13
13
######################################################################################################################################################################################################
15
15
# Entries in this file govern connection establishment by defining exceptions to
16
# the policies layed out in shorewall-policy(5). By default, subsequent requests
16
# the policies laid out in shorewall-policy(5). By default, subsequent requests
17
17
# and responses are automatically allowed using connection tracking. For any
18
18
# particular (source,dest) pair of zones, the rules are evaluated in the order in
19
19
# which they appear in this file and the first terminating match is the one that
97
97
# and RELATED sections must be empty.
99
99
# An except is made if you are running Shorewall 4.4.27 or later and you have
100
# specified a non-defualt value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In
100
# specified a non-default value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In
101
101
# that case, you may have rules in the RELATED section of this file.
103
103
# You may omit any section that you don't need. If no Section Headers appear in
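Review bot: line 99 is left with an unfixed typo right next to the corrected line 100: "An except is made if you are running Shorewall 4.4.27" should read "An exception is made"; worth folding into the same spelling pass.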
147
147
# ADD(ipset:flags)
149
149
# Added in Shorewall 4.4.12. Causes addresses and/or port numbers to be
150
# added to the named ipset. The flags specify the address or tupple to be
150
# added to the named ipset. The flags specify the address or tuple to be
151
151
# added to the set and must match the type of ipset involved. For
152
152
# example, for an iphash ipset, either the SOURCE or DESTINATION address
153
153
# can be added using flags src or dst respectively (see the -A command in
215
215
# DEL(ipset:flags)
217
217
# Added in Shorewall 4.4.12. Causes an entry to be deleted from the named
218
# ipset. The flags specify the address or tupple to be deleted from the
218
# ipset. The flags specify the address or tuple to be deleted from the
219
219
# set and must match the type of ipset involved. For example, for an
220
# iphash ipset, either the SOURCE or DESTINATION address can be deletec
220
# iphash ipset, either the SOURCE or DESTINATION address can be deleted
221
221
# using flags src or dst respectively (see the -D command in ipset (8)).
223
223
# DEL is non-terminating. Even if a packet matches the rule, it is passed
296
296
# NFLOG[(nflog-parameters)]
298
# Added in Shorewall 4.5.9.3. Queues matching packets to a backend
298
# Added in Shorewall 4.5.9.3. Queues matching packets to a back end
299
299
# logging daemon via a netlink socket then continues to the next rule.
300
300
# See http://www.shorewall.net/shorewall_logging.html.
353
353
# ULOG[(ulog-parameters)]
355
# Added in Shorewall 4.5.10. Queues matching packets to a backend logging
356
# daemon via a netlink socket then continues to the next rule. See http:/
357
# /www.shorewall.net/shorewall_logging.html.
355
# Added in Shorewall 4.5.10. Queues matching packets to a back end
356
# logging daemon via a netlink socket then continues to the next rule.
357
# See http://www.shorewall.net/shorewall_logging.html.
359
359
# Similar to LOG:ULOG[(ulog-parameters)], except that the log level is
360
360
# not changed when this ACTION is used in an action or macro body and the
393
393
# address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
395
395
# Source hosts to which the rule applies. May be a zone declared in /etc/
396
# shorewall/zones, $FW to indicate the firewall itself, all, all+, all-,
396
# shorewall/zones, $FW to indicate the firewall itself, all, all+, all-,
399
399
# Beginning with Shorewall 4.4.13, you may use a zone-list which consists of
400
# a comma-separated list of zones declared in shorewall-zones (5). Ths
400
# a comma-separated list of zones declared in shorewall-zones (5). This
401
401
# zone-list may be optionally followed by "+" to indicate that the rule is to
402
402
# apply to intra-zone traffic as well as inter-zone traffic.
404
404
# When none is used either in the SOURCE or DEST column, the rule is ignored.
406
406
# all means "All Zones", including the firewall itself. all- means "All
407
# Zones, except the firewall itself". When all[-] is used either in the
407
# Zones, except the firewall itself". When all[-] is used either in the
408
408
# SOURCE or DEST column intra-zone traffic is not affected. When all+[-] is
409
409
# "used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
410
410
# exclusion is supported -- see see shorewall-exclusion(5).
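Review bot: two defects in this region survive the "Ths" fix at line 400: line 409 starts with a stray double quote (`# "used, intra-zone traffic is affected.`) and line 410 has the doubled word in "see see shorewall-exclusion(5)". Lines 396 and 407 show identical text on both sides, so they are whitespace-only edits; keeping whitespace cleanup out of a typo commit, or noting it in the commit message, makes the intent of the diff clearer.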
423
423
# zones). Note that any excludes all vserver zones, since those zones are
424
424
# nested within the firewall zone.
426
# Hosts may also be specified as an IP address range using the syntax
426
# Hosts may also be specified as an IP address range using the syntax
427
427
# lowaddress-highaddress. This requires that your kernel and iptables contain
428
428
# iprange match support. If your kernel and iptables have ipset match support
429
429
# then you may give the name of an ipset prefaced by "+". The ipset name may
431
431
# ([]) to indicate the number of levels of source bindings to be matched.
433
433
# Beginning with Shorewall 4.4.17, the primary IP address of a firewall
434
# interface can be specified by an apersand ('&') followed by the logican
434
# interface can be specified by an ampersand ('&') followed by the logical
435
435
# name of the interface as found in the INTERFACE column of
436
436
# shorewall-interfaces (5).
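Review bot: line 426 is unchanged in content, so this is a trailing-whitespace edit riding along with the spelling fixes at line 434 ("apersand" to "ampersand", "logican" to "logical"); acceptable, but mention the whitespace change in the commit message so it is clearly deliberate.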
489
489
# indicate the firewall itself, all. all+ or none.
491
491
# Beginning with Shorewall 4.4.13, you may use a zone-list which consists of
492
# a comma-separated list of zones declared in shorewall-zones (5). Ths
492
# a comma-separated list of zones declared in shorewall-zones (5). This
493
493
# zone-list may be optionally followed by "+" to indicate that the rule is to
494
494
# apply to intra-zone traffic as well as inter-zone traffic.
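Review bot: line 489 still reads "all. all+ or none"; the period after "all" should be a comma ("all, all+ or none") to match the list form used for the SOURCE column at line 396.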
542
542
# If you kernel and iptables have ipset match support then you may give the
543
543
# name of an ipset prefaced by "+". The ipset name may be optionally followed
544
544
# by a number from 1 to 6 enclosed in square brackets ([]) to indicate the
545
# number of levels of destination bindings to be matched. Only one of the
545
# number of levels of destination bindings to be matched. Only one of the
546
546
# SOURCE and DEST columns may specify an ipset name.
548
548
# Beginning with Shorewall 4.4.17, the primary IP address of a firewall
549
# interface can be specified by an apersand ('&') followed by the logical
549
# interface can be specified by an ampersand ('&') followed by the logical
550
550
# name of the interface as found in the INTERFACE column of
551
551
# shorewall-interfaces (5).
553
553
# The port that the server is listening on may be included and separated from
554
# the server's IP address by ":". If omitted, the firewall will not modifiy
554
# the server's IP address by ":". If omitted, the firewall will not modify
555
555
# the destination port. A destination port may only be included if the ACTION
556
556
# is DNAT or REDIRECT.
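Review bot: line 542 keeps the typo "If you kernel and iptables have ipset match support", which should be "If your kernel" (line 428 has the same sentence spelled correctly). Line 545 is a whitespace-only change mixed in with the "apersand" and "modifiy" fixes.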
563
563
# The port may be specified as a service name. You may specify a port range
564
564
# in the form lowport-highport to cause connections to be assigned to ports
565
# in the range in round-robin fashion. When a port range is specified,
565
# in the range in round-robin fashion. When a port range is specified,
566
566
# lowport and highport must be given as integers; service names are not
567
# permitted. Additionally, the port range may be optionally followed by
567
# permitted. Additionally, the port range may be optionally followed by
568
568
# :random which causes assignment to ports in the list to be random.
570
570
# If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain
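Review bot: lines 565 and 567 are identical on both sides, so this hunk changes only trailing whitespace; either drop it from a spelling-fix commit or state the whitespace cleanup in the commit message.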
586
586
# Optional destination Ports. A comma-separated list of Port names (from
587
587
# services(5)), port numbers or port ranges; if the protocol is icmp, this
588
588
# column is interpreted as the destination icmp-type(s). ICMP types may be
589
# specified as a numeric type, a numberic type and code separated by a slash
589
# specified as a numeric type, a numeric type and code separated by a slash
590
590
# (e.g., 3/4), or a typename. See http://www.shorewall.net/
591
591
# configuration_file_basics.htm#ICMP. Note that prior to Shorewall 4.4.19,
592
# only a single ICMP type may be listsed.
592
# only a single ICMP type may be listed.
594
594
# If the protocol is ipp2p, this column is interpreted as an ipp2p option
595
595
# without the leading "--" (example bit for bit-torrent). If no port is
608
608
# 1. There are 15 or less ports listed.
610
610
# 2. No port ranges are included or your kernel and iptables contain extended
611
# multiport match support.
611
# multi-port match support.
613
613
# SOURCE PORT(S) (sport) - {-|port-name-number-or-range[,
614
614
# port-name-number-or-range]...}
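Review bot: rewriting "multiport match support" as "multi-port" at line 611 is questionable, because multiport is the literal name of the iptables match extension the sentence points the reader at (-m multiport); hyphenating it breaks the link between the prose and the identifier. Recommend keeping "multiport" here and in the identical text at lines 623 and 642.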
620
620
# Beginning with Shorewall 4.5.15, you may place '=' in this column, provided
621
621
# that the DEST PORT(S) column is non-empty. This causes the rule to match
622
622
# when either the source port or the destination port in a packet matches one
623
# of the ports specified in DEST PORTS(S). Use of '=' requires multiport
623
# of the ports specified in DEST PORTS(S). Use of '=' requires multi-port
624
624
# match in your iptables and kernel.
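Review bot: line 623 keeps the typo "DEST PORTS(S)", which should be "DEST PORT(S)" as the column is named on line 621; fix it while touching this line, and see the earlier comment on keeping "multiport" unhyphenated as the iptables match name.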
639
639
# 1. There are 15 or less ports listed.
641
641
# 2. No port ranges are included or your kernel and iptables contain extended
642
# multiport match support.
642
# multi-port match support.
644
644
# ORIGINAL DEST (origdest) - [-|address[,address]...[exclusion]|exclusion]
658
658
# Beginning with Shorewall 4.4.17, the primary IP address of a firewall
659
# interface can be specified by an apersand ('&') followed by the logical
659
# interface can be specified by an ampersand ('&') followed by the logical
660
660
# name of the interface as found in the INTERFACE column of
661
661
# shorewall-interfaces (5).
683
683
# rate is the number of connections per interval (sec or min) and burst is
684
684
# the largest burst permitted. If no burst is given, a value of 5 is assumed.
685
# There may be no no whitespace embedded in the specification.
685
# There may be no no white-space embedded in the specification.
687
687
# Example: 10/sec:20
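Review bot: the edit at line 685 hyphenates "whitespace" to "white-space" but leaves the real defect, the doubled word in "There may be no no whitespace"; the line should read "There may be no whitespace embedded in the specification." The hyphenation itself is unnecessary, since "whitespace" as one word is the usual spelling in technical documentation.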
764
764
# the subnet source-address/mask. When ! is specified, the rule matches when
765
765
# the number of connection exceeds the limit.
767
# TIME - timeelement[&timelement...]
767
# TIME - timeelement[&timeelement...]
769
769
# May be used to limit the rule to a particular time period each day, to
770
770
# particular days of the week or month, or to a range defined by dates and
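Review bot: line 765 still has a number-agreement error, "the number of connection exceeds the limit", which should be "connections"; worth fixing alongside the "timelement" correction at line 767.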
842
842
# Switch settings are retained over shorewall restart.
844
# Beginning with Shoreawll 4.5.10, when the switch-name is followed by =0 or
844
# Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or
845
845
# =1, then the switch is initialized to off or on respectively by the start
846
846
# command. Other commands do not affect the switch setting.
1003
# Add the tupple (source IP, dest port, dest IP) of an incoming SSH
1004
# connection to the ipset S:
1003
# Add the tuple (source IP, dest port, dest IP) of an incoming SSH connection
1006
1006
# #ACTION SOURCE DEST PROTO DEST
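Review bot: the rewrap at new line 1003 pulls "connection" up from old line 1004, but only new line 1003 is shown here; confirm that the rest of the old sentence, "to the ipset S:", is still present on the following new line so the example comment stays complete.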