fR[\fB\-\fR] or \fBREDIRECT\fR[\fB\-\fR] rules\&. Use with IPv6 requires Shorewall 4\&.5\&.14 or later\&. .RE .PP \fBACCEPT!\fR .RS 4 like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fIaction\fR .RS 4 The name of an \fIaction\fR declared in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[3]\d\s+2(5) or in /usr/share/shorewall[6]/actions\&.std\&. .RE .PP \fBADD(\fR\fB\fIipset\fR\fR\fB:\fR\fB\fIflags\fR\fR\fB[:\fR\fB\fItimeout\fR\fR\fB])\fR .RS 4 Added in Shorewall 4\&.4\&.12\&. 
Causes addresses and/or port numbers to be added to the named \fIipset\fR\&. The \fIflags\fR specify the address or tuple to be added to the set and must match the type of ipset involved\&. For example, for an iphash ipset, either the SOURCE or DESTINATION address can be added using \fIflags\fR \fBsrc\fR or \fBdst\fR respectively (see the \-A command in ipset (8))\&. .sp Beginning with Shorewall 5\&.0\&.3, an optional \fItimeout\fR can be specified\&. This is the number of seconds that the new entry in the ipset is to remain valid and overrides any timeout specified when the ipset was created\&. .sp ADD is non\-terminating\&. Even if a packet matches the rule, it is passed on to the next rule\&. .RE .PP \fBAUDIT\fR[(accept|drop|reject)] .RS 4 Added in Shorewall 4\&.5\&.10\&. Audits the packet with the specified type; if the type is omitted, then \fBdrop\fR is assumed\&. Require AUDIT_TARGET support in the kernel and iptables\&. .RE .PP \fBA_ACCEPT\fR, \fBA_ACCEPT\fR\fB+\fR and \fBA_ACCEPT\fR\fB!\fR .RS 4 Added in Shorewall 4\&.4\&.20\&. Audited versions of ACCEPT, ACCEPT+ and ACCEPT! respectively\&. Require AUDIT_TARGET support in the kernel and iptables\&. A_ACCEPT+ with IPv6 requires Shorewall 4\&.5\&.14 or later\&. .RE .PP \fBA_DROP\fR and\fB A_DROP!\fR .RS 4 Added in Shorewall 4\&.4\&.20\&. Audited versions of DROP and DROP! respectively\&. Require AUDIT_TARGET support in the kernel and iptables\&. .RE .PP \fBA_REJECT\fR AND \fBA_REJECT!\fR .RS 4 Added in Shorewall 4\&.4\&.20\&. Audited versions of REJECT and REJECT! respectively\&. Require AUDIT_TARGET support in the kernel and iptables\&. .RE .PP \fB?COMMENT\fR .RS 4 the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries\&. The comment will appear delimited by "/* \&.\&.\&. */" in the output of "shorewall show "\&. To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself\&. 
.RE .PP \fBCONMARK({\fR\fB\fImark\fR\fR\fB})\fR .RS 4 Added in Shorewall 5\&.0\&.7, CONNMARK is identical to MARK with the exception that the mark is assigned to connection to which the packet belongs is marked rather than to the packet itself\&. .RE .PP \fBCONTINUE\fR .RS 4 For experts only\&. .sp Do not process any of the following rules for this (source zone,destination zone)\&. If the source and/or destination IP address falls into a zone defined later in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[4]\d\s+2(5) or in a parent zone of the source or destination zones, then this connection request will be passed to the rules defined for that (those) zone(s)\&. See \m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[5]\d\s+2(5) for additional information\&. .RE .PP \fBCONTINUE!\fR .RS 4 like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBCOUNT\fR .RS 4 Simply increment the rule\*(Aqs packet and byte count and pass the packet to the next rule\&. .RE .PP \fBDEL(\fR\fB\fIipset\fR\fR\fB:\fR\fB\fIflags\fR\fR\fB)\fR .RS 4 Added in Shorewall 4\&.4\&.12\&. Causes an entry to be deleted from the named \fIipset\fR\&. The \fIflags\fR specify the address or tuple to be deleted from the set and must match the type of ipset involved\&. For example, for an iphash ipset, either the SOURCE or DESTINATION address can be deleted using \fIflags\fR \fBsrc\fR or \fBdst\fR respectively (see the \-D command in ipset (8))\&. .sp DEL is non\-terminating\&. Even if a packet matches the rule, it is passed on to the next rule\&. .RE .PP \fBDNAT\fR .RS 4 Forward the request to another system (and optionally another port)\&. Use with IPv6 requires Shorewall 4\&.5\&.14 or later\&. .RE .PP \fBDNAT\-\fR .RS 4 Advanced users only\&. .sp Like \fBDNAT\fR but only generates the \fBDNAT\fR iptables rule and not the companion \fBACCEPT\fR rule\&. Use with IPv6 requires Shorewall 4\&.5\&.14 or later\&. 
.RE .PP \fBDROP\fR .RS 4 Ignore the request\&. .RE .PP \fBDROP!\fR .RS 4 like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBHELPER\fR .RS 4 Added in Shorewall 4\&.5\&.7\&. This action requires that the HELPER column contains the name of the Netfilter helper to be associated with connections matching this connection\&. May only be specified in the NEW section and is useful for being able to specify a helper when the applicable policy is ACCEPT\&. No destination zone should be specified in HELPER rules\&. .RE .PP \fBINLINE\fR[(\fIaction\fR)] .RS 4 Added in Shorewall 4\&.5\&.16\&. This action allows you to construct most of the rule yourself using iptables syntax\&. The part that you specify must follow two semicolons (\*(Aq;;\*(Aq) and is completely free\-form\&. If the target of the rule (the part following \*(Aqj\*(Aq) is something that Shorewall supports in the ACTION column, then you may enclose it in parentheses (e\&.g\&., INLINE(ACCEPT))\&. Otherwise, you can include it after the semicolon(s)\&. In this case, you must declare the target as a builtin action in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. .sp Some considerations when using INLINE: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The \fBp\fR, \fBs\fR, \fBd\fR, \fBi\fR, \fBo\fR, \fBpolicy\fR, and state match (\fBstate\fR or \fBconntrack \-\-ctstate\fR) matches will always appear in the front of the rule in that order\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} When multiple matches are specified, the compiler will keep them in the order in which they appear (excluding the above listed ones), but they will not necessarily be at the end of the generated rule\&. For example, if addresses are specified in the SOURCE and/or DEST columns, their generated matches will appear after those specified using \*(Aq;;\*(Aq or \*(Aq;\*(Aq\&. 
.RE .RE .PP \fBIPTABLES\fR({\fIiptables\-target\fR [\fIoption\fR \&.\&.\&.]) .RS 4 IPv4 only\&. This action allows you to specify an iptables target with options (e\&.g\&., \*(AqIPTABLES(MARK \-\-set\-xmark 0x01/0xff)\*(Aq\&. If the \fIiptables\-target\fR is not one recognized by Shorewall, the following error message will be issued: .sp .if n \{\ .RS 4 .\} .nf ERROR: Unknown target (\fIiptables\-target\fR) .fi .if n \{\ .RE .\} .sp This error message may be eliminated by adding the \fIiptables\-\fR\fItarget\fR as a builtin action in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br If you specify REJECT as the \fIiptables\-target\fR, the target of the rule will be the iptables REJECT target and not Shorewall\*(Aqs builtin \*(Aqreject\*(Aq chain which is used when REJECT (see below) is specified as the \fItarget\fR in the ACTION column\&. .sp .5v .RE .RE .PP \fBIP6TABLES\fR({\fIip6tables\-target\fR [\fIoption\fR \&.\&.\&.]) .RS 4 IPv6 only\&. This action allows you to specify an ip6tables target with options (e\&.g\&., \*(AqIPTABLES(MARK \-\-set\-xmark 0x01/0xff)\*(Aq\&. If the \fIip6tables\-target\fR is not one recognized by Shorewall, the following error message will be issued: .sp .if n \{\ .RS 4 .\} .nf ERROR: Unknown target (\fIip6tables\-target\fR) .fi .if n \{\ .RE .\} .sp This error message may be eliminated by adding the\fI ip6tables\-\fR\fItarget\fR as a builtin action in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[6]\d\s+2(5)\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br If you specify REJECT as the \fIip6tables\-target\fR, the target of the rule will be the i6ptables REJECT target and not Shorewall\*(Aqs builtin \*(Aqreject\*(Aq chain which is used when REJECT (see below) is specified as the \fItarget\fR in the ACTION column\&. 
.sp .5v .RE .RE .PP \fBLOG:\fR\fB\fIlevel\fR\fR .RS 4 Simply log the packet and continue with the next rule\&. .RE .PP \fImacro\fR\fB[(\fR\fB\fImacrotarget\fR\fR\fB)]\fR .RS 4 The name of a macro defined in a file named macro\&.\fImacro\fR\&. If the macro accepts an action parameter (Look at the macro source to see if it has PARAM in the TARGET column) then the \fImacro\fR name is followed by the parenthesized \fImacrotarget\fR (\fBACCEPT\fR, \fBDROP\fR, \fBREJECT\fR, \&.\&.\&.) to be substituted for the parameter\&. .sp Example: FTP(ACCEPT)\&. .sp The older syntax where the macro name and the target are separated by a slash (e\&.g\&. FTP/ACCEPT) is still allowed but is deprecated\&. .RE .PP \fBMARK({\fR\fB\fImark\fR\fR\fB})\fR .RS 4 where \fImark\fR is a packet mark value\&. .sp Added in Shorewall 5\&.0\&.7, MARK requires "Mark in filter table" support in your kernel and iptables\&. .sp Normally will set the mark value of the current packet\&. If preceded by a vertical bar ("|"), the mark value will be logically ORed with the current mark value to produce a new mark value\&. If preceded by an ampersand ("&"), will be logically ANDed with the current mark value to produce a new mark value\&. .sp Both "|" and "&" require Extended MARK Target support in your kernel and iptables\&. .sp The mark value may be optionally followed by "/" and a mask value (used to determine those bits of the connection mark to actually be set)\&. When a mask is specified, the result of logically ANDing the mark value with the mask must be the same as the mark value\&. .RE .PP \fBNFLOG\fR[(\fInflog\-parameters\fR)] .RS 4 Added in Shorewall 4\&.5\&.9\&.3\&. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/shorewall_logging\&.html\fR\m[]\&\s-2\u[7]\d\s+2\&. 
.sp The \fInflog\-parameters\fR are a comma\-separated list of up to 3 numbers: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The first number specifies the netlink group (0\-65535)\&. If omitted (e\&.g\&., NFLOG(,0,10)) then a value of 0 is assumed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The second number specifies the maximum number of bytes to copy\&. If omitted, 0 (no limit) is assumed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The third number specifies the number of log messages that should be buffered in the kernel before they are sent to user space\&. The default is 1\&. .RE .sp NFLOG is similar to\fB LOG:NFLOG\fR[(\fInflog\-parameters\fR)], except that the log level is not changed when this ACTION is used in an action or macro body and the invocation of that action or macro specifies a log level\&. .RE .PP \fBNFQUEUE\fR[([\fIqueuenumber\fR1[:\fIqueuenumber2\fR[c]][,bypass]]|bypass)] .RS 4 Queues the packet to a user\-space application using the nfnetlink_queue mechanism\&. If a \fIqueuenumber\fR1 is not specified, queue zero (0) is assumed\&. Beginning with Shorewall 4\&.6\&.10, the keyword \fBbypass\fR can be given\&. By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped\&. When this option is used, the NFQUEUE rule behaves like ACCEPT instead\&. Also beginning in Shorewall 4\&.6\&.10, a second queue number (\fIqueuenumber2\fR) may be specified\&. This specifies a range of queues to use\&. Packets are then balanced across the given queues\&. This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, \&.\&. x+n and use "x:x+n"\&. Packets belonging to the same connection are put into the same nfqueue\&. 
.sp Beginning with Shorewall 5\&.1\&.0, queuenumber2 may be followed by the letter \*(Aqc\*(Aq to indicate that the CPU ID will be used as an index to map packets to the queues\&. The idea is that you can improve performance if there\*(Aqs a queue per CPU\&. Requires the NFQUEUE CPU Fanout capability in your kernel and iptables\&. .RE .PP \fB\fBNFQUEUE!\fR\fR\fB[([\fR\fB\fIqueuenumber1\fR\fR\fB[:\fR\fB\fIqueuenumber2\fR\fR\fB[c]][,bypass]]|bypass)]\fR .RS 4 like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBNONAT\fR .RS 4 Excludes the connection from any subsequent \fBDNAT\fR[\-] or \fBREDIRECT\fR[\-] rules but doesn\*(Aqt generate a rule to accept the traffic\&. Use with IPv6 requires Shorewall 4\&.5\&.14 or later\&. .RE .PP \fBQUEUE\fR .RS 4 Queue the packet to a user\-space application such as ftwall (http://p2pwall\&.sf\&.net)\&. The application may reinsert the packet for further processing\&. .RE .PP \fBQUEUE!\fR .RS 4 like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBREJECT[(\fR\fB\fIoption\fR\fR\fB)]\fR .RS 4 disallow the request and return an icmp\-unreachable or an RST packet\&. If no option is passed, Shorewall selects the appropriate option based on the protocol of the packet\&. .sp Beginning with Shorewall 5\&.0\&.8, the type of reject may be specified in the \fIoption\fR parameter\&. Valid IPv4 \fIoption\fR values are: .RS 4 \fBicmp\-net\-unreachable\fR .RE .RS 4 \fBicmp\-host\-unreachable\fR .RE .RS 4 \fBicmp\-port\-unreachable\fR .RE .RS 4 \fBicmp\-proto\-unreachable\fR .RE .RS 4 \fBicmp\-net\-prohibited\fR .RE .RS 4 \fBicmp\-host\-prohibited\fR .RE .RS 4 \fBicmp\-admin\-prohibited\fR .RE .RS 4 \fBicmp\-tcp\-reset\fR (the PROTO column must specify TCP)\&. Beginning with Shorewall 5\&.1\&.3, this option may also be specified as \fBtcp\-reset\fR\&.
.RE Valid IPv6 \fIoption\fR values are: .RS 4 \fBicmp6\-no\-route\fR .RE .RS 4 \fBno\-route\fR .RE .RS 4 \fBicmp6\-adm\-prohibited\fR .RE .RS 4 \fBadm\-prohibited\fR .RE .RS 4 \fBicmp6\-addr\-unreachable\fR .RE .RS 4 \fBaddr\-unreach\fR .RE .RS 4 \fBicmp6\-port\-unreachable\fR .RE .RS 4 \fBtcp\-reset\fR (the PROTO column must specify TCP) .RE .RE .PP \fBREJECT!\fR .RS 4 like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBREDIRECT\fR .RS 4 Redirect the request to a server running on the firewall\&. Use with IPv6 requires Shorewall 4\&.5\&.14 or later\&. .RE .PP \fBREDIRECT\-\fR .RS 4 Advanced users only\&. .sp Like \fBREDIRECT\fR but only generates the \fBREDIRECT\fR iptables rule and not the companion \fBACCEPT\fR rule\&. Use with IPv6 requires Shorewall 4\&.5\&.14 or later\&. .RE .PP \fBTARPIT\fR [(\fBtarpit\fR | \fBhoneypot\fR | \fBreset\fR)] .RS 4 Added in Shorewall 4\&.6\&.6\&. .sp TARPIT captures and holds incoming TCP connections using no local per\-connection resources\&. .sp TARPIT only works with the PROTO column set to tcp (6), and is totally application agnostic\&. This module will answer a TCP request and play along like a listening server, but aside from sending an ACK or RST, no data is sent\&. Incoming packets are ignored and dropped\&. The attacker will terminate the session eventually\&. This module allows the initial packets of an attack to be captured by other software for inspection\&. In most cases this is sufficient to determine the nature of the attack\&. .sp This offers similar functionality to LaBrea but does not require dedicated hardware or IPs\&. Any TCP port that you would normally DROP or REJECT can instead become a tarpit\&.
.sp The target accepts a single optional parameter: .PP tarpit .RS 4 This mode is the default and completes a connection with the attacker but limits the window size to 0, thus keeping the attacker waiting long periods of time\&. While he is maintaining state of the connection and trying to continue every 60\-240 seconds, we keep none, so it is very lightweight\&. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12\-24 minutes\&. .RE .PP honeypot .RS 4 This mode completes a connection with the attacker, but signals a normal window size, so that the remote side will attempt to send data, often with some very nasty exploit attempts\&. We can capture these packets for decoding and further analysis\&. The module does not send any data, so if the remote expects an application level response, the game is up\&. .RE .PP reset .RS 4 This mode is handy because we can send an inline RST (reset)\&. It has no other function\&. .RE .RE .PP \fBULOG\fR[(\fIulog\-parameters\fR)] .RS 4 IPv4 only\&. Added in Shorewall 4\&.5\&.10\&. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule\&. See \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[8]\d\s+2\&. .sp Similar to\fB LOG:ULOG\fR[(\fIulog\-parameters\fR)], except that the log level is not changed when this ACTION is used in an action or macro body and the invocation of that action or macro specifies a log level\&. .RE .sp The \fItarget\fR may optionally be followed by ":" and a syslog log level (e\&.g, REJECT:info or Web(ACCEPT):debug)\&. This causes the packet to be logged at the specified level\&. Note that if the \fBACTION\fR involves destination network address translation (DNAT, REDIRECT, etc\&.) then the packet is logged \fBbefore\fR the destination address is rewritten\&. 
.sp If the \fBACTION\fR names an \fIaction\fR declared in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[3]\d\s+2(5) or in /usr/share/shorewall/actions\&.std then: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If the log level is followed by "!" then all rules in the action are logged at the log level\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If the log level is not followed by "!" then only those rules in the action that do not specify logging are logged at the specified level\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The special log level \fBnone!\fR suppresses logging by the action\&. .RE .sp You may also specify \fBULOG\fR (IPv4 only) or \fBNFLOG\fR (must be in upper case) as a log level\&. This will log to the ULOG or NFLOG target for routing to a separate log through use of ulogd (\m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[8]\d\s+2)\&. .sp Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5))\&. .sp Example: ACCEPT:info:ftp would include \*(Aqftp \*(Aq at the end of the log prefix generated by the LOGPREFIX setting\&. .RE .PP \fBSOURCE \- \fR\fB\fIsource\-spec\fR\fR\fB[,\&.\&.\&.]\fR .RS 4 Source hosts to which the rule applies\&. .sp \fIsource\-spec\fR is one of the following: .PP \fB\fIzone\fR\fR\fB[,\&.\&.\&.[+]]\fR .RS 4 The name of a zone defined in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. When only the zone name is specified, the packet source may be any host in that zone\&. .sp zone may also be one of the following: .PP all[+] .RS 4 \fBall\fR, without the "\-" means "All Zones, including the firewall zone"\&. Normally all omits intra\-zone traffic, but intra\-zone traffic can be included by specifying "+"\&.
.RE .PP any[+] .RS 4 \fBany\fR is equivalent to \fBall\fR when there are no nested zones\&. When there are nested zones, \fBany\fR only refers to top\-level zones (those with no parent zones)\&. Note that \fBany\fR excludes all vserver zones, since those zones are nested within the firewall zone\&. .RE .PP none .RS 4 When \fBnone\fR is used either in the \fBSOURCE\fR or \fBDEST\fR column, the rule is ignored\&. .RE .sp As with \fBall\fR and \fBany\fR, intra\-zone traffic is normally excluded when multiple zones are listed\&. Intra\-zone traffic may be included by following the list with a plus sign ("+")\&. .sp \fBall\fR and \fBany\fR may be followed by an exclamation point ("!") and a comma\-separated list of zone names to be omitted\&. .RE .PP \fIzone\fR:[!]\fIinterface\fR .RS 4 When this form is used, \fIinterface\fR must be the name of an interface associated with the named \fIzone\fR in either \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(5) or \m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[10]\d\s+2(5)\&. Only packets from hosts in the \fIzone\fR that arrive through the named interface will match the rule\&. .sp Beginning with Shorewall 5\&.2\&.1, the \fIinterface\fR may be preceded with \*(Aq!\*(Aq which matches all interfaces associated with the zone except the one specified\&. .RE .PP \fIzone\fR:\fIaddress\fR[,\&.\&.\&.] .RS 4 where address can be: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A host or network IP address\&. A network address may be followed by an exclusion (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[11]\d\s+2(5))\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} An address range, specified using the syntax \fIlowaddress\fR\-\fIhighaddress\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} +\fIipset\fR where \fIipset\fR is the name of an ipset and must be preceded by a plus sign ("+")\&.
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A MAC address in Shorewall format (preceded by a tilde ("~") and with the hex byte values separated by dashes (e\&.g\&., "~00\-0a\-f6\-04\-9c\-7d"))\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} ^\fIcountry\-code\fR where country\-code is a two\-character ISO\-3166 country code preceded by a caret ("^")\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} ^\fIcountry\-code\-list\fR where \fIcountry\-code\-list\fR is a comma\-separated list of up to 15 ISO\-3166 country codes enclosed in square brackets ("[\&.\&.\&.]")\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The primary IP address of a firewall interface can be specified by an ampersand (\*(Aq&\*(Aq) followed by the logical name of the interface as found in the INTERFACE column of \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2 (5)\&. .RE .RE .PP \fIzone\fR:\fIinterface\fR:\fIaddress\fR[,\&.\&.\&.] .RS 4 This form combines the preceding two and requires that both the incoming interface and the source address match\&. .RE .PP \fIzone\fR:\fIexclusion\fR .RS 4 This form matches if the host IP address does not match any of the entries in the exclusion (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[11]\d\s+2(5))\&. .RE .PP \fIzone\fR:\fIinterface\fR:\fIexclusion\fR .RS 4 This form matches packets from the named \fIzone\fR entering through the specified \fIinterface\fR where the source address does not match any entry in the \fIexclusion\fR\&.
.RE .sp Beginning with Shorewall 5\&.1\&.0, multiple \fIsource\-spec\fRs may be listed, provided that the extended forms of the source\-spec are used: \fIzone\fR:(\fIinterface\fR) .sp \fIzone\fR:(\fIaddress\fR[,\&.\&.\&.]) .sp zone:(interface:address[,\&.\&.\&.]) .sp \fIzone\fR:(\fIexclusion\fR) .sp \fIzone\fR:(\fIinterface\fR:\fIexclusion\fR) .sp Examples: .PP dmz:192\&.168\&.2\&.2 .RS 4 Host 192\&.168\&.2\&.2 in the DMZ .RE .PP net:155\&.186\&.235\&.0/24 .RS 4 Subnet 155\&.186\&.235\&.0/24 on the Internet .RE .PP loc:192\&.168\&.1\&.1,192\&.168\&.1\&.2 .RS 4 Hosts 192\&.168\&.1\&.1 and 192\&.168\&.1\&.2 in the local zone\&. .RE .PP loc:~00\-A0\-C9\-15\-39\-78 .RS 4 Host in the local zone with MAC address 00:A0:C9:15:39:78\&. .RE .PP net:192\&.0\&.2\&.11\-192\&.0\&.2\&.17 .RS 4 Hosts 192\&.0\&.2\&.11\-192\&.0\&.2\&.17 in the net zone\&. .RE .PP net:!192\&.0\&.2\&.11\-192\&.0\&.2\&.17 .RS 4 All hosts in the net zone except for 192\&.0\&.2\&.11\-192\&.0\&.2\&.17\&. .RE .PP net:155\&.186\&.235\&.0/24!155\&.186\&.235\&.16/28 .RS 4 Subnet 155\&.186\&.235\&.0/24 on the Internet except for 155\&.186\&.235\&.16/28 .RE .PP $FW:&eth0 .RS 4 The primary IP address of eth0 in the firewall zone\&. .RE .PP loc,dmz .RS 4 Both the \fBloc\fR and \fBdmz\fR zones\&. .RE .PP all!dmz .RS 4 All but the \fBdmz\fR zone\&. .RE .PP all+!$FW .RS 4 All but the firewall zone; also applies to intrazone traffic\&. .RE .PP net:^CN .RS 4 China\&. .RE .PP loc:(eth1:1\&.2\&.3\&.4,2\&.3\&.4\&.5),dmz:(eth2:5\&.6\&.7\&.8,9\&.10\&.11\&.12),net .RS 4 Hosts 1\&.2\&.3\&.4 and 2\&.3\&.4\&.5 in the loc zone when the packet arrives through eth1 plus hosts 5\&.6\&.7\&.8 and 9\&.10\&.11\&.12 in the dmz zone when the packet arrives through eth2 plus all of the net zone\&.
.RE .PP dmz:[2002:ce7c:2b4:1::2] .RS 4 Host 2002:ce7c:92b4:1::2 in the DMZ .RE .PP net:2001:4d48:ad51:24::/64 .RS 4 Subnet 2001:4d48:ad51:24::/64 on the Internet .RE .PP loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44] .RS 4 Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local zone\&. .RE .PP loc:~00\-A0\-C9\-15\-39\-78 .RS 4 Host in the local zone with MAC address 00:A0:C9:15:39:78\&. .RE .PP net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80 .RS 4 Subnet 2001:4d48:ad51:24::/64 on the Internet except for 2001:4d48:ad51:24:6::/80\&. .RE .RE .PP \fBDEST \- \fR\fB\fIdest\-spec\fR\fR\fB[,\&.\&.\&.]\fR .RS 4 Destination hosts to which the rule applies\&. .sp \fIdest\-spec\fR is one of the following: .PP \fB\fIzone\fR\fR\fB[,\&.\&.\&.[+]]\fR .RS 4 The name of a zone defined in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. When only the zone name is specified, the packet destination may be any host in that zone\&. .sp zone may also be one of the following: .PP all[+] .RS 4 \fBall\fR, without the "\-" means "All Zones, including the firewall zone"\&. Normally all omits intra\-zone traffic, but intra\-zone traffic can be included specifying "+"\&. .RE .PP any[+] .RS 4 \fBany\fR is equivalent to \fBall\fR when there are no nested zones\&. When there are nested zones, \fBany\fR only refers to top\-level zones (those with no parent zones)\&. Note that \fBany\fR excludes all vserver zones, since those zones are nested within the firewall zone\&. .RE .PP none .RS 4 When \fBnone\fR is used either in the \fBSOURCE\fR or \fBDEST\fR column, the rule is ignored\&. .RE .sp Similar to with \fBall\fR and \fBany\fR, intra\-zone traffic is normally excluded when multiple zones are listed\&. Intra\-zone traffic may be included by following the list with a plus sign ("+")\&. .sp \fBall\fR and \fBany\fR may be followed by an exclamation point ("!") and a comma\-separated list of zone names to be omitted\&. 
.RE .PP \fIzone\fR:[!]\fIinterface\fR .RS 4 When this form is used, \fIinterface\fR must be the name of an interface associated with the named \fIzone\fR in either \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(5) or \m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[12]\d\s+2(5)\&. Only packets to hosts in the \fIzone\fR that are sent through the named interface will match the rule\&. .sp Beginning with Shorewall 5\&.2\&.1, the \fIinterface\fR may be preceded with \*(Aq!\*(Aq which matches all interfaces associated with the zone except the one specified\&. .RE .PP \fIzone\fR:\fIaddress\fR[,\&.\&.\&.] .RS 4 where address can be: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A host or network IP address\&. A network address may be followed by an exclusion (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[11]\d\s+2(5))\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} An address range, specified using the syntax \fIlowaddress\fR\-\fIhighaddress\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} +\fIipset\fR where \fIipset\fR is the name of an ipset and must be preceded by a plus sign ("+")\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} ^\fIcountry\-code\fR where country\-code is a two\-character ISO\-3166 country code preceded by a caret ("^")\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} ^\fIcountry\-code\-list\fR where \fIcountry\-code\-list\fR is a comma\-separated list of up to 15 ISO\-3166 country codes enclosed in square brackets ("[\&.\&.\&.]")\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The primary IP address of a firewall interface can be specified by an ampersand (\*(Aq&\*(Aq) followed by the logical name of the interface as found in the INTERFACE column of \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2 (5)\&.
.RE .RE .PP \fIzone\fR:[!]\fIinterface\fR:\fIaddress\fR[,\&.\&.\&.] .RS 4 This form combines the preceding two and requires that both the outgoing interface and the destination address match\&. .sp Beginning with Shorewall 5\&.2\&.1, the \fIinterface\fR may be preceded with \*(Aq!\*(Aq which matches all interfaces associated with the zone except the one specified\&. .RE .PP \fIzone\fR:\fIexclusion\fR .RS 4 This form matches if the host IP address does not match any of the entries in the exclusion (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[11]\d\s+2(5))\&. .RE .PP \fIzone\fR:[!]\fIinterface\fR:\fIexclusion\fR .RS 4 This form matches packets to the named \fIzone\fR leaving through the specified \fIinterface\fR where the destination address does not match any entry in the \fIexclusion\fR\&. .sp Beginning with Shorewall 5\&.2\&.1, the \fIinterface\fR may be preceded with \*(Aq!\*(Aq which matches all interfaces associated with the zone except the one specified\&. .RE .PP [\fIzone\fR]:[\fIserver\-IP\fR][:\fIport\-or\-port\-range\fR[:random]] .RS 4 This form applies when the ACTION is DNAT[\-] or REDIRECT[\-]\&. The zone may be omitted in REDIRECT rules ($FW is assumed) and must be omitted in DNAT\-, REDIRECT\- and NONAT rules\&. .sp \fIserver\-IP\fR is not allowed in REDIRECT rules and may be omitted in DNAT[\-] rules provided that \fIport\-or\-port\-range\fR is included\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The IP address of the server to which the packet is to be sent\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A range of IP addresses with the low and high address separated by a dash ("\-")\&. Connections are distributed among the IP addresses in the range\&. .RE .sp If \fIserver\-IP \fRis omitted in a DNAT[\-] rule, only the destination port number is modified by the rule\&.
.sp port\-or\-port\-range may be: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} An integer port number in the range 1 \- 65535\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The name of a service from /etc/services\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} A port range with the low and high integer port numbers separated by a dash ("\-")\&. Connections are distributed among the ports in the range\&. .RE .sp If \fBrandom\fR is specified, port mapping will be randomized\&. .RE .sp If the DEST \fIzone\fR is a bport zone, then either: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} the SOURCE must be \fBall[+]\fR, or .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} the SOURCE \fIzone\fR must be another bport zone associated with the same bridge, or .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} the SOURCE \fIzone\fR must be an ipv4 zone that is associated with only the same bridge\&. .RE .sp Beginning with Shorewall 5\&.1\&.0, multiple \fIdest\-spec\fRs may be listed, provided that the extended forms of the dest\-spec are used: \fIzone\fR:(\fIinterface\fR) .sp \fIzone\fR:(\fIaddress\fR[,\&.\&.\&.]) .sp zone:(interface:address[,\&.\&.\&.]) .sp \fIzone\fR:(\fIexclusion\fR) .sp \fIzone\fR:(\fIinterface\fR:\fIexclusion\fR) .sp Multiple \fIdest\-spec\fRs are not permitted in DNAT[\-] and REDIRECT[\-] rules\&. .sp Examples: .PP dmz:192\&.168\&.2\&.2 .RS 4 Host 192\&.168\&.2\&.2 in the DMZ .RE .PP net:155\&.186\&.235\&.0/24 .RS 4 Subnet 155\&.186\&.235\&.0/24 on the Internet .RE .PP loc:192\&.168\&.1\&.1,192\&.168\&.1\&.2 .RS 4 Hosts 192\&.168\&.1\&.1 and 192\&.168\&.1\&.2 in the local zone\&. .RE .PP net:192\&.0\&.2\&.11\-192\&.0\&.2\&.17 .RS 4 Hosts 192\&.0\&.2\&.11\-192\&.0\&.2\&.17 in the net zone\&.
