« back to all changes in this revision
Viewing changes to manpages/shorewall.conf.5
- browse files at revision 67
- compare with another revision
- download diff
- download tarball
- view history from revision 67
- Committer: Package Import Robot
- Author(s): Roberto C. Sanchez
- Date: 2013-05-03 08:17:42 UTC
- mfrom: (1.3.52)
- Revision ID: package-import@ubuntu.com-20130503081742-qo8p6k2z0dnbfqo8
Tags: 4.5.16.1-1
* New Upstream Version
* debian/patches/01_debian_configuration.patch: Refreshed
* debian/patches/02_correct_dnat_snat_behavior.patch: Removed
* Update lintian overrides
* debian/patches/01_debian_configuration.patch: Refreshed
* debian/patches/02_correct_dnat_snat_behavior.patch: Removed
* Update lintian overrides
- files added:
- Macros/macro.ActiveDir
- files removed:
- .pc/02_correct_dnat_snat_behavior.patch
- .pc/02_correct_dnat_snat_behavior.patch/Perl
- .pc/02_correct_dnat_snat_behavior.patch/Perl/Shorewall
- files modified:
- .pc/01_debian_configuration.patch/configfiles/shorewall.conf
- init.fedora.sh *
added
removed
manpages/shorewall.conf.5
2
2
.\" Title: shorewall.conf
3
3
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
4
4
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
5
.\" Date: 06/28/2012
5
.\" Date: 05/01/2013
6
6
.\" Manual: [FIXME: manual]
7
7
.\" Source: [FIXME: source]
8
8
.\" Language: English
9
9
.\"
10
.TH "SHOREWALL\&.CONF" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
10
.TH "SHOREWALL\&.CONF" "5" "05/01/2013" "[FIXME: source]" "[FIXME: manual]"
11
11
.\" -----------------------------------------------------------------
12
12
.\" * Define some portability stuff
13
13
.\" -----------------------------------------------------------------
82
82
.PP
83
83
The following options may be set in shorewall\&.conf\&.
84
84
.PP
85
\fBACCEPT_DEFAULT=\fR{\fIaction\fR|\fBnone\fR}
86
.RS 4
87
.RE
88
.PP
89
\fBDROP_DEFAULT=\fR{\fIaction\fR|\fBnone\fR}
90
.RS 4
91
.RE
92
.PP
93
\fBNFQUEUE_DEFAULT=\fR{\fIaction\fR|\fBnone\fR}
94
.RS 4
95
.RE
96
.PP
97
\fBQUEUE_DEFAULT=\fR{\fIaction\fR|\fBnone\fR}
98
.RS 4
99
.RE
100
.PP
101
\fBREJECT_DEFAULT=\fR{\fIaction\fR|\fBnone\fR}
85
\fBACCEPT_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR]|\fBnone\fR}
86
.RS 4
87
.RE
88
.PP
89
\fBDROP_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR]|\fBnone\fR}
90
.RS 4
91
.RE
92
.PP
93
\fBNFQUEUE_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR]|\fBnone\fR}
94
.RS 4
95
.RE
96
.PP
97
\fBQUEUE_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR]|\fBnone\fR}
98
.RS 4
99
.RE
100
.PP
101
\fBREJECT_DEFAULT=\fR{\fIaction\fR[(\fIparameters\fR)][:\fIlevel\fR]|\fBnone\fR}
102
102
.RS 4
103
103
In earlier Shorewall versions, a "default action" for DROP and REJECT policies was specified in the file /usr/share/shorewall/actions\&.std\&.
104
104
.sp
105
To allow for default rules to be applied when USE_ACTIONS=No, the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options have been added\&.
105
In Shorewall 4\&.4\&.0, the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options were added\&.
106
106
.sp
107
107
DROP_DEFAULT describes the rules to be applied before a connection request is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be applied if a connection request is rejected by a REJECT policy\&. The other three are similar for ACCEPT, QUEUE and NFQUEUE policies\&.
108
108
.sp
109
109
The value applied to these may be:
110
.RS 4
111
a) The name of an
112
\fIaction\fR\&.
113
.RE
114
.RS 4
115
b) \fBNone\fR or \fBnone\fR
116
.RE
110
.sp
117
111
The default values are:
118
112
.RS 4
119
113
DROP_DEFAULT="Drop"
130
124
.RS 4
131
125
NFQUEUE_DEFAULT="None"
132
126
.RE
133
If USE_ACTIONS=Yes, then these values refer to action\&.Drop and action\&.Reject respectively\&. If USE_ACTIONS=No, then these values refer to macro\&.Drop and macro\&.Reject\&.
134
.sp
135
127
If you set the value of either option to "None" then no default action will be used and the default action or macro must be specified in
136
128
\m[blue]\fBshorewall\-policy\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
129
.sp
130
You can pass
131
\fIparameters\fR
132
to the specified action (e\&.g\&.,
133
\fImyaction(audit,DROP)\fR)\&.
134
.sp
135
Beginning with Shorewall 4\&.5\&.10, the action name can be followed optionally by a colon and a log
136
\fIlevel\fR\&. The level will be applied to each rule in the action or body that does not already have a log level\&.
137
137
.RE
138
138
.PP
139
139
\fBACCOUNTING=\fR[\fBYes\fR|\fBNo\fR]
215
215
\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[5]\d\s+2(5), connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed\&. If this variable is not set or is given the empty value then ADMINISABSENTMINDED=No is assumed\&.
216
216
.RE
217
217
.PP
218
\fBAUTO_COMMENT=\fR[\fBYes\fR|\fBNo\fR]
219
.RS 4
220
If set, if there is not a current comment when a macro is invoked, the behavior is as if the first line of the macro file was "COMMENT <macro name>"\&. The AUTO_COMMENT option has a default value of \*(AqYes\*(Aq\&.
218
\fBARPTABLES=\fR[\fIpathname\fR]
219
.RS 4
220
Added in Shorewall 4\&.5\&.12\&. This parameter names the arptables executable to be used by Shorewall\&. If not specified or if specified as a null value, then the arptables executable located using the PATH option is used\&.
221
.sp
222
Regardless of how the arptables utility is located (specified via arptables= or located via PATH), Shorewall uses the arptables\-restore and arptables\-save utilities from that same directory\&.
223
.RE
224
.PP
225
\fBAUTOCOMMENT=\fR[\fBYes\fR|\fBNo\fR]
226
.RS 4
227
Formerly named AUTO_COMMENT\&. If set, if there is not a current comment when a macro is invoked, the behavior is as if the first line of the macro file was "COMMENT <macro name>"\&. The AUTO_COMMENT option has a default value of \*(AqYes\*(Aq\&.
221
228
.sp
222
229
The setting of the AUTOMAKE option is ignored if the
223
230
\fBstart\fR
226
233
command includes a directory name (e\&.g\&.,\fB shorewall restart /etc/shorewall\&.new\fR)\&.
227
234
.RE
228
235
.PP
236
\fBAUTOHELPERS=\fR[\fBYes\fR|\fBNo\fR]
237
.RS 4
238
Added in Shorewall 4\&.5\&.7\&. When set to
239
\fBYes\fR
240
(the default), the generated ruleset will automatically associate helpers with applications that require them (FTP, IRC, etc\&.)\&. When configuring your firewall on systems running kernel 3\&.5 or later, it is recommended that you:
241
.sp
242
.RS 4
243
.ie n \{\
244
\h'-04' 1.\h'+01'\c
245
.\}
246
.el \{\
247
.sp -1
248
.IP " 1." 4.2
249
.\}
250
Set AUTOHELPERS=No\&.
