85
85
###############################################################################
87
87
###############################################################################
90
# BLACKLIST_LOGLEVEL=[log-level]
92
# This parameter determines if packets from blacklisted hosts are logged and
93
# it determines the syslog level that they are to be logged at. Its value is
94
# a syslog level (Example: BLACKLIST_LOGLEVEL=debug). If you do not assign a
95
# value or if you assign an empty value then packets from blacklisted hosts
96
# are not logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
97
# the BLACKLIST section of shorewall-rules (5). It determines the log level
98
# of packets sent to the blacklog target of shorewall-blrules(5).
90
# BLACKLIST_LOG_LEVEL=[log-level]
92
# Formerly named BLACKLIST_LOGLEVEL. This parameter determines if packets
93
# from blacklisted hosts are logged and it determines the syslog level that
94
# they are to be logged at. Its value is a syslog level (Example:
95
# BLACKLIST_LOG_LEVEL=debug). If you do not assign a value or if you assign
96
# an empty value then packets from blacklisted hosts are not logged. The
97
# setting determines the log level of packets sent to the blacklog target of
98
# shorewall-blrules(5).
102
# INVALID_LOG_LEVEL=log-level
104
# Added in Shorewall 4.5.13. Packets in the INVALID state that do not match
105
# any rule in the INVALID section of shorewall-rules (5) are logged at this
106
# level. The default value is empty which means no logging is performed.
201
209
# specified then the tag is included in the log prefix in place of the chain
212
# Beginning with Shorewall 4.5.12, when LOGTAGONLY=Yes, you have more control
213
# over the generated log prefix. Beginning with that release, the tag is
214
# interpreted as a chain name and a disposition separated by a comma. So this
217
# #ACTION SOURCE DEST
218
# LOG:info:foo,bar net fw
220
# would generate the following log prefix when using the default LOGFORMAT
227
# #ACTION SOURCE DEST
228
# LOG:info:,bar net fw
232
# Shorewall:net2fw:bar:
206
236
# LOGLIMIT=[[{s|d}:]rate/{sec|min|hour|day}[:burst]]
231
261
# any rule in the RELATED section of shorewall-rules (5) are logged at this
232
262
# level. The default value is empty which means no logging is performed.
264
RPFILTER_LOG_LEVEL=info
266
# RPFILTER_LOG_LEVEL=log-level
268
# Added in shorewall 4.5.7. Determines the logging of packets disposed via
269
# the RPFILTER_DISPOSITION. The default value is info.
234
271
SFILTER_LOG_LEVEL=info
236
273
# SFILTER_LOG_LEVEL=log-level
238
275
# Added on Shorewall 4.4.20. Determines the logging of packets matching the
239
# filter option (see shorewall-interfaces(5)) and of hairpin packets on
276
# sfilter option (see shorewall-interfaces(5)) and of hairpin packets on
240
277
# interfaces without the routeback option.^[2] interfaces without the
241
278
# routeback option. The default is info. If you don't wish for these packets
242
279
# to be logged, use SFILTER_LOG_LEVEL=none.
266
303
# log level. If you don't want to log these packets, set to the empty value
267
304
# (e.g., TCP_FLAGS_LOG_LEVEL="").
308
# UNTRACKED_LOG_LEVEL=log-level
310
# Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match
311
# any rule in the UNTRACKED section of shorewall-rules (5) are logged at this
312