.RE .PP net:!192\&.0\&.2\&.11\-192\&.0\&.2\&.17 .RS 4 All hosts in the net zone except for 192\&.0\&.2\&.11\-192\&.0\&.2\&.17\&. .RE .PP net:155\&.186\&.235\&.0/24!155\&.186\&.235\&.16/28 .RS 4 Subnet 155\&.186\&.235\&.0/24 on the Internet except for 155\&.186\&.235\&.16/28 .RE .PP $FW:&eth0 .RS 4 The primary IP address of eth0 in the firewall zone\&. .RE .PP loc,dmz .RS 4 Both the \fBloc\fR and \fBdmz\fR zones\&. .RE .PP all!dmz .RS 4 All but the \fBdmz\fR zone\&. .RE .PP net:^CN .RS 4 China\&. .RE .PP dmz:192\&.168\&.10\&.4:25 .RS 4 Port 25 on server 192\&.168\&.10\&.4 in the dmz zone (DNAT rule)\&. .RE .PP loc:(eth1:1\&.2\&.3\&.4,2\&.3\&.4\&.5),dmz:(eth2:5\&.6\&.7\&.8,9\&.10\&.11\&.12),net .RS 4 Hosts 1\&.2\&.3\&.4 and 2\&.3\&.4\&.5 in the loc zone when the packet leaves through eth1 plus hosts 5\&.6\&.7\&.8 and 9\&.10\&.11\&.12 in the dmz zone when the packet leaves through eth2 plus all of the net zone\&. .RE .RE .PP \fBPROTO\fR\- {\fB\-\fR|\fBtcp:[!]syn\fR|\fBipp2p\fR|\fBipp2p:udp\fR|\fBipp2p:all\fR|\fIprotocol\-number\fR|\fIprotocol\-name\fR|\fBall}\fR .RS 4 Optional Protocol \- \fBipp2p\fR* requires ipp2p match support in your kernel and iptables\&. \fBtcp:syn\fR implies \fBtcp\fR plus the SYN flag must be set and the RST, ACK and FIN flags must be reset\&. Beginning with Shorewall 5\&.1\&.3, you may also specify \fBtcp:!syn\fR, which matches if SYN is not set or if RST, ACK or FIN is set\&. .sp Beginning with Shorewall 4\&.4\&.19, this column can contain a comma\-separated list of protocol\-numbers and/or protocol names\&. .RE .PP \fBDPORT\fR \- {\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.|+\fIipset\fR} .RS 4 Optional destination Ports\&. A comma\-separated list of Port names (from services(5)), port numbers or port ranges; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&.
ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e\&.g\&., 3/4), or a typename\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&\s-2\u[13]\d\s+2\&. Note that prior to Shorewall 4\&.4\&.19, only a single ICMP type may be listed\&. .sp If the protocol is \fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example \fBbit\fR for bit\-torrent)\&. If no port is given, \fBipp2p\fR is assumed\&. .sp A port range is expressed as \fIlowport\fR:\fIhighport\fR\&. .sp This column is ignored if \fBPROTO\fR = \fBall\fR but must be entered if any of the following columns are supplied\&. In that case, it is suggested that this field contain a dash (\fB\-\fR)\&. .sp If your kernel contains multi\-port match support, then only a single Netfilter rule will be generated if in this list and the \fBSPORT\fR list below: .sp 1\&. There are 15 or less ports listed\&. .sp 2\&. No port ranges are included or your kernel and iptables contain extended multi\-port match support\&. .sp Beginning with Shorewall 4\&.6\&.0, an \fIipset\fR name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&. .sp This column was formerly labelled DEST PORT(S)\&. .RE .PP \fBSPORT\fR \- {\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.|+\fIipset\fR} .RS 4 Optional port(s) used by the client\&. If omitted, any source port is acceptable\&. Specified as a comma\- separated list of port names, port numbers or port ranges\&. .sp Beginning with Shorewall 4\&.5\&.15, you may place \*(Aq=\*(Aq in this column, provided that the DPORT column is non\-empty\&. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DEST PORTS(S)\&. Use of \*(Aq=\*(Aq requires multi\-port match in your iptables and kernel\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br Unless you really understand IP, you should leave this column empty or place a dash (\fB\-\fR) in the column\&. Most people who try to use this column get it wrong\&. .sp .5v .RE If you don\*(Aqt want to restrict client ports but need to specify an \fBORIGDEST\fR in the next column, then place "\-" in this column\&. .sp If your kernel contains multi\-port match support, then only a single Netfilter rule will be generated if in this list and the \fBDPORT\fR list above: .sp 1\&. There are 15 or less ports listed\&. .sp 2\&. No port ranges are included or your kernel and iptables contain extended multi\-port match support\&. .sp Beginning with Shorewall 4\&.6\&.0, an \fIipset\fR name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&. .sp This column was formerly labelled SOURCE PORT(S)\&. .RE .PP \fBORIGDEST\fR \- [\fB\-\fR|\fIaddress\fR[,\fIaddress\fR]\&.\&.\&.[\fIexclusion\fR]|\fIexclusion\fR] .RS 4 Optional\&. If ACTION is \fBDNAT\fR[\fB\-\fR] or \fBREDIRECT\fR[\fB\-\fR] then if this column is included and is different from the IP address given in the \fBDEST\fR column, then connections destined for that address will be forwarded to the IP and port specified in the \fBDEST\fR column\&. .sp A comma\-separated list of addresses may also be used\&. This is most useful with the \fBREDIRECT\fR target where you want to redirect traffic destined for particular set of hosts\&. Finally, if the list of addresses begins with "!" (\fIexclusion\fR) then the rule will be followed only if the original destination address in the connection request does not match any of the addresses listed\&. 
.sp Beginning with Shorewall 4\&.4\&.17, the primary IP address of a firewall interface can be specified by an ampersand (\*(Aq&\*(Aq) followed by the logical name of the interface as found in the INTERFACE column of \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2 (5)\&. .sp For other actions, this column may be included and may contain one or more addresses (host or network) separated by commas\&. Address ranges are not allowed\&. When this column is supplied, rules are generated that require that the original destination address matches one of the listed addresses\&. This feature is most useful when you want to generate a filter rule that corresponds to a \fBDNAT\-\fR or \fBREDIRECT\-\fR rule\&. In this usage, the list of addresses should not begin with "!"\&. .sp It is also possible to specify a set of addresses and then exclude part of those addresses\&. For example, \fB192\&.168\&.1\&.0/24!192\&.168\&.1\&.16/28\fR specifies the addresses 192\&.168\&.1\&.0\-192\&.168\&.1\&.15 and 192\&.168\&.1\&.32\-192\&.168\&.1\&.255\&. See \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. .sp See \m[blue]\fBhttp://www\&.shorewall\&.net/PortKnocking\&.html\fR\m[]\&\s-2\u[14]\d\s+2 for an example of using an entry in this column with a user\-defined action rule\&. .sp This column was formerly labelled ORIGINAL DEST\&.
.RE .PP \fBRATE\fR \- \fIlimit\fR .RS 4 where \fIlimit\fR is one of: .RS 4 [\fB\-\fR|[{\fBs\fR|\fBd\fR}[/\fIvlsm\fR]:[\fIname\fR[(\fIht\-buckets\fR,\fIht\-max\fR)]:]\fIrate\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst\fR] .RE .RS 4 [\fBs\fR[/\fIvlsm1\fR]:][\fIname\fR1[(\fIht\-buckets1\fR,\fIht\-max1\fR)]:]\fIrate1\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst1\fR],[\fBd\fR[/\fIvlsm2\fR:][\fIname\fR2[(\fIht\-buckets2\fR,\fIht\-max2\fR)]:]\fIrate2\fR\fB/\fR{\fBsec\fR|\fBmin\fR|\fBhour\fR|\fBday\fR}[:\fIburst2\fR] .RE You may optionally rate\-limit the rule by placing a value in this column: .sp \fIrate*\fR is the number of connections per interval (\fBsec\fR, \fBmin\fR, \fBhour\fR or \fBday\fR) and \fIburst\fR* is the largest burst permitted\&. If no \fIburst\fR is given, a value of 5 is assumed\&. There may be no white\-space embedded in the specification\&. .sp Example: \fB10/sec:20\fR .sp When \fBs:\fR or \fBd:\fR is specified, the rate applies per source IP address or per destination IP address respectively\&. The \fIname\fRs may be chosen by the user and specify a hash table to be used to count matching connections\&. If not given, the name \fBshorewallN\fR (where N is a unique integer) is assumed\&. Where more than one rule or POLICY specifies the same name, the connection counts for the rules are aggregated and the individual rates apply to the aggregated count\&. Beginning with Shorewall 5\&.2\&.1, the \fBs\fR or \fBd\fR may be followed by a slash ("/") and an integer \fIvlsm\fR\&. When a \fIvlsm\fR is specified, all source or destination addresses encountered will be grouped according to the given prefix length and the so\-created subnet will be subject to the rate limit\&. .sp Example: \fBs/24::10/sec\fR .sp Beginning with Shorewall 4\&.6\&.5, two\fI limit\fRs may be specified, separated by a comma\&.
In this case, the first limit (\fIname1\fR, \fIrate1\fR, burst1) specifies the per\-source IP limit and the second limit specifies the per\-destination IP limit\&. .sp Example: \fBclient:10/sec:20,:60/sec:100\fR .sp In this example, the \*(Aqclient\*(Aq hash table will be used to enforce the per\-source limit and the compiler will pick a unique name for the hash table that tracks the per\-destination limit\&. .sp Beginning with Shorewall 5\&.2\&.1, the table name, if any, may be followed by two integers separated by commas and enclosed in parentheses\&. The first integer (\fIht\-buckets\fR) specifies the number of buckets in the generated hash table\&. The second integer (\fIht\-max\fR) specifies the maximum number of entries in the hash table\&. .sp Example: \fBs:netfw(1024,65536):10/sec\fR .sp This column was formerly labelled RATE LIMIT\&. .RE .PP \fBUSER\fR \- [\fB!\fR][\fIuser\-name\-or\-number\fR][\fB:\fR\fIgroup\-name\-or\-number\fR][,\&.\&.\&.] .RS 4 This optional column may only be non\-empty if the SOURCE is the firewall itself\&. .sp When this column is non\-empty, the rule applies only if the program generating the output is running under the effective \fIuser\fR and/or \fIgroup\fR specified (or is NOT running under that id if "!" is given)\&. .sp Beginning with Shorewall 4\&.5\&.8, multiple user or group names/ids separated by commas may be specified\&. .sp Examples: .PP joe .RS 4 program must be run by joe .RE .PP :kids .RS 4 program must be run by a member of the \*(Aqkids\*(Aq group .RE .PP !:kids .RS 4 program must not be run by a member of the \*(Aqkids\*(Aq group .RE .PP 2001\-2099 .RS 4 UIDs 2001 through 2099 (Shorewall 4\&.5\&.6 and later) .RE .sp This column was formerly labelled USER/GROUP\&. .RE .PP \fBMARK\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR] .RS 4 Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&. 
.sp If you don\*(Aqt want to define a test but need to specify anything in the following columns, place a "\-" in this field\&. .PP ! .RS 4 Inverts the test (not equal) .RE .PP \fIvalue\fR .RS 4 Value of the packet or connection mark\&. .RE .PP \fImask\fR .RS 4 A mask to be applied to the mark before testing\&. .RE .PP \fB:C\fR .RS 4 Designates a connection mark\&. If omitted, the packet mark\*(Aqs value is tested\&. .RE .RE .PP \fBCONNLIMIT\fR \- [d:][\fB!\fR]\fIlimit\fR[:\fImask\fR] .RS 4 May be used to limit the number of simultaneous connections to/from each individual host or network to \fIlimit\fR connections\&. Requires connlimit match in your kernel and iptables\&. While the limit is only checked on rules specifying CONNLIMIT, the number of current connections is calculated over all current connections from the SOURCE or DESTINATION host\&. By default, limiting is done by SOURCE host or net, but if the specification begins with \fBd:\fR, then limiting will be done by destination host or net\&. .sp By default, the limit is applied to each host but can be made to apply to networks of hosts by specifying a \fImask\fR\&. The \fImask\fR specifies the width of a VLSM mask to be applied to the source address; the number of current connections is then taken over all hosts in the subnet \fIsource\-address\fR/\fImask\fR\&. When\fB !\fR is specified, the rule matches when the number of connections exceeds the \fIlimit\fR\&. .RE .PP \fBTIME\fR \- \fItimeelement\fR[&\fItimeelement\fR\&.\&.\&.] .RS 4 May be used to limit the rule to a particular time period each day, to particular days of the week or month, or to a range defined by dates and times\&. Requires time match support in your kernel and iptables\&. .sp \fItimeelement\fR may be: .PP timestart=\fIhh\fR:\fImm\fR[:\fIss\fR] .RS 4 Defines the starting time of day\&. .RE .PP timestop=\fIhh\fR:\fImm\fR[:\fIss\fR] .RS 4 Defines the ending time of day\&. .RE .PP contiguous .RS 4 Added in Shorewall 5\&.0\&.12\&.
When \fBtimestop\fR is smaller than \fBtimestart\fR value, match this as a single time period instead of distinct intervals\&. .RE .PP utc .RS 4 Times are expressed in Greenwich Mean Time\&. .RE .PP localtz .RS 4 Deprecated by the Netfilter team in favor of \fBkerneltz\fR\&. Times are expressed in Local Civil Time (default)\&. .RE .PP kerneltz .RS 4 Added in Shorewall 4\&.5\&.2\&. Times are expressed in Local Kernel Time (requires iptables 1\&.4\&.12 or later)\&. .RE .PP weekdays=ddd[,ddd]\&.\&.\&. .RS 4 where \fIddd\fR is one of \fBMon\fR, \fBTue\fR, \fBWed\fR, \fBThu\fR, \fBFri\fR, \fBSat\fR or \fBSun\fR .RE .PP monthdays=dd[,dd],\&.\&.\&. .RS 4 where \fIdd\fR is an ordinal day of the month .sp .RE .PP datestart=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]] .RS 4 Defines the starting date and time\&. .RE .PP datestop=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]] .RS 4 Defines the ending date and time\&. .RE .RE .PP \fBHEADERS \- [!][any:|exactly:]\fR\fIheader\-list \fR(Optional \- Added in Shorewall 4\&.4\&.15) .RS 4 This column is only used in IPv6\&. In IPv4, supply "\-" in this column if you wish to place a value in one of the following columns\&. .sp The \fIheader\-list\fR consists of a comma\-separated list of headers from the following list\&. .PP \fBauth\fR, \fBah\fR, or \fB51\fR .RS 4 Authentication Headers extension header\&. .RE .PP \fBesp\fR, or \fB50\fR .RS 4 Encrypted Security Payload extension header\&. .RE .PP \fBhop\fR, \fBhop\-by\-hop\fR or \fB0\fR .RS 4 Hop\-by\-hop options extension header\&. .RE .PP \fBroute\fR, \fBipv6\-route\fR or \fB43\fR .RS 4 IPv6 Route extension header\&. .RE .PP \fBfrag\fR, \fBipv6\-frag\fR or \fB44\fR .RS 4 IPv6 fragmentation extension header\&. .RE .PP \fBnone\fR, \fBipv6\-nonxt\fR or \fB59\fR .RS 4 No next header .RE .PP \fBproto\fR, \fBprotocol\fR or \fB255\fR .RS 4 Any protocol header\&. 
.RE .sp If \fBany:\fR is specified, the rule will match if any of the listed headers are present\&. If \fBexactly:\fR is specified, the rule will match packets that exactly include all specified headers\&. If neither is given, \fBany:\fR is assumed\&. .sp If \fB!\fR is entered, the rule will match those packets which would not be matched when \fB!\fR is omitted\&. .RE .PP \fBSWITCH \- [!]\fR\fB\fIswitch\-name\fR\fR\fB[={0|1}]\fR .RS 4 Added in Shorewall 4\&.4\&.24 and allows enabling and disabling the rule without requiring \fBshorewall restart\fR\&. .sp The rule is enabled if the value stored in /proc/net/nf_condition/\fIswitch\-name\fR is 1\&. The rule is disabled if that file contains 0 (the default)\&. If \*(Aq!\*(Aq is supplied, the test is inverted such that the rule is enabled if the file contains 0\&. .sp Within the \fIswitch\-name\fR, \*(Aq@0\*(Aq and \*(Aq@{0}\*(Aq are replaced by the name of the chain to which the rule is added\&. The \fIswitch\-name\fR (after \*(Aq@\&.\&.\&.\*(Aq expansion) must begin with a letter and be composed of letters, decimal digits, underscores or hyphens\&. Switch names must be 30 characters or less in length\&. .sp Switches are normally \fBoff\fR\&. To turn a switch \fBon\fR: .RS 4 \fBecho 1 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE To turn it \fBoff\fR again: .RS 4 \fBecho 0 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE Switch settings are retained over \fBshorewall restart\fR\&. .sp Beginning with Shorewall 4\&.5\&.10, when the \fIswitch\-name\fR is followed by \fB=0\fR or \fB=1\fR, then the switch is initialized to off or on respectively by the \fBstart\fR command\&. Other commands do not affect the switch setting\&. .RE .PP \fBHELPER\fR \- [helper] .RS 4 Added in Shorewall 4\&.5\&.7\&. .sp In the NEW section, causes the named conntrack \fIhelper\fR to be associated with this connection; the contents of this column are ignored unless ACTION is ACCEPT*, DNAT* or REDIRECT*\&. 
.sp In the RELATED section, will only match if the related connection has the named \fIhelper\fR associated with it\&. .sp The \fIhelper\fR may be one of: .RS 4 \fBamanda\fR .RE .RS 4 \fBftp\fR .RE .RS 4 \fBirc\fR .RE .RS 4 \fBnetbios\-ns\fR .RE .RS 4 \fBpptp\fR .RE .RS 4 \fBQ\&.931\fR .RE .RS 4 \fBRAS\fR .RE .RS 4 \fBsane\fR .RE .RS 4 \fBsip\fR .RE .RS 4 \fBsnmp\fR .RE .RS 4 \fBtftp\fR .RE If the HELPERS option is specified in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5), then any module specified in this column must be listed in the HELPERS setting\&. .RE .SH "EXAMPLES" .PP Example 1: .RS 4 Accept SMTP requests from the DMZ to the internet .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT dmz net tcp smtp .fi .if n \{\ .RE .\} .RE .PP Example 2: .RS 4 Forward all ssh and http connection requests from the internet to local system 192\&.168\&.1\&.3 .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192\&.168\&.1\&.3 tcp ssh,http .fi .if n \{\ .RE .\} .RE .PP Example 3: .RS 4 Forward all http connection requests from the internet to local system 192\&.168\&.1\&.3 with a limit of 3 per second and a maximum burst of 10 .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE DNAT net loc:192\&.168\&.1\&.3 tcp http \- \- 3/sec:10 .fi .if n \{\ .RE .\} .RE .PP Example 4: .RS 4 Redirect all locally\-originating www connection requests to port 3128 on the firewall (Squid running on the firewall system) except when the destination address is 192\&.168\&.2\&.2 .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST REDIRECT loc 3128 tcp www \- !192\&.168\&.2\&.2 .fi .if n \{\ .RE .\} .RE .PP Example 5: .RS 4 All http requests from the internet to address 130\&.252\&.100\&.69 are to be forwarded to 192\&.168\&.1\&.3 .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192\&.168\&.1\&.3 tcp 80 \- 130\&.252\&.100\&.69 .fi 
.if n \{\ .RE .\} .RE .PP Example 6: .RS 4 You want to accept SSH connections to your firewall only from internet IP addresses 130\&.252\&.100\&.69 and 130\&.252\&.100\&.70 .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT net:130\&.252\&.100\&.69,130\&.252\&.100\&.70 \e $FW tcp 22 .fi .if n \{\ .RE .\} .RE .PP Example 7: .RS 4 You wish to accept connections from the internet to your firewall on port 2222 and you want to forward them to local system 192\&.168\&.1\&.3, port 22 .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192\&.168\&.1\&.3:22 tcp 2222 .fi .if n \{\ .RE .\} .RE .PP Example 8: .RS 4 You want to redirect connection requests to port 80 randomly to the port range 81\-90\&. .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST REDIRECT net $FW::81\-90:random tcp www .fi .if n \{\ .RE .\} .RE .PP Example 9: .RS 4 Shorewall does not impose as much structure on the Netfilter rules in the \*(Aqnat\*(Aq table as it does on those in the filter table\&. As a consequence, when using Shorewall versions before 4\&.1\&.4, care must be exercised when using DNAT and REDIRECT rules with zones defined with wildcard interfaces (those ending with \*(Aq+\*(Aq)\&. 
Here is an example: .sp \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[4]\d\s+2(5): .sp .if n \{\ .RS 4 .\} .nf #ZONE TYPE OPTIONS fw firewall net ipv4 dmz ipv4 loc ipv4 .fi .if n \{\ .RE .\} .sp \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(5): .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE BROADCAST OPTIONS net ppp0 loc eth1 detect dmz eth2 detect \- ppp+ # Addresses are assigned from 192\&.168\&.3\&.0/24 .fi .if n \{\ .RE .\} .sp \m[blue]\fBshorewall\-host\fR\m[]\&\s-2\u[12]\d\s+2(5): .sp .if n \{\ .RS 4 .\} .nf #ZONE HOST(S) OPTIONS loc ppp+:192\&.168\&.3\&.0/24 .fi .if n \{\ .RE .\} .sp rules: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT REDIRECT loc 3128 tcp 80 .fi .if n \{\ .RE .\} .sp Note that it would have been tempting to simply define the loc zone entirely in shorewall\-interfaces(8): .sp .if n \{\ .RS 4 .\} .nf #******************* INCORRECT ***************** #ZONE INTERFACE BROADCAST OPTIONS net ppp0 loc eth1 detect loc ppp+ dmz eth2 .fi .if n \{\ .RE .\} .sp This would have made it impossible to run an internet\-accessible web server in the DMZ because all traffic entering ppp+ interfaces would have been redirected to port 3128 on the firewall and there would have been no net\->fw ACCEPT rule for that traffic\&. .RE .PP Example 10: .RS 4 Add the tuple (source IP, dest port, dest IP) of an incoming SSH connection to the ipset S: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT ADD(+S:dst,src,dst) net fw tcp 22 .fi .if n \{\ .RE .\} .RE .PP Example 11: .RS 4 You wish to limit SSH connections from remote systems to 1/min with a burst of three (to allow for limited retry): .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE SSH(ACCEPT) net all \- \- \- \- s:1/min:3 .fi .if n \{\ .RE .\} .RE .PP Example 12: .RS 4 Forward port 80 to dmz host $BACKUP if switch \*(Aqprimary_down\*(Aq is on\&. 
.sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH DNAT net dmz:$BACKUP tcp 80 \- \- \- \- \- \- \- \- primary_down .fi .if n \{\ .RE .\} .RE .PP Example 13: .RS 4 Drop all email from the \fIAnonymous Proxy\fR and \fISatellite Provider\fR address ranges: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT DROP net:^A1,A2 fw tcp 25 .fi .if n \{\ .RE .\} .RE .PP Example 14: .RS 4 You want to generate your own rule involving iptables targets and matches not supported by Shorewall\&. .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT INLINE $FW net ; \-p 6 \-m mickey\-mouse \-\-name test \-m set \-\-match\-set set1 src \-m mickey\-mouse \-\-name test2 \-j SECCTX \-\-name test3 .fi .if n \{\ .RE .\} .sp The above will generate the following iptables\-restore input: .sp .if n \{\ .RS 4 .\} .nf \-A fw2net \-p 6 \-m mickey\-mouse \-\-name test \-m set \-\-match\-set set1 src \-m mickey\-mouse \-\-name test2 \-j SECCTX \-\-name test3 .fi .if n \{\ .RE .\} .sp Note that SECCTX must be defined as a builtin action in \m[blue]\fBshorewall\-actions\fR\m[]\&\s-2\u[3]\d\s+2(5): .sp .if n \{\ .RS 4 .\} .nf #ACTION OPTIONS SECCTX builtin .fi .if n \{\ .RE .\} .RE .PP Example 15: .RS 4 You want to accept SSH connections to your firewall only from internet IP addresses 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22 .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \e $FW tcp 22 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/rules .PP /etc/shorewall6/rules .SH "SEE ALSO" .PP \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[8]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/ipsets\&.html\fR\m[]\&\s-2\u[15]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[16]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 
4 shorewall-policy .RS 4 \%http://www.shorewall.org/manpages/shorewall-policy.html .RE .IP " 2." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 3." 4 shorewall-actions .RS 4 \%http://www.shorewall.org/manpages/shorewall-actions.html .RE .IP " 4." 4 shorewall-zones .RS 4 \%http://www.shorewall.org/manpages/shorewall-zones.html .RE .IP " 5." 4 shorewall-nesting .RS 4 \%http://www.shorewall.org/manpages/shorewall-nesting.html .RE .IP " 6." 4 shorewall-actions .RS 4 \%http://www.shorewall.org/manpages6/shorewall6-actions.html .RE .IP " 7." 4 http://www.shorewall.net/shorewall_logging.html .RS 4 \%http://www.shorewall.org/shorewall_logging.html .RE .IP " 8." 4 shorewall-logging(5) .RS 4 \%http://www.shorewall.orgshorewall-logging.html .RE .IP " 9." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP "10." 4 shorewall-hosts .RS 4 \%http://www.shorewall.org/manpages/shorewall.hosts.html .RE .IP "11." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP "12." 4 shorewall-hosts .RS 4 \%http://www.shorewall.org/manpages/shorewall-hosts.html .RE .IP "13." 4 http://www.shorewall.net/configuration_file_basics.htm#ICMP .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#ICMP .RE .IP "14." 4 http://www.shorewall.net/PortKnocking.html .RS 4 \%http://www.shorewall.org/PortKnocking.html .RE .IP "15." 4 http://www.shorewall.net/ipsets.html .RS 4 \%http://www.shorewall.org/ipsets.html .RE .IP "16." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-logging.50000664000000000000000000003156413453771260017711 0ustar rootroot'\" t .\" Title: shorewall-logging .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-LOGGING" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" logging \- Shorewall logging .SH "SYNOPSIS" .HP \w'\fB\fIaction\fR\fR\fB:\fR\fB\fIlevel\fR\fR\ 'u \fB\fIaction\fR\fR\fB:\fR\fB\fIlevel\fR\fR .HP \w'\fBNFLOG(\fR\fB\fInflog\-parameters\fR\fR\fB)\fR\ 'u \fBNFLOG(\fR\fB\fInflog\-parameters\fR\fR\fB)\fR .HP \w'\fBULOG(\fR\fB\fIulog\-parameters\fR\fR\fB)\fR\ 'u \fBULOG(\fR\fB\fIulog\-parameters\fR\fR\fB)\fR .SH "DESCRIPTION" .PP The disposition of packets entering a Shorewall firewall is determined by one of a number of Shorewall facilities\&. 
Only some of these facilities permit logging\&. .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} The packet is part of an established connection\&. While the packet can be logged using LOG rules in the ESTABLISHED section of \m[blue]\fB/etc/shorewall/rules\fR\m[]\&\s-2\u[1]\d\s+2, that is not recommended because of the large amount of information that may be logged\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} The packet represents a connection request that is related to an established connection (such as a \m[blue]\fBdata connection associated with an FTP control connection\fR\m[]\&\s-2\u[2]\d\s+2)\&. These packets may be logged using LOG rules in the RELATED section of \m[blue]\fBshorewall\-rules(5)\fR\m[]\&\s-2\u[1]\d\s+2\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} The packet is rejected because of an option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[3]\d\s+2(5) or \m[blue]\fBshorewall\-interfaces(5)\fR\m[]\&\s-2\u[4]\d\s+2\&. These packets can be logged by setting the appropriate logging\-related option in \m[blue]\fB/etc/shorewall/shorewall\&.conf\fR\m[]\&\s-2\u[3]\d\s+2\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 4.\h'+01'\c .\} .el \{\ .sp -1 .IP " 4." 4.2 .\} The packet matches a rule in \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. By including a syslog level (see below) in the ACTION column of a rule (e\&.g\&., \(lqACCEPT\fB:info\fR net $FW tcp 22\(rq), the connection attempt will be logged at that level\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 5.\h'+01'\c .\} .el \{\ .sp -1 .IP " 5." 4.2 .\} The packet doesn\*(Aqt match a rule so it is handled by a policy defined in \m[blue]\fBshorewall\-policy(5)\fR\m[]\&\s-2\u[5]\d\s+2\&. These may be logged by specifying a syslog level in the LOG LEVEL column of the policy\*(Aqs entry (e\&.g\&., \(lqloc net ACCEPT \fBinfo\fR\(rq)\&. 
.RE .SH "DEFAULT LOGGING" .PP By default, Shorewall directs Netfilter to log using syslog (8)\&. Syslog classifies log messages by a \fIfacility\fR and a \fIpriority\fR (using the notation \fIfacility\&.priority\fR)\&. .PP The facilities defined by syslog are \fIauth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp\fR and \fIlocal0\fR through \fIlocal7\&.\fR .PP Throughout the Shorewall documentation, the term \fIlevel\fR rather than \fIpriority is used, \fRsince \fIlevel\fR is the term used by Netfilter\&. The syslog documentation uses the term \fIpriority\fR\&. .SH "SYSLOG LEVELS" .PP Syslog levels are a method of describing to syslog (8) the importance of a message\&. A number of Shorewall parameters have a syslog level as their value\&. .PP Valid levels are: .RS 4 7 \- \fBdebug\fR (Debug\-level messages) .RE .RS 4 6 \- \fBinfo\fR (Informational) .RE .RS 4 5 \- \fBnotice\fR (Normal but significant Condition) .RE .RS 4 4 \- \fBwarning\fR (Warning Condition) .RE .RS 4 3 \- \fBerr\fR (Error Condition) .RE .RS 4 2 \- \fBcrit\fR (Critical Conditions) .RE .RS 4 1 \- \fBalert\fR (must be handled immediately) .RE .RS 4 0 \- \fBemerg\fR (System is unusable) .RE .PP For most Shorewall logging, a level of 6 (info) is appropriate\&. Shorewall log messages are generated by Netfilter and are logged using the \fIkern\fR facility and the level that you specify\&. If you are unsure of the level to choose, 6 (info) is a safe bet\&. You may specify levels by name or by number\&. .PP Beginning with Shorewall 4\&.5\&.5, the \fIlevel\fR name or number may be optionally followed by a comma\-separated list of one or more\fI log options\fR\&. The list is enclosed in parentheses\&. Log options cause additional information to be included in each log message\&. .PP Valid log options are: .PP \fBip_options\fR .RS 4 Log messages will include the option settings from the IP header\&. .RE .PP \fBmacdecode\fR .RS 4 Decode the MAC address and protocol\&. 