251
.RE
252
.sp
253
.RS 4
254
.ie n \{\
255
\h'-04' 2.\h'+01'\c
256
.\}
257
.el \{\
258
.sp -1
259
.IP " 2." 4.2
260
.\}
261
Either:
262
.sp
263
.RS 4
264
.ie n \{\
265
\h'-04' 1.\h'+01'\c
266
.\}
267
.el \{\
268
.sp -1
269
.IP " 1." 4.2
270
.\}
271
Modify
272
\m[blue]\fBshorewall\-conntrack\fR\m[]\&\s-2\u[6]\d\s+2
273
(5) to only apply helpers where they are required; or
274
.RE
275
.sp
276
.RS 4
277
.ie n \{\
278
\h'-04' 2.\h'+01'\c
279
.\}
280
.el \{\
281
.sp -1
282
.IP " 2." 4.2
283
.\}
284
Specify the appropriate helper in the HELPER column in
285
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
286
(5)\&.
287
.if n \{\
288
.sp
289
.\}
290
.RS 4
291
.it 1 an-trap
292
.nr an-no-space-flag 1
293
.nr an-break-flag 1
294
.br
295
.ps +1
296
\fBNote\fR
297
.ps -1
298
.br
299
The macros for those applications requiring a helper automatically specify the appropriate HELPER where required\&.
300
.sp .5v
301
.RE
302
.RE
303
.RE
304
.RE
305
.PP
229
306
\fBAUTOMAKE=\fR[\fBYes\fR|\fBNo\fR]
230
307
.RS 4
231
308
If set, the behavior of the \*(Aqstart\*(Aq command is changed; if no files in /etc/shorewall have been changed since the last successful
239
316
command is used\&. The default is AUTOMAKE=No\&.
240
317
.RE
241
318
.PP
319
\fBBLACKLIST=\fR[{\fBALL\fR|\fB\fIstate\fR\fR\fB[,\&.\&.\&.]\fR}]
320
.RS 4
321
where state is one of NEW, ESTABLISHED, RELATED, INVALID,or UNTRACKED\&.
322
.sp
323
Added in Shorewall 4\&.5\&.13 to replace the BLACKLISTNEWONLY option below\&. Specifies the connection tracking states that are to be subject to blacklist screening\&. If neither BLACKLIST nor BLACKLISTNEWONLY are specified then the states subject to blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED\&.
324
.sp
325
ALL sends all packets through the blacklist chains\&.
326
.sp
327
Note: The ESTABLISHED state may not be specified if FASTACCEPT is specified\&.
328
.RE
329
.PP
242
330
\fBBLACKLIST_DISPOSITION=\fR[\fBDROP\fR|A_DROP|\fBREJECT|A_REJECT\fR]
243
331
.RS 4
244
332
This parameter determines the disposition of packets from blacklisted hosts\&. It may have the value DROP if the packets are to be dropped or REJECT if the packets are to be replied with an ICMP port unreachable reply or a TCP RST (tcp only)\&. If you do not assign a value or if you assign an empty value then DROP is assumed\&.
246
334
A_DROP and A_REJECT are audited versions of DROP and REJECT respectively and were added in Shorewall 4\&.4\&.20\&. They require AUDIT_TARGET in the kernel and iptables\&.
247
335
.sp
248
336
The BLACKLIST_DISPOSITION setting has no effect on entries in the BLACKLIST section of
249
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[6]\d\s+2
337
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
250
338
(5)\&. It determines the disposition of packets sent to the
251
339
\fBblacklog\fR
252
340
target of
253
\m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[7]\d\s+2(5)\&.
341
\m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[8]\d\s+2(5)\&.
254
342
.RE
255
343
.PP
256
\fBBLACKLIST_LOGLEVEL=\fR[\fIlog\-level\fR]
344
\fBBLACKLIST_LOG_LEVEL=\fR[\fIlog\-level\fR]
257
345
.RS 4
258
This parameter determines if packets from blacklisted hosts are logged and it determines the syslog level that they are to be logged at\&. Its value is a syslog level (Example: BLACKLIST_LOGLEVEL=debug)\&. If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged\&. The BLACKLIST_LOGLEVEL setting has no effect on entries in the BLACKLIST section of
259
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[6]\d\s+2
260
(5)\&. It determines the log level of packets sent to the
346
Formerly named BLACKLIST_LOGLEVEL\&. This parameter determines if packets from blacklisted hosts are logged and it determines the syslog level that they are to be logged at\&. Its value is a syslog level (Example: BLACKLIST_LOG_LEVEL=debug)\&. If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged\&. The setting determines the log level of packets sent to the
261
347
\fBblacklog\fR
262
348
target of
263
\m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[7]\d\s+2(5)\&.
349
\m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[8]\d\s+2(5)\&.
264
350
.RE
265
351
.PP
266
352
\fBBLACKLISTNEWONLY=\fR{\fBYes\fR|\fBNo\fR}
267
353
.RS 4
354
Deprecated in Shorewall 4\&.5\&.13 in favor of BLACKLIST above\&.
355
.sp
268
356
When set to
269
357
\fBYes\fR
270
358
or
271
\fByes\fR, blacklists are only consulted for new connections\&. That includes entries in the
272
\m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[8]\d\s+2
359
\fByes\fR, blacklists are only consulted for new connections and for packets in the INVALID connection state (such as TCP SYN,ACK when there has been no corresponding SYN)\&. That includes entries in the
360
\m[blue]\fBshorewall\-blrules\fR\m[]\&\s-2\u[9]\d\s+2
273
361
(5) file and in the BLACKLIST section of
274
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[6]\d\s+2
362
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
275
363
(5)\&.
276
364
.sp
277
365
When set to
295
383
.RE
296
384
.RE
297
385
.PP
386
\fBCHAIN_SCRIPTS=\fR{\fBYes\fR|\fBNo\fR}
387
.RS 4
388
Added in Shorewall 4\&.5\&.16\&. Prior to the availability of BEGIN PERL\&.\&.\&.\&.END PERL in configuration files, the only way to execute a chain\-specific script was to create a script file with the same name as the chain and place it in a directory on the CONFIG_PATH\&. That facility has the drawback that the compiler will attempt to run a non\-script file just because it has the same name as a chain\&. To disable this facility, set CHAIN_SCRIPTS=No\&. If not specified or specified as the empty value, CHAIN_SCRIPTS=Yes is assumed\&.
389
.RE
390
.PP
298
391
\fBCLAMPMSS=[\fR\fBYes\fR|\fBNo\fR|\fIvalue\fR]
299
392
.RS 4
300
393
This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and is usually required when your internet connection is through PPPoE or PPTP\&. If set to
319
412
If this option is set to
320
413
\fBNo\fR
321
414
then Shorewall won\*(Aqt clear the current traffic control rules during [re]start\&. This setting is intended for use by people who prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started\&. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file\&. That way, your traffic shaping rules can still use the \(lqfwmark\(rq classifier based on packet marking defined in
322
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. If not specified, CLEAR_TC=Yes is assumed\&.