# level. The default value is empty which means no logging is performed.
269
314
###############################################################################
270
315
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
271
316
###############################################################################
319
# ARPTABLES=[pathname]
321
# Added in Shorewall 4.5.12. This parameter names the arptables executable to
322
# be used by Shorewall. If not specified or if specified as a null value,
323
# then the arptables executable located using the PATH option is used.
325
# Regardless of how the arptables utility is located (specified via arptables
326
# = or located via PATH), Shorewall uses the arptables-restore and
327
# arptables-save utilities from that same directory.
272
329
CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
274
331
# CONFIG_PATH=[directory[:directory]...]
284
341
# ● Next, each directory in the CONFIG_PATH setting is searched in
287
# If CONFIG_PATH is not given or if it is set to the empty value then the
288
# contents of /usr/share/shorewall/configpath are used. As released from
289
# shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall:/usr/
290
# share/shorewall but your particular distribution may set it
291
# differently. See the output of shorewall show config for the default on
294
# Note that the setting in /usr/share/shorewall/configpath is always used
295
# to locate shorewall.conf.
344
# If CONFIG_PATH is not given or if it is set to the empty value then the
345
# contents of /usr/share/shorewall/configpath are used. As released from
346
# shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall:/usr/share/
347
# shorewall but your particular distribution may set it differently. See the
348
# output of shorewall show config for the default on your system.
297
350
GEOIPDIR=/usr/share/xt_geoip/LE
301
354
# Added in Shorewall 4.5.4. Specifies the pathname of the directory
302
355
# containing the GeoIP Match database. See http://www.shorewall.net/
303
# ISOCODES.html. If not specified, the default value is /usr/share/xt_geoip/
356
# ISO-3661.html. If not specified, the default value is /usr/share/xt_geoip/
304
357
# LE which is the default location of the little-endian database.
311
364
# not specified or if specified as a null value, then the iptables executable
312
365
# located using the PATH option is used.
314
# Regardless of how the IPTABLES utility is located (specified via IPTABLES=
367
# Regardless of how the iptables utility is located (specified via IPTABLES=
315
368
# or located via PATH), Shorewall uses the iptables-restore and iptables-save
316
369
# utilities from that same directory.
408
468
###############################################################################
409
469
ACCEPT_DEFAULT="none"
411
# ACCEPT_DEFAULT={action|none}
471
# ACCEPT_DEFAULT={action[(parameters)][:level]|none}
413
473
DROP_DEFAULT="Drop"
415
# DROP_DEFAULT={action|none}
475
# DROP_DEFAULT={action[(parameters)][:level]|none}
417
477
NFQUEUE_DEFAULT="none"
419
# NFQUEUE_DEFAULT={action|none}
479
# NFQUEUE_DEFAULT={action[(parameters)][:level]|none}
421
481
QUEUE_DEFAULT="none"
423
# QUEUE_DEFAULT={action|none}
483
# QUEUE_DEFAULT={action[(parameters)][:level]|none}
425
485
REJECT_DEFAULT="Reject"