.RE .PP \fBtcp_sequence\fR .RS 4 Include TCP sequence numbers\&. .RE .PP \fBtcp_options\fR .RS 4 Include options from the TCP header\&. .RE .PP \fBuid\fR .RS 4 Include the UID of the sending program; only valid for packets originating on the firewall itself\&. .RE .PP Example: \fBinfo(tcp_options,tcp_sequence)\fR .PP Syslogd writes log messages to files (typically in /var/log/*) based on their facility and level\&. The mapping of these facility/level pairs to log files is done in /etc/syslog\&.conf (5)\&. If you make changes to this file, you must restart syslogd before the changes can take effect\&. .PP Syslog may also write to your system console\&. See \m[blue]\fBShorewall FAQ 16\fR\m[]\&\s-2\u[6]\d\s+2 for ways to avoid having Shorewall messages written to the console\&. .SH "CONFIGURING A SEPARATE LOG FOR SHOREWALL MESSAGES (ULOGD)" .PP There are a couple of limitations to syslogd\-based logging: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} If you give, for example, kern\&.info its own log destination then that destination will also receive all kernel messages of levels 5 (notice) through 0 (emerg)\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} All kernel\&.info messages will go to that destination and not just those from Netfilter\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} Netfilter (Shorewall) messages show up in \fBdmesg\fR\&. .RE .PP If your kernel has NFLOG target support (and most vendor\-supplied kernels do), you may also specify a log level of NFLOG (must be all caps)\&. When NFLOG is used, Shorewall will direct Netfilter to log the related messages via the NFLOG target which will send them to a process called \(lqulogd\(rq\&. The ulogd program is included in most distributions\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .PP The NFLOG logging mechanism is \fIcompletely separate\fR from syslog\&. Once you switch to NFLOG, the settings in /etc/syslog\&.conf have absolutely no effect on your Shorewall logging (except for Shorewall status messages which still go to syslog)\&. .sp .5v .RE .PP You will need to change all instances of log levels (usually \(lqinfo\(rq) in your Shorewall configuration files to \(lqNFLOG\(rq \- this includes entries in the policy, rules and shorewall\&.conf files\&. If you initially installed using Shorewall 5\&.1\&.2 or later, you can simply change the setting of LOG_LEVEL in shorewall\&.conf\&. .SH "UNDERSTANDING THE CONTENTS OF SHOREWALL LOG MESSAGES" .PP For general information on the contents of Netfilter log messages, see \m[blue]\fBhttp://logi\&.cc/en/2010/07/netfilter\-log\-format/\fR\m[]\&. .PP For Shorewall\-specific information, see \m[blue]\fBFAQ #17\fR\m[]\&\s-2\u[7]\d\s+2\&. .SH "CUSTOMIZING THE CONTENT OF SHOREWALL LOG MESSAGES" .PP In a Shorewall logging rule, the log level can be followed by a log tag as in "DROP:NFLOG:junk"\&. The generated log message will include "\fIchain\-name\fR junk DROP"\&. .PP By setting the LOGTAGONLY option to Yes in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[8]\d\s+2 or \m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[9]\d\s+2, the disposition (\*(AqDROP\*(Aq in the above example) will be omitted\&. Consider the following rule: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO REJECT(icmp\-proto\-unreachable):notice:IPv6 loc net 41 # who\*(Aqs using IPv6 tunneling .fi .if n \{\ .RE .\} .PP This rule generates the following warning at compile time: .RS 4 WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp\-p " /etc/shorewall/rules (line 212) .RE .PP and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp\-p "\&. 
.PP Now consider this similar rule: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO REJECT(icmp\-proto\-unreachable):notice:IPv6,tunneling loc net 41 # who\*(Aqs using IPv6 tunneling .fi .if n \{\ .RE .\} .PP With LOGTAGONLY=Yes, no warning is generated and the prefix becomes "Shorewall:IPv6:tunneling:" .PP See the \m[blue]\fBshorewall[6]\&.conf man page\fR\m[]\&\s-2\u[10]\d\s+2 for further information about how LOGTAGONLY=Yes can be used\&. .SH "LOG BACKENDS" .PP Netfilter logging allows configuration of multiple backends\&. Logging backends provide the low\-level forwarding of log messages\&. There are currently three backends: .PP LOG (ipt_LOG and ip6t_LOG)\&. .RS 4 Normal kernel\-based logging to a syslog daemon\&. .RE .PP ULOG (ipt_ULOG) .RS 4 ULOG logging as described above\&. Only available for IPv4\&. .RE .PP netlink (nfnetlink_log) .RS 4 The logging backend behind NFLOG, defined above\&. .RE .PP The currently\-available and currently\-selected IPv4 and IPv6 backends are shown in /proc/sys/net/netfilter/nf_log: .sp .if n \{\ .RS 4 .\} .nf cat /proc/net/netfilter/nf_log 0 NONE (nfnetlink_log) 1 NONE (nfnetlink_log) 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log) 3 NONE (nfnetlink_log) 4 NONE (nfnetlink_log) 5 NONE (nfnetlink_log) 6 NONE (nfnetlink_log) 7 NONE (nfnetlink_log) 8 NONE (nfnetlink_log) 9 NONE (nfnetlink_log) 10 ip6t_LOG (ip6t_LOG,nfnetlink_log) 11 NONE (nfnetlink_log) 12 NONE (nfnetlink_log) .fi .if n \{\ .RE .\} .PP The magic numbers (0\-12) are Linux address family numbers (AF_INET is 2 and AF_INET6 is 10)\&. .PP The name immediately following the number is the currently\-selected backend, and the ones in parentheses are the ones that are available\&. You can change the currently selected backend by echoing its name into /proc/net/netfilter/nf_log\&.\fInumber\fR\&. 
.PP Example \- change the IPv4 backend to LOG: .sp .if n \{\ .RS 4 .\} .nf sysctl net\&.netfilter\&.nf_log\&.2=ipt_LOG .fi .if n \{\ .RE .\} .PP Beginning with Shorewall 4\&.6\&.4, you can configure the backend using the LOG_BACKEND option in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[3]\d\s+2 and \m[blue]\fBshorewall6\&.conf(5)\fR\m[]\&\s-2\u[11]\d\s+2\&. .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/shorewall_logging\&.html\fR\m[]\&\s-2\u[12]\d\s+2 .SH "NOTES" .IP " 1." 4 /etc/shorewall/rules .RS 4 \%http://www.shorewall.orgmanpages/shorewall-rules.html .RE .IP " 2." 4 data connection associated with an FTP control connection .RS 4 \%http://www.shorewall.orgFTP.html .RE .IP " 3." 4 shorewall.conf .RS 4 \%http://www.shorewall.orgmanpages/shorewall.conf.html .RE .IP " 4." 4 shorewall-interfaces(5) .RS 4 \%http://www.shorewall.orgmanpages/shorewall-interfaces.html .RE .IP " 5." 4 shorewall-policy(5) .RS 4 \%http://www.shorewall.orgmanpages/shorewall-policy.html .RE .IP " 6." 4 Shorewall FAQ 16 .RS 4 \%http://www.shorewall.orgFAQ.htm#faq16 .RE .IP " 7." 4 FAQ #17 .RS 4 \%http://www.shorewall.org/FAQ.htm#faq17 .RE .IP " 8." 4 shorewall.conf(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 9." 4 shorewall6.conf(5) .RS 4 \%http://www.shorewall.org/manpages6/shorewall6.conf.html .RE .IP "10." 4 shorewall[6].conf man page .RS 4 \%http://www.shorewall.orgshorewall.conf.html .RE .IP "11." 4 shorewall6.conf(5) .RS 4 \%http://www.shorewall.orgmanpages6/shorewall6.conf.html .RE .IP "12." 
4 http://www.shorewall.net/shorewall_logging.html .RS 4 \%http://www.shorewall.org/shorewall_logging.htm .RE shorewall-5.2.3.4/manpages/shorewall-tcclasses.50000664000000000000000000005156213453771306020250 0ustar rootroot'\" t .\" Title: shorewall-tcclasses .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-TCCLASSES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" tcclasses \- Shorewall file to define HTB and HFSC classes .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/tcclasses\fR\ 'u \fB/etc/shorewall[6]/tcclasses\fR .SH "DESCRIPTION" .PP A note on the \fIrate\fR/bandwidth definitions used in this file: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} don\*(Aqt use a space between the integer value and the unit: 30kbit is valid while 30 kbit is NOT\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} you can use one of the following units: .PP \fBkbps\fR .RS 4 Kilobytes per second\&. .RE .PP \fBmbps\fR .RS 4 Megabytes per second\&. .RE .PP \fBkbit\fR .RS 4 Kilobits per second\&. .RE .PP \fBmbit\fR .RS 4 Megabits per second\&. .RE .PP \fBbps\fR or \fBnumber\fR .RS 4 Bytes per second\&. .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} if you want the values to be calculated for you depending on the output bandwidth setting defined for an interface in tcdevices, you can use expressions like the following: .PP full/3 .RS 4 causes the bandwidth to be calculated as 1/3 of the full outgoing speed that is defined\&. .RE .PP full*9/10 .RS 4 will set this bandwidth to 9/10 of the full bandwidth .RE .sp Note that in a sub\-class (a class that has a specified parent class), full refers to the RATE or CEIL of the parent class rather than to the OUT\-BANDWIDTH of the device\&. .sp DO NOT add a unit to the rate if it is calculated ! .RE .PP The columns in the file are as follows\&. .PP \fBINTERFACE\fR \- \fIinterface\fR[[:\fIparent\fR]:\fIclass\fR] .RS 4 Name of \fIinterface\fR\&. .sp You may specify the interface number rather than the interface name\&. If the \fBclassify\fR option is given for the interface in \m[blue]\fBshorewall\-tcdevices\fR\m[]\&\s-2\u[1]\d\s+2(5), then you must also specify an interface class (an integer that must be unique within classes associated with this interface)\&. If the classify option is not given, you may still specify a \fIclass\fR or you may have Shorewall generate a class number from the MARK value\&. Interface numbers and class numbers are always assumed to be specified in hex and class number 1 is reserved as the root class of the queuing discipline\&. .sp You may NOT specify wildcards here, e\&.g\&. if you have multiple ppp interfaces, you need to put them all in here! 
.sp Please note that you can only use interface names in here that have a bandwidth defined in the \m[blue]\fBshorewall\-tcdevices\fR\m[]\&\s-2\u[1]\d\s+2(5) file\&. .sp Normally, all classes defined here are sub\-classes of a root class that is implicitly defined from the entry in \m[blue]\fBshorewall\-tcdevices\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. You can establish a class hierarchy by specifying a \fIparent\fR class \-\- the number of a class that you have previously defined\&. The sub\-class may borrow unused bandwidth from its parent\&. .RE .PP \fBMARK\fR \- {\-|\fIvalue\fR[:\fIpriority\fR]} .RS 4 The mark \fIvalue\fR which is an integer in the range 1\-255\&. You set mark values in the \m[blue]\fBshorewall\-mangle\fR\m[]\&\s-2\u[2]\d\s+2(5) file, marking the traffic you want to fit in the classes defined in here\&. You can use the same marks for different interfaces\&. .sp The \fIpriority\fR, if specified, is an integer in the range 1\-65535 and determines the relative order in which the tc mark classification filter for this class is to be applied to packets being sent on the \fIinterface\fR\&. Filters are applied in ascending numerical order\&. If not supplied, the value is derived from the class priority (PRIORITY column value below): (\fIclass priority\fR << 8) | 20\&. .RE .PP \fBRATE\fR \- {\-|\fIrate\fR[:\fIdmax\fR[:\fIumax\fR]]} .RS 4 The minimum bandwidth this class should get, when the traffic load rises\&. If the sum of the rates in this column exceeds the INTERFACE\*(Aqs OUT\-BANDWIDTH, then the OUT\-BANDWIDTH limit may not be honored\&. Similarly, if the sum of the rates of sub\-classes of a class exceed the CEIL of the parent class, things don\*(Aqt work well\&. .sp When using the HFSC queuing discipline, this column specifies the real\-time (RT) service curve\&. Leaf classes may specify \fIdmax\fR, the maximum delay in milliseconds that the first queued packet for this class should experience\&. 
May be expressed as an integer, optionally followed by \*(Aqms\*(Aq with no intervening white\-space (e\&.g\&., 10ms)\&. .sp HFSC leaf classes may also specify \fIumax\fR, the largest packet expected in this class\&. May be expressed as an integer\&. The unit of measure is \fIbytes\fR and the integer may be optionally followed by \*(Aqb\*(Aq with no intervening white\-space (e\&.g\&., 800b)\&. \fIumax\fR may only be given if \fIdmax\fR is also given\&. .sp Beginning with Shorewall 4\&.5\&.6, HFSC classes may omit this column (e\&.g, \*(Aq\-\*(Aq in the column), provided that an \fIlsrate\fR is specified (see CEIL below)\&. These rates are used to arbitrate between classes of the same priority\&. .RE .PP \fBCEIL\fR \- [\fIlsrate\fR:]\fIrate\fR .RS 4 The maximum bandwidth this class is allowed to use when the link is idle\&. Useful if you have traffic which can get full speed when more needed services (e\&.g\&. ssh) are not used\&. .sp You can use the value \fBfull\fR in here for setting the maximum bandwidth to the RATE of the parent class, or the OUT\-BANDWIDTH of the device if there is no parent class\&. .sp Beginning with Shorewall 4\&.5\&.6, you can also specify an \fIlsrate\fR (link sharing rate)\&. .RE .PP \fBPRIORITY\fR \- \fIpriority\fR .RS 4 For HTB: The \fIpriority\fR in which classes will be serviced by the packet shaping scheduler and also the priority in which bandwidth in excess of the rate will be given to each class\&. .sp Higher priority classes will experience less delay since they are serviced first\&. Priority values are serviced in ascending order (e\&.g\&. 0 is higher priority than 1)\&. .sp Classes may be set to the same priority, in which case they will be serviced as equals\&. 
For both HTB and HFSC, the \fIpriority\fR is used to calculate the priority of the following Shorewall\-generated classification filters that refer to the class: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Packet MARK .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBtcp\-ack\fR and the \fBtos\fR options (see below) .RE .sp The rules for classes with lower numeric priorities will appear before those with higher numeric priorities\&. .sp Beginning with Shorewall 4\&.5\&.8, the PRIORITY may be omitted from an HFSC class if you do not use the MARK column or the \fBtcp\-ack\fR or \fBtos\fR options\&. If you use any of those features and omit the PRIORITY, then you must specify a \fIpriority\fR along with the MARK or option\&. .RE .PP \fBOPTIONS\fR (Optional) \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.] .RS 4 A comma\-separated list of options including the following: .PP \fBdefault\fR .RS 4 This is the default class for that interface where all traffic should go, that is not classified otherwise\&. .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br You must define \fBdefault\fR for exactly one class per interface\&. .sp .5v .RE .RE .PP \fBtos=0x\fR\fIvalue\fR[/0x\fImask\fR][:\fIpriority\fR] (mask defaults to 0xff) .RS 4 This lets you define a classifier for the given \fIvalue\fR/\fImask\fR combination of the IP packet\*(Aqs TOS/Precedence/DiffSrv octet (aka the TOS byte)\&. .sp Beginning with Shorewall 4\&.5\&.8, the \fIvalue/mask\fR may be followed by a colon (":") and a \fIpriority\fR\&. This priority determines the order in which filter rules are processed during packet classification\&. If not specified, the value ((\fIclass priority\fR << 8) | 15) is used\&. .RE .PP \fBtos\-\fR\fItosname\fR[:\fIpriority\fR] .RS 4 Aliases for the following TOS octet value and mask encodings\&. 
TOS encodings of the "TOS byte" have been deprecated in favor of diffserve classes, but programs like ssh, rlogin, and ftp still use them\&. .sp Beginning with Shorewall 4\&.5\&.8, the \fItos\-name\fR may be followed by a colon (":") and a \fIpriority\fR\&. This priority determines the order in which filter rules are processed during packet classification\&. If not specified, the value ((\fIclass priority\fR << 8) | 15) is used\&. .sp .if n \{\ .RS 4 .\} .nf \fBtos\-minimize\-delay\fR 0x10/0x10 \fBtos\-maximize\-throughput\fR 0x08/0x08 \fBtos\-maximize\-reliability\fR 0x04/0x04 \fBtos\-minimize\-cost\fR 0x02/0x02 \fBtos\-normal\-service\fR 0x00/0x1e .fi .if n \{\ .RE .\} .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br Each of these options is only valid for ONE class per interface\&. .sp .5v .RE .RE .PP \fBtcp\-ack[:\fR\fB\fIpriority\fR\fR\fB]\fR .RS 4 If defined, causes a tc filter to be created that puts all tcp ack packets on that interface that have a size of <=64 Bytes to go in this class\&. This is useful for speeding up downloads\&. Please note that the size of the ack packets is limited to 64 bytes because we want only packets WITHOUT payload to match\&. .sp Beginning with Shorewall 4\&.5\&.8, the \fBtcp\-ack\fR may be followed by a colon (":") and a \fIpriority\fR\&. This priority determines the order in which filter rules are processed during packet classification\&. If not specified, the value ((\fIclass priority\fR << 8) | 10) is used\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br This option is only valid for ONE class per interface\&. .sp .5v .RE .RE .PP \fBoccurs\fR=\fInumber\fR .RS 4 Typically used with an IPMARK entry in tcrules\&. Causes the rule to be replicated for a total of \fInumber\fR rules\&. Each rule has a successive class number and mark value\&. 
.sp When \*(Aqoccurs\*(Aq is used: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The associated device may not have the \*(Aqclassify\*(Aq option\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The class may not be the default class\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The class may not have any \*(Aqtos=\*(Aq options (including \*(Aqtcp\-ack\*(Aq)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The class should not specify a MARK value\&. If one is specified, it will be ignored with a warning message\&. .RE .sp The \*(AqRATE\*(Aq and \*(AqCEIL\*(Aq parameters apply to each instance of the class\&. So the total RATE represented by an entry with \*(Aqoccurs\*(Aq will be the listed RATE multiplied by \fInumber\fR\&. For additional information, see \m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[3]\d\s+2 (5)\&. .RE .PP flow=\fIkeys\fR .RS 4 Shorewall attaches an SFQ queuing discipline to each leaf HTB class\&. SFQ ensures that each flow gets equal access to the interface\&. The default definition of a flow corresponds roughly to a Netfilter connection\&. So if one internal system is running BitTorrent, for example, it can have lots of \*(Aqflows\*(Aq and can thus take up a larger share of the bandwidth than a system having only a single active connection\&. The \fBflow\fR classifier (module cls_flow) works around this by letting you define what a \*(Aqflow\*(Aq is\&. The classifier must be used carefully or it can block off all traffic on an interface! The flow option can be specified for an HTB leaf class (one that has no sub\-classes)\&. We recommend that you use the following: .RS 4 Shaping internet\-bound traffic: flow=nfct\-src .RE .RS 4 Shaping traffic bound for your local net: flow=dst .RE These will cause a \*(Aqflow\*(Aq to consist of the traffic to/from each internal system\&. 
.sp When more than one key is given, they must be enclosed in parentheses and separated by commas\&. .sp To see a list of the possible flow keys, run this command: \fBtc filter add flow help\fR Those that begin with "nfct\-" are Netfilter connection tracking fields\&. As shown above, we recommend flow=nfct\-src; that means that we want to use the source IP address \fIbefore NAT\fR as the key\&. .RE .PP pfifo .RS 4 When specified for a leaf class, the pfifo queuing discipline is applied to the class rather than the sfq queuing discipline\&. .RE .PP limit=\fInumber\fR .RS 4 Added in Shorewall 4\&.4\&.3\&. When specified for a leaf class, determines the maximum number of packets that may be queued within the class\&. The \fInumber\fR must be > 2 and <=128\&. If not specified, the value 127 is assumed\&. .RE .PP red=(\fIredoption\fR=\fIvalue\fR, \&.\&.\&.) .RS 4 Added in Shorewall 4\&.5\&.6\&. When specified on a leaf class, causes the class to use the RED (Random Early Detection) queuing discipline rather than SFQ\&. See tc\-red (8) for additional information\&. .sp Allowable \fIredoptions\fR are: .PP min \fImin\fR .RS 4 Average queue size at which marking becomes a possibility\&. .RE .PP max \fImax\fR .RS 4 At this average queue size, the marking probability is maximal\&. Must be at least twice \fImin\fR to prevent synchronous retransmits, higher for low \fImin\fR\&. .RE .PP probability \fIprobability\fR .RS 4 Maximum probability for marking, specified as a floating point number from 0\&.0 to 1\&.0\&. Suggested values are 0\&.01 or 0\&.02 (1 or 2%, respectively)\&. .RE .PP limit \fIlimit\fR .RS 4 Hard limit on the real (not average) queue size in bytes\&. Further packets are dropped\&. Should be set higher than \fImax\fR+\fIburst\fR\&. It is advised to set this a few times higher than \fImax\fR\&. Shorewall requires that \fIlimit\fR be at least twice \fImin\fR\&. 
.RE .PP burst \fIburst\fR .RS 4 Used for determining how fast the average queue size is influenced by the real queue size\&. Larger values make the calculation more sluggish, allowing longer bursts of traffic before marking starts\&. Real life experiments support the following guide\(hyline: (\fImin\fR+\fImin\fR+\fImax\fR)/(3*\fIavpkt\fR)\&. .RE .PP avpkt \fIavpkt\fR .RS 4 Optional\&. Specified in bytes\&. Used with burst to determine the time constant for average queue size calculations\&. 1000 is a good value and is the Shorewall default\&. .RE .PP bandwidth \fIbandwidth\fR .RS 4 Optional\&. This rate is used for calculating the average queue size after some idle time\&. Should be set to the bandwidth of your interface\&. Does not mean that RED will shape for you! .RE .PP ecn .RS 4 RED can either \*(Aqmark\*(Aq or \*(Aqdrop\*(Aq\&. Explicit Congestion Notification allows RED to notify remote hosts that their rate exceeds the amount of bandwidth available\&. Non\-ECN capable hosts can only be notified by dropping a packet\&. If this parameter is specified, packets which indicate that their hosts honor ECN will only be marked and not dropped, unless the queue size hits \fIlimit\fR bytes\&. Recommended\&. .RE .RE .PP fq_codel[=(\fIcodeloption\fR=\fIvalue\fR, \&.\&.\&.)] .RS 4 Added in Shorewall 4\&.5\&.12\&. When specified for a leaf class, causes the class to use the FQ_CODEL (Fair\-queuing Controlled Delay) queuing discipline rather than SFQ\&. See tc\-fq_codel (8) for additional information\&. .sp Allowable \fIcodeloptions\fR are: .PP limit .RS 4 hard limit on the real queue size\&. When this limit is reached, incoming packets are dropped\&. If the value is lowered, packets are dropped so that the new limit is met\&. Default is 1000 packets\&. .RE .PP flows .RS 4 is the number of flows into which the incoming packets are classified\&. Due to the stochastic nature of hashing, multiple flows may end up being hashed into the same slot\&. 
Newer flows have priority over older ones\&. This parameter can be set only at load time since memory has to be allocated for the hash table\&. Default value is 1024\&. .RE .PP target .RS 4 is the acceptable minimum standing/persistent queue delay\&. This minimum delay is identified by tracking the local minimum queue delay that packets experience\&. Default and recommended value is 5ms\&. .RE .PP interval .RS 4 is used to ensure that the measured minimum delay does not become too stale\&. The minimum delay must be experienced in the last epoch of length interval\&. It should be set on the order of the worst\-case RTT through the bottleneck to give endpoints sufficient time to react\&. Default value is 100ms\&. .RE .PP quantum .RS 4 is the number of bytes used as \*(Aqdeficit\*(Aq in the fair queuing algorithm\&. Default is set to 1514 bytes which corresponds to the Ethernet MTU plus the hardware header length of 14 bytes\&. .RE .PP ecn | noecn .RS 4 can be used to mark packets instead of dropping them\&. If ecn has been enabled, noecn can be used to turn it off and vice\-versa\&. By default, ecn is enabled\&. .RE .RE .RE .SH "EXAMPLES" .PP Example 1: .RS 4 Suppose you are using PPP over Ethernet (DSL) and ppp0 is the interface for this\&. You have 4 classes here, the first you can use for voice over IP traffic, the second interactive traffic (e\&.g\&. ssh/telnet but not scp), the third will be for all unclassified traffic, and the fourth is for low priority traffic (e\&.g\&. peer\-to\-peer)\&. .sp The voice traffic in the first class will be guaranteed a minimum of 100kbps and always be serviced first (because of the low priority number, giving less delay) and will be granted excess bandwidth (up to 180kbps, the class ceiling) first, before any other traffic\&. A single VoIP stream, depending upon codecs, after encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a little bit just in case\&. 
(TOS byte values 0xb8 and 0x68 are DiffServ classes EF and AFF3\-1 respectively and are often used by VOIP devices)\&. .sp Interactive traffic (tos\-minimize\-delay) and TCP acks (and ICMP echo traffic if you use the example in tcrules) and any packet with a mark of 2 will be guaranteed 1/4 of the link bandwidth, and may extend up to full speed of the link\&. .sp Unclassified traffic and packets marked as 3 will be guaranteed 1/4th of the link bandwidth, and may extend to the full speed of the link\&. .sp Packets marked with 4 will be treated as low priority packets\&. (The tcrules example marks p2p traffic as such\&.) If the link is congested, they\*(Aqre only guaranteed 1/8th of the speed, and even if the link is empty, can only expand to 80% of link bandwidth just as a precaution in case there are upstream queues we didn\*(Aqt account for\&. This is the last class to get additional bandwidth and the last to get serviced by the scheduler because of the low priority\&. .sp .if n \{\ .RS 4 .\} .nf #INTERFACE MARK RATE CEIL PRIORITY OPTIONS ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc ppp0 2 full/4 full 2 tcp\-ack,tos\-minimize\-delay ppp0 3 full/4 full 3 default ppp0 4 full/8 full*8/10 4 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/tcclasses .PP /etc/shorewall6/tcclasses .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/traffic_shaping\&.htm\fR\m[]\&\s-2\u[4]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2 .PP tc\-hfsc(7) .PP tc\-red(8) .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-tcdevices .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcdevices.html .RE .IP " 2." 4 shorewall-mangle .RS 4 \%http://www.shorewall.org/manpages/shorewall-mangle.html .RE .IP " 3." 4 shorewall-tcrules .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcrules.html .RE .IP " 4." 
4 http://www.shorewall.net/traffic_shaping.htm .RS 4 \%http://www.shorewall.org/traffic_shaping.htm .RE .IP " 5." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-arprules.50000664000000000000000000001376413430375727020125 0ustar rootroot'\" t .\" Title: shorewall-arprules .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 02/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-ARPRULES" "5" "02/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" arprules \- Shorewall ARP rules file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall/arprules\fR\ 'u \fB/etc/shorewall/arprules\fR .SH "DESCRIPTION" .PP IPv4 only\&. .PP This file was added in Shorewall 4\&.5\&.12 and is used to describe low\-level rules managed by arptables (8)\&. 
These rules only affect Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and Dynamic Reverse Address Resolution Protocol (DRARP) frames\&. .PP The columns in the file are as shown below\&. MAC addresses are specified normally (6 hexadecimal numbers separated by colons)\&. .PP \fBACTION\fR .RS 4 Describes the action to take when a frame matches the criteria in the other columns\&. Possible values are: .PP \fBACCEPT\fR .RS 4 This is the default action if no rule matches a frame; it lets the frame go through\&. .RE .PP \fBDROP\fR .RS 4 Causes the frame to be dropped\&. .RE .PP \fBSNAT:\fR\fIip\-address\fR .RS 4 Modifies the source IP address to the specified \fIip\-address\fR\&. .RE .PP \fBDNAT:\fR\fIip\-address\fR .RS 4 Modifies the destination IP address to the specified \fIip\-address\fR\&. .RE .PP \fBSMAT:\fR\fImac\-address\fR .RS 4 Modifies the source MAC address to the specified \fImac\-address\fR\&. .RE .PP \fBDMAT:\fR\fImac\-address\fR .RS 4 Modifies the destination MAC address to the specified \fImac\-address\fR\&. .RE .PP \fBSNATC:\fR\fIip\-address\fR .RS 4 Like SNAT except that the frame is then passed to the next rule\&. .RE .PP \fBDNATC:\fR\fIip\-address\fR .RS 4 Like DNAT except that the frame is then passed to the next rule\&. .RE .PP \fBSMATC:\fR\fImac\-address\fR .RS 4 Like SMAT except that the frame is then passed to the next rule\&. .RE .PP \fBDMATC:\fR\fImac\-address\fR .RS 4 Like DMAT except that the frame is then passed to the next rule\&. .RE .RE .PP \fBSOURCE\fR \- \fB[\fR\fB\fIinterface\fR\fR\fB[:[!]\fR\fB\fIipaddress\fR\fR\fB[/ip\fR\fB\fImask\fR\fR\fB][:[!]\fR\fB\fImacaddress\fR\fR\fB[/\fR\fB\fImacmask\fR\fR\fB]]]]\fR .RS 4 Where .PP \fIinterface\fR .RS 4 Is an interface defined in shorewall\-interfaces(5)\&. .RE .PP \fIipaddress\fR .RS 4 is an IPv4 address\&. DNS names are not allowed\&. .RE .PP \fIipmask\fR .RS 4 specifies a mask to be applied to \fIipaddress\fR\&. 
.RE .PP \fImacaddress\fR .RS 4 The source MAC address\&. .RE .PP \fImacmask\fR .RS 4 Mask for MAC address; must be specified as 6 hexadecimal numbers separated by colons\&. .RE .sp When \*(Aq!\*(Aq is specified, the test is inverted\&. .sp If not specified, matches only frames originating on the firewall itself\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br Either SOURCE or DEST must be specified\&. .sp .5v .RE .RE .PP \fBDEST\fR \- \fB[\fR\fB\fIinterface\fR\fR\fB[:[!]\fR\fB\fIipaddress\fR\fR\fB[/ip\fR\fB\fImask\fR\fR\fB][:[!]\fR\fB\fImacaddress\fR\fR\fB[/\fR\fB\fImacmask\fR\fR\fB]]]]\fR .RS 4 Where .PP \fIinterface\fR .RS 4 Is an interface defined in shorewall\-interfaces(5)\&. .RE .PP \fIipaddress\fR .RS 4 is an IPv4 address\&. DNS Names are not allowed\&. .RE .PP \fIipmask\fR .RS 4 specifies a mask to be applied to frame addresses\&. .RE .PP \fImacaddress\fR .RS 4 The destination MAC address\&. .RE .PP \fImacmask\fR .RS 4 Mask for MAC address; must be specified as 6 hexadecimal numbers separated by colons\&. .RE .sp When \*(Aq!\*(Aq is specified, the test is inverted and the rule matches frames which do not match the specified address/mask\&. .sp If not specified, matches only frames originating on the firewall itself\&. .sp If both SOURCE and DEST are specified, then both interfaces must be bridge ports on the same bridge\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br Either SOURCE or DEST must be specified\&. .sp .5v .RE .RE .PP OPCODE \- [[!]\fIopcode\fR] .RS 4 Optional\&. Describes the type of frame\&. 
Possible \fIopcode\fR values are: .PP 1 .RS 4 ARP Request .RE .PP 2 .RS 4 ARP Reply .RE .PP 3 .RS 4 RARP Request .RE .PP 4 .RS 4 RARP Reply .RE .PP 5 .RS 4 Dynamic RARP Request .RE .PP 6 .RS 4 Dynamic RARP Reply .RE .PP 7 .RS 4 Dynamic RARP Error .RE .PP 8 .RS 4 InARP Request .RE .PP 9 .RS 4 ARP NAK .RE .sp When \*(Aq!\*(Aq is specified, the test is inverted and the rule matches frames which do not match the specified \fIopcode\fR\&. .RE .SH "EXAMPLE" .PP The eth1 interface has both a public IP address and a private address (10\&.1\&.10\&.11/24)\&. When sending ARP requests to 10\&.1\&.10\&.0/24, use the private address as the IP source: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST ARP OPCODE SNAT:10\&.1\&.10\&.11 \- eth1:10\&.1\&.10\&.0/24 1 .fi .if n \{\ .RE .\} .SH "FILES" .PP /etc/shorewall/arprules .SH "SEE ALSO" .PP shorewall(8) shorewall-5.2.3.4/manpages/shorewall-exclusion.50000664000000000000000000001265113453771251020270 0ustar rootroot'\" t .\" Title: shorewall-exclusion .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-EXCLUSION" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text 
to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" exclusion \- Exclude a set of hosts from a definition in a shorewall configuration file\&. .SH "SYNOPSIS" .HP \w'\ 'u \fB!\fR\fIaddress\-or\-range\fR[,\fIaddress\-or\-range\fR]... .HP \w'\ 'u \fB!\fR\fIzone\-name\fR[,\fIzone\-name\fR]... .SH "DESCRIPTION" .PP The first form of exclusion is used when you wish to exclude one or more addresses from a definition\&. An exclamation point is followed by a comma\-separated list of addresses\&. The addresses may be single host addresses (e\&.g\&., 192\&.168\&.1\&.4) or they may be network addresses in CIDR format (e\&.g\&., 192\&.168\&.1\&.0/24)\&. If your kernel and iptables include iprange support, you may also specify ranges of ip addresses of the form \fIlowaddress\fR\-\fIhighaddress\fR\&. .PP No embedded white\-space is allowed\&. .PP Exclusion can appear after a list of addresses and/or address ranges\&. In that case, the final list of addresses is formed by taking the first list and then removing the addresses defined in the exclusion\&. .PP Beginning in Shorewall 4\&.4\&.13, the second form of exclusion is allowed after \fBall\fR and \fBany\fR in the SOURCE and DEST columns of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. It allows you to omit arbitrary zones from the list generated by those key words\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP If you omit a sub\-zone and there is an explicit or implicit CONTINUE policy, a connection to/from that zone can still be matched by the rule generated for a parent zone\&. .PP For example: .PP /etc/shorewall/zones: .sp .if n \{\ .RS 4 .\} .nf #ZONE TYPE z1 ip z2:z1 ip \&.\&.\&. 