415
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[10]\d\s+2(5)\&. If not specified, CLEAR_TC=Yes is assumed\&.
323
416
.RE
324
417
.PP
325
418
\fBCOMPLETE=\fR[\fBYes\fR|\fBNo\fR]
388
481
.RE
389
482
.sp
390
483
If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are used\&. As released from shorewall\&.net, that file sets the CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your particular distribution may set it differently\&. See the output of shorewall show config for the default on your system\&.
391
.sp
392
Note that the setting in /usr/share/shorewall/configpath is always used to locate shorewall\&.conf\&.
484
.RE
485
.PP
486
\fBDEFER_DNS_RESOLUTION=\fR[\fBYes\fR|\fBNo\fR]
487
.RS 4
488
Added in Shorewall 4\&.5\&.12\&. When set to \*(AqYes\*(Aq (the default), DNS names are validated in the compiler and then passed on to the generated script where they are resolved by iptables\-restore\&. This is an advantage if you use AUTOMAKE=Yes and the IP address associated with the DNS name is subject to change\&. When DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses by the compiler\&. This has the advantage that when AUTOMAKE=Yes, the
489
\fBstart\fR
490
and
491
\fBrestart\fR
492
commands will succeed even if no DNS server is reachable (assuming that the configuration hasn\*(Aqt changed since the compiled script was last generated)\&.
393
493
.RE
394
494
.PP
395
495
\fBDELETE_THEN_ADD=\fR{\fBYes\fR|\fBNo\fR}
417
517
\fBNo\fR
418
518
or
419
519
\fBno\fR, Shorewall will take no action with respect to allowing or disallowing IPv6 traffic\&. If not specified or empty, \(lqDISABLE_IPV6=No\(rq is assumed\&.
520
.sp
521
It is important to note that changing DISABLE_IPV6=Yes to DISABLE_IPV6=No does
522
\fInot\fR
523
enable IPV6\&. The recommended approach for enabling IPv6 on your system is:
524
.sp
525
.RS 4
526
.ie n \{\
527
\h'-04'\(bu\h'+03'\c
528
.\}
529
.el \{\
530
.sp -1
531
.IP \(bu 2.3
532
.\}
533
Install, configure and start
534
\m[blue]\fBShorewall6\fR\m[]\&\s-2\u[11]\d\s+2\&.
535
.RE
536
.sp
537
.RS 4
538
.ie n \{\
539
\h'-04'\(bu\h'+03'\c
540
.\}
541
.el \{\
542
.sp -1
543
.IP \(bu 2.3
544
.\}
545
Change DISABLE_IPV6=Yes to DISABLE_IPV6=No
546
.RE
547
.sp
548
.RS 4
549
.ie n \{\
550
\h'-04'\(bu\h'+03'\c
551
.\}
552
.el \{\
553
.sp -1
554
.IP \(bu 2.3
555
.\}
556
Restart Shorewall
557
.RE
420
558
.RE
421
559
.PP
422
560
\fBDONT_LOAD=\fR[\fImodule\fR[,\fImodule\fR]\&.\&.\&.]
488
626
Normally, Shorewall defers accepting ESTABLISHED/RELATED packets until these packets reach the chain in which the original connection was accepted\&. So for packets going from the \*(Aqloc\*(Aq zone to the \*(Aqnet\*(Aq zone, ESTABLISHED/RELATED packets are ACCEPTED in the \*(Aqloc2net\*(Aq chain\&.
489
627
.sp
490
628
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains\&. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of
491
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[6]\d\s+2(5)\&.
629
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2(5)\&.
492
630
.if n \{\
493
631
.sp
494
632
.\}
516
654
Added in Shorewall 4\&.5\&.4\&. Specifies the pathname of the directory containing the
517
655
GeoIP Match
518
656
database\&. See
519
\m[blue]\fBhttp://www\&.shorewall\&.net/ISOCODES\&.html\fR\m[]\&. If not specified, the default value is
657
\m[blue]\fBhttp://www\&.shorewall\&.net/ISO\-3661\&.html\fR\m[]\&. If not specified, the default value is
520
658
/usr/share/xt_geoip/LE
521
659
which is the default location of the little\-endian database\&.
522
660
.RE
523
661
.PP
662
\fBHELPERS\fR=[\fIhelper\fR[,\fIhelper\fR\&.\&.\&.]]
663
.RS 4
664
Added in Shorewall 4\&.5\&.7\&. This option lists the Netfilter application helps that are to be enabled\&. If not specified, the default is to enable all helpers\&.
665
.sp
666
Possible values for
667
\fIhelper\fR
668
are:
669
.sp
670
.RS 4
671
.ie n \{\
672
\h'-04'\(bu\h'+03'\c
673
.\}
674
.el \{\
675
.sp -1
676
.IP \(bu 2.3
677
.\}
678
\fBamanda\fR
679
.RE
680
.sp
681
.RS 4
682
.ie n \{\
683
\h'-04'\(bu\h'+03'\c
684
.\}
685
.el \{\
686
.sp -1
687
.IP \(bu 2.3
688
.\}
689
\fBftp\fR
690
.RE
691
.sp
692
.RS 4
693
.ie n \{\
694
\h'-04'\(bu\h'+03'\c
695
.\}
696
.el \{\
697
.sp -1
698
.IP \(bu 2.3
699
.\}
700
\fBh323\fR
701
.RE
702
.sp
703
.RS 4
704
.ie n \{\
705
\h'-04'\(bu\h'+03'\c
706
.\}
707
.el \{\
708
.sp -1
709
.IP \(bu 2.3
710
.\}
711
\fBirc\fR
712
.RE
713
.sp
714
.RS 4
715
.ie n \{\
716
\h'-04'\(bu\h'+03'\c
717
.\}
718
.el \{\
719
.sp -1
720
.IP \(bu 2.3
721
.\}
722
\fBnetbios\-ns\fR
723
.RE
724
.sp
725
.RS 4
726
.ie n \{\
727
\h'-04'\(bu\h'+03'\c
728
.\}
729
.el \{\
730
.sp -1
731
.IP \(bu 2.3
732
.\}
733
\fBnone\fR
734
\- This special value was added in Shorewall 4\&.5\&.16 and indicates that no helpers are to be enabled\&. It also prevents the compiler for probing for helper support; such probing generates messages on the system log of the form "xt_CT: No such helper XXX" where XXX is the helper name\&. When used,
735
\fBnone\fR
736
must be the only helper specified\&.
737
.RE
738
.sp
739
.RS 4
740
.ie n \{\
741
\h'-04'\(bu\h'+03'\c
742
.\}
743
.el \{\
744
.sp -1
745
.IP \(bu 2.3
746
.\}
747
\fBpptp\fR
748
.RE
749
.sp
750
.RS 4
751
.ie n \{\
752
\h'-04'\(bu\h'+03'\c
753
.\}
754
.el \{\
755
.sp -1
756
.IP \(bu 2.3
757
.\}
758
\fBsane\fR
759
.RE
760
.sp
761
.RS 4
762
.ie n \{\
763
\h'-04'\(bu\h'+03'\c
764
.\}
765
.el \{\
766
.sp -1
767
.IP \(bu 2.3
768
.\}
769
\fBsip\fR
770
.RE
771
.sp
772
.RS 4
773
.ie n \{\
774
\h'-04'\(bu\h'+03'\c
775
.\}
776
.el \{\
777
.sp -1
778
.IP \(bu 2.3
779
.\}
780
\fBsnmp\fR
781
.RE
782
.sp
783
.RS 4
784
.ie n \{\
785
\h'-04'\(bu\h'+03'\c
786
.\}
787
.el \{\
788
.sp -1
789
.IP \(bu 2.3
790
.\}
791
\fBtftp\fR
792
.RE
793
.sp
794
When HELPERS is specified on a system running Kernel 3\&.5\&.0 or later, automatic association of helpers to connections is disabled\&.
