# The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and

# There is an implicit ACCEPT rule inserted at the end of this section.

# There is an implicit rule added at the end of this section that invokes the
# RELATED_DISPOSITION (shorewall.conf(5)).

# Added in Shorewall 4.5.13. Packets in the INVALID state are processed by
# rules in this section.

# The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and

# There is an implicit rule added at the end of this section that invokes the
# INVALID_DISPOSITION (shorewall.conf(5)).

# Added in Shorewall 4.5.13. Packets in the UNTRACKED state are processed by
# rules in this section.

# The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and

# There is an implicit rule added at the end of this section that invokes the
# UNTRACKED_DISPOSITION (shorewall.conf(5)).
# Like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in
# shorewall.conf(5).

# The name of an action declared in shorewall-actions(5) or in /usr/share
# /shorewall/actions.std.

# Added in Shorewall 4.4.12. Causes addresses and/or port numbers to be
# added to the named ipset. The flags specify the address or tuple to be
# added to the set and must match the type of ipset involved. For
# example, for an iphash ipset, either the SOURCE or DESTINATION address
# can be added using flags src or dst respectively (see the -A command in

# ADD is non-terminating. Even if a packet matches the rule, it is passed
# on to the next rule.

# AUDIT[(accept|drop|reject)]

# Added in Shorewall 4.5.10. Audits the packet with the specified type;
# if the type is omitted, then drop is assumed. Requires AUDIT_TARGET
# support in the kernel and iptables.
# A_ACCEPT, A_ACCEPT+ and A_ACCEPT!

# Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+ and
# ACCEPT! respectively. Require AUDIT_TARGET support in the kernel and
# iptables.

# Excludes the connection from any subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule to accept the traffic.

# Ignore the request.

# Like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in
# shorewall.conf(5).

# A_DROP and A_DROP!

# Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
# respectively. Require AUDIT_TARGET support in the kernel and iptables.

# Disallow the request and return an icmp-unreachable or an RST packet.

# Like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in
# shorewall.conf(5).

# A_REJECT and A_REJECT!

# Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT!
# respectively. Require AUDIT_TARGET support in the kernel and iptables.

# Forward the request to another system (and optionally another port).

# Advanced users only.

# Like DNAT but only generates the DNAT iptables rule and not the
# companion ACCEPT rule.

# Redirect the request to a server running on the firewall.

# Advanced users only.

# Like REDIRECT but only generates the REDIRECT iptables rule and not the
# companion ACCEPT rule.
# the rest of the line will be attached as a comment to the Netfilter
# rule(s) generated by the following entries. The comment will appear
# delimited by "/* ... */" in the output of "shorewall show <chain>". To
# stop the comment from being attached to further rules, simply include
# COMMENT on a line by itself.

# Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and

# Like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1
# in shorewall.conf(5).

# Simply log the packet and continue with the next rule.

# Queue the packet to a user-space application such as ftwall (http://
# p2pwall.sf.net). The application may reinsert the packet for further

# Like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in
# shorewall.conf(5).
# NFQUEUE[(queuenumber)]

# Queues the packet to a user-space application using the nfnetlink_queue
# mechanism. If a queuenumber is not specified, queue zero (0) is

# NFQUEUE![(queuenumber)]

# Like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1
# in shorewall.conf(5).
# Simply increment the rule's packet and byte count and pass the packet
# to the next rule.
# Added in Shorewall 4.4.12. Causes an entry to be deleted from the named
# ipset. The flags specify the address or tuple to be deleted from the
# set and must match the type of ipset involved. For example, for an
# iphash ipset, either the SOURCE or DESTINATION address can be deleted
# using flags src or dst respectively (see the -D command in ipset(8)).

# DEL is non-terminating. Even if a packet matches the rule, it is passed
# on to the next rule.
# Added in Shorewall 4.5.7. This action requires that the HELPER column
# contains the name of the Netfilter helper to be associated with
# connections matching this rule. May only be specified in the NEW
# section and is useful for being able to specify a helper when the
# applicable policy is ACCEPT. No destination zone should be specified in

# Added in Shorewall 4.5.16. This action allows you to construct most of
# the rule yourself using iptables syntax. The part that you specify must
# follow a semicolon (';') and is completely free-form. If the target of
# the rule (the part following '-j') is something that Shorewall supports
# in the ACTION column, then you may enclose it in parentheses (e.g.,
# INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In
# this case, you must declare the target as a builtin action in
# shorewall-actions(5).

# Some considerations when using INLINE:

# ● The p, s, d, i, o, policy, and state (state or conntrack
#   --ctstate) matches will always appear in the front of the rule in

# ● When multiple matches are specified, the compiler will keep them in
#   the order in which they appear (excluding the above listed ones),
#   but they will not necessarily be at the end of the generated rule.
#   For example, if addresses are specified in the SOURCE and/or DEST
#   columns, their generated matches will appear after those specified
# macro[(macrotarget)]

# The older syntax where the macro name and the target are separated by a
# slash (e.g. FTP/ACCEPT) is still allowed but is deprecated.
# NFLOG[(nflog-parameters)]

# Added in Shorewall 4.5.9.3. Queues matching packets to a backend
# logging daemon via a netlink socket then continues to the next rule.
# See http://www.shorewall.net/shorewall_logging.html.

# Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is
# not changed when this ACTION is used in an action or macro body and the
# invocation of that action or macro specifies a log level.
# ULOG[(ulog-parameters)]

# Added in Shorewall 4.5.10. Queues matching packets to a backend logging
# daemon via a netlink socket then continues to the next rule. See
# http://www.shorewall.net/shorewall_logging.html.

# Similar to LOG:ULOG[(ulog-parameters)], except that the log level is
# not changed when this ACTION is used in an action or macro body and the
# invocation of that action or macro specifies a log level.
# The target may optionally be followed by ":" and a syslog log level (e.g.,
# REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at
# c. the SOURCE zone must be an ipv4 zone that is associated with only the
# Except when all[+]|[-] is specified, the server may be further
# restricted to a particular network, host or interface by appending ":"
# and the network, host or interface. See SOURCE above.

# You may exclude certain hosts from the set already defined through use
# of an exclusion (see shorewall-exclusion(5)).

# 1. MAC addresses are not allowed (this is a Netfilter restriction).

# 2. You may not specify both an interface and an address.

# Like in the SOURCE column, you may specify a range of IP addresses
# using the syntax lowaddress-highaddress. When the ACTION is DNAT or
# DNAT-, the connections will be assigned to addresses in the range in a
# round-robin fashion.

# If your kernel and iptables have ipset match support then you may give
# the name of an ipset prefaced by "+". The ipset name may be optionally
# followed by a number from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings to be matched.
# Only one of the SOURCE and DEST columns may specify an ipset name.

# Beginning with Shorewall 4.4.17, the primary IP address of a firewall
# interface can be specified by an ampersand ('&') followed by the logical
# name of the interface as found in the INTERFACE column of
# shorewall-interfaces(5).

# The port that the server is listening on may be included and separated
# from the server's IP address by ":". If omitted, the firewall will not
# modify the destination port. A destination port may only be included
# if the ACTION is DNAT or REDIRECT.

# loc:192.168.1.3:3128 specifies a local server at IP address
# 192.168.1.3 and listening on port 3128.

# The port may be specified as a service name. You may specify a port
# range in the form lowport-highport to cause connections to be assigned
# to ports in the range in round-robin fashion. When a port range is
# specified, lowport and highport must be given as integers; service
# names are not permitted. Additionally, the port range may be optionally
# followed by :random which causes assignment to ports in the list to be
# random.

# If the ACTION is REDIRECT or REDIRECT-, this column needs only to
# contain the port number on the firewall that the request should be
# redirected to. That is equivalent to specifying $FW::port.
# PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}

# acceptable. Specified as a comma-separated list of port names, port
# numbers or port ranges.

# Beginning with Shorewall 4.5.15, you may place '=' in this column, provided
# that the DEST PORT(S) column is non-empty. This causes the rule to match
# when either the source port or the destination port in a packet matches one
# of the ports specified in DEST PORT(S). Use of '=' requires multiport
# match in your iptables and kernel.
# Unless you really understand IP, you should leave this column empty or
# place a dash (-) in the column. Most people who try to use this column get

# If you don't want to restrict client ports but need to specify an
# ORIGINAL DEST in the next column, then place "-" in this column.

# If your kernel contains multi-port match support, then only a single
# Netfilter rule will be generated if in this list and the DEST PORT(S) list

# 1. There are 15 or fewer ports listed.

# 2. No port ranges are included or your kernel and iptables contain
# extended multiport match support.
# ORIGINAL DEST (origdest) - [-|address[,address]...[exclusion]|exclusion]
# The rule is enabled if the value stored in /proc/net/nf_condition/
# switch-name is 1. The rule is disabled if that file contains 0 (the
# default). If '!' is supplied, the test is inverted such that the rule is
# enabled if the file contains 0.

# Within the switch-name, '@0' and '@{0}' are replaced by the name of the
# chain to which the rule is added. The switch-name (after '@...'
# expansion) must begin with a letter and be composed of letters, decimal
# digits, underscores or hyphens. Switch names must be 30 characters or less
# in length.
# Switches are normally off. To turn a switch on:

# Switch settings are retained over shorewall restart.

# Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or
# =1, then the switch is initialized to off or on respectively by the start
# command. Other commands do not affect the switch setting.
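# A switch is just a 0/1 value under /proc/net/nf_condition/ that the SWITCH
# column tests, so it is easy to flip by hand and just as easy to get wrong: a
# misspelled or over-long name leaves every rule that references it in its
# default (off) state with no error. The helpers below are an added example,
# not part of the Shorewall man page or project; they check a switch name
# against the constraints stated above before reading or writing it.
# NF_CONDITION_DIR is an assumed override so the functions can be exercised
# against a scratch directory; on a live firewall it keeps its default and
# writes need root.

```shell
# Constructed example, not Shorewall's own code. Helpers for the SWITCH column
# conditions stored under /proc/net/nf_condition. NF_CONDITION_DIR is an
# assumed override so the functions can be tested against a scratch directory.
NF_CONDITION_DIR="${NF_CONDITION_DIR:-/proc/net/nf_condition}"

# valid_switch_name NAME: succeed only if NAME follows the documented rules:
# begins with a letter, contains only letters, digits, underscores or hyphens,
# and is at most 30 characters long.
valid_switch_name() {
    name=$1
    case $name in
        [A-Za-z]*) ;;                   # must start with a letter
        *) return 1 ;;
    esac
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;   # reject any other character
    esac
    [ "${#name}" -le 30 ]
}

# switch_state NAME: print the current value (0 or 1). Fails if the name is
# invalid or the kernel knows no such condition (the file does not exist).
switch_state() {
    valid_switch_name "$1" || return 1
    [ -r "$NF_CONDITION_DIR/$1" ] || return 1
    cat "$NF_CONDITION_DIR/$1"
}

# set_switch NAME 0|1: turn a switch off or on. Rules whose SWITCH column
# names it become inactive/active immediately; with a leading '!' the sense
# is inverted, so one switch can swap two rule sets atomically.
set_switch() {
    valid_switch_name "$1" || return 1
    case $2 in
        0|1) ;;
        *) return 1 ;;
    esac
    [ -w "$NF_CONDITION_DIR/$1" ] || return 1
    echo "$2" > "$NF_CONDITION_DIR/$1"
}

# Example session on a live firewall (needs root; 'maint' is a made-up name):
#   set_switch maint 1      # rules with SWITCH=maint on, SWITCH=!maint off
#   switch_state maint
```

# Because switch settings survive a shorewall restart, pair any ad-hoc
# set_switch call with a SWITCH column entry of the form maint=0 so that a
# start command returns the firewall to the intended default.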
# Added in Shorewall 4.5.7.

# In the NEW section, causes the named conntrack helper to be associated with
# this connection; the contents of this column are ignored unless ACTION is
# ACCEPT*, DNAT* or REDIRECT*.

# In the RELATED section, will only match if the related connection has the
# named helper associated with it.

# The helper may be one of:

# If the HELPERS option is specified in shorewall.conf(5), then any module
# specified in this column must be listed in the HELPERS setting.
# #ACTION SOURCE DEST PROTO DEST
# DROP net:^A1,A2 fw tcp 25

# You want to generate your own rule involving iptables targets and matches
# not supported by Shorewall.

# #ACTION SOURCE DEST PROTO DEST
# INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3

# The above will generate the following iptables-restore input:

# -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3

# Note that SECCTX must be defined as a builtin action in shorewall-actions
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
# Drop packets in the INVALID state
Invalid(DROP) net $FW tcp
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW
# Permit all ICMP traffic FROM the firewall TO the net zone