.fi .if n \{\ .RE .\} .PP /etc/shorewall/policy: .sp .if n \{\ .RS 4 .\} .nf #SOURCE DEST POLICY z1 net CONTINUE z2 net REJECT .fi .if n \{\ .RE .\} .PP /etc/shorewall/rules: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT ACCEPT all!z2 net tcp 22 .fi .if n \{\ .RE .\} .PP In this case, SSH connections from \fBz2\fR to \fBnet\fR will be accepted by the generated \fBz1\fR to net ACCEPT rule\&. .sp .5v .RE .PP In most contexts, ipset names can be used as an \fIaddress\-or\-range\fR\&. Beginning with Shorewall 4\&.4\&.14, ipset lists enclosed in +[\&.\&.\&.] may also be included (see \m[blue]\fBshorewall\-ipsets\fR\m[]\&\s-2\u[2]\d\s+2 (5))\&. The semantics of these lists when used in an exclusion are as follows: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} !+[\fIset1\fR,\fIset2\fR,\&.\&.\&.\fIsetN\fR] produces a packet match if the packet does not match at least one of the sets\&. In other words, it is like NOT match \fIset1\fR OR NOT match \fIset2\fR \&.\&.\&. OR NOT match \fIsetN\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} +[!\fIset1\fR,!\fIset2\fR,\&.\&.\&.!\fIsetN\fR] produces a packet match if the packet does not match any of the sets\&. In other words, it is like NOT match \fIset1\fR AND NOT match \fIset2\fR \&.\&.\&. AND NOT match \fIsetN\fR\&. 
.RE .SH "EXAMPLES" .PP IPv4 Example 1 \- All IPv4 addresses except 192\&.168\&.3\&.4 .RS 4 !192\&.168\&.3\&.4 .RE .PP IPv4 Example 2 \- All IPv4 addresses except the network 192\&.168\&.1\&.0/24 and the host 10\&.2\&.3\&.4 .RS 4 !192\&.168\&.1\&.0/24,10\&.1\&.3\&.4 .RE .PP IPv4 Example 3 \- All IPv4 addresses except the range 192\&.168\&.1\&.3\-192\&.168\&.1\&.12 and the network 10\&.0\&.0\&.0/8 .RS 4 !192\&.168\&.1\&.3\-192\&.168\&.1\&.12,10\&.0\&.0\&.0/8 .RE .PP IPv4 Example 4 \- The network 192\&.168\&.1\&.0/24 except hosts 192\&.168\&.1\&.3 and 192\&.168\&.1\&.9 .RS 4 192\&.168\&.1\&.0/24!192\&.168\&.1\&.3,192\&.168\&.1\&.9 .RE .PP Example 5 \- All parent zones except loc .RS 4 any!loc .RE .SH "FILES" .PP /etc/shorewall/hosts .PP /etc/shorewall/masq .PP /etc/shorewall/rules .PP /etc/shorewall/tcrules .SH "SEE ALSO" .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-rules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 2." 4 shorewall-ipsets .RS 4 \%http://www.shorewall.org/manpages/shorewall-ipsets.html .RE shorewall-5.2.3.4/manpages/shorewall-zones.50000664000000000000000000002620313453771315017414 0ustar rootroot'\" t .\" Title: shorewall-zones .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-ZONES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" 
----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" zones \- Shorewall zone declaration file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall/zones\fR\ 'u \fB/etc/shorewall/zones\fR .SH "DESCRIPTION" .PP The /etc/shorewall/zones file declares your network zones\&. You specify the hosts in each zone through entries in /etc/shorewall/interfaces or /etc/shorewall/hosts\&. .PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBZONE\fR \- \fIzone\fR[\fB:\fR\fIparent\-zone\fR[\fB,\fR\fIparent\-zone\fR]\&.\&.\&.] .RS 4 Name of the \fIzone\fR\&. Must start with a letter and consist of letters, digits or \*(Aq_\*(Aq\&. The names "all", "none", "any", "SOURCE" and "DEST" are reserved and may not be used as zone names\&. The maximum length of a zone name is determined by the setting of the LOGFORMAT option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. With the default LOGFORMAT, zone names can be at most 5 characters long\&. The maximum length of an iptables log prefix is 29 bytes\&. As explained in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2 (5), the legacy default LOGPREFIX formatting string is \(lqShorewall:%s:%s:\(rq where the first %s is replaced by the chain name and the second is replaced by the disposition\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The "Shorewall:%s:%s:" formatting string has 12 fixed characters ("Shorewall" and three colons)\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The longest of the standard dispositions are ACCEPT and REJECT which have 6 characters each\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The canonical name for the chain containing the rules for traffic going from zone 1 to zone 2 is "2" or "\-"\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} So if M is the maximum zone name length, such chains can have length 2*M + 1\&. .RS 4 12 + 6 + 2*M + 1 = 29 which reduces to .RE .RS 4 2*M = 29 \- 12 \- 6 \- 1 = 10 or .RE .RS 4 M = 5 .RE .RE .sp In Shorewall 5\&.1\&.0, the LOGFORMAT in the default and sample shorewall\&.conf files was changed to "%s:%s "\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} That formatting string has 2 fixed characters (":" and a space)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} So the maximum zone name length M is calculated as: .RS 4 2 + 6 + 2*M + 1 = 29 .RE .RS 4 2M = 29 \- 2 \- 6 \- 1 = 20 .RE .RS 4 M = 10 .RE .RE The order in which Shorewall matches addresses from packets to zones is determined by the order of zone declarations\&. Where a zone is nested in one or more other zones, you may either ensure that the nested zone precedes its parents in this file, or you may follow the (sub)zone name by ":" and a comma\-separated list of the parent zones\&. The parent zones must have been declared in earlier records in this file\&. See \m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[2]\d\s+2(5) for additional information\&. .sp Example: .sp .if n \{\ .RS 4 .\} .nf #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS a ip b ip c:a,b ip .fi .if n \{\ .RE .\} .sp Currently, Shorewall uses this information to reorder the zone list so that parent zones appear after their subzones in the list\&. 
The IMPLICIT_CONTINUE option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) can also create implicit CONTINUE policies to/from the subzone\&. .sp Where an \fBipsec\fR zone is explicitly included as a child of an \fBip\fR zone, the ruleset allows CONTINUE policies (explicit or implicit) to work as expected\&. .sp In the future, Shorewall may make additional use of nesting information\&. .RE .PP \fBTYPE\fR .RS 4 .PP \fBip\fR .RS 4 This is the standard Shorewall zone type and is the default if you leave this column empty or if you enter "\-" in the column\&. Communication with some zone hosts may be encrypted\&. Encrypted hosts are designated using the \*(Aqipsec\*(Aq option in \m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. For clarity, this zone type may be specified as \fBipv4\fR in IPv4 configurations and \fBipv6\fR in IPv6 configurations\&. .RE .PP \fBipsec\fR .RS 4 Communication with all zone hosts is encrypted\&. Your kernel and iptables must include policy match support\&. For clarity, this zone type may be specified as \fBipsec4\fR in IPv4 configurations and \fBipsec6\fR in IPv6 configurations\&. .RE .PP \fBfirewall\fR .RS 4 Designates the firewall itself\&. You must have exactly one \*(Aqfirewall\*(Aq zone\&. No options are permitted with a \*(Aqfirewall\*(Aq zone\&. The name that you enter in the ZONE column will be stored in the shell variable $FW which you may use in other configuration files to designate the firewall zone\&. .RE .PP \fBbport\fR .RS 4 The zone is associated with one or more ports on a single bridge\&. For clarity, this zone type may be specified as \fBbport4\fR in IPv4 configurations and \fBbport6\fR in IPv6 configurations\&. .RE .PP \fBvserver\fR .RS 4 Added in Shorewall 4\&.4\&.11 Beta 2 \- A zone composed of Linux\-vserver guests\&. The zone contents must be defined in \m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[3]\d\s+2 (5)\&. .sp Vserver zones are implicitly handled as subzones of the firewall zone\&. 
.RE .PP \fBloopback\fR .RS 4 Added in Shorewall 4\&.5\&.17\&. .sp Normally, Shorewall treats the loopback interface (lo) in the following way: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} By default, all traffic through the interface is ACCEPTed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If a $FW \-> $FW policy is defined or $FW \-> $FW rules are defined, they are placed in a chain named ${FW}2${FW} or ${FW}\-${FW} (e\&.g\&., \*(Aqfw2fw\*(Aq or \*(Aqfw\-fw\*(Aq ) depending on the ZONE2ZONE setting in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} $FW \-> $FW traffic is only filtered in the OUTPUT chain\&. .RE .sp By defining a \fBloopback\fR zone and associating it with the loopback interface in shorewall\-interfaces(5), you can effect a slightly different model\&. Suppose that the \fBloopback\fR zone name is \*(Aqlocal\*(Aq; then: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Both $FW \-> local and local \-> $FW chains are created\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The $FW \-> local and local \-> $FW policies may be different\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Both $FW \-> local and local \-> $FW rules may be specified\&. .RE .sp Rules to/from the \fBloopback\fR zone and any zone other than the firewall zone are ignored with a warning\&. .sp \fBloopback\fR zones may be nested within other \fBloopback\fR zones\&. .RE .PP \fBlocal\fR .RS 4 Added in Shorewall 4\&.5\&.17\&. \fBlocal\fR is the same as \fBipv4\fR with the exception that the zone is only accessible from the \fBfirewall\fR and \fBvserver\fR zones\&. .RE .RE .PP \fBOPTIONS, IN OPTIONS and OUT OPTIONS\fR (options, in_options, out_options) \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.] 
.RS 4 A comma\-separated list of options\&. With the exception of the \fBmss\fR and \fBblacklist\fR options, these only apply to TYPE \fBipsec\fR zones\&. .PP \fBdynamic_shared\fR .RS 4 Added in Shorewall 4\&.5\&.9\&. May only be specified in the OPTIONS column and indicates that only a single ipset should be created for this zone if it has multiple dynamic entries in \m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. Without this option, a separate ipset is created for each interface\&. .RE .PP \fBreqid=\fR\fInumber\fR .RS 4 where \fInumber\fR is specified using setkey(8) using the \*(Aqunique:\fInumber\fR option for the SPD level\&. .RE .PP \fBspi=\fR .RS 4 where \fInumber\fR is the SPI of the SA used to encrypt/decrypt packets\&. .RE .PP \fBproto=\fR\fBah\fR|\fBesp\fR|\fBipcomp\fR .RS 4 IPSEC Encapsulation Protocol .RE .PP \fBmss=\fR\fInumber\fR .RS 4 sets the MSS field in TCP packets\&. If you supply this option, you should also set FASTACCEPT=No in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) to insure that both the SYN and SYN,ACK packets have their MSS field adjusted\&. .RE .PP \fBmode=\fR\fBtransport\fR|\fBtunnel\fR .RS 4 IPSEC mode .RE .PP \fBtunnel\-src=\fR\fIaddress\fR[/\fImask\fR] .RS 4 only available with mode=tunnel .RE .PP \fBtunnel\-dst=\fR\fIaddress\fR[/\fImask\fR] .RS 4 only available with mode=tunnel .RE .PP \fBstrict\fR .RS 4 Means that packets must match all rules\&. .RE .PP \fBnext\fR .RS 4 Separates rules; can only be used with strict .RE .sp The options in the OPTIONS column are applied to both incoming and outgoing traffic\&. The IN OPTIONS are applied to incoming traffic (in addition to OPTIONS) and the OUT OPTIONS are applied to outgoing traffic\&. .sp If you wish to leave a column empty but need to make an entry in a following column, use "\-"\&. .RE .SH "FILES" .PP /etc/shorewall/zones .PP /etc/shorewall6/zones .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/Multiple_Zones\&.html\fR\m[]\&\s-2\u[4]\d\s+2\&. 
.PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 2." 4 shorewall-nesting .RS 4 \%http://www.shorewall.org/manpages/shorewall-nesting.html .RE .IP " 3." 4 shorewall-hosts .RS 4 \%http://www.shorewall.org/manpages/shorewall-hosts.html .RE .IP " 4." 4 http://www.shorewall.net/Multiple_Zones.html .RS 4 \%http://www.shorewall.org/Multiple_Zones.html .RE .IP " 5." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-init.80000664000000000000000000001207113453771254017224 0ustar rootroot'\" t .\" Title: shorewall-init .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" .TH "SHOREWALL\-INIT" "8" "04/11/2019" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" 
----------------------------------------------------------------- .SH "NAME" shorewall-init \- Companion package .SH "SYNOPSIS" .HP \w'\fB/etc/init\&.d/shorewall\-init\fR\ 'u \fB/etc/init\&.d/shorewall\-init\fR [start|stop] .SH "DESCRIPTION" .PP Shorewall\-init is an optional package (added in Shorewall 4\&.4\&.10) that can be installed along with Shorewall, Shorewall6, Shorewall\-lite and/or Shorewall6\-lite\&. It provides two key features: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} It can close (stop) the firewall during boot prior to starting the network\&. This can prevent unwanted connections from being accepted after the network comes up but before the firewall is started\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} It can interface with your distribution\*(Aqs ifup/ifdown scripts and/or NetworkManager to allow firewall actions when an interface starts or stops\&. .RE .PP These two capabilities can be enabled separately\&. .PP After you install the shorewall\-init package, you can activate it by modifying the Shorewall\-init configuration file: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} On Debian\-based system, the file is /etc/default/shorewall\-init\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} On other systems, the file is /etc/sysconfig/shorewall\-init\&. .RE .PP To activate the safe boot feature, edit the configuration file and set PRODUCTS to a space\-separated list of Shorewall products that you want to be closed before networking starts\&. .PP Example: .RS 4 PRODUCTS="shorewall shorewall6" .RE .PP You also must insure that the compiled scripts for the listed products are compiled using Shorewall 4\&.4\&.10 or later\&. 
.PP Shorewall .RS 4 \fBshorewall compile\fR .RE .PP Shorewall6 .RS 4 \fBshorewall6 compile\fR .RE .PP Shorewall\-lite .RS 4 On the administrative system, enter the command \fBshorewall export firewall\fR from the firewall\*(Aqs configuration directory\&. .RE .PP Shorewall6\-lite .RS 4 On the administrative system, enter the command \fBshorewall6 export firewall\fR from the firewall\*(Aqs configuration directory\&. .RE .PP The second feature (ifup/ifdown and NetworkManager integration) should only be activated on systems that do not use a link status monitor like swping or LSM\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Edit the configuration file and set IFUPDOWN=1 .RE .PP For NetworkManager integration, you will want to disable firewall startup at boot and delay it to when your interface comes up\&. For this to work correctly, you must set the required or the optional option on at least one interface then: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} On Debian\-based systems, edit /etc/default/\fIproduct\fR for each \fIproduct\fR listed in the PRODUCTS setting and set \fBstartup=0\fR\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} On other systems, use the distribution\*(Aqs service control tool (insserv, chkconfig, etc\&.) to disable startup of the products listed in the PRODUCTS setting\&. .RE .PP On a laptop with both Ethernet and wireless interfaces, you will want to make both interfaces optional and set the REQUIRE_INTERFACE option to Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) or \m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2 (5)\&. This causes the firewall to remain stopped until at least one of the interfaces comes up\&. .SH "FILES" .PP /etc/default/shorewall\-init (Debian\-based systems) or /etc/sysconfig/shorewall\-init (other distributions) .SH "SEE ALSO" .PP shorewall(8) .SH "NOTES" .IP " 1." 
4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 2." 4 shorewall6.conf .RS 4 \%http://www.shorewall.org/manpages6/shorewall6.conf.html .RE shorewall-5.2.3.4/manpages/shorewall.conf.50000664000000000000000000030160213453771245017205 0ustar rootroot'\" t .\" Title: shorewall.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\&.CONF" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" shorewall.conf \- Shorewall global configuration file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall/shorewall\&.conf\fR\ 'u \fB/etc/shorewall/shorewall\&.conf\fR .HP \w'\fB/etc/shorewall6/shorewall6\&.conf\fR\ 'u \fB/etc/shorewall6/shorewall6\&.conf\fR .SH "DESCRIPTION" .PP The IPv4 and IPv6 environments each have their own configuration\&. The IPv4 configuration resides in /etc/shorewall/ while the IPv6 configuration resides in /etc/shorewall6/\&. 
.PP The \&.conf files set options that apply to Shorewall and Shorewall6 as a whole\&. .PP The \&.conf files consist of Shell comments (lines beginning with \*(Aq#\*(Aq), blank lines and assignment statements (\fIvariable\fR=\fIvalue\fR)\&. If the \fIvalue\fR contains shell meta characters or white\-space, then it must be enclosed in quotes\&. Example: MACLIST_LOG_LEVEL="NFLOG(1,0,1)"\&. .SH "OPTIONS" .PP Many options have as their value a \fIlog\-level\fR\&. Log levels are a method of describing to syslog (8) the importance of a message and a number of parameters in this file have log levels as their value\&. .PP These levels are defined by syslog and are used to determine the destination of the messages through entries in /etc/syslog\&.conf (5)\&. The syslog documentation refers to these as "priorities"; Netfilter calls them "levels" and Shorewall also uses that term\&. .PP Valid levels are: .sp .if n \{\ .RS 4 .\} .nf 7 debug 6 info 5 notice 4 warning 3 err 2 crit 1 alert 0 emerg .fi .if n \{\ .RE .\} .PP For most Shorewall logging, a level of 6 (info) is appropriate\&. Shorewall log messages are generated by NetFilter and are logged using facility \*(Aqkern\*(Aq and the level that you specify\&. If you are unsure of the level to choose, 6 (info) is a safe bet\&. You may specify levels by name or by number\&. .PP If you have built your kernel with ULOG (IPv4 only) and/or NFLOG target support, you may also specify a log level of ULOG and/or NFLOG (must be all caps)\&. Rather than log its messages to syslogd, Shorewall will direct netfilter to log the messages via the ULOG or NFLOG target which will send them to a process called \*(Aqulogd\*(Aq\&. ulogd is available with most Linux distributions (although it probably isn\*(Aqt installed by default)\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .PP If you want to specify parameters to ULOG or NFLOG (e\&.g\&., NFLOG(1,0,1)), then you must quote the setting\&. .PP Example: .sp .if n \{\ .RS 4 .\} .nf LOG_LEVEL="NFLOG(1,0,1)" .fi .if n \{\ .RE .\} .sp .5v .RE .PP Beginning with Shorewall 5\&.0\&.0, the log level may be followed by a colon (":") and a log tag\&. The log tag normally follows the packet disposition in Shorewall\-generated Netfilter log messages, separated from the disposition by a colon (e\&.g, "DROP:mytag")\&. See LOGTAGONLY below for additional information\&. .PP Beginning with Shorewall 4\&.4\&.22, LOGMARK is also a valid level which logs the packet\*(Aqs mark value along with the other usual information\&. The syntax is: .RS 4 \fBLOGMARK[\fR\fI(priority)\fR\fB]\fR .RE .PP where \fIpriority\fR is one of the levels listed in the list above\&. If omitted, the default is info (6)\&. .PP The following options may be set in shorewall\&.conf\&. .PP \fBACCEPT_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR][,\&.\&.\&.]|\fBnone\fR} .RS 4 .RE .PP \fBBLACKLIST_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR][,\&.\&.\&.]|\fBnone\fR} .RS 4 .RE .PP \fBDROP_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR][,\&.\&.\&.]|\fBnone\fR} .RS 4 .RE .PP \fBNFQUEUE_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR][,\&.\&.\&.]|\fBnone\fR} .RS 4 .RE .PP \fBQUEUE_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR][,\&.\&.\&.]|\fBnone\fR} .RS 4 .RE .PP \fBREJECT_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR][,\&.\&.\&.]|\fBnone\fR} .RS 4 In earlier Shorewall versions, a "default action" for DROP and REJECT policies was specified in the file /usr/share/shorewall/actions\&.std\&. .sp In Shorewall 4\&.4\&.0, the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options were added\&. 
.sp DROP_DEFAULT describes the rules to be applied before a connection request is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be applied if a connection request is rejected by a REJECT policy\&. The other three are similar for ACCEPT, QUEUE and NFQUEUE policies\&. .sp The value applied to these may be: .RS 4 a) The name of an \fIaction\fR\&. The name may optionally be followed by a comma\-separated list of parameters enclosed in parentheses if the specified action accepts parameters (e\&.g\&., \*(AqDrop(audit)\*(Aq)\&. .RE .RS 4 b) \fBNone\fR or \fBnone\fR .RE Prior to Shorewall 5\&.1\&.2, the default values are: .RS 4 DROP_DEFAULT="Drop" .RE .RS 4 REJECT_DEFAULT="Reject" .RE .RS 4 BLACKLIST_DEFAULT="Drop" (added in Shorewall 5\&.1\&.1) .RE .RS 4 ACCEPT_DEFAULT="none" .RE .RS 4 QUEUE_DEFAULT="none" .RE .RS 4 NFQUEUE_DEFAULT="none" .RE Beginning with Shorewall 5\&.1\&.2, the default value is \*(Aqnone\*(Aq for all of these\&. Note that the sample configuration files do, however, provide settings for DROP_DEFAULT, BLACKLIST_DEFAULT and REJECT_DEFAULT\&. .sp If you set the value of any of these options to "None" then no default action will be used for that policy type, and the default action or macro must be specified in \m[blue]\fBshorewall\-policy\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .sp You can pass \fIparameters\fR to the specified action (e\&.g\&., \fImyaction(audit,DROP)\fR)\&. .sp Beginning with Shorewall 4\&.5\&.10, the action name can be followed optionally by a colon and a log \fIlevel\fR\&. The level will be applied to each rule in the action or body that does not already have a log level\&. .sp Beginning with Shorewall 5\&.1\&.2, multiple \fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR] specifications may be listed, separated by commas\&. .RE .PP \fBACCOUNTING=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.4\&.7\&. If set to Yes, Shorewall accounting is enabled (see \m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[2]\d\s+2(5))\&. 
If not specified or set to the empty value, ACCOUNTING=Yes is assumed\&. .RE .PP \fBACCOUNTING_TABLE=\fR[\fBfilter\fR|\fBmangle\fR] .RS 4 Added in Shorewall 4\&.4\&.20\&. This setting determines which Netfilter table the accounting rules are added in\&. By default, ACCOUNTING_TABLE=filter is assumed\&. See also \m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. .RE .PP \fBADD_IP_ALIASES=\fR[\fBYes\fR|\fBNo\fR] .RS 4 This parameter determines whether Shorewall automatically adds the external address(es) in \m[blue]\fBshorewall\-nat\fR\m[]\&\s-2\u[3]\d\s+2(5), and is only available in IPv4 configurations\&. If the variable is set to \fBYes\fR or \fByes\fR then Shorewall automatically adds these aliases\&. If it is set to \fBNo\fR or \fBno\fR, you must add these aliases yourself using your distribution\*(Aqs network configuration tools\&. .sp If this variable is not set or is given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br Addresses added by ADD_IP_ALIASES=Yes are deleted and re\-added during \fBshorewall reload\fR and \fBshorewall restart\fR\&. As a consequence, connections using those addresses may be severed\&. .sp .5v .RE .RE .PP \fBADD_SNAT_ALIASES=\fR[\fBYes\fR|\fBNo\fR] .RS 4 This parameter determines whether Shorewall automatically adds the SNAT ADDRESS in \m[blue]\fBshorewall\-masq\fR\m[]\&\s-2\u[4]\d\s+2(5), and is only available in IPv4 configurations\&. If the variable is set to \fBYes\fR or \fByes\fR then Shorewall automatically adds these addresses\&. If it is set to \fBNo\fR or \fBno\fR, you must add these addresses yourself using your distribution\*(Aqs network configuration tools\&. .sp If this variable is not set or is given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re\-added during \fBshorewall reload\fR and \fBshorewall restart\fR\&. As a consequence, connections using those addresses may be severed\&. .sp .5v .RE .RE .PP \fBADMINISABSENTMINDED=\fR[\fBYes\fR|\fBNo\fR] .RS 4 The value of this variable affects Shorewall\*(Aqs stopped state\&. The behavior differs depending on whether \m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[5]\d\s+2(5) or \m[blue]\fBshorewall\-stoppedrules\fR\m[]\&\s-2\u[6]\d\s+2(5) is used: .PP routestopped .RS 4 When ADMINISABSENTMINDED=No, only traffic to/from those addresses listed in routestopped is accepted when Shorewall is stopped\&. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in routestopped, connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed\&. .sp Note that the routestopped file is not supported in Shorewall 5\&.0 and later versions\&. .RE .PP stoppedrules .RS 4 All existing connections continue to work\&. To sever all existing connections when the firewall is stopped, install the conntrack utility and place the command \fBconntrack \-F\fR in the stopped user exit (/etc/shorewall/stopped)\&. .sp If ADMINISABSENTMINDED=No, only new connections matching entries in stoppedrules are accepted when Shorewall is stopped\&. Response packets and related connections are automatically accepted\&. .sp If ADMINISABSENTMINDED=Yes, in addition to connections matching entries in stoppedrules, all new connections from the firewall system itself are allowed when the firewall is stopped\&. Response packets and related connections are automatically accepted\&. .RE .sp If this variable is not set or is given the empty value then ADMINISABSENTMINDED=No is assumed\&. 
.RE .PP \fBARPTABLES=\fR[\fIpathname\fR] .RS 4 Added in Shorewall 4\&.5\&.12 and available in IPv4 only\&. This parameter names the arptables executable to be used by Shorewall\&. If not specified or if specified as a null value, then the arptables executable located using the PATH option is used\&. .sp Regardless of how the arptables utility is located (specified via arptables= or located via PATH), Shorewall uses the arptables\-restore and arptables\-save utilities from that same directory\&. .RE .PP \fBAUTOCOMMENT=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Formerly named AUTO_COMMENT\&. When set to Yes, if there is no current comment when a macro is invoked, the behavior is as if the first line of the macro file were "COMMENT "\&. If not specified, AUTOCOMMENT has a default value of \*(AqYes\*(Aq\&. .RE .PP \fBAUTOHELPERS=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.5\&.7\&. When set to \fBYes\fR (the default), the generated ruleset will automatically associate helpers with applications that require them (FTP, IRC, etc\&.)\&. When configuring your firewall on systems running kernel 3\&.5 or later, it is recommended that you: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} Set AUTOHELPERS=No\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} Modify the HELPERS setting (see below) to list only the helpers that you need\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} Either: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} Modify \m[blue]\fBshorewall\-conntrack\fR\m[]\&\s-2\u[7]\d\s+2 (5) to only apply helpers where they are required; or .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} Specify the appropriate helper in the HELPER column in \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2 (5)\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br The macros for those applications requiring a helper automatically specify the appropriate HELPER where required\&. .sp .5v .RE .RE .RE .RE .PP \fBAUTOMAKE=\fR[\fBYes\fR|\fBNo\fR|\fBrecursive\fR|\fIdepth\fR] .RS 4 If set, the behavior of the \fBstart\fR, \fBreload\fR and \fBrestart\fR commands are changed; if no files in CONFIG_PATH (see below) have been changed since the last successful \fBstart, reload\fR or \fBrestart\fR command, then the compilation step is skipped and the compiled script that executed the last \fBstart\fR, \fBreload\fR or \fBrestart\fR command is used\&. If not specified, the default is AUTOMAKE=No\&. .sp The setting of the AUTOMAKE option is ignored if the \fBstart\fR, \fBreload\fR or \fBrestart\fR command includes a directory name (e\&.g\&.,\fB shorewall restart /etc/shorewall\&.new\fR)\&. .sp When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally searched recursively for files newer than the compiled script\&. That was changed in Shorewall 5\&.1\&.10\&.2 such that only the listed directories themselves were searched\&. That broke some configurations that played tricks with embedded SHELL such as "\fBSHELL cat /etc/shorewall/rules\&.d/loc/*\&.rules"\&.\fR Prior to 5\&.1\&.10\&.2, a change to a file in or adding a file to /etc/shorewall/rules\&.d/loc/ would trigger recompilation\&. Beginning with 5\&.1\&.10\&.2, such changes would not trigger recompilation\&. Beginning with Shorewall 5\&.2\&.0, the pre\-5\&.1\&.10\&.2 behavior can be obtained by setting AUTOMAKE=recursive\&. .sp Also beginning with Shorewall 5\&.2\&.0, AUTOMAKE may be set to a numeric \fIdepth\fR which specifies how deeply each listed directory is to be searched\&. AUTOMAKE=1 only searches each directory itself and is equivalent to AUTOMAKE=Yes\&. 
AUTOMAKE=2 will search each directory and its immediate sub\-directories; AUTOMAKE=3 will search each directory, each of its immediate sub\-directories, and each of their immediate sub\-directories, etc\&. .RE .PP \fBBALANCE_PROVIDERS=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 5\&.1\&.1\&. When USE_DEFAULT_RT=Yes, this option determines whether the \fBbalance\fR provider option (see \m[blue]\fBshorewall\-providers(5)\fR\m[]\&\s-2\u[9]\d\s+2) is the default\&. When BALANCE_PROVIDERS=Yes, then the \fBbalance\fR option is assumed unless the \fBfallback\fR, \fBloose\fR, \fBload\fR or \fBtproxy\fR option is specified\&. If this option is not set or is set to the empty value, then the default value is the value of USE_DEFAULT_RT\&. .RE .PP \fBBASIC_FILTERS=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall\-4\&.6\&.0\&. When set to \fBYes\fR, causes entries in \m[blue]\fBshorewall\-tcfilters(5)\fR\m[]\&\s-2\u[10]\d\s+2 to generate a basic filter rather than a u32 filter\&. This setting requires the Basic Ematch capability in your kernel and iptables\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br One of the advantages of basic filters is that ipset matches are supported in newer iproute2 and kernel versions\&. Because Shorewall cannot reliably detect this capability, use of basic filters is controlled by this option\&. .sp .5v .RE The default value is \fBNo\fR which causes u32 filters to be generated\&. .RE .PP \fBBLACKLIST=\fR[{\fBALL\fR|\fB\fIstate\fR\fR\fB[,\&.\&.\&.]\fR}] .RS 4 where state is one of NEW, ESTABLISHED, RELATED, INVALID,or UNTRACKED\&. .sp Added in Shorewall 4\&.5\&.13 to replace the BLACKLISTNEWONLY option\&. Specifies the connection tracking states that are to be subject to blacklist screening\&. If BLACKLIST is not specified then the states subject to blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED\&. .sp ALL sends all packets through the blacklist chains\&. 
.sp Note: The ESTABLISHED state may not be specified if FASTACCEPT=Yes is specified\&. .RE .PP \fBBLACKLIST_DISPOSITION=\fR[\fBDROP\fR|A_DROP|\fBREJECT|A_REJECT\fR] .RS 4 This parameter determines the disposition of packets from blacklisted hosts\&. It may have the value DROP if the packets are to be dropped or REJECT if the packets are to be replied to with an ICMP port unreachable reply or a TCP RST (tcp only)\&. If you do not assign a value or if you assign an empty value then DROP is assumed\&. .sp A_DROP and A_REJECT are audited versions of DROP and REJECT respectively and were added in Shorewall 4\&.4\&.20\&. They require AUDIT_TARGET in the kernel and iptables\&. .sp The BLACKLIST_DISPOSITION setting determines the disposition of packets sent to the \fBblacklog\fR target of \m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[11]\d\s+2(5), but otherwise does not affect entries in that file\&. .RE .PP \fBBLACKLIST_LOG_LEVEL=\fR[\fIlog\-level\fR[:\fIlog\-tag\fR]] .RS 4 Formerly named BLACKLIST_LOGLEVEL\&. This parameter determines if packets from blacklisted hosts are logged and it determines the syslog level that they are to be logged at\&. Its value is a syslog level (Example: BLACKLIST_LOG_LEVEL=debug)\&. If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged\&. The setting determines the log level of packets sent to the \fBblacklog\fR target of \m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. .RE .PP \fBCLAMPMSS=[\fR\fBYes\fR|\fBNo\fR|\fIvalue\fR] .RS 4 This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and is usually required when your internet connection is through PPPoE or PPTP\&. If set to \fBYes\fR or \fByes\fR, the feature is enabled\&. If left blank or set to \fBNo\fR or \fBno\fR, the feature is not enabled\&. .sp \fBImportant\fR: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel\&. 