795
.RE
796
.PP
524
797
\fBHIGH_ROUTE_MARKS=\fR{\fBYes\fR|\fBNo\fR}
525
798
.RS 4
526
799
Deprecated in Shorewall 4\&.4\&.26 in favor of PROVIDER_OFFSET\&.
527
800
.sp
528
801
Prior to version 3\&.2\&.0, it was not possible to use connection marking in
529
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[9]\d\s+2(5) if you had a multi\-ISP configuration that uses the track option\&.
802
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[10]\d\s+2(5) if you had a multi\-ISP configuration that uses the track option\&.
530
803
.sp
531
804
You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and connection mark into two mark fields\&.
532
805
.sp
603
876
Regardless of the setting of WIDE_TC_MARKS, when you SAVE or RESTORE in tcrules, only the TC mark value is saved or restored\&. Shorewall handles saving and restoring the routing (provider) marks\&.
604
877
.RE
605
878
.PP
879
\fBIGNOREUNKNOWNVARIABLES=\fR[\fBYes\fR|\fBNo\fR]
880
.RS 4
881
Added in Shorewall 4\&.5\&.11\&. Normally, if an unknown shell variable is encountered in a configuration file (except in ?IF and ?ELSIF directives), the compiler raises a fatal error\&. If IGNOREUNKNOWNVARIABLES is set to
882
\fBYes\fR, then such variables simply expand to an empty string\&. Default is
883
\fBNo\fR\&.
884
.RE
885
.PP
606
886
\fBIMPLICIT_CONTINUE=\fR{\fBYes\fR|\fBNo\fR}
607
887
.RS 4
608
888
When this option is set to
609
889
\fBYes\fR, it causes subzones to be treated differently with respect to policies\&.
610
890
.sp
611
891
Subzones are defined by following their name with ":" and a list of parent zones (in
612
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[10]\d\s+2(5))\&. Normally, you want to have a set of special rules for the subzone and if a connection doesn\*(Aqt match any of those subzone\-specific rules then you want the parent zone rules and policies to be applied; see
613
\m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[11]\d\s+2(5)\&. With IMPLICIT_CONTINUE=Yes, that happens automatically\&.
892
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[12]\d\s+2(5))\&. Normally, you want to have a set of special rules for the subzone and if a connection doesn\*(Aqt match any of those subzone\-specific rules then you want the parent zone rules and policies to be applied; see
893
\m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[13]\d\s+2(5)\&. With IMPLICIT_CONTINUE=Yes, that happens automatically\&.
614
894
.sp
615
895
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones are not subject to this special treatment\&. With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden by including an explicit policy (one that does not specify "all" in either the SOURCE or the DEST columns)\&.
616
896
.RE
617
897
.PP
898
\fBINVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]\fR
899
.RS 4
900
Added in Shorewall 4\&.5\&.13\&. Shorewall has traditionally passed INVALID packets through the NEW section of
901
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
902
(5)\&. When a packet in INVALID state fails to match any rule in the INVALID section, the packet is disposed of based on this setting\&. The default value is CONTINUE for compatibility with earlier versions\&.
903
.RE
904
.PP
905
\fBINVALID_LOG_LEVEL=\fR\fIlog\-level\fR
906
.RS 4
907
Added in Shorewall 4\&.5\&.13\&. Packets in the INVALID state that do not match any rule in the INVALID section of
908
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[14]\d\s+2
909
(5) are logged at this level\&. The default value is empty which means no logging is performed\&.
910
.RE
911
.PP
618
912
\fBIP\fR=[\fIpathname\fR]
619
913
.RS 4
620
914
If specified, gives the pathname of the \*(Aqip\*(Aq executable\&. If not specified, \*(Aqip\*(Aq is assumed and the utility will be located using the current PATH setting\&.
645
939
.PP
646
940
\fBIPSECFILE=zones\fR
647
941
.RS 4
648
This option indicates that zone\-related ipsec information is found in the zones file (\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[10]\d\s+2(5))\&. The option indicates to the compiler that this is not a legacy configuration where the ipsec information was contained in a separate file\&. The value of this option must not be changed and the option must not be deleted\&.
942
This option indicates that zone\-related ipsec information is found in the zones file (\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[12]\d\s+2(5))\&. The option indicates to the compiler that this is not a legacy configuration where the ipsec information was contained in a separate file\&. The value of this option must not be changed and the option must not be deleted\&.
649
943
.RE
650
944
.PP
651
945
\fBIPSET\fR=[\fIpathname\fR]
684
978
.RS 4
685
979
This parameter names the iptables executable to be used by Shorewall\&. If not specified or if specified as a null value, then the iptables executable located using the PATH option is used\&.
686
980
.sp
687
Regardless of how the IPTABLES utility is located (specified via IPTABLES= or located via PATH), Shorewall uses the iptables\-restore and iptables\-save utilities from that same directory\&.
981
Regardless of how the iptables utility is located (specified via IPTABLES= or located via PATH), Shorewall uses the iptables\-restore and iptables\-save utilities from that same directory\&.
688
982
.RE
689
983
.PP
690
984
\fBKEEP_RT_TABLES=\fR{\fBYes\fR|\fBNo\fR}
742
1036
which sets both of the above to one\&. If you do not enable martian logging for all interfaces, you may still enable it for individual interfaces using the
743
1037
\fBlogmartians\fR
744
1038
interface option in
745
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)\&.
1039
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)\&.
746
1040
.sp
747
1041
The value
748
1042
\fBKeep\fR
749
1043
causes Shorewall to ignore the option\&. If the option is set to
750
1044
\fBYes\fR, then martians are logged on all interfaces\&. If the option is set to
751
1045
\fBNo\fR, then martian logging is disabled on all interfaces except those specified in
752
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)\&.
1046
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)\&.
753
1047
.RE
754
1048
.PP
755
1049
\fBLOG_VERBOSITY=\fR[\fInumber\fR]
883
1177
.ps -1
884
1178
.br
885
1179
The setting of LOGFORMAT has an effect of the permitted length of zone names\&. See
886
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[10]\d\s+2
1180
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[12]\d\s+2
887
1181
(5)\&.
888
1182
.sp .5v
889
1183
.RE
930
1224
\fBLOGTAGONLY=\fR[\fBYes\fR|\fBNo\fR]
931
1225
.RS 4
932
1226
Using the default LOGFORMAT, chain names may not exceed 11 characters or truncation of the log prefix may occur\&. Longer chain names may be used with log tags if you set LOGTAGONLY=Yes\&. With LOGTAGONLY=Yes, if a log tag is specified then the tag is included in the log prefix in place of the chain name\&.