427
# REJECT_DEFAULT={action|none}
487
# REJECT_DEFAULT={action[(parameters)][:level]|none}
429
489
# In earlier Shorewall versions, a "default action" for DROP and REJECT
430
490
# policies was specified in the file /usr/share/shorewall/actions.std.
432
# To allow for default rules to be applied when USE_ACTIONS=No, the
433
# DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and
434
# NFQUEUE_DEFAULT options have been added.
492
# In Shorewall 4.4.0, the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT,
493
# QUEUE_DEFAULT and NFQUEUE_DEFAULT options were added.
436
495
# DROP_DEFAULT describes the rules to be applied before a connection request
437
496
# is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be
451
507
# QUEUE_DEFAULT="none"
452
508
# NFQUEUE_DEFAULT="None"
454
# If USE_ACTIONS=Yes, then these values refer to action.Drop and
455
# action.Reject respectively. If USE_ACTIONS=No, then these values refer to
456
# macro.Drop and macro.Reject.
458
510
# If you set the value of either option to "None" then no default action will
459
511
# be used and the default action or macro must be specified in
460
512
# shorewall-policy(5).
514
# You can pass parameters to the specified action (e.g., myaction(audit,DROP)
517
# Beginning with Shorewall 4.5.10, the action name can be followed optionally
518
# by a colon and a log level. The level will be applied to each rule in the
519
# action or body that does not already have a log level.
462
521
###############################################################################
463
522
# R S H / R C P C O M M A N D S
464
523
###############################################################################
567
626
# itself are allowed. If this variable is not set or is given the empty value
568
627
# then ADMINISABSENTMINDED=No is assumed.
572
# AUTO_COMMENT=[Yes|No]
574
# If set, if there is not a current comment when a macro is invoked, the
575
# behavior is as if the first line of the macro file was "COMMENT <macro
576
# name>". The AUTO_COMMENT option has a default value of 'Yes'.
629
IGNOREUNKNOWNVARIABLES=No
631
# IGNOREUNKNOWNVARIABLES=[Yes|No]
633
# Added in Shorewall 4.5.11. Normally, if an unknown shell variable is
634
# encountered in a configuration file (except in ?IF and ?ELSIF directives),
635
# the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes,
636
# then such variables simply expand to an empty string. Default is No.
640
# AUTOCOMMENT=[Yes|No]
642
# Formerly named AUTO_COMMENT. If set, if there is not a current comment when
643
# a macro is invoked, the behavior is as if the first line of the macro file
644
# was "COMMENT <macro name>". The AUTO_COMMENT option has a default value of
578
647
# The setting of the AUTOMAKE option is ignored if the start or restart
579
648
# command includes a directory name (e.g., shorewall restart /etc/
580
649
# shorewall.new).
653
# AUTOHELPERS=[Yes|No]
655
# Added in Shorewall 4.5.7. When set to Yes (the default), the generated
656
# ruleset will automatically associate helpers with applications that require
657
# them (FTP, IRC, etc.). When configuring your firewall on systems running
658
# kernel 3.5 or later, it is recommended that you:
660
# 1. Set AUTOHELPERS=No.
664
# a. Modify shorewall-conntrack (5) to only apply helpers where they are
667
# b. Specify the appropriate helper in the HELPER column in
668
# shorewall-rules (5).
672
# The macros for those applications requiring a helper automatically
673
# specify the appropriate HELPER where required.
584
677
# AUTOMAKE=[Yes|No]
589
682
# executed the last start or restart command is used. The default is AUTOMAKE
594
# BLACKLISTNEWONLY={Yes|No}
596
# When set to Yes or yes, blacklists are only consulted for new connections.
597
# That includes entries in the shorewall-blrules (5) file and in the
598
# BLACKLIST section of shorewall-rules (5).
600
# When set to No or no, blacklists are consulted for every packet (will slow
601
# down your firewall noticably if you have large blacklists). If the
602
# BLACKLISTNEWONLY option is not set or is set to the empty value then
603
# BLACKLISTNEWONLY=No is assumed.
607
# BLACKLISTNEWONLY=No is incompatible with FASTACCEPT=Yes.
685
BLACKLIST="NEW,INVALID,UNTRACKED"
687
# BLACKLIST=[{ALL|state[,...]}]
689
# where state is one of NEW, ESTABLISHED, RELATED, INVALID,or UNTRACKED.
691
# Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY option below.