.sp You may also set CLAMPMSS to a numeric \fIvalue\fR (e\&.g\&., CLAMPMSS=1400)\&. This will set the MSS field in TCP SYN packets going through the firewall to the \fIvalue\fR that you specify\&. .RE .PP \fBCLEAR_TC=\fR[\fBYes\fR|\fBNo\fR] .RS 4 If this option is set to \fBNo\fR then Shorewall won\*(Aqt clear the current traffic control rules during [\fBre\fR]\fBstart\fR or \fBreload\fR\&. This setting is intended for use by people who prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started\&. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file\&. That way, your traffic shaping rules can still use the \(lqfwmark\(rq classifier based on packet marking defined in \m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[12]\d\s+2(5)\&. If not specified, CLEAR_TC=Yes is assumed\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br When you specify TC_ENABLED=shared (see below), then you should also specify CLEAR_TC=No\&. .sp .5v .RE .RE .PP \fBCOMPLETE=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.4\&.12\&. When you set this option to Yes, you are asserting that the configuration is complete so that your set of zones encompasses any hosts that can send or receive traffic to/from/through the firewall\&. This causes Shorewall to omit the rules that catch packets in which the source or destination IP address is outside of any of your zones\&. Default is No\&. It is recommended that this option only be set to Yes if: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You have defined an interface whose effective physical setting is \*(Aq+\*(Aq\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} That interface is assigned to a zone\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} You have no CONTINUE policies or rules\&. .RE .RE .PP \fBCONFIG_PATH\fR=[[:]\fIdirectory\fR[:\fIdirectory\fR]\&.\&.\&.] .RS 4 Specifies where configuration files other than shorewall[6]\&.conf may be found\&. CONFIG_PATH is specified as a list of directory names separated by colons (":")\&. When looking for a configuration file: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If the command is "try" or a configuration directory was specified in the command (e\&.g\&., \fBshorewall [\-6] check \&./gateway\fR) then the directory given in the command is searched first\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Next, each directory in the CONFIG_PATH setting is searched in sequence\&. .RE .sp If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are used\&. As released from shorewall\&.net, that file sets the CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your particular distribution may set it differently\&. See the output of shorewall show config for the default on your system\&. .sp Beginning with Shorewall 5\&.1\&.10, the CONFIG_PATH setting may begin with a colon (":"), to signal that the first \fIdirectory\fR listed will be skipped if the user performing a compilation is not root or if the configuration is being compiled for export (\-e option specified or if running one of the remote\-* commands)\&. This prevents the compiler from looking in /etc/shorewall[6]/ when compilation is being done by a non\-root user or if the generated script is to be sent to a remote firewall system\&. .RE .PP \fBDEFER_DNS_RESOLUTION=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.5\&.12\&. When set to \*(AqYes\*(Aq (the default), DNS names are validated in the compiler and then passed on to the generated script where they are resolved by ip[6]tables\-restore\&. 
This is an advantage if you use AUTOMAKE=Yes and the IP address associated with the DNS name is subject to change\&. When DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses by the compiler\&. This has the advantage that when AUTOMAKE=Yes, the \fBstart\fR, \fBreload\fR and \fBrestart\fR commands will succeed even if no DNS server is reachable (assuming that the configuration hasn\*(Aqt changed since the compiled script was last generated)\&. In either mode, a rule that uses a DNS name is only as restrictive as the answer the resolver returns at resolution time (at compile time with No, at every \fBstart\fR/\fBreload\fR with Yes); use literal IP addresses for rules whose effect must not depend on DNS\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change makes it necessary to recompile an existing firewall script, the \fB\-c\fR option must be used with the \fBreload\fR or \fBrestart\fR command to force recompilation\&. .sp .5v .RE .RE .PP \fBDELETE_THEN_ADD=\fR{\fBYes\fR|\fBNo\fR} .RS 4 If set to Yes (the default value), entries in the /etc/shorewall[6]/rtrules files cause an \*(Aqip rule del\*(Aq command to be generated in addition to an \*(Aqip rule add\*(Aq command\&. Setting this option to No causes the \*(Aqip rule del\*(Aq command to be omitted\&. .RE .PP \fBDETECT_DNAT_IPADDRS=\fR[\fBYes\fR|\fBNo\fR] .RS 4 IPv4 only\&. .sp If set to \fBYes\fR or \fByes\fR, Shorewall will detect the first IP address of the interface to the source zone and will include this address in DNAT rules as the original destination IP address\&. If set to \fBNo\fR or \fBno\fR, Shorewall will not detect this address and any destination IP address will match the DNAT rule\&. If not specified or empty, \(lqDETECT_DNAT_IPADDRS=Yes\(rq is assumed\&. .RE .PP \fBDISABLE_IPV6=\fR[\fBYes\fR|\fBNo\fR] .RS 4 IPv4 only\&. .sp If set to \fBYes\fR or \fByes\fR, IPv6 traffic to, from and through the firewall system is disabled\&. If set to \fBNo\fR or \fBno\fR, Shorewall will take no action with respect to allowing or disallowing IPv6 traffic\&. If not specified or empty, \(lqDISABLE_IPV6=No\(rq is assumed\&. 
.sp It is important to note that changing DISABLE_IPV6=Yes to DISABLE_IPV6=No does \fInot\fR enable IPV6\&. The recommended approach for enabling IPv6 on your system is: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Install, configure and start \m[blue]\fBShorewall6\fR\m[]\&\s-2\u[13]\d\s+2\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in /etc/shorewall/shorewall\&.conf\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Reload Shorewall .RE .RE .PP \fBDOCKER=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 5\&.0\&.6\&. When set to \fBYes\fR, the generated script will save Docker\-generated rules before and restore them after executing the \fBstart\fR, \fBstop\fR, \fBreload\fR and \fBrestart\fR commands\&. If set to \fBNo\fR (the default), the generated script will delete any Docker\-generated rules when executing those commands\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/Docker\&.html\fR\m[]\&\s-2\u[14]\d\s+2 for additional information\&. .RE .PP \fBDONT_LOAD=\fR[\fImodule\fR[,\fImodule\fR]\&.\&.\&.] .RS 4 Causes Shorewall to not load the listed kernel modules\&. .RE .PP \fBDYNAMIC_BLACKLIST=\fR{\fBYes\fR|\fBNo\fR|\fBipset\fR[\fB\-only\fR][\fI,option\fR[,\&.\&.\&.]][:[\fIsetname\fR][:\fIlog_level\fR|:\fIlog_tag\fR]]]} .RS 4 Added in Shorewall 4\&.4\&.7\&. When set to \fBNo\fR or \fBno\fR, chain\-based dynamic blacklisting using \fBshorewall [\-6] [\-l] drop\fR, \fBshorewall [\-6] [\-l] reject\fR, \fBshorewall [\-6] [\-l] logdrop\fR and \fBshorewall [\-6] [\-l] logreject\fR is disabled\&. Default is \fBYes\fR\&. Beginning with Shorewall 5\&.0\&.8, ipset\-based dynamic blacklisting using the \fBshorewall blacklist\fR command is also supported\&. The name of the set (\fIsetname\fR) and the level (\fIlog_level\fR), if any, at which blacklisted traffic is to be logged may also be specified\&. 
The default IPv4 set name is SW_DBL4 and the default IPv6 set name is SW_DBL6\&. The default log level is \fBnone\fR (no logging)\&. If \fBipset\-only\fR is given, then chain\-based dynamic blacklisting is disabled just as if DYNAMIC_BLACKLIST=No had been specified\&. .sp Possible \fIoption\fRs are: .PP src\-dst .RS 4 Normally, only packets whose source address matches an entry in the ipset are dropped\&. If \fBsrc\-dst\fR is included, then packets whose destination address matches an entry in the ipset are also dropped\&. .RE .PP \fBdisconnect\fR .RS 4 The \fBdisconnect\fR option was added in Shorewall 5\&.0\&.13 and requires that the conntrack utility be installed on the firewall system\&. When an address is blacklisted using the \fBblacklist\fR command, all connections originating from that address are disconnected\&. If the \fBsrc\-dst\fR option was also specified, then all connections to that address are also disconnected\&. Without \fBdisconnect\fR, connections that were already established when the address was blacklisted continue to pass until they end on their own\&. .RE .PP \fBtimeout\fR=\fIseconds\fR .RS 4 Added in Shorewall 5\&.0\&.13\&. Normally, Shorewall creates the dynamic blacklisting ipset with timeout 0 which means that entries are permanent\&. If you want entries in the set that are not accessed for a period of time to be deleted from the set, you may specify that period using this option\&. Note that the \fBblacklist\fR command can override the ipset\*(Aqs timeout setting\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br Once the dynamic blacklisting ipset has been created, changing this option setting requires a complete restart of the firewall; \fBshorewall [\-6] restart\fR if RESTART=restart, otherwise \fBshorewall [\-6] [\-l] stop && shorewall [\-6] [\-l] start\fR .sp .5v .RE .RE .sp When ipset\-based dynamic blacklisting is enabled, the contents of the blacklist will be preserved over \fBstop\fR/\fBreboot\fR/\fBstart\fR sequences only if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if \fIsetname\fR is included in the list of sets to be saved in SAVE_IPSETS; otherwise addresses blacklisted at run time are lost on reboot\&. .RE .PP \fBEXPAND_POLICIES=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Normally, when the SOURCE or DEST columns in shorewall\-policy(5) contains \*(Aqall\*(Aq, a single policy chain is created and the policy is enforced in that chain\&. For example, if the policy entry is .sp .if n \{\ .RS 4 .\} .nf #SOURCE DEST POLICY LOG # LEVEL net all DROP info .fi .if n \{\ .RE .\} .sp then the chain name is \*(Aqnet\-all\*(Aq (\*(Aqnet2all\*(Aq if ZONE2ZONE=2) which is also the chain named in Shorewall log messages generated as a result of the policy\&. If EXPAND_POLICIES=Yes, then Shorewall will create a separate chain for each pair of zones covered by the policy\&. This makes the resulting log messages easier to interpret since the chain in the messages will have a name of the form \*(Aqa2b\*(Aq where \*(Aqa\*(Aq is the SOURCE zone and \*(Aqb\*(Aq is the DEST zone\&. .RE .PP \fBEXPORTMODULES=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.4\&.17\&. When set to Yes when compiling for use by Shorewall Lite (\fBshorewall [\-6] remote\-start\fR, \fBshorewall [\-6] remote\-reload, shorewall [\-6] remote\-restart \fRor \fBshorewall [\-6] export\fR commands), the compiler will copy the modules or helpers file from the administrative system into the script\&. 
When set to No or not specified, the compiler will not copy the modules or helpers file from /usr/share/shorewall[6] but will copy those found in another location on the CONFIG_PATH\&. .sp When set to Yes and compiling for direct use by Shorewall, the contents of the local modules or helpers file are copied into the compiled script\&. When set to No or not set, the compiled script reads the file itself at run time\&. .RE .PP \fBFASTACCEPT=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Normally, Shorewall defers accepting ESTABLISHED/RELATED packets until these packets reach the chain in which the original connection was accepted\&. So for packets going from the \*(Aqloc\*(Aq zone to the \*(Aqnet\*(Aq zone, ESTABLISHED/RELATED packets are ACCEPTED in the \*(Aqloc\-net\*(Aq or \*(Aqloc2net\*(Aq chain, depending on the setting of ZONE2ZONE (see below)\&. .sp If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains, before any zone\-specific chain is consulted\&. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. .RE .PP \fBFIREWALL\fR=[\fIdnsname\-or\-ip\-address\fR] .RS 4 This option was added in Shorewall 5\&.0\&.13 and may be used on an administrative system in directories containing the configurations of remote firewalls\&. The contents of the variable are the default value for the \fIsystem\fR parameter to the \fBremote\-start\fR, \fBremote\-reload\fR and \fBremote\-restart\fR commands\&. .RE .PP \fBFORWARD_CLEAR_MARK=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Added in Shorewall 4\&.4\&.11\&. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain\&. This behavior is maintained with the default setting of this option (FORWARD_CLEAR_MARK=Yes)\&. If FORWARD_CLEAR_MARK is set to \*(AqNo\*(Aq, packet marks set in the mangle PREROUTING chain are retained in the FORWARD chains\&. 
.RE .PP \fBGEOIPDIR\fR=[\fIpathname\fR] .RS 4 Added in Shorewall 4\&.5\&.4\&. Specifies the pathname of the directory containing the GeoIP Match database\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/ISO\-3661\&.html\fR\m[]\&\s-2\u[15]\d\s+2\&. If not specified, the default value is /usr/share/xt_geoip/LE which is the default location of the little\-endian database\&. .RE .PP \fBHELPERS\fR=[\fIhelper\fR[,\fIhelper\fR\&.\&.\&.]] .RS 4 Added in Shorewall 4\&.5\&.7\&. This option specifies a comma\-separated list naming the Netfilter application helpers that are to be enabled\&. If not specified, the default is to enable all helpers\&. Each enabled helper parses application\-layer traffic in the kernel, so enabling only the helpers you actually need reduces the attack surface of the firewall\&. .sp Possible values for \fIhelper\fR are: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBamanda\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBftp\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBh323\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBirc\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBnetbios\-ns\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBnone\fR \- This special value was added in Shorewall 4\&.5\&.16 and indicates that no helpers are to be enabled\&. It also prevents the compiler from probing for helper support; such probing generates messages on the system log of the form "xt_CT: No such helper XXX" where XXX is the helper name\&. When used, \fBnone\fR must be the only helper specified\&. 
.RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBpptp\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBsane\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBsip\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBsnmp\fR .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \fBtftp\fR .RE .sp When HELPERS is specified on a system running Kernel 3\&.5\&.0 or later, automatic association of helpers to connections is disabled\&. .RE .PP \fBIGNOREUNKNOWNVARIABLES=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.5\&.11\&. Normally, if an unknown shell variable is encountered in a configuration file (except in ?IF and ?ELSIF directives), the compiler raises a fatal error\&. If IGNOREUNKNOWNVARIABLES is set to \fBYes\fR, then such variables simply expand to an empty string\&. Default is \fBNo\fR\&. Leave this option at \fBNo\fR unless you have a specific need: with \fBYes\fR, a misspelled variable name silently produces an empty value instead of an error, and an empty value in a rule column can make that rule match more traffic than intended\&. .RE .PP \fBIMPLICIT_CONTINUE=\fR{\fBYes\fR|\fBNo\fR} .RS 4 When this option is set to \fBYes\fR, it causes subzones to be treated differently with respect to policies\&. .sp Subzones are defined by following their name with ":" and a list of parent zones (in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[16]\d\s+2(5))\&. Normally, you want to have a set of special rules for the subzone and if a connection doesn\*(Aqt match any of those subzone\-specific rules then you want the parent zone rules and policies to be applied; see \m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[17]\d\s+2(5)\&. With IMPLICIT_CONTINUE=Yes, that happens automatically\&. .sp If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones are not subject to this special treatment\&. With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden by including an explicit policy (one that does not specify "all" in either the SOURCE or the DEST columns)\&. 
.RE .PP \fBINVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]\fR .RS 4 Added in Shorewall 4\&.5\&.13\&. Shorewall has traditionally passed INVALID packets through the NEW section of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2 (5)\&. When a packet in INVALID state fails to match any rule in the INVALID section, the packet is disposed of based on this setting\&. The default value is CONTINUE for compatibility with earlier versions; note that CONTINUE means such packets go on to be evaluated by the NEW\-section rules and policies, so if you want INVALID packets dropped unconditionally, set DROP (or A_DROP) explicitly\&. .RE .PP \fBINVALID_LOG_LEVEL=\fR\fIlog\-level\fR[:\fIlog\-tag\fR] .RS 4 Added in Shorewall 4\&.5\&.13\&. Packets in the INVALID state that do not match any rule in the INVALID section of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2 (5) are logged at this level\&. The default value is empty which means no logging is performed\&. .RE .PP \fBIP\fR=[\fIpathname\fR] .RS 4 If specified, gives the pathname of the \*(Aqip\*(Aq executable\&. If not specified, \*(Aqip\*(Aq is assumed and the utility will be located using the current PATH setting\&. .RE .PP \fBIP_FORWARDING=\fR[\fBOn\fR|\fBOff\fR|\fBKeep\fR] .RS 4 This IPv4 parameter determines whether Shorewall enables or disables IPv4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward)\&. In an IPv6 configuration, this parameter determines the setting of /proc/sys/net/ipv6/conf/all/forwarding\&. .sp Possible values are: .PP \fBOn\fR or \fBon\fR .RS 4 packet forwarding will be enabled\&. .RE .PP \fBOff\fR or \fBoff\fR .RS 4 packet forwarding will be disabled\&. .RE .PP \fBKeep\fR or \fBkeep\fR .RS 4 Shorewall will neither enable nor disable packet forwarding\&. .RE .sp If this variable is not set or is given an empty value (IP_FORWARDING="") then IP_FORWARDING=On is assumed\&. Because the default turns forwarding on for all interfaces, a standalone (single\-interface, non\-router) firewall should set IP_FORWARDING=Off so that the host never routes packets on behalf of other systems\&. .RE .PP \fBIPSET\fR=[\fIpathname\fR] .RS 4 If specified, gives the pathname of the \*(Aqipset\*(Aq executable\&. If not specified, \*(Aqipset\*(Aq is assumed and the utility will be located using the current PATH setting\&. 
.RE .PP \fBIPSET_WARNINGS=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Added in Shorewall 4\&.5\&.2\&. Default is Yes\&. When set, causes the rules compiler to issue a warning when: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The compiler is being run by root and an ipset specified in the configuration does not exist\&. Only one warning is issued for each missing ipset\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} [src] is specified in a destination column or [dst] is specified in a source column\&. .RE .RE .PP \fBIPTABLES=\fR[\fIpathname\fR] .RS 4 IPv4 only\&. .sp This parameter names the iptables executable to be used by Shorewall\&. If not specified or if specified as a null value, then the iptables executable located using the PATH option is used\&. .sp Regardless of how the iptables utility is located (specified via IPTABLES= or located via PATH), Shorewall uses the iptables\-restore and iptables\-save utilities from that same directory\&. .RE .PP \fBIP6TABLES=\fR[\fIpathname\fR] .RS 4 IPv6 only\&. .sp This parameter names the ip6tables executable to be used by Shorewall6\&. If not specified or if specified as a null value, then the ip6tables executable located using the PATH option is used\&. .sp Regardless of how the ip6tables utility is located (specified via IP6TABLES= or located via PATH), Shorewall6 uses the ip6tables\-restore and ip6tables\-save utilities from that same directory\&. .RE .PP \fBKEEP_RT_TABLES=\fR{\fBYes\fR|\fBNo\fR} .RS 4 IPv4: When set to \fBYes\fR, this option prevents generated scripts from altering the /etc/iproute2/rt_tables database when there are entries in /etc/shorewall/providers\&. If you set this option to \fBYes\fR while Shorewall (Shorewall\-lite) is running, you should remove the file /var/lib/shorewall/rt_tables (/var/lib/shorewall\-lite/rt_tables) before your next \fBstop\fR, \fBrestore\fR, \fBreload\fR or \fBrestart\fR command\&. 
IPv6: When set to \fBYes\fR, this option prevents scripts generated by Shorewall6 from altering the /etc/iproute2/rt_tables database when there are entries in /etc/shorewall6/providers\&. If you set this option to \fBYes\fR while Shorewall6 (Shorewall6\-lite) is running, you should remove the file /var/lib/shorewall6/rt_tables (/var/lib/shorewall6\-lite/rt_tables) before your next \fBstop\fR, \fBrestore\fR, \fBreload\fR or \fBrestart\fR command\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br When both IPv4 and IPv6 Shorewall configurations are present, KEEP_RT_TABLES=No should be specified in only one of the two configurations unless the two provider configurations are identical with respect to interface and provider names and numbers\&. .sp .5v .RE The default is KEEP_RT_TABLES=No\&. .RE .PP \fBLOAD_HELPERS_ONLY=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Added in Shorewall 4\&.4\&.7\&. When set to Yes, restricts the set of modules loaded by shorewall to those listed in /var/lib/shorewall[6]/helpers and those that are actually used\&. When not set, or set to the empty value, LOAD_HELPERS_ONLY=No is assumed in Shorewall versions 5\&.2\&.2 and earlier\&. Beginning with Shorewall 5\&.2\&.3, the LOAD_HELPERS_ONLY option is removed, and the behavior is as if LOAD_HELPERS_ONLY=Yes had been specified\&. .RE .PP \fBLOCKFILE\fR=[\fIpathname\fR] .RS 4 Specifies the name of the Shorewall[6] lock file, used to prevent simultaneous state\-changing commands\&. If not specified, ${VARDIR}/shorewall[6]/lock is assumed (${VARDIR} is normally /var/lib but can be changed when Shorewall\-core is installed \-\- see the output of \fBshorewall show vardir\fR)\&. .RE .PP \fBLOG_BACKEND=\fR[\fIbackend\fR] .RS 4 Added in Shorewall 4\&.6\&.4\&. LOG_BACKEND determines the logging backend to be used for the \fBiptrace\fR command (see \m[blue]\fBshorewall(8)\fR\m[]\&\s-2\u[18]\d\s+2)\&. 
.sp \fIbackend\fR is one of: .PP LOG .RS 4 Use standard kernel logging\&. .RE .PP ULOG .RS 4 IPv4 only\&. .sp Use ULOG logging to ulogd\&. .RE .PP netlink .RS 4 Use netlink logging to ulogd version 2 or later\&. .RE .RE .PP \fBLOG_ZONE=\fR[\fB\fBsrc\fR\fR\fB|\fR\fB\fBdst\fR\fR\fB|\fR\fB\fBboth\fR\fR] .RS 4 Added in Shorewall 5\&.2\&.0\&. When a log message is issued from a chain that relates to a pair of zones (e\&.g, \*(Aqfw\-net\*(Aq), the chain name normally appears in the log message (unless LOGTAGONLY=Yes and a log tag is specified)\&. This can prevent OPTIMIZE category 8 from combining chains which are identical except for the names of the zones involved\&. LOG_ZONE allows for only the source or destination zone to appear in the messages by setting LOG_ZONE to \fBsrc\fR or \fBdst\fR respectively\&. If LOG_ZONE=\fBboth\fR (the default), then the full chain name is included in log messages\&. Note that with \fBsrc\fR or \fBdst\fR, the log message alone no longer identifies both zones involved\&. .RE .PP \fBLOG_LEVEL=\fR\fIlog\-level\fR[:\fIlog\-tag\fR] .RS 4 Added in Shorewall 5\&.1\&.2\&. Beginning with that release, the sample configurations use this as the default log level and changing it will change all packet logging done by the configuration\&. In any configuration file (except \m[blue]\fBshorewall\-params(5)\fR\m[]\&\s-2\u[19]\d\s+2), $LOG_LEVEL will expand to this value\&. .RE .PP \fBLOG_MARTIANS=\fR[\fBYes\fR|\fBNo\fR|Keep] .RS 4 IPv4 only\&. .sp If set to \fBYes\fR or \fByes\fR, sets /proc/sys/net/ipv4/conf/*/log_martians to 1 with the exception of /proc/sys/net/ipv4/conf/all/log_martians which is set to 0\&. The default value is \fBYes\fR which sets both of the above to one\&. If you do not enable martian logging for all interfaces, you may still enable it for individual interfaces using the \fBlogmartians\fR interface option in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)\&. .sp The value \fBKeep\fR causes Shorewall to ignore the option\&. If the option is set to \fBYes\fR, then martians are logged on all interfaces\&. 
If the option is set to \fBNo\fR, then martian logging is disabled on all interfaces except those specified in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)\&. .RE .PP \fBLOG_VERBOSITY=\fR[\fInumber\fR] .RS 4 This option controls the amount of information logged to the file specified in the STARTUP_LOG option\&. .sp Values are: .RS 4 \-1 \- Logging is disabled .RE .RS 4 0 \- Silent\&. Only error messages are logged\&. .RE .RS 4 1 \- Major progress messages logged\&. .RE .RS 4 2 \- All progress messages logged .RE If not specified, then \-1 is assumed\&. .RE .PP \fBLOGALLNEW=\fR[\fIlog\-level\fR] .RS 4 This option is intended for use as a debugging aid\&. When set to a log level, this option causes Shorewall to generate a logging rule as the first rule in each builtin chain\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The table name is used as the chain name in the log prefix\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The chain name is used as the target in the log prefix\&. .RE .sp For example, using the default LOGFORMAT, the log prefix for logging from the nat table\*(Aqs PREROUTING chain is as follows in versions prior to 5\&.1\&.0: .sp .if n \{\ .RS 4 .\} .nf Shorewall:nat:PREROUTING .fi .if n \{\ .RE .\} .sp In Shorewall 5\&.1\&.0 and later releases, the log prefix is: .sp .if n \{\ .RS 4 .\} .nf nat:PREROUTING .fi .if n \{\ .RE .\} .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br To help insure that all packets in the NEW state are logged, rate limiting (LOGLIMIT) should be disabled when using LOGALLNEW\&. Use LOGALLNEW at your own risk; it may cause high CPU and disk utilization and you may not be able to control your firewall after you enable this option\&. 
.sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br Do not use this option if the resulting log messages will be sent to another system\&. .sp .5v .RE .RE .PP \fBLOGFILE=\fR[\fIpathname\fR|\fBsystemd\fR] .RS 4 This parameter tells the /sbin/shorewall program where to look for Shorewall messages when processing the \fBdump\fR, \fBlogwatch\fR, \fBshow log\fR, and \fBhits\fR commands\&. If not assigned or if assigned an empty value, /var/log/messages is assumed\&. For further information, see \m[blue]\fBshorewall\-logging(8)\fR\m[]\&\s-2\u[21]\d\s+2\&. Beginning with Shorewall 5\&.0\&.10\&.1, you may specify \fBsystemd\fR to use \fBjournalctl \-r\fR to read the log\&. .RE .PP \fBLOGFORMAT=\fR[\fB"\fR\fIformattemplate\fR\fB"\fR] .RS 4 The value of this variable generates the \-\-log\-prefix setting for Shorewall logging rules\&. It contains a \(lqprintf\(rq formatting template which accepts three arguments (the chain name, logging rule number (optional) and the disposition)\&. To use LOGFORMAT with fireparse, set it as: .sp .if n \{\ .RS 4 .\} .nf LOGFORMAT="fp=%s:%d a=%s " .fi .if n \{\ .RE .\} .sp If the LOGFORMAT value contains the substring \(lq%d\(rq then the logging rule number is calculated and formatted in that position; if that substring is not included then the rule number is not included\&. If not supplied or supplied as empty (LOGFORMAT="") then \(lqShorewall:%s:%s:\(rq is assumed\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br The setting of LOGFORMAT has an effect on the permitted length of zone names\&. See \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[16]\d\s+2 (5)\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br Beginning with Shorewall 5\&.1\&.0, the default and sample shorewall[6]\&.conf files set LOGFORMAT="%s %s "\&. 
.sp Regardless of the LOGFORMAT setting, Shorewall IPv4 log messages that use this LOGFORMAT can be uniquely identified using the following regular expression: .RS 4 \*(AqIN=\&.* OUT=\&.* SRC=\&.*\e\&.\&.* DST=\*(Aq .RE and Shorewall IPv6 log messages can be uniquely identified using the following regular expression: .RS 4 \*(AqIN=\&.* OUT=\&.* SRC=\&.*:\&.* DST=\*(Aq .RE To match all Netfilter log messages (Both IPv4 and IPv6 and regardless of the LOGFORMAT setting), use: .RS 4 \*(AqIN=\&.* OUT=\&.* SRC=\&.* DST=\*(Aq .RE .sp .5v .RE .RE .PP \fBLOGLIMIT=[\fR[{\fIs\fR|\fBd\fR}:]\fIrate\fR\fB/\fR{\fBsec\fR|\fBsecond|min\fR|\fBminute|hour\fR|\fBday\fR}[:\fIburst\fR]] .RS 4 Added in Shorewall 4\&.4\&.12\&. Limits the logging rate, either overall, or by source or destination IP address\&. .sp If the value starts with \*(Aqs:\*(Aq then logging is limited per source IP\&. If the value starts with \*(Aqd:\*(Aq, then logging is limited per destination IP\&. Otherwise, the overall logging rate is limited\&. .sp If \fIburst\fR is not specified, then a value of 5 is assumed\&. .sp The keywords \fBsecond\fR and \fBminute\fR are accepted beginning with Shorewall 4\&.6\&.13\&. .RE .PP \fBLOGTAGONLY=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Using LOGFORMAT=\(lqShorewall:%s:%s:\(rq, chain names may not exceed 5 characters or truncation of the log prefix may occur\&. Longer chain names may be used with log tags if you set LOGTAGONLY=Yes\&. With LOGTAGONLY=Yes, if a log tag is specified then the tag is included in the log prefix in place of the chain name\&. .sp Beginning with Shorewall 4\&.5\&.12, when LOGTAGONLY=Yes, you have more control over the generated log prefix\&. Beginning with that release, the tag is interpreted as a \fIchain name\fR and a \fIdisposition\fR separated by a comma\&. 
So this rule: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST LOG:info:foo,bar net fw .fi .if n \{\ .RE .\} .sp would generate the following log prefix when using LOGFORMAT=\(lqShorewall:%s:%s:\(rq: .RS 4 Shorewall:foo:bar: .RE Similarly, .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST LOG:info:,bar net fw .fi .if n \{\ .RE .\} .sp would generate .RS 4 Shorewall:net2fw:bar: .RE .RE .PP \fBMACLIST_DISPOSITION=\fR[\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT] .RS 4 Determines the disposition of connection requests that fail MAC Verification and must have the value ACCEPT (accept the connection request anyway), REJECT (reject the connection request) or DROP (ignore the connection request)\&. If not set or if set to the empty value (e\&.g\&., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed\&. Note that ACCEPT turns MAC verification into a logging\-only check: failing hosts are still allowed through\&. .sp A_DROP and A_REJECT are audited versions of DROP and REJECT respectively and were added in Shorewall 4\&.4\&.20\&. They require AUDIT_TARGET in the kernel and ip[6]tables\&. .RE .PP \fBMACLIST_LOG_LEVEL=\fR[\fIlog\-level\fR[:\fIlog\-tag\fR]] .RS 4 Determines the syslog level for logging connection requests that fail MAC Verification\&. The value must be a valid syslogd log level\&. If you don\*(Aqt want to log these connection requests, set to the empty value (e\&.g\&., MACLIST_LOG_LEVEL="")\&. .RE .PP \fBMACLIST_TABLE=\fR[\fBfilter\fR|\fBmangle\fR] .RS 4 Normally, MAC verification occurs in the filter table (INPUT and FORWARD) chains\&. When forwarding a packet from an interface with MAC verification to a bridge interface, that doesn\*(Aqt work\&. .sp This problem can be worked around by setting MACLIST_TABLE=mangle which will cause MAC verification to occur out of the PREROUTING chain\&. Because REJECT isn\*(Aqt available in that environment, you may not specify MACLIST_DISPOSITION=REJECT or MACLIST_DISPOSITION=A_REJECT with MACLIST_TABLE=mangle\&. 