1227
.sp
1228
Beginning with Shorewall 4\&.5\&.12, when LOGTAGONLY=Yes, you have more control over the generated log prefix\&. Beginning with that release, the tag is interpreted as a
1229
\fIchain name\fR
1230
and a
1231
\fIdisposition\fR
1232
separated by a comma\&. So this rule:
1233
.sp
1234
.if n \{\
1235
.RS 4
1236
.\}
1237
.nf
1238
#ACTION SOURCE DEST
1239
LOG:info:foo,bar net fw
1240
.fi
1241
.if n \{\
1242
.RE
1243
.\}
1244
.sp
1245
would generate the following log prefix when using the default LOGFORMAT setting:
1246
.RS 4
1247
Shorewall:foo:bar:
1248
.RE
1249
Similarly,
1250
.sp
1251
.if n \{\
1252
.RS 4
1253
.\}
1254
.nf
1255
#ACTION SOURCE DEST
1256
LOG:info:,bar net fw
1257
.fi
1258
.if n \{\
1259
.RE
1260
.\}
1261
.sp
1262
would generate
1263
.RS 4
1264
Shorewall:net2fw:bar:
1265
.RE
933
1266
.RE
934
1267
.PP
935
1268
\fBMACLIST_DISPOSITION=\fR[\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT]
954
1287
\fBMACLIST_TTL=[\fR\fInumber\fR]
955
1288
.RS 4
956
1289
The performance of configurations with a large numbers of entries in
957
\m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[13]\d\s+2(5) can be improved by setting the MACLIST_TTL variable in
958
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[14]\d\s+2(5)\&.
1290
\m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[16]\d\s+2(5) can be improved by setting the MACLIST_TTL variable in
1291
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[17]\d\s+2(5)\&.
959
1292
.sp
960
1293
If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" near the top), you can cache the results of a \*(Aqmaclist\*(Aq file lookup and thus reduce the overhead associated with MAC Verification\&.
961
1294
.sp
962
1295
When a new connection arrives from a \*(Aqmaclist\*(Aq interface, the packet passes through then list of entries for that interface in
963
\m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[13]\d\s+2(5)\&. If there is a match then the source IP address is added to the \*(AqRecent\*(Aq set for that interface\&. Subsequent connection attempts from that IP address occurring within $MACLIST_TTL seconds will be accepted without having to scan all of the entries\&. After $MACLIST_TTL from the first accepted connection request from an IP address, the next connection request from that IP address will be checked against the entire list\&.
1296
\m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[16]\d\s+2(5)\&. If there is a match then the source IP address is added to the \*(AqRecent\*(Aq set for that interface\&. Subsequent connection attempts from that IP address occurring within $MACLIST_TTL seconds will be accepted without having to scan all of the entries\&. After $MACLIST_TTL from the first accepted connection request from an IP address, the next connection request from that IP address will be checked against the entire list\&.
964
1297
.sp
965
1298
If MACLIST_TTL is not specified or is specified as empty (e\&.g, MACLIST_TTL="" or is specified as zero then \*(Aqmaclist\*(Aq lookups will not be cached)\&.
966
1299
.RE
1077
1410
command\&.
1078
1411
.RE
1079
1412
.PP
1080
\fBNULL_ROUTE_RFC1918=\fR[\fBYes\fR|\fBNo\fR]
1413
\fBNFACCT=\fR[\fIpathname\fR]
1414
.RS 4
1415
Added in Shorewall 4\&.5\&.7\&. Specifies the pathname of the nfacct utiliity\&. If not specified, Shorewall will use the PATH settting to find the program\&.
1416
.RE
1417
.PP
1418
\fBNULL_ROUTE_RFC1918=\fR[\fBYes\fR|\fBNo\fR|\fBblackhole\fR|\fBunreachable\fR|\fBprohibit\fR]
1081
1419
.RS 4
1082
1420
When set to Yes, causes Shorewall to null\-route the IPv4 address ranges reserved by RFC1918\&. The default value is \*(AqNo\*(Aq\&.
1083
1421
.sp
1084
1422
When combined with route filtering (ROUTE_FILTER=Yes or
1085
1423
\fBroutefilter\fR
1086
1424
in
1087
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)), this option ensures that packets with an RFC1918 source address are only accepted from interfaces having known routes to networks using such addresses\&.
1425
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)), this option ensures that packets with an RFC1918 source address are only accepted from interfaces having known routes to networks using such addresses\&.
1426
.sp
1427
Beginning with Shorewall 4\&.5\&.15, you may specify
1428
\fBblackhole\fR,
1429
\fBunreachable\fR
1430
or
1431
\fBprohibit\fR
1432
to set the type of route to be created\&. See
1433
\m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html#null_routing\fR\m[]\&.
1088
1434
.RE
1089
1435
.PP
1090
1436
\fBOPTIMIZE=\fR[\fIvalue\fR]
1102
1448
.IP \(bu 2.3
1103
1449
.\}
1104
1450
Optimization category 1 \- Traditionally, Shorewall has created rules for
1105
\m[blue]\fBthe complete matrix of host groups defined by the zones, interfaces and hosts files\fR\m[]\&\s-2\u[15]\d\s+2\&. Any traffic that didn\*(Aqt correspond to an element of that matrix was rejected in one of the built\-in chains\&. When the matrix is sparse, this results in lots of largely useless rules\&.
1451
\m[blue]\fBthe complete matrix of host groups defined by the zones, interfaces and hosts files\fR\m[]\&\s-2\u[18]\d\s+2\&. Any traffic that didn\*(Aqt correspond to an element of that matrix was rejected in one of the built\-in chains\&. When the matrix is sparse, this results in lots of largely useless rules\&.
1106
1452
.sp
1107
1453
These extra rules can be eliminated by setting the 1 bit in OPTIMIZE\&.
1108
1454
.sp
1312
1658
.RE
1313
1659
.sp
1314
1660
When either of these limits would be exceeded, the current combined rule is emitted and the compiler attemts to combine rules beginning with the one that would have exceeded the limit\&. Adjacent combined comments are separated by \*(Aq, \*(Aq\&. Empty comments at the front of a group of combined comments are replaced by \*(AqOthers and\*(Aq\&. Empty comments at the end of a group of combined comments are replaced by \*(Aqand others\*(Aq\&.
1661
.sp
1662
Beginning in Shorewall 4\&.5\&.10, this option also suppresses duplicate adjacent rules and duplicate non\-adjacent rules that don\*(Aqt include
1663
\fBmark\fR,
1664
\fBconnmark\fR,
1665
\fBdscp\fR,
1666
\fBecn\fR,
1667
\fBset\fR,
1668
\fBtos\fR
1669
or
1670
\fBu32\fR
1671
matches\&.
1315
1672
.PP
1316
1673
Example 1:
1317
1674
.RS 4
1406
1763
.RE
1407
1764
.RE
1408
1765
.PP
1409
\fBRELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]\fR
1766
\fBRELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]\fR
1410
1767
.RS 4
1411
1768
Added in Shorewall 4\&.4\&.27\&. Shorewall has traditionally ACCEPTed RELATED packets that don\*(Aqt match any rule in the RELATED section of
1412
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[16]\d\s+2
1769
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
1413
1770
(5)\&. Concern about the safety of this practice resulted in the addition of this option\&. When a packet in RELATED state fails to match any rule in the RELATED section, the packet is disposed of based on this setting\&. The default value is ACCEPT for compatibility with earlier versions\&.