692
# Specifies the connection tracking states that are to be subject to
693
# blacklist screening. If neither BLACKLIST nor BLACKLISTNEWONLY are
694
# specified then the states subject to blacklisting are
695
# NEW,ESTABLISHED,INVALID,UNTRACKED.
697
# ALL sends all packets through the blacklist chains.
699
# Note: The ESTABLISHED state may not be specified if FASTACCEPT is
704
# CHAIN_SCRIPTS={Yes|No}
706
# Added in Shorewall 4.5.16. Prior to the availability of BEGIN PERL....END
707
# PERL in configuration files, the only way to execute a chain-specific
708
# script was to create a script file with the same name as the chain and
709
# place it in a directory on the CONFIG_PATH. That facility has the drawback
710
# that the compiler will attempt to run a non-script file just because it has
711
# the same name as a chain. To disable this facility, set CHAIN_SCRIPTS=No.
712
# If not specified or specified as the empty value, CHAIN_SCRIPTS=Yes is
652
758
# ● You have no CONTINUE policies or rules.
760
DEFER_DNS_RESOLUTION=Yes
762
# DEFER_DNS_RESOLUTION=[Yes|No]
764
# Added in Shorewall 4.5.12. When set to 'Yes' (the default), DNS names are
765
# validated in the compiler and then passed on to the generated script where
766
# they are resolved by iptables-restore. This is an advantage if you use
767
# AUTOMAKE=Yes and the IP address associated with the DNS name is subject to
768
# change. When DEFER_DNS_RESOLUTION=No, DNS names are converted into IP
769
# addresses by the compiler. This has the advantage that when AUTOMAKE=Yes,
770
# the start and restart commands will succeed even if no DNS server is
771
# reachable (assuming that the configuration hasn't changed since the
772
# compiled script was last generated).
656
776
# DISABLE_IPV6=[Yes|No]
660
780
# to allowing or disallowing IPv6 traffic. If not specified or empty,
661
781
# “DISABLE_IPV6=No” is assumed.
783
# It is important to note that changing DISABLE_IPV6=Yes to DISABLE_IPV6=No
784
# does not enable IPV6. The recommended approach for enabling IPv6 on your
787
# ● Install, configure and start Shorewall6.
789
# ● Change DISABLE_IPV6=Yes to DISABLE_IPV6=No
791
# ● Restart Shorewall
663
793
DELETE_THEN_ADD=Yes
665
795
# DELETE_THEN_ADD={Yes|No}
755
885
# Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle
756
886
# PREROUTING chain are retained in the FORWARD chains.
890
# HELPERS=[helper[,helper...]]
892
# Added in Shorewall 4.5.7. This option lists the Netfilter application helps
893
# that are to be enabled. If not specified, the default is to enable all
896
# Possible values for helper are:
908
# ● none - This special value was added in Shorewall 4.5.16 and indicates
909
# that no helpers are to be enabled. It also prevents the compiler for
910
# probing for helper support; such probing generates messages on the
911
# system log of the form "xt_CT: No such helper XXX" where XXX is the
912
# helper name. When used, none must be the only helper specified.
924
# When HELPERS is specified on a system running Kernel 3.5.0 or later,
925
# automatic association of helpers to connections is disabled.
758
927
IMPLICIT_CONTINUE=No
760
929
# IMPLICIT_CONTINUE={Yes|No}
951
1120
NULL_ROUTE_RFC1918=No
953
# NULL_ROUTE_RFC1918=[Yes|No]
1122
# NULL_ROUTE_RFC1918=[Yes|No|blackhole|unreachable|prohibit]
955
1124
# When set to Yes, causes Shorewall to null-route the IPv4 address ranges
956
1125
# reserved by RFC1918. The default value is 'No'.
960
1129
# source address are only accepted from interfaces having known routes to
961
1130
# networks using such addresses.
1132
# Beginning with Shorewall 4.5.15, you may specify blackhole, unreachable or
1133
# prohibit to set the type of route to be created. See http://
1134
# www.shorewall.net/MultiISP.html#null_routing.
965
1138
# OPTIMIZE=[value]
1058
1231
# of combined comments are replaced by 'Others and'. Empty comments at
1059
1232
# the end of a group of combined comments are replaced by 'and others'.
1234
# Beginning in Shorewall 4.5.10, this option also suppresses duplicate
1235
# adjacent rules and duplicate non-adjacent rules that don't include mark
1236
# , connmark, dscp, ecn, set, tos or u32 matches.
1063
1240
# Rules with comments "FOO", <empty> and "BAR" would result in the
1103
1280
# case, RESTORE_DEFAULT_ROUTE=No will cause any default route in the relevant
1104
1281
# table to be deleted.
1283
RESTORE_ROUTEMARKS=Yes
1285
# RESTORE_ROUTEMARKS=[Yes|No]
1287
# Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are
1288
# restored unconditionally at the top of the mangle OUTPUT and PREROUTING
1289