.RE .PP \fBMACLIST_TTL=[\fR\fInumber\fR] .RS 4 The performance of configurations with a large numbers of entries in \m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[22]\d\s+2(5) can be improved by setting the MACLIST_TTL variable in \m[blue]\fBshorewall[6]\&.conf\fR\m[]\&\s-2\u[23]\d\s+2(5)\&. .sp If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" near the top), you can cache the results of a \*(Aqmaclist\*(Aq file lookup and thus reduce the overhead associated with MAC Verification\&. .sp When a new connection arrives from a \*(Aqmaclist\*(Aq interface, the packet passes through the list of entries for that interface in \m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[22]\d\s+2(5)\&. If there is a match then the source IP address is added to the \*(AqRecent\*(Aq set for that interface\&. Subsequent connection attempts from that IP address occurring within $MACLIST_TTL seconds will be accepted without having to scan all of the entries\&. After $MACLIST_TTL from the first accepted connection request from an IP address, the next connection request from that IP address will be checked against the entire list\&. .sp Be aware of the security trade\-off: the cache is keyed on the source IP address only, so during the TTL window a packet from a different MAC address that uses a cached IP address is accepted without being checked against the list\&. Keep the TTL short on networks where hosts can choose their own addresses\&. .sp If MACLIST_TTL is not specified, is specified as empty (e\&.g\&., MACLIST_TTL="") or is specified as zero, then \*(Aqmaclist\*(Aq lookups will not be cached\&. .RE .PP \fBMANGLE_ENABLED=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Determines whether Shorewall will generate rules in the Netfilter mangle table\&. Setting MANGLE_ENABLED=No disables all Shorewall features that require the mangle table\&. The default is MANGLE_ENABLED=Yes\&. .RE .PP \fBMINIUPNPD=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 5\&.0\&.8\&. If set to Yes, Shorewall will create a chain in the nat table named MINIUPNPD\-POSTROUTING and will add jumps from POSTROUTING to that chain for each interface with the \fBupnpd\fR option specified\&. Default is No\&. 
.RE .PP \fBMARK_IN_FORWARD_CHAIN=\fR[\fBYes\fR|\fBNo\fR] .RS 4 If your kernel has a FORWARD chain in the mangle table, you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the tcrules file to occur in that chain rather than in the PREROUTING chain\&. This permits you to mark inbound traffic based on its destination address when DNAT is in use\&. To determine if your kernel has a FORWARD chain in the mangle table, use the \fBshorewall [\-6] show mangle\fR command; if a FORWARD chain is displayed then your kernel will support this option\&. If this option is not specified or if it is given the empty value (e\&.g\&., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed\&. .RE .PP \fBMASK_BITS\fR=[\fInumber\fR] .RS 4 Added in Shorewall 4\&.4\&.26\&. Number of bits on the right of the 32\-bit packet mark to be masked when clearing the traffic shaping mark\&. Must be >= TC_BITS and <= PROVIDER_OFFSET (if PROVIDER_OFFSET > 0)\&. Prior to Shorewall 5\&.0\&.0, the default value of this option and the default values of the other mark layout options were determined as follows: .sp .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .B Table\ \&1.\ \&Default Packet Mark Layout .TS tab(:); l l l l l l l l. T{ WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No T}:T{ TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0, MASK_BITS=8 T} T{ WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes T}:T{ TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8, MASK_BITS=8 T} T{ WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No T}:T{ TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=0, MASK_BITS=16 T} T{ WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes T}:T{ TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=16, MASK_BITS=16 T} .TE .sp 1 From 5\&.0\&.0 onward, the default values of TC_BITS, PROVIDER_BITS, PROVIDER_OFFSET and MASK_BITS are all 8\&. .RE .PP \fBMODULESDIR=\fR[[+]\fIpathname\fR[\fB:\fR\fIpathname\fR]\&.\&.\&.] 
.RS 4 This parameter specifies the directory/directories where your kernel netfilter modules may be found\&. If you leave the variable empty, Shorewall will supply the value "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset" where \fBuname\fR holds the output of \*(Aq\fBuname \-r\fR\*(Aq and \fBg_family\fR holds \*(Aq4\*(Aq in IPv4 configurations and \*(Aq6\*(Aq in IPv6 configurations\&. .sp The option plus sign (\*(Aq+\*(Aq) was added in Shorewall 5\&.0\&.3 and causes the listed pathnames to be appended to the default list above\&. .RE .PP \fBMULTICAST=\fR[\fBYes\fR|\fBNo\fR] .RS 4 IPv4 only\&. .sp This option will normally be set to \*(AqNo\*(Aq (the default)\&. It should be set to \*(AqYes\*(Aq under the following circumstances: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} You have an interface that has parallel zones defined via /etc/shorewall/hosts\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} You want to forward multicast packets to two or more of those parallel zones\&. .RE .sp In such cases, you will configure a \fBdestonly\fR network on each zone receiving multicasts\&. .RE .PP \fBMUTEX_TIMEOUT=\fR[\fIseconds\fR] .RS 4 The value of this variable determines the number of seconds that programs will wait for exclusive access to the Shorewall[6] lock file\&. After the number of seconds corresponding to the value of this variable, programs will assume that the last program to hold the lock died without releasing the lock\&. .sp If not set or set to the empty value, a value of 60 (60 seconds) is assumed\&. .sp An appropriate value for this parameter would be twice the length of time that it takes your firewall system to process a \fBshorewall [\-6] restart\fR command\&. .RE .PP \fBNFACCT=\fR[\fIpathname\fR] .RS 4 Added in Shorewall 4\&.5\&.7\&. 
Specifies the pathname of the nfacct utility\&. If not specified, Shorewall will use the PATH setting to find the program\&. .RE .PP \fBNULL_ROUTE_RFC1918=\fR[\fBYes\fR|\fBNo\fR|\fBblackhole\fR|\fBunreachable\fR|\fBprohibit\fR] .RS 4 IPv4 only\&. .sp When set to Yes, causes Shorewall to null\-route the IPv4 address ranges reserved by RFC1918\&. The default value is \*(AqNo\*(Aq\&. .sp When combined with route filtering (ROUTE_FILTER=Yes or \fBroutefilter\fR in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)), this option ensures that packets with an RFC1918 source address are only accepted from interfaces having known routes to networks using such addresses\&. .sp Beginning with Shorewall 4\&.5\&.15, you may specify \fBblackhole\fR, \fBunreachable\fR or \fBprohibit\fR to set the type of route to be created\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html#null_routing\fR\m[]\&\s-2\u[24]\d\s+2\&. .RE .PP \fBOPTIMIZE=\fR[\fIvalue\fR] .RS 4 The specified \fIvalue\fR enables certain optimizations\&. Each optimization category is associated with a power of two\&. To enable multiple optimization categories, simply add their corresponding numbers together\&. .sp Beginning with Shorewall 4\&.5\&.20, you may specify OPTIMIZE=All to enable all optimization categories, and you may also specify OPTIMIZE=None to disable optimization\&. .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Optimization category 1 \- Traditionally, Shorewall has created rules for the complete matrix of host groups defined by the zones, interfaces and hosts files\&. Any traffic that didn\*(Aqt correspond to an element of that matrix was rejected in one of the built\-in chains\&. When the matrix is sparse, this results in lots of largely useless rules\&. .sp These extra rules can be eliminated by setting the 1 bit in OPTIMIZE\&. 
.sp The 1 bit setting also controls the suppression of redundant wildcard rules (those specifying "all" in the SOURCE or DEST column)\&. A wildcard rule is considered to be redundant when it has the same ACTION and Log Level as the applicable policy\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br Optimization level 1 is ignored when optimization level 4 is also selected, since level 4 performs similar optimizations in a more robust way\&. .sp .5v .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Optimization category 2 \- Added in Shorewall 4\&.4\&.7\&. When set, suppresses superfluous ACCEPT rules in a policy chain that implements an ACCEPT policy\&. Any ACCEPT rules that immediately precede the final blanket ACCEPT rule in the chain are now omitted\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Optimization category 4 \- Added in Shorewall 4\&.4\&.7\&. When set, causes short chains (those with less than 2 rules) to be optimized away\&. 
The following chains are excluded from optimization: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} accounting chains (unless OPTIMIZE_ACCOUNTING=Yes) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} action chains (user\-defined) .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} \*(Aqblacklst\*(Aq chain .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} dynamic .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} forwardUPnP .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} UPnP (nat table) .RE .sp Additionally: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If a built\-in chain has a single rule that branches to a second chain, then the rules from the second chain are moved to the built\-in chain and the target chain is omitted\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Chains with no references are deleted\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Accounting chains are subject to optimization if the OPTIMIZE_ACCOUNTING option is set to \*(AqYes\*(Aq\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If a chain ends with an unconditional branch to a second chain (other than to \*(Aqreject\*(Aq), then the branch is deleted from the first chain and the rules from the second chain are appended to it\&. .RE .sp An additional optimization was added in Shorewall 4\&.5\&.4\&. If the last rule in a chain is an unqualified jump to a simple target, then all immediately preceding rules with the same simple target are omitted\&. 
.sp For example, consider this chain: .sp .if n \{\ .RS 4 .\} .nf \-A fw\-net \-p udp \-\-dport 67:68 \-j ACCEPT \-A fw\-net \-p udp \-\-sport 1194 \-j ACCEPT \-A fw\-net \-p 41 \-j ACCEPT \-A fw\-net \-j ACCEPT .fi .if n \{\ .RE .\} .sp Since all of the rules are jumps to the simple target ACCEPT, this chain is totally optimized away and jumps to the chain are replaced with jumps to ACCEPT\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Optimization category 8 \- Added in Shorewall 4\&.4\&.9\&. When set, causes chains with identical rules to be collapsed into a single chain\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br While Optimization category 8 can significantly reduce the size of the generated iptables ruleset, it can also take significant system resources during compilation\&. If you find that compilation takes an unreasonably long time, try disabling this category by setting OPTIMIZE=23\&. .sp .5v .RE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Optimization category 16 \- Added in Shorewall 4\&.4\&.26\&. When set, causes sequences of compatible rules to be combined into a single rule\&. Rules are considered compatible if they differ only in their destination ports and comments\&. .sp A sequence of compatible rules is often generated when macros are invoked in sequence\&. .sp The ability to combine adjacent rules is limited by two factors: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Destination port lists may only be combined up to a maximum of 15 ports, where a port\-pair counts as two ports\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Rules may only be combined until the length of their concatenated comment reaches 255 characters\&.
.RE .sp When either of these limits would be exceeded, the current combined rule is emitted and the compiler attempts to combine rules beginning with the one that would have exceeded the limit\&. Adjacent combined comments are separated by \*(Aq, \*(Aq\&. Empty comments at the front of a group of combined comments are replaced by \*(AqOthers and\*(Aq\&. Empty comments at the end of a group of combined comments are replaced by \*(Aqand others\*(Aq\&. .sp Beginning in Shorewall 4\&.5\&.10, this option also suppresses duplicate adjacent rules and duplicate non\-adjacent rules that don\*(Aqt include \fBmark\fR, \fBconnmark\fR, \fBdscp\fR, \fBecn\fR, \fBset\fR, \fBtos\fR or \fBu32\fR matches\&. .PP Example 1: .RS 4 Rules with comments "FOO", and "BAR" would result in the combined comment "FOO and others, BAR"\&. .RE .PP Example 2: .RS 4 Rules with comments , "FOO" and "BAR" would result in the combined comment "Others and FOO, BAR"\&. Note: Optimize level 16 requires "Extended Multi\-port Match" in your iptables and kernel\&. .RE .RE .sp In versions prior to 5\&.1\&.0, the default value is zero which disables all optimizations\&. Beginning with Shorewall 5\&.1\&.0, the default value is \fBAll\fR which enables all optimizations\&. .RE .PP \fBOPTIMIZE_ACCOUNTING=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.4\&.7\&. If set to Yes, Shorewall accounting chains are subject to optimization (OPTIMIZE=4,5,6 or 7)\&. If not specified or set to the empty value, OPTIMIZE_ACCOUNTING=No is assumed\&. .RE .PP \fBPAGER=\fR\fIpathname\fR .RS 4 Added in Shorewall 5\&.0\&.6\&. Specifies a path name of a pager program like \fBless\fR or \fBmore\fR\&. When PAGER is given, the output of verbose \fBstatus\fR commands and the \fBdump\fR command are piped through the named program when the output file is a terminal\&. .sp Beginning with Shorewall 5\&.0\&.12, the default value of this option is the DEFAULT_PAGER setting in shorewallrc\&.
.RE .PP \fBPATH=\fR\fIpathname\fR[\fB:\fR\fIpathname\fR]\&.\&.\&. .RS 4 Determines the order in which Shorewall searches directories for executable files\&. .RE .PP \fBPERL=\fR\fIpathname\fR .RS 4 Added in Shorewall 4\&.4\&.11 RC1\&. Specifies the path name of the Perl executable\&. Default is /usr/bin/perl\&. If the pathname specified by this option does not exist or the named file is not executable, then Shorewall falls back to /usr/bin/perl\&. .RE .PP \fBPERL_HASH_SEED=\fR\fB\fIseed\fR\fR\fB\fB|random\fR\fR .RS 4 Added in Shorewall 5\&.1\&.4\&. Sets the Perl hash \fIseed\fR (an integer in the range 0\-99999) when running the Shorewall rules compiler\&. If not specified, the value 0 is assumed\&. If \fBrandom\fR is specified, a random seed will be chosen by Perl\&. See perlsec(1) for additional information\&. .RE .PP \fBPROVIDER_BITS\fR=[\fInumber\fR] .RS 4 Added in Shorewall 4\&.4\&.26\&. The number of bits in the 32\-bit packet mark to be used for provider numbers\&. May be zero\&. See MASK_BITS above for default value\&. .RE .PP \fBPROVIDER_OFFSET\fR=[\fInumber\fR] .RS 4 Added in Shorewall 4\&.4\&.26\&. The offset from the right (low\-order end) of the provider number field in the 32\-bit packet mark\&. If non\-zero, must be >= TC_BITS (Shorewall automatically adjusts PROVIDER_OFFSET\*(Aqs value)\&. PROVIDER_OFFSET + PROVIDER_BITS + ZONE_BITS must be < 32\&. See MASK_BITS above for default value\&. .RE .PP \fBRCP_COMMAND="\fR\fIcommand\fR\fB"\fR .RS 4 .RE .PP \fBRSH_COMMAND="\fR\fIcommand\fR\fB"\fR .RS 4 Earlier generations of Shorewall Lite required that remote root login via ssh be enabled in order to use the \fBload\fR and \fBreload\fR commands\&. Beginning with release 3\&.9\&.5, you may define an alternative means for accessing the remote firewall system\&.
In that release, two new options were added to shorewall\&.conf: .RS 4 RSH_COMMAND .RE .RS 4 RCP_COMMAND .RE The default values for these are as follows: .sp .if n \{\ .RS 4 .\} .nf RSH_COMMAND: ssh ${root}@${system} ${command} RCP_COMMAND: scp ${files} ${root}@${system}:${destination} .fi .if n \{\ .RE .\} .sp Shell variables that will be set when the commands are invoked are as follows: .sp .if n \{\ .RS 4 .\} .nf \fIroot\fR \- root user\&. Normally \fBroot\fR but may be overridden using the \*(Aq\-r\*(Aq option\&. \fIsystem\fR \- The name/IP address of the remote firewall system\&. \fIcommand\fR \- For RSH_COMMAND, the command to be executed on the firewall system\&. \fIfiles\fR \- For RCP_COMMAND, a space\-separated list of files to be copied to the remote firewall system\&. \fIdestination\fR \- The directory on the remote system that the files are to be copied into\&. .fi .if n \{\ .RE .\} .RE .PP \fBRELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]\fR .RS 4 Added in Shorewall 4\&.4\&.27\&. Shorewall has traditionally ACCEPTed RELATED packets that don\*(Aqt match any rule in the RELATED section of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2 (5)\&. Concern about the safety of this practice resulted in the addition of this option\&. When a packet in RELATED state fails to match any rule in the RELATED section, the packet is disposed of based on this setting\&. The default value is ACCEPT for compatibility with earlier versions\&. .RE .PP \fBRELATED_LOG_LEVEL=\fR\fIlog\-level\fR[:\fIlog\-tag\fR] .RS 4 Added in Shorewall 4\&.4\&.27\&. Packets in the related state that do not match any rule in the RELATED section of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2 (5) are logged at this level\&. The default value is empty which means no logging is performed\&. .RE .PP \fBREJECT_ACTION=\fR\fIaction\fR .RS 4 Added in Shorewall 4\&.5\&.21\&. 
When a REJECT target is specified, Shorewall normally handles the response as follows: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If the destination address of the packet is a broadcast or multicast address, the packet is dropped\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} if the protocol is ICMP (2) then the packet is dropped\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} if the protocol is TCP (6) then the packet is rejected with an RST\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} if the protocol is UDP (17) then the packet is rejected with a \*(Aqport\-unreachable\*(Aq ICMP\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} if the protocol is ICMP (1) then the packet is rejected with a \*(Aqhost\-unreachable\*(Aq ICMP\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} if the protocol is ICMP6 (1) then the packet is rejected with an \*(Aqicmp6\-addr\-unreachable\*(Aq ICMP6\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} otherwise, the packet is rejected with a \*(Aqhost\-prohibited\*(Aq ICMP\&. .RE .sp You can modify this behavior by implementing your own \fIaction\fR that handles REJECT and specifying its name in this option\&. The \fBnolog\fR and \fBnoinline\fR options will automatically be assumed for the specified \fIaction\fR\&.
.sp The following action implements the default reject action: .sp .if n \{\ .RS 4 .\} .nf ?format 2 #TARGET SOURCE DEST PROTO Broadcast(DROP) \- \- \- DROP \- \- 2 INLINE \- \- 6 ;; \-j REJECT \-\-reject\-with tcp\-reset ?if __ENHANCED_REJECT INLINE \- \- 17 ;; \-j REJECT ?if __IPV4 INLINE \- \- 1 ;; \-j REJECT \-\-reject\-with icmp\-host\-unreachable INLINE \- \- \- ;; \-j REJECT \-\-reject\-with icmp\-host\-prohibited ?else INLINE \- \- 58 ;; \-j REJECT \-\-reject\-with icmp6\-addr\-unreachable INLINE \- \- \- ;; \-j REJECT \-\-reject\-with icmp6\-adm\-prohibited ?endif ?else INLINE \- \- \- ;; \-j REJECT ?endif .fi .if n \{\ .RE .\} .RE .PP \fBRENAME_COMBINED=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 5\&.2\&.0\&. Traditionally, when OPTIMIZE category 8 is enabled, identical chains are combined under a name beginning with \*(Aq~comb\*(Aq or \*(Aq~blacklist\*(Aq\&. This behavior is maintained under the default setting RENAME_COMBINED=Yes\&. If RENAME_COMBINED=No, the chains are combined under the original name of one of the chains\&. .RE .PP \fBREQUIRE_INTERFACE=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.4\&.10\&. The default is No\&. If set to Yes, at least one optional interface must be up in order for the firewall to be in the started state\&. Intended to be used with the \m[blue]\fBShorewall Init Package\fR\m[]\&\s-2\u[25]\d\s+2\&. .RE .PP \fBRESTART=\fR[\fBrestart\fR|\fBreload\fR] .RS 4 Added in Shorewall 5\&.0\&.1 to replace LEGACY_RESTART which was added in Shorewall 5\&.0\&.0\&. In that release, the \fBreload\fR command was redefined to do what \fBrestart\fR had done in earlier releases and \fBrestart\fR became a true restart (equivalent to \fBstop\fR followed by \fBstart\fR)\&. When RESTART=reload, the \fBrestart\fR command performs the same operation as the \fBreload\fR command making it compatible with earlier releases\&. If not specified, RESTART=reload is assumed\&.
.RE .PP \fBRESTORE_DEFAULT_ROUTE=\fR[\fBYes\fR|\fBNo\fR] .RS 4 This option determines whether to restore the default route saved when there are \*(Aqbalance\*(Aq providers defined but all of them are down\&. .sp The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the pre\-4\&.2\&.6 behavior\&. .sp RESTORE_DEFAULT_ROUTE=No is appropriate when you don\*(Aqt want a default route in the main table (USE_DEFAULT_RT=No) or in the default table (USE_DEFAULT_RT=Yes) when there are no balance providers available\&. In that case, RESTORE_DEFAULT_ROUTE=No will cause any default route in the relevant table to be deleted\&. .RE .PP \fBRESTORE_ROUTEMARKS=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.5\&.9\&. When set to \fBYes\fR (the default), provider marks are restored unconditionally at the top of the mangle OUTPUT and PREROUTING chains, even if the saved mark is zero\&. When this option is set to \fBNo\fR, the mark is restored only if it is non\-zero\&. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to \fBNo\fR\&. .RE .PP \fBRESTOREFILE=\fR\fIfilename\fR .RS 4 Specifies the simple name of a file in /var/lib/shorewall to be used as the default restore script in the \fBshorewall [\-6] save\fR, \fBshorewall [\-6] restore\fR, \fBshorewall [\-6] forget \fRand \fBshorewall [6] \-f start\fR commands\&. .RE .PP \fBRETAIN_ALIASES=\fR{\fBYes\fR|\fBNo\fR} .RS 4 IPv4 only\&. .sp During \fBshorewall start\fR, IP addresses to be added as a consequence of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted when \m[blue]\fBshorewall\-nat\fR\m[]\&\s-2\u[3]\d\s+2(5) and \m[blue]\fBshorewall\-masq\fR\m[]\&\s-2\u[4]\d\s+2(5) are processed then are re\-added later\&. This is done to help ensure that the addresses can be added with the specified labels but can have the undesirable side effect of causing routes to be quietly deleted\&. When RETAIN_ALIASES is set to Yes, existing addresses will not be deleted\&.
Regardless of the setting of RETAIN_ALIASES, addresses added during \fBshorewall start\fR are still deleted at a subsequent \fBshorewall stop\fR, \fBshorewall reload\fR or \fBshorewall restart\fR\&. .RE .PP \fBROUTE_FILTER=\fR[\fBYes\fR|\fBNo\fR|Keep] .RS 4 If this parameter is given the value \fBYes\fR or \fByes\fR then route filtering (anti\-spoofing) is enabled on all network interfaces which are brought up while Shorewall is in the started state\&. The default value is \fBno\fR\&. .sp The value \fBKeep\fR causes Shorewall to ignore the option\&. If the option is set to \fBYes\fR, then route filtering occurs on all interfaces\&. If the option is set to \fBNo\fR, then route filtering is disabled on all interfaces except those specified in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br If you need to disable route filtering on any interface, then you must set ROUTE_FILTER=No then set routefilter=1 or routefilter=2 on those interfaces where you want route filtering\&. See \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5) for additional details\&. .sp .5v .RE .RE .PP \fBRPFILTER_DISPOSITION=\fR[\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT] .RS 4 Added in Shorewall 4\&.5\&.7\&. Determines the disposition of packets entering from interfaces with the \fBrpfilter\fR option (see \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5))\&. Packets disposed of by this option are those whose response packets would not be sent through the same interface receiving the packet\&. .RE .PP \fBRPFILTER_LOG_LEVEL=\fR\fIlog\-level\fR[:\fIlog\-tag\fR] .RS 4 Added in Shorewall 4\&.5\&.7\&. Determines the logging of packets disposed via the RPFILTER_DISPOSITION\&. The default value is \fBinfo\fR\&. .RE .PP \fBSAVE_ARPTABLES=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Added in Shorewall 4\&.5\&.12\&.
If SAVE_ARPTABLES=Yes, then the current arptables contents will be saved by \fBshorewall save\fR command and restored by \fBshorewall restore\fR command\&. Default value is No\&. .RE .PP \fBSAVE_IPSETS=\fR{\fBYes\fR|\fBNo|ipv4|\fR\fB\fIsetlist\fR\fR} .RS 4 Re\-enabled in Shorewall 4\&.4\&.6\&. If SAVE_IPSETS=Yes, then the current contents of your ipsets will be saved by the \fBshorewall stop\fR and \fBshorewall save\fR commands and restored by the \fBshorewall start\fR and \fBshorewall restore\fR commands\&. .sp Beginning with Shorewall 4\&.6\&.4, you can restrict the set of ipsets saved by specifying a setlist (a comma\-separated list of ipv4 ipset names)\&. You may also restrict the saved sets to just the ipv4 ones by specifying \fBipv4\fR\&. .RE .PP \fBSFILTER_DISPOSITION=\fR[\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT] .RS 4 Added in Shorewall 4\&.4\&.20\&. Determines the disposition of packets matching the \fBsfilter\fR option (see \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)) and of hairpin packets on interfaces without the \fBrouteback\fR option\&.\&\s-2\u[26]\d\s+2 .RE .PP \fBSFILTER_LOG_LEVEL=\fR\fIlog\-level\fR[:\fIlog\-tag\fR] .RS 4 Added in Shorewall 4\&.4\&.20\&. Determines the logging of packets matching the \fBsfilter\fR option (see \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)) and of hairpin packets on interfaces without the \fBrouteback\fR option\&.\&\s-2\u[27]\d\s+2 The default is \fBinfo\fR\&. If you don\*(Aqt wish for these packets to be logged, use SFILTER_LOG_LEVEL=none\&. .RE .PP \fBSHOREWALL_SHELL=\fR[\fIpathname\fR] .RS 4 This option is used to specify the shell program to be used to interpret the compiled script\&. If not specified or specified as a null value, /bin/sh is assumed\&. Using a light\-weight shell such as ash or dash can significantly improve performance\&. .RE .PP \fBSMURF_DISPOSITION=\fR[\fBDROP\fR|A_DROP] .RS 4 Added in Shorewall 4\&.4\&.20\&.
The default setting is DROP which causes smurf packets (see the nosmurfs option in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)) to be dropped\&. A_DROP causes the packets to be audited prior to being dropped and requires AUDIT_TARGET support in the kernel and iptables\&. .RE .PP \fBSMURF_LOG_LEVEL=\fR[\fIlog\-level\fR[:\fIlog\-tag\fR]] .RS 4 Specifies the logging level for smurf packets (see the nosmurfs option in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5))\&. If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged\&. .RE .PP \fBSTARTUP_ENABLED=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Determines if Shorewall is allowed to start\&. As released from shorewall\&.net, this option is set to \fBNo\fR\&. When set to \fBYes\fR or \fByes\fR, Shorewall may be started\&. Used as a guard against Shorewall being accidentally started before it has been configured\&. .RE .PP \fBSTARTUP_LOG=\fR[\fIpathname\fR] .RS 4 If specified, determines where Shorewall will log the details of each \fBstart\fR, \fBreload\fR, \fBrestart\fR, \fBtry\fR, and \fBsafe\-\fR* command\&. Logging verbosity is determined by the setting of LOG_VERBOSITY above\&. .RE .PP \fBSUBSYSLOCK=\fR[\fIpathname\fR] .RS 4 This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops\&. Creating and removing this file allows Shorewall to work with your distribution\*(Aqs initscripts\&. For OpenSuSE, this should be set to /var/lock/subsys/shorewall (/var/lock/subsys/shorewall\-lite if building for export)\&. For Gentoo, it should be set to /run/lock/shorewall (/run/lock/shorewall\-lite)\&. For Redhat and derivatives as well as Debian and derivatives, the pathname should be omitted\&.
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br Beginning with Shorewall 5\&.1\&.0, this setting is ignored when SERVICEDIR is non\-empty in ${SHAREDIR}/shorewall/shorewallrc (usually /usr/share/shorewall/shorewallrc)\&. .sp .5v .RE .RE .PP \fBTC\fR=[\fIpathname\fR] .RS 4 If specified, gives the pathname of the \*(Aqtc\*(Aq executable\&. If not specified, \*(Aqtc\*(Aq is assumed and the utility will be located using the current PATH setting\&. .RE .PP \fBTC_BITS\fR=[\fInumber\fR] .RS 4 The number of bits at the low end of the 32\-bit packet mark to be used for traffic shaping marking\&. May be zero\&. See MASK_BITS above for default value\&. .RE .PP \fBTC_ENABLED=\fR[\fBYes\fR|\fBNo\fR|\fBInternal\fR|\fBSimple\fR|\fBShared\fR] .RS 4 If you say \fBYes\fR or \fByes\fR here, Shorewall will use a script that you supply to configure traffic shaping\&. The script must be named \*(Aqtcstart\*(Aq and must be placed in a directory on your CONFIG_PATH\&. .sp If you say \fBNo\fR or \fBno\fR then traffic shaping is not enabled\&. .sp If you set TC_ENABLED=Simple (Shorewall 4\&.4\&.6 and later), simple traffic shaping using \m[blue]\fBshorewall\-tcinterfaces\fR\m[]\&\s-2\u[28]\d\s+2(5) and \m[blue]\fBshorewall\-tcpri\fR\m[]\&\s-2\u[29]\d\s+2(5) is enabled\&. .sp If you set TC_ENABLED=Internal or internal or leave the option empty then Shorewall will use its builtin traffic shaper (tc4shorewall, written by Arne Bernin)\&. .sp Beginning with Shorewall 4\&.4\&.15, you can set TC_ENABLED=Shared\&. This allows you to configure the tcdevices and tcclasses in your Shorewall6 configuration yet make them available to the compiler when compiling your Shorewall configuration\&.
In addition to setting TC_ENABLED=Shared, you need to create symbolic links from your Shorewall configuration directory (normally /etc/shorewall/) to the tcdevices and tcclasses files in your Shorewall6 configuration directory (normally /etc/shorewall6/)\&. .RE .PP \fBTC_EXPERT=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Normally, Shorewall tries to protect users from themselves by preventing PREROUTING and OUTPUT tcrules from being applied to packets that have been marked by the \*(Aqtrack\*(Aq option in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. .sp If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall will not include these cautionary checks\&. .RE .PP \fBTC_PRIOMAP\fR=\fImap\fR .RS 4 Added in Shorewall 4\&.4\&.6\&. Determines the mapping of a packet\*(Aqs TOS field to priority bands\&. See \m[blue]\fBshorewall\-tcpri\fR\m[]\&\s-2\u[29]\d\s+2(5)\&. The \fImap\fR consists of 16 space\-separated digits with values 1, 2 or 3\&. A value of 1 corresponds to Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2\&. The first entry gives the priority of TOS value 0, the second of TOS value 1, and so on\&. See tc\-prio(8) for additional information\&. .sp The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"\&. .RE .PP \fBTCP_FLAGS_DISPOSITION=\fR[\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT] .RS 4 Determines the disposition of TCP packets that fail the checks enabled by the \fBtcpflags\fR interface option (see \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[20]\d\s+2(5)) and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet)\&. If not set or if set to the empty value (e\&.g\&., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed\&. .sp A_DROP and A_REJECT are audited versions of DROP and REJECT respectively and were added in Shorewall 4\&.4\&.20\&. They require AUDIT_TARGET in the kernel and iptables\&. 
.RE .PP \fBTCP_FLAGS_LOG_LEVEL=\fR[\fIlog\-level\fR[:\fIlog\-tag\fR]] .RS 4 Determines the syslog level for logging packets that fail the checks enabled by the tcpflags interface option\&. The value must be a valid syslogd log level\&. If you don\*(Aqt want to log these packets, set to the empty value (e\&.g\&., TCP_FLAGS_LOG_LEVEL="")\&. .RE .PP \fBTRACK_PROVIDERS=\fR{\fBYes\fR|\fBNo\fR} .RS 4 Added in Shorewall 4\&.4\&.3\&. When set to Yes, causes the \fBtrack\fR option to be assumed on all providers defined in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. May be overridden on an individual provider through use of the \fBnotrack\fR option\&. The default value is \*(AqNo\*(Aq\&. .sp Beginning in Shorewall 4\&.4\&.6, setting this option to \*(AqYes\*(Aq also simplifies PREROUTING rules in \m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[12]\d\s+2(5)\&. Previously, when TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq provider interfaces were unconditionally passed to the PREROUTING tcrules\&. This was done so that tcrules could reset the packet mark to zero, thus allowing the packet to be routed using the \*(Aqmain\*(Aq routing table\&. Using the main table allowed dynamic routes (such as those added for VPNs) to be effective\&. The rtrules file was created to provide a better alternative to clearing the packet mark\&. As a consequence, passing these packets to PREROUTING complicates things without providing any real benefit\&. Beginning with Shorewall 4\&.4\&.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq interfaces will not be passed to the PREROUTING rules\&. Since TRACK_PROVIDERS was just introduced in 4\&.4\&.3, this change should be transparent to most, if not all, users\&. .RE .PP \fBTRACK_RULES=\fR{\fBYes\fR|\fBNo\fR|File} .RS 4 Added in Shorewall 4\&.5\&.20\&. 