1414
1771
.RE
1415
1772
.PP
1416
1773
\fBRELATED_LOG_LEVEL=\fR\fIlog\-level\fR
1417
1774
.RS 4
1418
1775
Added in Shorewall 4\&.4\&.27\&. Packets in the related state that do not match any rule in the RELATED section of
1419
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[16]\d\s+2
1776
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
1420
1777
(5) are logged at this level\&. The default value is empty which means no logging is performed\&.
1421
1778
.RE
1422
1779
.PP
1423
1780
\fBREQUIRE_INTERFACE=\fR[\fBYes\fR|\fBNo\fR]
1424
1781
.RS 4
1425
1782
Added in Shorewall 4\&.4\&.10\&. The default is No\&. If set to Yes, at least one optional interface must be up in order for the firewall to be in the started state\&. Intended to be used with the
1426
\m[blue]\fBShorewall Init Package\fR\m[]\&\s-2\u[17]\d\s+2\&.
1783
\m[blue]\fBShorewall Init Package\fR\m[]\&\s-2\u[19]\d\s+2\&.
1427
1784
.RE
1428
1785
.PP
1429
1786
\fBRESTORE_DEFAULT_ROUTE=\fR[\fBYes\fR|\fBNo\fR]
1435
1792
RESTORE_DEFAULT_ROUTE=No is appropriate when you don\*(Aqt want a default route in the main table (USE_DEFAULT_RT=No) or in the default table (USE_DEFAULT_RT=Yes) when there are no balance providers available\&. In that case, RESTORE_DEFAULT_ROUTE=No will cause any default route in the relevant table to be deleted\&.
1436
1793
.RE
1437
1794
.PP
1795
\fBRESTORE_ROUTEMARKS=\fR[\fBYes\fR|\fBNo\fR]
1796
.RS 4
1797
Added in Shorewall 4\&.5\&.9\&. When set to
1798
\fBYes\fR
1799
(the default), provider marks are restored unconditionally at the top of the mangle OUTPUT and PREROUTING chains, even if the saved mark is zero\&. When this option is set to
1800
\fBNo\fR, the mark is restored even when it is zero\&. If you have problems with IPSEC ESP packets not being routed correctly on output, try setting this option to
1801
\fBNo\fR\&.
1802
.RE
1803
.PP
1438
1804
\fBRESTOREFILE=\fR\fIfilename\fR
1439
1805
.RS 4
1440
1806
Specifies the simple name of a file in /var/lib/shorewall to be used as the default restore script in the
1472
1838
causes Shorewall to ignore the option\&. If the option is set to
1473
1839
\fBYes\fR, then route filtering occurs on all interfaces\&. If the option is set to
1474
1840
\fBNo\fR, then route filtering is disabled on all interfaces except those specified in
1475
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)\&.
1841
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)\&.
1842
.RE
1843
.PP
1844
\fBRPFILTER_DISPOSITION=\fR[\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT]
1845
.RS 4
1846
Added in Shorewall 4\&.5\&.7\&. Determines the disposition of packets entering from interfaces the
1847
\fBrpfilter\fR
1848
option (see
1849
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5))\&. Packets disposed of by this option are those whose response packets would not be sent through the same interface receiving the packet\&.
1850
.RE
1851
.PP
1852
\fBRPFILTER_LOG_LEVEL=\fR\fIlog\-level\fR
1853
.RS 4
1854
Added in shorewall 4\&.5\&.7\&. Determines the logging of packets disposed via the RPFILTER_DISPOSITION\&. The default value is
1855
\fBinfo\fR\&.
1856
.RE
1857
.PP
1858
\fBSAVE_ARPTABLES=\fR{\fBYes\fR|\fBNo\fR}
1859
.RS 4
1860
Added in Shorewall 4\&.5\&.12\&. If SAVE_ARPTABLES=Yes, then the current arptables contents will be saved by
1861
\fBshorewall save\fR
1862
command and restored by
1863
\fBshorewall restore\fR
1864
command\&. Default value is No\&.
1476
1865
.RE
1477
1866
.PP
1478
1867
\fBSAVE_IPSETS=\fR{\fBYes\fR|\fBNo\fR}
1491
1880
\fBSFILTER_DISPOSITION=\fR[\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT]
1492
1881
.RS 4
1493
1882
Added in Shorewall 4\&.4\&.20\&. Determines the disposition of packets matching the
1494
\fBfilter\fR
1883
\fBsfilter\fR
1495
1884
option (see
1496
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)) and of
1885
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)) and of
1497
1886
hairpin
1498
1887
packets on interfaces without the
1499
1888
\fBrouteback\fR
1500
option\&.\&\s-2\u[18]\d\s+2
1889
option\&.\&\s-2\u[20]\d\s+2
1501
1890
interfaces without the routeback option\&.
1502
1891
.RE
1503
1892
.PP
1504
1893
\fBSFILTER_LOG_LEVEL=\fR\fIlog\-level\fR
1505
1894
.RS 4
1506
1895
Added on Shorewall 4\&.4\&.20\&. Determines the logging of packets matching the
1507
\fBfilter\fR
1896
\fBsfilter\fR
1508
1897
option (see
1509
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)) and of
1898
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)) and of
1510
1899
hairpin
1511
1900
packets on interfaces without the
1512
1901
\fBrouteback\fR
1513
option\&.\&\s-2\u[19]\d\s+2
1902
option\&.\&\s-2\u[21]\d\s+2
1514
1903
interfaces without the routeback option\&. The default is
1515
1904
\fBinfo\fR\&. If you don\*(Aqt wish for these packets to be logged, use SFILTER_LOG_LEVEL=none\&.
1516
1905
.RE
1523
1912
\fBSMURF_DISPOSITION=\fR[\fBDROP\fR|A_DROP]
1524
1913
.RS 4
1525
1914
Added in Shorewall 4\&.4\&.20\&. The default setting is DROP which causes smurf packets (see the nosmurfs option in
1526
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)) to be dropped\&. A_DROP causes the packets to be audited prior to being dropped and requires AUDIT_TARGET support in the kernel and iptables\&.
1915
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)) to be dropped\&. A_DROP causes the packets to be audited prior to being dropped and requires AUDIT_TARGET support in the kernel and iptables\&.
1527
1916
.RE
1528
1917
.PP
1529
1918
\fBSMURF_LOG_LEVEL=\fR[\fIlog\-level\fR]
1530
1919
.RS 4
1531
1920
Specifies the logging level for smurf packets (see the nosmurfs option in
1532
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5))\&. If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged\&.
1921
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5))\&. If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged\&.
1533
1922
.RE
1534
1923
.PP
1535
1924
\fBSTARTUP_ENABLED=\fR{\fBYes\fR|\fBNo\fR}
1583
1972
then traffic shaping is not enabled\&.
1584
1973
.sp
1585
1974
If you set TC_ENABLED=Simple (Shorewall 4\&.4\&.6 and later), simple traffic shaping using
1586
\m[blue]\fBshorewall\-tcinterfaces\fR\m[]\&\s-2\u[20]\d\s+2(5) and
1587
\m[blue]\fBshorewall\-tcpri\fR\m[]\&\s-2\u[21]\d\s+2(5) is enabled\&.