# chains, even if the saved mark is zero. When this option is set to No, the
1290
# mark is restored even when it is zero. If you have problems with IPSEC ESP
1291
# packets not being routed correctly on output, try setting this option to No
1106
1294
RETAIN_ALIASES=No
1108
1296
# RETAIN_ALIASES={Yes|No}
1130
1318
# to No, then route filtering is disabled on all interfaces except those
1131
1319
# specified in shorewall-interfaces(5).
1323
# SAVE_ARPTABLES={Yes|No}
1325
# Added in Shorewall 4.5.12. If SAVE_ARPTABLES=Yes, then the current
1326
# arptables contents will be saved by shorewall save command and restored by
1327
# shorewall restore command. Default value is No.
1135
1331
# SAVE_IPSETS={Yes|No}
1265
1461
# interface would be 'OAKLAND_in'. If this option is set to Yes, then the
1266
1462
# physical name of the interface will be used the base of the chain name.
1466
# USE_RT_NAMES=[Yes|No]
1468
# Added in Shorewall 4.5.15. When set to 'Yes', Shorewall will use routing
1469
# table (provider) names in the generated script rather than table numbers.
1470
# When set to 'No' (the default), routing table numbers will be used.
1474
# If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must insure
1475
# that all of your providers have entries in /etc/iproute2/rt_tables as well
1476
# as the following entries:
1484
# Without these entries, the firewall will fail to start.
1486
WARNOLDCAPVERSION=Yes
1488
# WARNOLDCAPVERSION=[Yes|No]
1490
# Added in Shorewall 4.5.12. When set to Yes (the default), the compiler
1491
# issues a warning when it finds a capabilities file that doesn't specify all
1492
# of the capabilities supported by the compiler. When WARNOLDCAPVERSION is
1493
# set to No, no warning is issued.
1270
1497
# ZONE2ZONE={2|-}
1294
1521
# section of shorewall-rules (5). It determines the disposition of packets
1295
1522
# sent to the blacklog target of shorewall-blrules (5).
1524
INVALID_DISPOSITION=CONTINUE
1526
# INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]
1528
# Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID
1529
# packets through the NEW section of shorewall-rules (5). When a packet in
1530
# INVALID state fails to match any rule in the INVALID section, the packet is
1531
# disposed of based on this setting. The default value is CONTINUE for
1532
# compatibility with earlier versions.
1297
1534
MACLIST_DISPOSITION=REJECT
1299
1536
# MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT|A_DROP|A_REJECT]
1311
1548
RELATED_DISPOSITION=ACCEPT
1313
# RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]
1550
# RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]
1315
1552
# Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED
1316
1553
# packets that don't match any rule in the RELATED section of shorewall-rules
1319
1556
# RELATED section, the packet is disposed of based on this setting. The
1320
1557
# default value is ACCEPT for compatibility with earlier versions.
1559
RPFILTER_DISPOSITION=DROP
1561
# RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
1563
# Added in Shorewall 4.5.7. Determines the disposition of packets entering
1564
# from interfaces the rpfilter option (see shorewall-interfaces(5)). Packets
1565
# disposed of by this option are those whose response packets would not be
1566
# sent through the same interface receiving the packet.
1322
1568
SMURF_DISPOSITION=DROP
1324
1570
# SMURF_DISPOSITION=[DROP|A_DROP]
1333
1579
# SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
1335
1581
# Added in Shorewall 4.4.20. Determines the disposition of packets matching
1336
# the filter option (see shorewall-interfaces(5)) and of hairpin packets on
1582
# the sfilter option (see shorewall-interfaces(5)) and of hairpin packets on
1337
1583
# interfaces without the routeback option.^[1] interfaces without the
1338
1584
# routeback option.
1351
1597
# and were added in Shorewall 4.4.20. They require AUDIT_TARGET in the kernel
1352
1598
# and iptables.
1600
UNTRACKED_DISPOSITION=CONTINUE
1602
# UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]
1604
# Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED
1605
# packets through the NEW section of shorewall-rules (5). When a packet in
1606
# UNTRACKED state fails to match any rule in the UNTRACKED section, the
1607
# packet is disposed of based on this setting. The default value is CONTINUE
1608
# for compatibility with earlier versions.
1354
1610
################################################################################
1355
1611
# P A C K E T M A R K L A Y O U T
1356
1612
################################################################################