If set to \fBYes\fR, causes the compiler to add a comment to iptables rules to indicate the file name and line number of the configuration entry that generated the rule\&. If set to \fBNo\fR (the default), then no such comments are added\&. .sp Setting this option to \fBYes\fR requires the Comments capability in iptables and kernel\&. .sp Beginning with Shorewall 5\&.0\&.5, the option may also be set to \fBFile\fR\&. That setting causes similar comments to be added to the \&.iptables\-restore\-input file, which is normally created in /var/lib/shorewall\&. .RE .PP \fBUNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]\fR .RS 4 Added in Shorewall 4\&.5\&.13\&. Shorewall has traditionally passed UNTRACKED packets through the NEW section of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2 (5)\&. When a packet in UNTRACKED state fails to match any rule in the UNTRACKED section, the packet is disposed of based on this setting\&. The default value is CONTINUE for compatibility with earlier versions\&. .RE .PP \fBUNTRACKED_LOG_LEVEL=\fR\fIlog\-level\fR[:\fIlog\-tag\fR] .RS 4 Added in Shorewall 4\&.5\&.13\&. Packets in the UNTRACKED state that do not match any rule in the UNTRACKED section of \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2 (5) are logged at this level\&. The default value is empty which means no logging is performed\&. .RE .PP \fBUSE_DEFAULT_RT=\fR[\fBYes\fR|\fBNo\fR] .RS 4 When set to \*(AqYes\*(Aq, this option causes the Shorewall multi\-ISP feature to create a set of routing rules which are resilient to changes in the main routing table\&. Such changes can occur for a number of reasons, VPNs going up and down being an example\&. The idea is to send packets through the main table prior to applying any of the Shorewall\-generated routing rules\&. So changes to the main table will affect the routing of packets by default\&. .sp When USE_DEFAULT_RT=Yes: .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 
4.2 .\} Both the DUPLICATE and the COPY columns in \m[blue]\fBproviders\fR\m[]\&\s-2\u[9]\d\s+2(5) file must remain empty (or contain "\-")\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} The default route is added to the \*(Aqdefault\*(Aq table rather than to the main table\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 3.\h'+01'\c .\} .el \{\ .sp -1 .IP " 3." 4.2 .\} If running Shorewall 5\&.1\&.0 or earlier or if BALANCE_PROVIDERS=Yes (Shorewall 5\&.1\&.1 or later), then the \fBbalance\fR provider option is assumed unless the \fBfallback\fR, \fBloose\fR, \fBload\fR or \fBtproxy\fR option is specified\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 4.\h'+01'\c .\} .el \{\ .sp -1 .IP " 4." 4.2 .\} Packets are sent through the main routing table by a rule with priority 999\&. In \m[blue]\fBshorewall\-rtrules\fR\m[]\&\s-2\u[30]\d\s+2(5), the range 1\-998 may be used for inserting rules that bypass the main table\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 5.\h'+01'\c .\} .el \{\ .sp -1 .IP " 5." 4.2 .\} All provider gateways must be specified explicitly in the GATEWAY column\&. \fBdetect\fR may not be specified\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br \fBdetect\fR may be specified for interfaces whose configuration is managed by dhcpcd\&. Shorewall will use dhcpcd\*(Aqs database to find the interface\*(Aqs gateway\&. .sp .5v .RE .RE .sp .RS 4 .ie n \{\ \h'-04' 6.\h'+01'\c .\} .el \{\ .sp -1 .IP " 6." 4.2 .\} You should disable all default route management outside of Shorewall\&. If a default route is added to the main table while Shorewall is started, then all policy routing will stop working (except for those routing rules in the priority range 1\-998)\&. .RE .sp Prior to Shorewall 4\&.6\&.0, if USE_DEFAULT_RT was not set or if it was set to the empty string then USE_DEFAULT_RT=No was assumed\&.
Beginning with Shorewall 4\&.6\&.0, the default is USE_DEFAULT_RT=Yes and use of USE_DEFAULT_RT=No is deprecated\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br The \fBenable\fR, \fBdisable\fR and \fBreenable\fR commands do not work correctly when USE_DEFAULT_RT=No\&. .sp .5v .RE .RE .PP \fBUSE_NFLOG_SIZE=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 5\&.1\&.5\&. The second parameter to the NFLOG target specifies how many bytes of the packet to copy to the log; if omitted or if supplied as zero, the entire packet is copied\&. This feature has traditionally been implemented using the \-\-nflog\-range option to the NFLOG iptables target\&. Unfortuntely, the \-\-nflog\-range option never worked (the entire packet was always copied)\&. To deal with this issue, the Netfilter team: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Added a warning message when \-\-nflog\-range is used .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Added \-\-nflog\-size which works like \-\-nflog\-range was intended to work\&. .RE .sp When USE_NFLOG_SIZE=Yes, Shorewall will attempt to use the new \-\-nflog\-size feature\&. If that feature is not available in the running kernel and ip[6]tables, an error is raised\&. .sp When USE_NFLOG_SIZE is not supplied, USE_NFLOG_SIZE=No is assumed\&. When USE_NFLOG_SIZE is added by shorewall update, it is added with setting No\&. .RE .PP \fBUSE_PHYSICAL_NAMES=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.4\&.27\&. Normally, when Shorewall creates a Netfilter chain that relates to an interface, it uses the interface\*(Aqs logical name as the base of the chain name\&. For example, if the logical name for an interface is OAKLAND, then the input chain for traffic arriving on that interface would be \*(AqOAKLAND_in\*(Aq\&. 
If this option is set to Yes, then the physical name of the interface will be used as the base of the chain name\&.
When set to \fBYes\fR (the default), the compiler issues a warning when it finds a capabilities file that doesn\*(Aqt specify all of the capabilities supported by the compiler\&. When WARNOLDCAPVERSION is set to \fBNo\fR, no warning is issued\&. .RE .PP \fBWORKAROUNDS=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 4\&.6\&.11\&. Over time, there have been a number of changes in Shorewall that work around defects in other products such as iptables and ipset\&. When WORKAROUNDS=Yes, these workarounds are enabled; when WORKAROUNDS=No, they are disabled\&. If not specified or if specified as empty, WORKAROUNDS=Yes is assumed\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br Do not set WORKAROUNDS=Yes if you need to be able to use Shorewall\-generated scripts (such as created by the \fBsave\fR command) built by Shorewall 4\&.4\&.7 or older\&. .sp .5v .RE .RE .PP \fBZERO_MARKS=\fR[\fBYes\fR|\fBNo\fR] .RS 4 Added in Shorewall 5\&.0\&.12, this is a workaround for an issue where packet marks are not zeroed by the kernel\&. It should be set to No (the default) unless you find that incoming packets are being mis\-routed for no apparent reasons\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br Do not set this option to Yes if you have IPSEC software running on the firewall system\&. .sp .5v .RE .RE .PP \fBZONE_BITS\fR=[\fInumber\fR] .RS 4 Added in Shorewall 4\&.4\&.26\&. When non\-zero, enables automatic packet marking by source zone and determines the number of bits in the 32\-bit packet mark to be used for the zone mark\&. Default value is 0\&. .RE .PP \fBZONE2ZONE\fR=[\fB2\fR|\fB\-\fR] .RS 4 Added in Shorewall 4\&.4\&.4\&. This option determines how Shorewall constructs chain names involving zone names and/or \*(Aqall\*(Aq\&. 
Beginning with Shorewall 4\&.6\&.0, the default is \*(Aq\-\*(Aq (e\&.g\&., fw\-net); prior to that release, the default was \*(Aq2\*(Aq (e\&.g\&., fw2net)\&. .RE .SH "FILES" .PP /etc/shorewall/shorewall\&.conf .PP /etc/shorewall6/shorewall6\&.conf .SH "SEE ALSO" .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-policy .RS 4 \%http://www.shorewall.org/manpages/shorewall-policy.html .RE .IP " 2." 4 shorewall-accounting .RS 4 \%http://www.shorewall.org/manpages/shorewall-accounting.html .RE .IP " 3." 4 shorewall-nat .RS 4 \%http://www.shorewall.org/manpages/shorewall-nat.html .RE .IP " 4." 4 shorewall-masq .RS 4 \%http://www.shorewall.org/manpages/shorewall-masq.html .RE .IP " 5." 4 shorewall-routestopped .RS 4 \%http://www.shorewall.org/manpages/shorewall-routestopped.html .RE .IP " 6." 4 shorewall-stoppedrules .RS 4 \%http://www.shorewall.org/manpages/shorewall-stoppedrules.html .RE .IP " 7." 4 shorewall-conntrack .RS 4 \%http://www.shorewall.org/manpages/shorewall-conntrack.html .RE .IP " 8." 4 shorewall-rules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 9." 4 shorewall-providers(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-providers.html .RE .IP "10." 4 shorewall-tcfilters(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcfilters.html .RE .IP "11." 4 shorewall-blrules .RS 4 \%http://www.shorewall.org/manpages/shorewall-blrules.html .RE .IP "12." 4 shorewall-tcrules .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcrules.html .RE .IP "13." 4 Shorewall6 .RS 4 \%http://www.shorewall.org/IPv6Support.html .RE .IP "14." 4 http://www.shorewall.net/Docker.html .RS 4 \%http://www.shorewall.org/Docker.html .RE .IP "15." 4 http://www.shorewall.net/ISO-3661.html .RS 4 \%http://www.shorewall.org/ISO-3661.html .RE .IP "16." 4 shorewall-zones .RS 4 \%http://www.shorewall.org/manpages/shorewall-zones.html .RE .IP "17." 4 shorewall-nesting .RS 4 \%http://www.shorewall.org/manpages/shorewall-nesting.html .RE .IP "18." 
4 shorewall(8) .RS 4 \%http://www.shorewall.orgmanpages/shorewall.html .RE .IP "19." 4 shorewall-params(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-params.html .RE .IP "20." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP "21." 4 shorewall-logging(8) .RS 4 \%http://www.shorewall.orgshorewall-logging.html .RE .IP "22." 4 shorewall-maclist .RS 4 \%http://www.shorewall.org/manpages/shorewall-maclist.html .RE .IP "23." 4 shorewall[6].conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP "24." 4 http://www.shorewall.net/MultiISP.html#null_routing .RS 4 \%http://www.shorewall.org/MultiISP.html#null_routing .RE .IP "25." 4 Shorewall Init Package .RS 4 \%http://www.shorewall.org/manpages/shorewall-init.html .RE .IP "26." 4 Hairpin packets are packets that are routed out of the same interface that they arrived on. .IP "27." 4 Hairpin packets are packets that are routed out of the same interface that they arrived on. .IP "28." 4 shorewall-tcinterfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcinterfaces.html .RE .IP "29." 4 shorewall-tcpri .RS 4 \%http://www.shorewall.org/manpages/shorewall-tcpri.html .RE .IP "30." 
4 shorewall-rtrules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rtrules.html .RE shorewall-5.2.3.4/manpages/shorewall-tunnels.50000664000000000000000000002630313453771313017745 0ustar rootroot'\" t .\" Title: shorewall-tunnels .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-TUNNELS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" tunnels \- Shorewall VPN definition file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/tunnels\fR\ 'u \fB/etc/shorewall[6]/tunnels\fR .SH "DESCRIPTION" .PP The tunnels file is used to define rules for encapsulated (usually encrypted) traffic to pass between the Shorewall system and a remote gateway\&. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/VPNBasics\&.html\fR\m[]\&\s-2\u[1]\d\s+2 for details\&. .PP The columns in the file are as follows\&. 
.PP \fBTYPE\fR \- {\fBipsec\fR[\fB:{noah\fR|ah}]|\fBipsecnat\fR|\fBipip\fR|\fBgre\fR|l2tp|\fBpptpclient\fR|\fBpptpserver\fR|?COMMENT|{\fBopenvpn\fR|\fBopenvpnclient\fR|\fBopenvpnserver\fR}[:{\fBtcp\fR|\fBudp\fR}]\fB[\fR:\fIport\fR]|\fBgeneric\fR\fB:\fR\fIprotocol\fR[\fB:\fR\fIport\fR]} .RS 4 Types are as follows: .sp .if n \{\ .RS 4 .\} .nf \fB6to4\fR or \fB6in4\fR \- 6to4 or 6in4 tunnel\&. The \fB6in4\fR synonym was added in 4\&.4\&.24\&. \fBipsec\fR \- IPv4 IPSEC \fBipsecnat\fR \- IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation) \fBipip\fR \- IPv4 encapsulated in IPv4 (Protocol 4) \fBgre\fR \- Generalized Routing Encapsulation (Protocol 47) \fBl2tp\fR \- Layer 2 Tunneling Protocol (UDP port 1701) \fBpptpclient\fR \- PPTP Client runs on the firewall \fBpptpserver\fR \- PPTP Server runs on the firewall \fBopenvpn\fR \- OpenVPN in point\-to\-point mode \fBopenvpnclient\fR \- OpenVPN client runs on the firewall \fBopenvpnserver\fR \- OpenVPN server runs on the firewall \fBgeneric\fR \- Other tunnel type \fBtinc\fR \- TINC (added in Shorewall 4\&.6\&.6) .fi .if n \{\ .RE .\} .sp If the type is \fBipsec\fR, it may be followed by \fB:ah\fR to indicate that the Authentication Headers protocol (51) is used by the tunnel (the default is \fB:noah\fR which means that protocol 51 is not used)\&. NAT traversal is only supported with ESP (protocol 50) so \fBipsecnat\fR tunnels don\*(Aqt allow the \fBah\fR option (\fBipsecnat:noah\fR may be specified but is redundant)\&. .sp If type is \fBopenvpn\fR, \fBopenvpnclient\fR or \fBopenvpnserver\fR it may optionally be followed by ":" and \fBtcp\fR or \fBudp\fR to specify the protocol to be used\&. If not specified, \fBudp\fR is assumed\&. .sp If type is \fBopenvpn\fR, \fBopenvpnclient\fR or \fBopenvpnserver\fR it may optionally be followed by ":" and the port number used by the tunnel\&. if no ":" and port number are included, then the default port of 1194 will be used\&. \&. 
Where both the protocol and port are specified, the protocol must be given first (e\&.g\&., openvpn:tcp:4444)\&. .sp If type is \fBgeneric\fR, it must be followed by ":" and a protocol name (from /etc/protocols) or a protocol number\&. If the protocol is \fBtcp\fR or \fBudp\fR (6 or 17), then it may optionally be followed by ":" and a port number\&. .sp Comments may be attached to Netfilter rules generated from entries in this file through the use of /COMMENT lines\&. These lines begin with ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached\&. To stop adding comments to rules, use a line containing only ?COMMENT\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br Beginning with Shorewall 4\&.5\&.11, ?COMMENT is a synonym for COMMENT and is preferred\&. .sp .5v .RE .RE .PP \fBZONE\fR \- \fIzone\fR .RS 4 The \fIzone\fR of the physical interface through which tunnel traffic passes\&. This is normally your internet zone\&. .RE .PP \fBGATEWAY\fR(S) (gateway or gateways) \- \fIaddress\-or\-range\fR \fB[ , \&.\&.\&. ]\fR .RS 4 The IP address of the remote tunnel gateway\&. If the remote gateway has no fixed address (Road Warrior) then specify the gateway as \fB0\&.0\&.0\&.0/0\fR\&. May be specified as a network address and if your kernel and iptables include iprange match support then IP address ranges are also allowed\&. .sp Beginning with Shorewall 4\&.5\&.3, a list of addresses or ranges may be given\&. Exclusion (\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2 (5) ) is not supported\&. .RE .PP \fBGATEWAY ZONES\fR (gateway_zone or gateway_zones) \- [\fIzone\fR[\fB,\fR\fIzone\fR]\&.\&.\&.] .RS 4 Optional\&. 
If the gateway system specified in the third column is a standalone host then this column should contain a comma\-separated list of the names of the zones that the host might be in\&. This column only applies to IPSEC tunnels where it enables ISAKMP traffic to flow through the tunnel to the remote gateway(s)\&. .RE .SH "EXAMPLE" .PP IPv4 Example 1: .RS 4 IPSec tunnel\&. .sp The remote gateway is 4\&.33\&.99\&.124 and the remote subnet is 192\&.168\&.9\&.0/24\&. The tunnel does not use the AH protocol .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY ipsec:noah net 4\&.33\&.99\&.124 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 2: .RS 4 Road Warrior (LapTop that may connect from anywhere) where the "gw" zone is used to represent the remote LapTop .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES ipsec net 0\&.0\&.0\&.0/0 gw .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 3: .RS 4 Host 4\&.33\&.99\&.124 is a standalone system connected via an ipsec tunnel to the firewall system\&. The host is in zone gw\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES ipsec net 4\&.33\&.99\&.124 gw .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 4: .RS 4 Road Warriors that may belong to zones vpn1, vpn2 or vpn3\&. The FreeS/Wan _updown script will add the host to the appropriate zone using the \fBshorewall add\fR command on connect and will remove the host from the zone at disconnect time\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES ipsec net 0\&.0\&.0\&.0/0 vpn1,vpn2,vpn3 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 5: .RS 4 You run the Linux PPTP client on your firewall and connect to server 192\&.0\&.2\&.221\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES pptpclient net 192\&.0\&.2\&.221 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 6: .RS 4 You run a PPTP server on your firewall\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES pptpserver net 0\&.0\&.0\&.0/0 .fi .if n \{\ .RE .\} .RE .PP Example 7: .RS 4 OPENVPN tunnel\&. 
The remote gateway is 4\&.33\&.99\&.124 and openvpn uses port 7777\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES openvpn:7777 net 4\&.33\&.99\&.124 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 8: .RS 4 You have a tunnel that is not one of the supported types\&. Your tunnel uses UDP port 4444\&. The other end of the tunnel is 4\&.3\&.99\&.124\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES generic:udp:4444 net 4\&.3\&.99\&.124 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 9: .RS 4 TINC tunnel where the remote gateways are not specified\&. If you wish to specify a list of gateways, you can do so in the GATEWAY column\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES tinc net 0\&.0\&.0\&.0/0 .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 1: .RS 4 IPSec tunnel\&. .sp The remote gateway is 2001:cec792b4:1::44\&. The tunnel does not use the AH protocol .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY ipsec:noah net 2002:cec792b4:1::44 .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 2: .RS 4 Road Warrior (LapTop that may connect from anywhere) where the "gw" zone is used to represent the remote LapTop .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES ipsec net ::/0 gw .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 3: .RS 4 Host 2001:cec792b4:1::44 is a standalone system connected via an ipsec tunnel to the firewall system\&. The host is in zone gw\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES ipsec net 2001:cec792b4:1::44 gw .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 4: .RS 4 OPENVPN tunnel\&. The remote gateway is 2001:cec792b4:1::44 and openvpn uses port 7777\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES openvpn:7777 net 2001:cec792b4:1::44 .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 8: .RS 4 You have a tunnel that is not one of the supported types\&. Your tunnel uses UDP port 4444\&. The other end of the tunnel is 2001:cec792b4:1::44\&. 
.sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES generic:udp:4444 net 2001:cec792b4:1::44 .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 9: .RS 4 TINC tunnel where the remote gateways are not specified\&. If you wish to specify a list of gateways, you can do so in the GATEWAY column\&. .sp .if n \{\ .RS 4 .\} .nf #TYPE ZONE GATEWAY GATEWAY ZONES tinc net ::/0 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/tunnels .PP /etc/shorewall6/tunnels .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[3]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 http://www.shorewall.net/VPNBasics.html .RS 4 \%http://www.shorewall.org/VPNBasics.html .RE .IP " 2." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP " 3." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-proxyndp.50000664000000000000000000001021513453771275020142 0ustar rootroot'\" t .\" Title: shorewall6-proxyndp .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL6\-PROXYNDP" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" 
----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" proxyndp \- Shorewall6 Proxy NDP file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall6/proxyndp\fR\ 'u \fB/etc/shorewall6/proxyndp\fR .SH "DESCRIPTION" .PP This file was added in Shorewall 4\&.4\&.16 and is used to define Proxy NDP\&. There is one entry in this file for each IPv6 address to be proxied\&. .PP The columns in the file are as follows\&. .PP \fBADDRESS\fR \- \fIaddress\fR .RS 4 IPv6 Address\&. .RE .PP \fBINTERFACE\fR \- \fIinterface\fR (Optional) .RS 4 Local interface where system with the ip address in ADDRESS is connected\&. Only required when the HAVEROUTE column is left empty or is set to \fBno\fR or \fBNo\fR\&. .RE .PP \fBEXTERNAL\fR \- \fIinterface\fR .RS 4 External Interface to be used to access this system from the Internet\&. .RE .PP \fBHAVEROUTE\fR \- [\fB\-\fR|\fBYes\fR|\fBNo\fR] .RS 4 If there is already a route from the firewall to the host whose address is given, enter \fBYes\fR or \fByes\fR in this column\&. Otherwise, enter \fBno\fR or \fBNo\fR or leave the column empty and Shorewall will add the route for you\&. If Shorewall6 adds the route, its persistence depends on the value of the\fBPERSISTENT\fR column contains \fBYes\fR; otherwise, \fBshorewall6 stop\fR or \fBshorewall clear6\fR will delete the route\&. .RE .PP \fBPERSISTENT\fR \- [\fB\-\fR|\fBYes\fR|\fBNo\fR] .RS 4 If HAVEROUTE is \fBNo\fR or \fBno\fR, then the value of this column determines if the route added by Shorewall persists after a \fBshorewall6 stop\fR or a \fBshorewall6 clear\fR\&. 
If this column contains \fBYes\fR or \fByes\fR then the route persists; If the column is empty or contains \fBNo\fR or \fBno\fR then the route is deleted by \fBshorewall6 stop\fR or \fBshorewall6 clear\fR\&. .RE .SH "EXAMPLE" .PP Example 1: .RS 4 Host with IPv6 2001:470:b:227::44 is connected to interface eth1 and we want hosts attached via eth0 to be able to access it using that address\&. .sp .if n \{\ .RS 4 .\} .nf #ADDRESS INTERFACE EXTERNAL 2001:470:b:227::44 eth1 eth0 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall6/proxyndp .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[1]\d\s+2 .PP shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-exclusion(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-maclist(5), shorewall6\-nesting(5), shorewall6\-netmap(5),shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-mangle(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5) .SH "NOTES" .IP " 1." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-actions.50000664000000000000000000001703313453771236017721 0ustar rootroot'\" t .\" Title: shorewall-actions .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-ACTIONS" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" actions \- Shorewall action declaration file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/actions\fR\ 'u \fB/etc/shorewall[6]/actions\fR .SH "DESCRIPTION" .PP This file allows you to define new ACTIONS for use in rules (see \m[blue]\fBshorewall\-rules(5)\fR\m[]\&\s-2\u[1]\d\s+2)\&. You define the iptables rules to be performed in an ACTION in /etc/shorewall/action\&.\fIaction\-name\fR\&. .PP Columns are: .PP NAME .RS 4 The name of the action\&. 
ACTION names should begin with an upper\-case letter to distinguish them from Shorewall\-generated chain names and be composed of letters, digits or numbers\&. If you intend to log from the action then the name must be no longer than 11 characters in length if you use the standard LOGFORMAT\&. .RE .PP OPTIONS .RS 4 Added in Shorewall 4\&.5\&.10\&. Available options are: .PP \fBaudit\fR .RS 4 Added in Shorewall 5\&.0\&.7\&. When this option is specified, the action is expected to have at least two parameters; the first is a target and the second is either \*(Aqaudit\*(Aq or omitted\&. If the second is \*(Aqaudit\*(Aq, then the first must be an auditable target (ACCEPT, DROP or REJECT)\&. .RE .PP \fBbuiltin\fR .RS 4 Added in Shorewall 4\&.5\&.16\&. Defines the action as a rule target that is supported by your iptables but is not directly supported by Shorewall\&. The action may be used as the rule target in an INLINE rule in \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. .sp Beginning with Shorewall 4\&.6\&.0, the Netfilter table(s) in which the \fBbuiltin\fR can be used may be specified: \fBfilter\fR, \fBnat\fR, \fBmangle\fR and \fBraw\fR\&. If no table name(s) are given, then \fBfilter\fR is assumed\&. The table names follow \fBbuiltin\fR and are separated by commas; for example, "FOOBAR builtin,filter,mangle" would specify FOOBAR as a builtin target that can be used in the filter and mangle tables\&. .sp Beginning with Shorewall 4\&.6\&.4, you may specify the \fBterminating\fR option with \fBbuiltin\fR to indicate to the Shorewall optimizer that the action is terminating (the current packet will not be passed to the next rule in the chain)\&. .RE .PP \fBinline\fR .RS 4 Causes the action body (defined in action\&.\fIaction\-name\fR) to be expanded in\-line like a macro rather than in its own chain\&. You can list Shorewall Standard Actions in this file to specify the \fBinline\fR option\&. 
.if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBCaution\fR .ps -1 .br Some of the Shorewall standard actions cannot be used in\-line and will generate a warning and the compiler will ignore \fBinline\fR if you try to use them that way: .RS 4 DropSmurfs .RE .RS 4 IfEvent .RE .RS 4 Invalid (Prior to Shorewall 4\&.5\&.13) .RE .RS 4 NotSyn (Prior to Shorewall 4\&.5\&.13) .RE .RS 4 RST (Prior to Shorewall 4\&.5\&.13) .RE .RS 4 TCPFlags .RE .sp .5v .RE .RE .PP \fBlogjump\fR .RS 4 Added in Shorewall 5\&.0\&.8\&. Performs the same function as \fBnolog\fR (below), with the addition that the jump to the actions chain is logged if a log level is specified on the action invocation\&. For inline actions, this option is identical to \fBnolog\fR\&. .RE .PP \fBmangle\fR .RS 4 Added in Shorewall 5\&.0\&.7\&. Specifies that this action is to be used in \m[blue]\fBshorewall\-mangle(5)\fR\m[]\&\s-2\u[2]\d\s+2 rather than \m[blue]\fBshorewall\-rules(5)\fR\m[]\&\s-2\u[1]\d\s+2\&. .RE .PP \fBnat\fR .RS 4 Added in Shorewall 5\&.0\&.13\&. Specifies that this action is to be used in \m[blue]\fBshorewall\-snat(5)\fR\m[]\&\s-2\u[3]\d\s+2 rather than \m[blue]\fBshorewall\-rules(5)\fR\m[]\&\s-2\u[1]\d\s+2\&. The \fBmangle\fR and \fBnat\fR options are mutually exclusive\&. .RE .PP \fBnoinline\fR .RS 4 Causes any later \fBinline\fR option for the same action to be ignored with a warning\&. .RE .PP \fBnolog\fR .RS 4 Added in Shorewall 4\&.5\&.11\&. When this option is specified, the compiler does not automatically apply the log level and/or tag from the invocation of the action to all rules inside of the action\&. Rather, it simply sets the $_loglevel and $_logtag shell variables which can be used within the action body to apply those logging options only to a subset of the rules\&. .RE .PP \fBproto\fR=\fIprotocol\fR .RS 4 Added in Shorewall 5\&.1\&.10\&. Specifies that the action is only usable with the specified \fIprotocol\fR (name or number)\&. 
When the action is invoked with no protocol specified in the PROTO column, or if the action is used as a Policy Action, the named \fIprotocol\fR will be assumed\&. If a protocol is specified in the PROTO column of an invocation, then it must match the named \fIprotocol\fR\&. .sp The \fBproto\fR option has no effect if the \fBinline\fR or \fBbuiltin\fR option is specified\&. A warning is issued if \fBproto\fR is specified along with \fBbuiltin\fR\&. .RE .PP \fBsection\fR .RS 4 Added in Shorewall 5\&.1\&.1\&. When specified, this option causes the rules file section name and a comma to be prepended to the parameters passed to the action (if any)\&. Note that this means that the first parameter passed to the action by the user is actually the second parameter to the action\&. If the action is invoked out of the blrules file, \*(AqBLACKLIST\*(Aq is used as the section name\&. .sp Given that neither the snat nor the mangle file is sectioned, this parameter has no effect when \fBmangle\fR or \fBnat\fR is specified\&. .RE .PP \fBstate\fR={\fBUNTRACKED\fR|\fBNEW\fR|\fBESTABLISHED\fR|\fBRELATED\fR|\fBINVALID\fR} .RS 4 Added in Shorewall 5\&.0\&.7\&. Reserved for use by Shorewall in actions\&.std\&. .RE .PP \fBterminating\fR .RS 4 Added in Shorewall 4\&.6\&.4\&. When used with \fBbuiltin\fR, indicates that the built\-in action is termiating (i\&.e\&., if the action is jumped to, the next rule in the chain is not evaluated)\&. .RE .RE .SH "FILES" .PP /etc/shorewall/actions .PP /etc/shorewall6/actions .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/Actions\&.html\fR\m[]\&\s-2\u[4]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-rules(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP " 2." 4 shorewall-mangle(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-mangle.html .RE .IP " 3." 4 shorewall-snat(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-snat.html .RE .IP " 4." 
4 http://www.shorewall.net/Actions.html .RS 4 \%http://www.shorewall.org/Actions.html .RE shorewall-5.2.3.4/manpages/shorewall-maclist.50000664000000000000000000000755613453771261017724 0ustar rootroot'\" t .\" Title: shorewall-maclist .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-MACLIST" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" maclist \- Shorewall MAC Verification file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/maclist\fR\ 'u \fB/etc/shorewall[6]/maclist\fR .SH "DESCRIPTION" .PP This file is used to define the MAC addresses and optionally their associated IP addresses to be allowed to use the specified interface\&. The feature is enabled by using the \fBmaclist\fR option in the \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[1]\d\s+2(5) or \m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[2]\d\s+2(5) configuration file\&. 
.PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBDISPOSITION\fR \- {\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR}[\fB:\fR\fIlog\-level\fR] .RS 4 \fBACCEPT\fR or \fBDROP\fR (if MACLIST_TABLE=filter in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[3]\d\s+2(5), then REJECT is also allowed)\&. If specified, the \fIlog\-level\fR causes packets matching the rule to be logged at that level\&. .RE .PP \fBINTERFACE\fR \- \fIinterface\fR .RS 4 Network \fIinterface\fR to a host\&. .RE .PP \fBMAC\fR \- \fIaddress\fR .RS 4 MAC \fIaddress\fR of the host \-\- you do not need to use the Shorewall format for MAC addresses here\&. If \fBIP ADDRESSES\fR is supplied then \fBMAC\fR can be supplied as a dash (\fB\-\fR) .RE .PP \fBIP ADDRESSES\fR (addresses) \- [\fIaddress\fR[\fB,\fR\fIaddress\fR]\&.\&.\&.] .RS 4 Optional \- if specified, both the MAC and IP address must match\&. This column can contain a comma\-separated list of host and/or subnet addresses\&. If your kernel and iptables have iprange match support then IP address ranges are also allowed\&. Similarly, if your kernel and iptables include ipset support then set names (prefixed by "+") are also allowed\&. .RE .SH "FILES" .PP /etc/shorewall/maclist .PP /etc/shorewall6/maclist .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/MAC_Validation\&.html\fR\m[]\&\s-2\u[4]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP " 2." 4 shorewall-hosts .RS 4 \%http://www.shorewall.org/manpages/shorewall-hosts.html .RE .IP " 3." 4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 4." 
4 http://www.shorewall.net/MAC_Validation.html .RS 4 \%http://www.shorewall.org/MAC_Validation.html .RE .IP " 5." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-routes.50000664000000000000000000000642413453771276017610 0ustar rootroot'\" t .\" Title: shorewall-routes .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-ROUTES" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" routes \- Shorewall file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/routes\fR\ 'u \fB/etc/shorewall[6]/routes\fR .SH "DESCRIPTION" .PP This file was added in Shorewall 4\&.4\&.15 and is used to define routes to be added to provider routing tables\&. .PP The columns in the file are as follows\&. 