1975
\m[blue]\fBshorewall\-tcinterfaces\fR\m[]\&\s-2\u[22]\d\s+2(5) and
1976
\m[blue]\fBshorewall\-tcpri\fR\m[]\&\s-2\u[23]\d\s+2(5) is enabled\&.
1588
1977
.sp
1589
1978
If you set TC_ENABLED=Internal or internal or leave the option empty then Shorewall will use its builtin traffic shaper (tc4shorewall written by Arne Bernin\&.
1590
1979
.sp
1594
1983
\fBTC_EXPERT=\fR{\fBYes\fR|\fBNo\fR}
1595
1984
.RS 4
1596
1985
Normally, Shorewall tries to protect users from themselves by preventing PREROUTING and OUTPUT tcrules from being applied to packets that have been marked by the \*(Aqtrack\*(Aq option in
1597
\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[22]\d\s+2(5)\&.
1986
\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[24]\d\s+2(5)\&.
1598
1987
.sp
1599
1988
If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall will not include these cautionary checks\&.
1600
1989
.RE
1602
1991
\fBTC_PRIOMAP\fR=\fImap\fR
1603
1992
.RS 4
1604
1993
Added in Shorewall 4\&.4\&.6\&. Determines the mapping of a packet\*(Aqs TOS field to priority bands\&. See
1605
\m[blue]\fBshorewall\-tcpri\fR\m[]\&\s-2\u[21]\d\s+2(5)\&. The
1994
\m[blue]\fBshorewall\-tcpri\fR\m[]\&\s-2\u[23]\d\s+2(5)\&. The
1606
1995
\fImap\fR
1607
1996
consists of 16 space\-separated digits with values 1, 2 or 3\&. A value of 1 corresponds to Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2\&. The first entry gives the priority of TOS value 0, the second of TOS value 1, and so on\&. See tc\-prio(8) for additional information\&.
1608
1997
.sp
1614
2003
Determines the disposition of TCP packets that fail the checks enabled by the
1615
2004
\fBtcpflags\fR
1616
2005
interface option (see
1617
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[12]\d\s+2(5)) and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet)\&. If not set or if set to the empty value (e\&.g\&., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed\&.
2006
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)) and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet)\&. If not set or if set to the empty value (e\&.g\&., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed\&.
1618
2007
.sp
1619
2008
A_DROP and A_REJECT are audited versions of DROP and REJECT respectively and were added in Shorewall 4\&.4\&.20\&. They require AUDIT_TARGET in the kernel and iptables\&.
1620
2009
.RE
1629
2018
Added in Shorewall 4\&.4\&.3\&. When set to Yes, causes the
1630
2019
\fBtrack\fR
1631
2020
option to be assumed on all providers defined in
1632
\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[22]\d\s+2(5)\&. May be overridden on an individual provider through use of the
2021
\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[24]\d\s+2(5)\&. May be overridden on an individual provider through use of the
1633
2022
\fBnotrack\fR
1634
2023
option\&. The default value is \*(AqNo\*(Aq\&.
1635
2024
.sp
1636
2025
Beginning in Shorewall 4\&.4\&.6, setting this option to \*(AqYes\*(Aq also simplifies PREROUTING rules in
1637
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. Previously, when TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq provider interfaces were unconditionally passed to the PREROUTING tcrules\&. This was done so that tcrules could reset the packet mark to zero, thus allowing the packet to be routed using the \*(Aqmain\*(Aq routing table\&. Using the main table allowed dynamic routes (such as those added for VPNs) to be effective\&. The rtrules file was created to provide a better alternative to clearing the packet mark\&. As a consequence, passing these packets to PREROUTING complicates things without providing any real benefit\&. Beginning with Shorewall 4\&.4\&.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq interfaces will not be passed to the PREROUTING rules\&. Since TRACK_PROVIDERS was just introduced in 4\&.4\&.3, this change should be transparent to most, if not all, users\&.
2026
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[10]\d\s+2(5)\&. Previously, when TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq provider interfaces were unconditionally passed to the PREROUTING tcrules\&. This was done so that tcrules could reset the packet mark to zero, thus allowing the packet to be routed using the \*(Aqmain\*(Aq routing table\&. Using the main table allowed dynamic routes (such as those added for VPNs) to be effective\&. The rtrules file was created to provide a better alternative to clearing the packet mark\&. As a consequence, passing these packets to PREROUTING complicates things without providing any real benefit\&. Beginning with Shorewall 4\&.4\&.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq interfaces will not be passed to the PREROUTING rules\&. Since TRACK_PROVIDERS was just introduced in 4\&.4\&.3, this change should be transparent to most, if not all, users\&.
2027
.RE
2028
.PP
2029
\fBUNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]\fR
2030
.RS 4
2031
Added in Shorewall 4\&.5\&.13\&. Shorewall has traditionally passed UNTRACKED packets through the NEW section of
2032
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
2033
(5)\&. When a packet in UNTRACKED state fails to match any rule in the UNTRACKED section, the packet is disposed of based on this setting\&. The default value is CONTINUE for compatibility with earlier versions\&.
2034
.RE
2035
.PP
2036
\fBUNTRACKED_LOG_LEVEL=\fR\fIlog\-level\fR
2037
.RS 4
2038
Added in Shorewall 4\&.5\&.13\&. Packets in the UNTRACKED state that do not match any rule in the UNTRACKED section of
2039
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2
2040
(5) are logged at this level\&. The default value is empty which means no logging is performed\&.
1638
2041
.RE
1639
2042
.PP
1640
2043
\fBUSE_DEFAULT_RT=\fR[\fBYes\fR|\fBNo\fR]
1652
2055
.IP " 1." 4.2
1653
2056
.\}
1654
2057
Both the DUPLICATE and the COPY columns in
1655
\m[blue]\fBproviders\fR\m[]\&\s-2\u[22]\d\s+2(5) file must remain empty (or contain "\-")\&.
2058
\m[blue]\fBproviders\fR\m[]\&\s-2\u[24]\d\s+2(5) file must remain empty (or contain "\-")\&.
1656
2059
.RE
1657
2060
.sp
1658
2061
.RS 4
1689
2092
.IP " 4." 4.2
1690
2093
.\}
1691
2094
Packets are sent through the main routing table by a rule with priority 999\&. In
1692
\m[blue]\fBrouting_rules\fR\m[]\&\s-2\u[23]\d\s+2(5), the range 1\-998 may be used for inserting rules that bypass the main table\&.
2095
\m[blue]\fBrouting_rules\fR\m[]\&\s-2\u[25]\d\s+2(5), the range 1\-998 may be used for inserting rules that bypass the main table\&.
1693
2096
.RE
1694
2097
.sp
1695
2098
.RS 4
1739
2142
Added in Shorewall 4\&.4\&.27\&. Normally, when Shorewall creates a Netfilter chain that relates to an interface, it uses the interfaces\*(Aqs logical name as the base of the chain name\&. For example, if the logical name for an interface is OAKLAND, then the input chain for traffic arriving on that interface would be \*(AqOAKLAND_in\*(Aq\&. If this option is set to Yes, then the physical name of the interface will be used the base of the chain name\&.
1740
2143
.RE
1741
2144
.PP
2145
\fBUSE_RT_NAMES=\fR[\fBYes\fR|\fBNo\fR]
2146
.RS 4
2147
Added in Shorewall 4\&.5\&.15\&. When set to \*(AqYes\*(Aq, Shorewall will use routing table (provider) names in the generated script rather than table numbers\&. When set to \*(AqNo\*(Aq (the default), routing table numbers will be used\&.
2148
.if n \{\
2149
.sp
2150
.\}
2151
.RS 4
2152
.it 1 an-trap
2153
.nr an-no-space-flag 1
2154
.nr an-break-flag 1
2155
.br
2156
.ps +1
2157
\fBCaution\fR
2158
.ps -1
2159
.br
2160
If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must insure that all of your providers have entries in /etc/iproute2/rt_tables as well as the following entries:
2161
.RS 4
2162
255 local
2163
.RE
2164
.RS 4
2165
254 main
2166
.RE
2167
.RS 4
2168
253 default
2169
.RE
2170
.RS 4
2171
250 balance
2172
.RE
2173
.RS 4
2174
0 unspec
2175
.RE
2176
Without these entries, the firewall will fail to start\&.
2177
.sp .5v
2178
.RE
2179
.RE
2180
.PP
1742
2181
\fBVERBOSITY=\fR[\fInumber\fR]
1743
2182
.RS 4
1744
2183
Shorewall has traditionally been very noisy (produced lots of output)\&. You may set the default level of verbosity using the VERBOSITY OPTION\&.
1758
2197
If not specified, then 2 is assumed\&.
1759
2198
.RE
1760
2199
.PP
2200
\fBWARNOLDCAPVERSION=\fR[\fBYes\fR|\fBNo\fR]
2201
.RS 4
2202
Added in Shorewall 4\&.5\&.12\&. When set to
2203
\fBYes\fR
2204
(the default), the compiler issues a warning when it finds a capabilities file that doesn\*(Aqt specify all of the capabilities supported by the compiler\&. When WARNOLDCAPVERSION is set to
2205
\fBNo\fR, no warning is issued\&.
2206
.RE
2207
.PP
1761
2208
\fBWIDE_TC_MARKS=\fR{\fBYes\fR|\fBNo\fR}
1762
2209
.RS 4
1763
2210
Deprecated in Shorewall 4\&.4\&.26 in favor of TC_BITS and MASK_BITS\&.
1807
2254
\%http://www.shorewall.net/manpages/shorewall-routestopped.html
1808
2255
.RE
1809
2256
.IP " 6." 4
2257
shorewall-conntrack
2258
.RS 4
2259
\%http://www.shorewall.net/manpages/shorewall-conntrack.html
2260
.RE
2261
.IP " 7." 4
1810
2262
shorewall-rules
1811
2263
.RS 4
1812
2264
\%http://www.shorewall.net/manpages/shorewall-rules.html
1813
2265
.RE
1814
.IP " 7." 4
2266
.IP " 8." 4
1815
2267
shorewall-blrules
1816
2268
.RS 4
1817
2269
\%http://www.shorewall.net/manpages/shorewall-blrules.html
1818
2270
.RE
1819
.IP " 8." 4
2271
.IP " 9." 4
1820
2272
shorewall-blrules
1821
2273
.RS 4
1822
2274
\%http://www.shorewall.net/manpages/???
1823
2275
.RE
1824
.IP " 9." 4
2276
.IP "10." 4
1825
2277
shorewall-tcrules
1826
2278
.RS 4
1827
2279
\%http://www.shorewall.net/manpages/shorewall-tcrules.html
1828
2280
.RE
1829
.IP "10." 4
2281
.IP "11." 4
2282
Shorewall6
2283
.RS 4
2284
\%http://www.shorewall.net/manpages/../IPv6Support.html
2285
.RE
2286
.IP "12." 4
1830
2287
shorewall-zones
1831
2288
.RS 4
1832
2289
\%http://www.shorewall.net/manpages/shorewall-zones.html
1833
2290
.RE
1834
.IP "11." 4
2291
.IP "13." 4
1835
2292
shorewall-nesting
1836
2293
.RS 4
1837
2294
\%http://www.shorewall.net/manpages/shorewall-nesting.html
1838
2295
.RE
1839
.IP "12." 4
2296
.IP "14." 4
2297
shorewall-rules
2298
.RS 4
2299
\%http://www.shorewall.net/manpages/manpages/shorewall-rules.html
2300
.RE
2301
.IP "15." 4
1840
2302
shorewall-interfaces
1841
2303
.RS 4
1842
2304
\%http://www.shorewall.net/manpages/shorewall-interfaces.html
1843
2305
.RE
1844
.IP "13." 4
2306
.IP "16." 4
1845
2307
shorewall-maclist
1846
2308
.RS 4
1847
2309
\%http://www.shorewall.net/manpages/shorewall-maclist.html
1848
2310
.RE
1849
.IP "14." 4
2311
.IP "17." 4
1850
2312
shorewall.conf
1851
2313
.RS 4
1852
2314
\%http://www.shorewall.net/manpages/shorewall.conf.html
1853
2315
.RE
1854
.IP "15." 4
2316
.IP "18." 4
1855
2317
the complete matrix of host groups defined by the zones, interfaces and hosts files
1856
2318
.RS 4
1857
2319
\%http://www.shorewall.net/manpages/../ScalabilityAndPerformance.html
1858
2320
.RE
1859
.IP "16." 4
1860
shorewall-rules
1861
.RS 4
1862
\%http://www.shorewall.net/manpages/manpages/shorewall-rules.html
1863
.RE
1864
.IP "17." 4
2321
.IP "19." 4
1865
2322
Shorewall Init Package
1866
2323
.RS 4
1867
2324
\%http://www.shorewall.net/manpages/shorewall-init.html
1868
2325
.RE
1869
.IP "18." 4
1870
Hairpin packets are packets that are routed out of the same interface that they arrived on.
1871
.IP "19." 4
1872
Hairpin packets are packets that are routed out of the same interface that they arrived on.
1873
2326
.IP "20." 4
2327
Hairpin packets are packets that are routed out of the same interface that they arrived on.
2328
.IP "21." 4
2329
Hairpin packets are packets that are routed out of the same interface that they arrived on.
2330
.IP "22." 4
1874
2331
shorewall-tcinterfaces
1875
2332
.RS 4
1876
2333
\%http://www.shorewall.net/manpages/shorewall-tcinterfaces.html
1877
2334
.RE
1878
.IP "21." 4
2335
.IP "23." 4
1879
2336
shorewall-tcpri
1880
2337
.RS 4
1881
2338
\%http://www.shorewall.net/manpages/shorewall-tcpri.html
1882
2339
.RE
1883
.IP "22." 4
2340
.IP "24." 4
1884
2341
shorewall-providers
1885
2342
.RS 4
1886
2343
\%http://www.shorewall.net/manpages/shorewall-providers.html
1887
2344
.RE
1888
.IP "23." 4
2345
.IP "25." 4
1889
2346
routing_rules
1890
2347
.RS 4
1891
2348
\%http://www.shorewall.net/manpages/shorewall-routing_rules.html
Loggerhead is a web-based interface for Breezy
Version: 2.0.1