.PP \fBPROVIDER\fR .RS 4 The name or number of a provider defined in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[1]\d\s+2 (5)\&. Beginning with Shorewall 4\&.5\&.14, you may also enter \fBmain\fR in this column to add routes to the main routing table\&. .RE .PP \fBDEST\fR .RS 4 Destination host address or network address\&. .RE .PP \fBGATEWAY\fR (Optional) .RS 4 If specified, gives the IP address of the gateway to the DEST\&. .sp Beginning with Shorewall 4\&.5\&.14, you may specify \fBblackhole\fR in this column to create a blackhole route\&. .sp Beginning with Shorewall 4\&.5\&.15, you may specify \fBprohibit\fR or \fBunreachable\fR in this column to create a prohibit or unreachable route respectively\&. .RE .PP \fBDEVICE\fR (Optional) .RS 4 Specifies the device (interface) for the route\&. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in \m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[1]\d\s+2 (5) is used\&. This column must be omitted if \fBblackhole\fR, \fBprohibit\fR or \fBunreachable\fR is specified in the GATEWAY column\&. .RE .PP \fBOPTIONS\fR (Optional) .RS 4 Added in Shorewall 5\&.0\&.2\&. .sp Allowed options are: .PP \fBpersistent\fR .RS 4 If specified, the route remains in the provider\*(Aqs routing table even when the provider is disabled\&. .RE .RE .SH "FILES" .PP /etc/shorewall/routes .PP /etc/shorewall6/routes .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[2]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-providers .RS 4 \%http://www.shorewall.org/manpages/shorewall-providers.html .RE .IP " 2." 
4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/manpages/shorewall-nesting.50000664000000000000000000002273313453771267017737 0ustar rootroot'\" t .\" Title: shorewall-nesting .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-NESTING" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" nesting \- Shorewall Nested Zones .SH "SYNOPSIS" .HP \w'\ 'u \fIchild\-zone\fR[:\fIparent\-zone\fR[,\fIparent\-zone\fR]\&.\&.\&.] .SH "DESCRIPTION" .PP In \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5), a zone may be declared to be a sub\-zone of one or more other zones using the above syntax\&. The \fIchild\-zone\fR may be neither the firewall zone nor a vserver zone\&. The firewall zone may not appear as a parent zone, although all vserver zones are handled as sub\-zones of the firewall zone\&. 
.PP Where zones are nested, the CONTINUE policy in \m[blue]\fBshorewall\-policy\fR\m[]\&\s-2\u[2]\d\s+2(5) allows hosts that are within multiple zones to be managed under the rules of all of these zones\&. .SH "EXAMPLE" .PP /etc/shorewall/zones: .sp .if n \{\ .RS 4 .\} .nf #ZONE TYPE OPTION fw firewall net ipv4 sam:net ipv4 loc ipv4 .fi .if n \{\ .RE .\} .PP /etc/shorewall/interfaces: .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE BROADCAST OPTIONS \- eth0 detect dhcp,norfc1918 loc eth1 detect .fi .if n \{\ .RE .\} .PP /etc/shorewall/hosts: .sp .if n \{\ .RS 4 .\} .nf #ZONE HOST(S) OPTIONS net eth0:0\&.0\&.0\&.0/0 sam eth0:206\&.191\&.149\&.197 .fi .if n \{\ .RE .\} .PP /etc/shorewall/policy: .sp .if n \{\ .RS 4 .\} .nf #SOURCE DEST POLICY LOG LEVEL loc net ACCEPT sam all CONTINUE net all DROP info all all REJECT info .fi .if n \{\ .RE .\} .PP The second entry above says that when Sam is the client, connection requests should first be processed under rules where the source zone is sam and if there is no match then the connection request should be treated under rules where the source zone is net\&. It is important that this policy be listed BEFORE the next policy (net to all)\&. You can have this policy generated for you automatically by using the IMPLICIT_CONTINUE option in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. .PP Partial /etc/shorewall/rules: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT \&.\&.\&. DNAT sam loc:192\&.168\&.1\&.3 tcp ssh DNAT net loc:192\&.168\&.1\&.5 tcp www \&.\&.\&. .fi .if n \{\ .RE .\} .PP Given these two rules, Sam can connect to the firewall\*(Aqs internet interface with ssh and the connection request will be forwarded to 192\&.168\&.1\&.3\&. Like all hosts in the net zone, Sam can connect to the firewall\*(Aqs internet interface on TCP port 80 and the connection request will be forwarded to 192\&.168\&.1\&.5\&. The order of the rules is not significant\&. 
Sometimes it is necessary to suppress port forwarding for a sub\-zone\&. For example, suppose that all hosts can SSH to the firewall and be forwarded to 192\&.168\&.1\&.5 EXCEPT Sam\&. When Sam connects to the firewall\*(Aqs external IP, he should be connected to the firewall itself\&. Because of the way that Netfilter is constructed, this requires two rules as follows: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT \&.\&.\&. ACCEPT+ sam $FW tcp ssh DNAT net loc:192\&.168\&.1\&.3 tcp ssh \&.\&.\&. .fi .if n \{\ .RE .\} .PP The first rule allows Sam SSH access to the firewall\&. The second rule says that any clients from the net zone with the exception of those in the \(lqsam\(rq zone should have their connection port forwarded to 192\&.168\&.1\&.3\&. If you need to exclude more than one zone, simply use multiple ACCEPT+ rules\&. This technique also may be used when the ACTION is REDIRECT\&. .PP Care must be taken when nesting occurs as a result of the use of wildcard interfaces (interface names that end in \*(Aq+\*(Aq)\&. .PP Here\*(Aqs an example\&. /etc/shorewall/zones: .PP /etc/shorewall/interfaces: .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE BROADCAST OPTIONS net ppp0 loc eth1 loc ppp+ dmz eth2 .fi .if n \{\ .RE .\} .PP Because the net zone is declared before the loc zone, net is an implicit sub\-zone of loc and in the absence of a net\->\&.\&.\&. CONTINUE policy, traffic from the net zone will not be passed through loc\->\&.\&.\&. rules\&. But DNAT and REDIRECT rules are an exception! .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} DNAT and REDIRECT rules generate two Netfilter rules: a \*(Aqnat\*(Aq table rule that rewrites the destination IP address and/or port number, and a \*(Aqfilter\*(Aq table rule that ACCEPTs the rewritten connection\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} Policies only affect the \*(Aqfilter\*(Aq table\&. 
.RE .PP As a consequence, the following rules will have unexpected behavior: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz tcp 80 REDIRECT loc 3128 tcp 80 .fi .if n \{\ .RE .\} .PP The second rule is intended to redirect local web requests to a proxy running on the firewall and listening on TCP port 3128\&. But the \*(Aqnat\*(Aq part of that rule will cause all connection requests for TCP port 80 arriving on interface ppp+ (including ppp0!) to have their destination port rewritten to 3128\&. Hence, the web server running in the DMZ will be inaccessible from the web\&. .PP The above problem can be corrected in several ways\&. .PP The preferred way is to use the \fBifname\fR pppd option to change the \*(Aqnet\*(Aq interface to something other than ppp0\&. That way, it won\*(Aqt match ppp+\&. .PP If you are running Shorewall version 4\&.1\&.4 or later, a second way is to simply make the nested zones explicit: .sp .if n \{\ .RS 4 .\} .nf #ZONE TYPE OPTION fw firewall loc ipv4 net:loc ipv4 dmz ipv4 .fi .if n \{\ .RE .\} .PP If you take this approach, be sure to set IMPLICIT_CONTINUE=No in shorewall\&.conf\&. 
.PP When using other Shorewall versions, another way is to rewrite the DNAT rule (assume that the local zone is entirely within 192\&.168\&.2\&.0/23): .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz tcp 80 REDIRECT loc:192\&.168\&.2\&.0/23 3128 tcp 80 .fi .if n \{\ .RE .\} .PP Another way is to restrict the definition of the loc zone: .PP /etc/shorewall/interfaces: .sp .if n \{\ .RS 4 .\} .nf #ZONE INTERFACE BROADCAST OPTIONS net ppp0 loc eth1 \- ppp+ dmz eth2 .fi .if n \{\ .RE .\} .PP /etc/shorewall/hosts: .sp .if n \{\ .RS 4 .\} .nf #ZONE HOST(S) OPTIONS loc ppp+:192\&.168\&.2\&.0/23 .fi .if n \{\ .RE .\} .SH "FILES" .PP /etc/shorewall/zones .PP /etc/shorewall/interfaces .PP /etc/shorewall/hosts .PP /etc/shorewall/policy .PP /etc/shorewall/rules .PP /etc/shorewall6/zones .PP /etc/shorewall6/interfaces .PP /etc/shorewall6/hosts .PP /etc/shorewall6/policy .PP /etc/shorewall6/rules .SH "SEE ALSO" .PP shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-mangle(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5) .SH "NOTES" .IP " 1." 4 shorewall-zones .RS 4 \%http://www.shorewall.org/manpages/shorewall-zones.html .RE .IP " 2." 4 shorewall-policy .RS 4 \%http://www.shorewall.org/manpages/shorewall-policy.html .RE .IP " 3." 
4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE shorewall-5.2.3.4/manpages/shorewall-snat.50000664000000000000000000005634313453771304017231 0ustar rootroot'\" t .\" Title: shorewall-snat .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 04/11/2019 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL\-SNAT" "5" "04/11/2019" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" snat \- Shorewall SNAT/Masquerade definition file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall[6]/snat\fR\ 'u \fB/etc/shorewall[6]/snat\fR .SH "DESCRIPTION" .PP This file is used to define dynamic NAT (Masquerading) and to define Source NAT (SNAT)\&. It superseded \m[blue]\fBshorewall\-masq\fR\m[]\&\s-2\u[1]\d\s+2(5) in Shorewall 5\&.0\&.14\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP The entries in this file are order\-sensitive\&. 
The first entry that matches a particular connection will be the one that is used\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br .PP If you have more than one ISP link, adding entries to this file will \fBnot\fR force connections to go out through a particular link\&. You must use entries in \m[blue]\fBshorewall\-rtrules\fR\m[]\&\s-2\u[2]\d\s+2(5) or PREROUTING entries in \m[blue]\fBshorewall\-mangle\fR\m[]\&\s-2\u[3]\d\s+2(5) to do that\&. .sp .5v .RE .PP The columns in the file are as follows\&. .PP \fBACTION\fR .RS 4 Defines the type of rule to generate\&. Beginning with Shorewall 5\&.1\&.9, with the exception of NFLOG and ULOG, the action may be followed by a colon (":") and a \fIlog level\fR (see \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[4]\d\s+2)\&. .sp Choices for ACTION are: .PP \fB\fIaction\fR\fR[+][(\fIparameter\fR,\&.\&.\&.)][:\fIlevel\fR] .RS 4 where \fIaction\fR is an action declared in \m[blue]\fBshorewall\-actions(5)\fR\m[]\&\s-2\u[5]\d\s+2 with the \fBnat\fR option\&. See \m[blue]\fBwww\&.shorewall\&.net/Actions\&.html\fR\m[]\&\s-2\u[6]\d\s+2 for further information\&. .RE .PP \fBCONTINUE\fR[+]:\fIlevel\fR .RS 4 Causes matching packets to be exempted from any following rules in the file\&. .RE .PP \fBLOG:\fR\fB\fIlevel\fR\fR .RS 4 Added in Shorewall 5\&.1\&.9\&. Simply log the packet and continue with the next rule\&. .RE .PP \fBMASQUERADE[+]\fR[([\fIlowport\fR[\-\fIhighport\fR]][\fBrandom\fR])][:\fIlevel\fR] .RS 4 Causes matching outgoing packets to have their source IP address set to the primary IP address of the interface specified in the DEST column\&. If \fIlowport\fR\-\fIhighport\fR is given, that port range will be used to assign a source port\&. If only \fIlowport\fR is given, that port will be assigned, if possible\&. If option \fBrandom\fR is used then port mapping will be randomized\&. 
MASQUERADE should only be used when the DEST interface has a dynamic IP address\&. Otherwise, SNAT should be used and should specify the interface\*(Aqs static address\&. .RE .PP \fBNFLOG\fR[(\fInflog\-parameters\fR)] .RS 4 Added in Shorewall 5\&.1\&.9\&. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule\&. See \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[4]\d\s+2\&. .sp The \fInflog\-parameters\fR are a comma\-separated list of up to 3 numbers: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The first number specifies the netlink group (0\-65535)\&. If omitted (e\&.g\&., NFLOG(,0,10)) then a value of 0 is assumed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The second number specifies the maximum number of bytes to copy\&. If omitted, 0 (no limit) is assumed\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} The third number specifies the number of log messages that should be buffered in the kernel before they are sent to user space\&. The default is 1\&. .RE .sp NFLOG is similar to\fB LOG:NFLOG\fR[(\fInflog\-parameters\fR)], except that the log level is not changed when this ACTION is used in an action or macro body and the invocation of that action or macro specifies a log level\&. .RE .PP \fBSNAT[+]\fR([\fIaddress\-or\-address\-range\fR][:\fIlowport\fR\fB[\-\fR\fIhighport\fR]][\fB:random\fR][:\fBpersistent\fR]|\fBdetect\fR)[:\fIlevel\fR] .RS 4 If you specify an address here, matching packets will have their source address set to that address\&. If ADD_SNAT_ALIASES is set to Yes or yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[7]\d\s+2(5) then Shorewall will automatically add this address to the INTERFACE named in the first column (IPv4 only)\&. 
.sp You may also specify a range of up to 256 IP addresses if you want the SNAT address to be assigned from that range in a round\-robin fashion by connection\&. The range is specified by \fIfirst\&.ip\&.in\&.range\fR\-\fIlast\&.ip\&.in\&.range\fR\&. You may follow the port range with\fB :random\fR in which case assignment of ports from the list will be random\&. \fBrandom\fR may also be specified by itself in this column in which case random local port assignments are made for the outgoing connections\&. .sp Example: 206\&.124\&.146\&.177\-206\&.124\&.146\&.180 .sp You may follow the port range (or \fB:random\fR) with \fB:persistent\fR\&. This is only useful when an address range is specified and causes a client to be given the same source/destination IP pair\&. .sp You may also use the special value \fBdetect\fR which causes Shorewall to determine the IP addresses configured on the interface named in the DEST column and substitute them in this column\&. .sp Finally, you may also specify a comma\-separated list of ranges and/or addresses in this column\&. .sp DNS names are not allowed\&. .sp Normally, Netfilter will attempt to retain the source port number\&. You may cause netfilter to remap the source port by following an address or range (if any) by ":" and a port range with the format \fIlowport\fR\-\fIhighport\fR\&. If this is done, you must specify "tcp", "udp", "dccp" or "sctp" in the PROTO column\&. .sp Examples: .sp .if n \{\ .RS 4 .\} .nf 192\&.0\&.2\&.4:5000\-6000 :4000\-5000 .fi .if n \{\ .RE .\} .sp You may also specify a single port number, which will be assigned to the outgoing connection, if possible\&. .RE .PP \fBULOG\fR[(\fIulog\-parameters\fR)] .RS 4 IPv4 only\&. Added in Shorewall 5\&.1\&.9\&. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule\&. See \m[blue]\fBshorewall\-logging(5)\fR\m[]\&\s-2\u[4]\d\s+2\&. 
.sp Similar to\fB LOG:ULOG\fR[(\fIulog\-parameters\fR)], except that the log level is not changed when this ACTION is used in an action or macro body and the invocation of that action or macro specifies a log level\&. .RE .sp Normally Masq/SNAT rules are evaluated after those for one\-to\-one NAT (defined in \m[blue]\fBshorewall\-nat\fR\m[]\&\s-2\u[8]\d\s+2(5))\&. If you want the rule to be applied before one\-to\-one NAT rules, follow the action name with "+": This feature should only be required if you need to insert rules in this file that preempt entries in \m[blue]\fBshorewall\-nat\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. .RE .PP \fBSOURCE\fR (Optional) \- [\fIinterface\fR|\fIaddress\fR[\fB,\fR\fIaddress\fR\&.\&.\&.][\fIexclusion\fR]] .RS 4 Set of hosts that you wish to masquerade\&. You can specify this as an \fIaddress\fR (net or host) or as an \fIinterface\fR\&. Unless you want to perform SNAT in the INPUT chain (see DEST below), if you give the name of an interface (deprecated), the interface must be up before you start the firewall and the Shorewall rules compiler will warn you of that fact\&. (Shorewall will use your main routing table to determine the appropriate addresses to masquerade)\&. .sp The preferred way to specify the SOURCE is to supply one or more host or network addresses separated by comma\&. You may use ipset names preceded by a plus sign (+) to specify a set of hosts\&. .RE .PP \fBDEST\fR \- {\fIinterface\fR[\fB:\fR\fIdigit][,\fR\fIinterface\fR[\fB:\fR\fIdigit\fR]]\&.\&.\&.|$FW}[\fB:\fR[\fIdest\-address\fR[\fB,\fR\fIdest\-address\fR]\&.\&.\&.[\fIexclusion\fR]] .RS 4 Outgoing \fIinterface\fRs and destination networks\&. Multiple interfaces may be listed when the ACTION is MASQUERADE, but this is usually just your internet interface\&. If ADD_SNAT_ALIASES=Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[7]\d\s+2(5), you may add ":" and a \fIdigit\fR to indicate that you want the alias added with that name (e\&.g\&., eth0:0)\&. 
This will allow the alias to be displayed with ifconfig\&. \fBThat is the only use for the alias name; it may not appear in any other place in your Shorewall configuration\&.\fR .sp Beginning with Shorewall 5\&.1\&.12, SNAT may be performed in the nat table\*(Aqs INPUT chain by specifying $FW rather than one or more interfaces\&. .sp Each interface must match an entry in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. Shorewall allows loose matches to wildcard entries in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. For example, ppp0 in this file will match a \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(5) entry that defines ppp+\&. .sp Where \m[blue]\fBmore than one internet provider shares a single interface\fR\m[]\&\s-2\u[10]\d\s+2, the provider is specified by including the provider name or number in parentheses: .sp .if n \{\ .RS 4 .\} .nf eth0(Avvanta) .fi .if n \{\ .RE .\} .sp In that case, you will want to specify the interface\*(Aqs address for that provider as the SNAT parameter\&. .sp The interface may be qualified by adding the character ":" followed by a comma\-separated list of destination host or subnet addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations\&. Exclusion is allowed (see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[11]\d\s+2(5)) as are ipset names preceded by a plus sign \*(Aq+\*(Aq\&. .sp If you wish to inhibit the action of ADD_SNAT_ALIASES for this entry then include the ":" but omit the digit: .sp .if n \{\ .RS 4 .\} .nf eth0(Avvanta): eth2::192\&.0\&.2\&.32/27 .fi .if n \{\ .RE .\} .sp Comments may be attached to Netfilter rules generated from entries in this file through the use of ?COMMENT lines\&. These lines begin with ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached\&. 
To stop adding comments to rules, use a line containing only ?COMMENT\&. .RE .PP \fBPROTO\fR (Optional) \- {\fB\-\fR|[!]{\fIprotocol\-name\fR|\fIprotocol\-number\fR}[,\&.\&.\&.]|+\fIipset\fR} .RS 4 If you wish to restrict this entry to a particular protocol then enter the protocol name (from protocols(5)) or number here\&. See \m[blue]\fBshorewall\-rules(5)\fR\m[]\&\s-2\u[12]\d\s+2 for details\&. .sp Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&. .sp Beginning with Shorewall 4\&.6\&.0, an \fIipset\fR name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&. .RE .PP \fBPORT\fR (Optional) \- {\-|[!]\fIport\-name\-or\-number\fR[,\fIport\-name\-or\-number\fR]\&.\&.\&.|+\fIipset\fR} .RS 4 If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136) then you may list one or more port numbers (or names from services(5)) or port ranges separated by commas\&. .sp Port ranges are of the form \fIlowport\fR:\fIhighport\fR\&. .sp Beginning with Shorewall 4\&.6\&.0, an \fIipset\fR name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&. .RE .PP \fBIPSEC\fR (Optional) \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.] .RS 4 If you specify a value other than "\-" in this column, you must be running kernel 2\&.6 and your kernel and iptables must include policy match support\&. .sp Comma\-separated list of options from the following\&. Only packets that will be encrypted via an SA that matches these options will have their source address changed\&. .PP \fBreqid=\fR\fInumber\fR .RS 4 where \fInumber\fR is specified using setkey(8) using the \*(Aqunique:\fInumber\fR option for the SPD level\&. .RE .PP \fBspi=\fR .RS 4 where \fInumber\fR is the SPI of the SA used to encrypt/decrypt packets\&. 
.RE .PP \fBproto=\fR\fBah\fR|\fBesp\fR|\fBipcomp\fR .RS 4 IPSEC Encapsulation Protocol .RE .PP \fBmss=\fR\fInumber\fR .RS 4 sets the MSS field in TCP packets .RE .PP \fBmode=\fR\fBtransport\fR|\fBtunnel\fR .RS 4 IPSEC mode .RE .PP \fBtunnel\-src=\fR\fIaddress\fR[/\fImask\fR] .RS 4 only available with mode=tunnel .RE .PP \fBtunnel\-dst=\fR\fIaddress\fR[/\fImask\fR] .RS 4 only available with mode=tunnel .RE .PP \fBstrict\fR .RS 4 Means that packets must match all rules\&. .RE .PP \fBnext\fR .RS 4 Separates rules; can only be used with strict .RE .PP \fByes\fR .RS 4 When used by itself, causes all traffic that will be encrypted/encapsulated to match the rule\&. .RE .RE .PP \fBMARK\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR] .RS 4 Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&. .sp If you don\*(Aqt want to define a test but need to specify anything in the following columns, place a "\-" in this field\&. .PP ! .RS 4 Inverts the test (not equal) .RE .PP \fIvalue\fR .RS 4 Value of the packet or connection mark\&. .RE .PP \fImask\fR .RS 4 A mask to be applied to the mark before testing\&. .RE .PP \fB:C\fR .RS 4 Designates a connection mark\&. If omitted, the packet mark\*(Aqs value is tested\&. .RE .RE .PP \fBUSER\fR (Optional) \- [\fB!\fR][\fIuser\-name\-or\-number\fR][\fB:\fR\fIgroup\-name\-or\-number\fR][\fB+\fR\fIprogram\-name\fR] .RS 4 This column was formerly labelled USER/GROUP\&. .sp Only locally\-generated connections will match if this column is non\-empty\&. .sp When this column is non\-empty, the rule matches only if the program generating the output is running under the effective \fIuser\fR and/or \fIgroup\fR specified (or is NOT running under that id if "!" is given)\&. 
.sp Examples: .PP joe .RS 4 program must be run by joe .RE .PP :kids .RS 4 program must be run by a member of the \*(Aqkids\*(Aq group .RE .PP !:kids .RS 4 program must not be run by a member of the \*(Aqkids\*(Aq group .RE .PP +upnpd .RS 4 #program named upnpd .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBImportant\fR .ps -1 .br The ability to specify a program name was removed from Netfilter in kernel version 2\&.6\&.14\&. .sp .5v .RE .RE .RE .PP \fBSWITCH \- [!]\fR\fB\fIswitch\-name\fR\fR\fB[={0|1}]\fR .RS 4 Added in Shorewall 4\&.5\&.1 and allows enabling and disabling the rule without requiring \fBshorewall restart\fR\&. .sp The rule is enabled if the value stored in /proc/net/nf_condition/\fIswitch\-name\fR is 1\&. The rule is disabled if that file contains 0 (the default)\&. If \*(Aq!\*(Aq is supplied, the test is inverted such that the rule is enabled if the file contains 0\&. .sp Within the \fIswitch\-name\fR, \*(Aq@0\*(Aq and \*(Aq@{0}\*(Aq are replaced by the name of the chain to which the rule is added\&. The \fIswitch\-name\fR (after \*(Aq@\&.\&.\&.\*(Aq expansion) must begin with a letter and be composed of letters, decimal digits, underscores or hyphens\&. Switch names must be 30 characters or less in length\&. .sp Switches are normally \fBoff\fR\&. To turn a switch \fBon\fR: .RS 4 \fBecho 1 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE To turn it \fBoff\fR again: .RS 4 \fBecho 0 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR .RE Switch settings are retained over \fBshorewall restart\fR\&. .sp Beginning with Shorewall 4\&.5\&.10, when the \fIswitch\-name\fR is followed by \fB=0\fR or \fB=1\fR, then the switch is initialized to off or on respectively by the \fBstart\fR command\&. Other commands do not affect the switch setting\&. .RE .PP \fBORIGDEST\fR \- [\fB\-\fR|\fIaddress\fR[,\fIaddress\fR]\&.\&.\&.[\fIexclusion\fR]|\fIexclusion\fR] .RS 4 (Optional) Added in Shorewall 4\&.5\&.6\&. 
This column may be included and may contain one or more addresses (host or network) separated by commas\&. Address ranges are not allowed\&. When this column is supplied, rules are generated that require that the original destination address matches one of the listed addresses\&. It is useful for specifying that SNAT should occur only for connections that were acted on by a DNAT when they entered the firewall\&. .sp This column was formerly labelled ORIGINAL DEST\&. .RE .PP \fBPROBABILITY\fR \- [\fIprobability\fR] .RS 4 Added in Shorewall 5\&.0\&.0\&. When non\-empty, requires the Statistics Match capability in your kernel and ip6tables and causes the rule to match randomly but with the given \fIprobability\fR\&. The \fIprobability\fR is a number 0 < \fIprobability\fR <= 1 and may be expressed at up to 8 decimal points of precision\&. .RE .SH "EXAMPLES" .PP IPv4 Example 1: .RS 4 You have a simple masquerading setup where eth0 connects to a DSL or cable modem and eth1 connects to your local network with subnet 192\&.168\&.0\&.0/24\&. .sp Your entry in the file will be: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST MASQUERADE 192\&.168\&.0\&.0/24 eth0 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 2: .RS 4 You add a router to your local network to connect subnet 192\&.168\&.1\&.0/24 which you also want to masquerade\&. You then add a second entry for eth0 to this file: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST MASQUERADE 192\&.168\&.0\&.0/24 eth0 MASQUERADE 192\&.168\&.1\&.0/24 eth0 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 3: .RS 4 You want all outgoing traffic from 192\&.168\&.1\&.0/24 through eth0 to use source address 206\&.124\&.146\&.176 which is NOT the primary address of eth0\&. You want 206\&.124\&.146\&.176 to be added to eth0 with name eth0:0\&. 
.sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST SNAT(206\&.124\&.146\&.176) 192\&.168\&.1\&.0/24 eth0:0 .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 4: .RS 4 You want all outgoing SMTP traffic entering the firewall from 172\&.20\&.1\&.0/29 to be sent from eth0 with source IP address 206\&.124\&.146\&.177\&. You want all other outgoing traffic from 172\&.20\&.1\&.0/29 to be sent from eth0 with source IP address 206\&.124\&.146\&.176\&. .sp .if n \{\ .RS 4 .\} .nf #INTERFACE SOURCE ADDRESS PROTO DPORT eth0 172\&.20\&.1\&.0/29 206\&.124\&.146\&.177 tcp smtp eth0 172\&.20\&.1\&.0/29 206\&.124\&.146\&.176 .fi .if n \{\ .RE .\} .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST PROTO PORT SNAT(206\&.124\&.146\&.177) 172\&.20\&.1\&.0/29 eth0 tcp smtp SNAT(206\&.124\&.146\&.176) 172\&.20\&.1\&.0/29 eth0 .fi .if n \{\ .RE .\} .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br The order of the above two rules is significant! The first rule that matches a connection is the one applied, so the narrower SMTP\-specific rule must precede the catch\-all rule for 172\&.20\&.1\&.0/29\&. If the order were reversed, the catch\-all rule would match SMTP connections first and they would leave with source address 206\&.124\&.146\&.176\&. .sp .5v .RE .RE .PP IPv4 Example 5: .RS 4 Connections leaving on eth0 and destined to any host defined in the ipset \fImyset\fR should have the source IP address changed to 206\&.124\&.146\&.177\&. .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST SNAT(206\&.124\&.146\&.177) \- eth0:+myset[dst] .fi .if n \{\ .RE .\} .RE .PP IPv4 Example 6: .RS 4 SNAT outgoing connections on eth0 from 192\&.168\&.1\&.0/24 in round\-robin fashion between addresses 1\&.1\&.1\&.1, 1\&.1\&.1\&.3, and 1\&.1\&.1\&.9 (Shorewall 4\&.5\&.9 and later)\&. 
.sp .if n \{\ .RS 4 .\} .nf /etc/shorewall/tcrules: #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST 1\-3:CF 192\&.168\&.1\&.0/24 eth0 ; state=NEW /etc/shorewall/snat: #ACTION SOURCE DEST SNAT(1\&.1\&.1\&.1) 192\&.168\&.1\&.0/24 eth0 { mark=1:C } SNAT(1\&.1\&.1\&.3) 192\&.168\&.1\&.0/24 eth0 { mark=2:C } SNAT(1\&.1\&.1\&.9) 192\&.168\&.1\&.0/24 eth0 { mark=3:C } .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 1: .RS 4 You have a simple \*(Aqmasquerading\*(Aq setup where eth0 connects to a DSL or cable modem and eth1 connects to your local network with subnet 2001:470:b:787::0/64 .sp Your entry in the file will be: .sp .if n \{\ .RS 4 .\} .nf #ACTION SOURCE DEST MASQUERADE 2001:470:b:787::0/64 eth0 .fi .if n \{\ .RE .\} .RE .PP IPv6 Example 2: .RS 4 Your sit1 interface has two public IP addresses: 2001:470:a:227::1 and 2001:470:b:227::1\&. You want to use the iptables statistics match to masquerade outgoing connections evenly between these two addresses\&. The first rule takes half of the new connections with probability 0\&.50; the remaining connections fall through to the second rule\&. .sp .if n \{\ .RS 4 .\} .nf /etc/shorewall/snat: #ACTION SOURCE DEST SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0\&.50 } SNAT(2001:470:b:227::1) ::/0 sit1 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall/snat .PP /etc/shorewall6/snat .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[13]\d\s+2 .PP shorewall(8) .SH "NOTES" .IP " 1." 4 shorewall-masq .RS 4 \%http://www.shorewall.org/manpages/shorewall-masq.html .RE .IP " 2." 4 shorewall-rtrules .RS 4 \%http://www.shorewall.org/manpages/shorewall-rtrules.html .RE .IP " 3." 4 shorewall-mangle .RS 4 \%http://www.shorewall.org/manpages/shorewall-mangle.html .RE .IP " 4." 4 shorewall-logging(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-logging.html .RE .IP " 5." 4 shorewall-actions(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-actions.html .RE .IP " 6." 4 www.shorewall.net/Actions.html .RS 4 \%http://www.shorewall.org/Actions.html .RE .IP " 7." 
4 shorewall.conf .RS 4 \%http://www.shorewall.org/manpages/shorewall.conf.html .RE .IP " 8." 4 shorewall-nat .RS 4 \%http://www.shorewall.org/manpages/shorewall-nat.html .RE .IP " 9." 4 shorewall-interfaces .RS 4 \%http://www.shorewall.org/manpages/shorewall-interfaces.html .RE .IP "10." 4 more than one internet provider shares a single interface .RS 4 \%http://www.shorewall.org/4.4/MultiISP.html#Shared .RE .IP "11." 4 shorewall-exclusion .RS 4 \%http://www.shorewall.org/manpages/shorewall-exclusion.html .RE .IP "12." 4 shorewall-rules(5) .RS 4 \%http://www.shorewall.org/manpages/shorewall-rules.html .RE .IP "13." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.org/configuration_file_basics.htm#Pairs .RE shorewall-5.2.3.4/configure.pl0000775000000000000000000001405313531077634014720 0ustar rootroot#! /usr/bin/perl -w # # Shorewall Packet Filtering Firewall configuration program - V5.2 # # (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://www.shorewall.net # # This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by the # Free Software Foundation, either version 2 of the license or, at your # option, any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # Usage: ./configure.pl