9
9
######################################################################################################################################################################################################
11
11
# Entries in this file govern connection establishment by defining exceptions to
12
# the policies layed out in shorewall-policy(5). By default, subsequent requests
12
# the policies laid out in shorewall-policy(5). By default, subsequent requests
13
13
# and responses are automatically allowed using connection tracking. For any
14
14
# particular (source,dest) pair of zones, the rules are evaluated in the order in
15
15
# which they appear in this file and the first terminating match is the one that
93
93
# and RELATED sections must be empty.
95
95
# An except is made if you are running Shorewall 4.4.27 or later and you have
96
# specified a non-defualt value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In
96
# specified a non-default value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In
97
97
# that case, you may have rules in the RELATED section of this file.
99
99
# You may omit any section that you don't need. If no Section Headers appear in
143
143
# ADD(ipset:flags)
145
145
# Added in Shorewall 4.4.12. Causes addresses and/or port numbers to be
146
# added to the named ipset. The flags specify the address or tupple to be
146
# added to the named ipset. The flags specify the address or tuple to be
147
147
# added to the set and must match the type of ipset involved. For
148
148
# example, for an iphash ipset, either the SOURCE or DESTINATION address
149
149
# can be added using flags src or dst respectively (see the -A command in
211
211
# DEL(ipset:flags)
213
213
# Added in Shorewall 4.4.12. Causes an entry to be deleted from the named
214
# ipset. The flags specify the address or tupple to be deleted from the
214
# ipset. The flags specify the address or tuple to be deleted from the
215
215
# set and must match the type of ipset involved. For example, for an
216
# iphash ipset, either the SOURCE or DESTINATION address can be deletec
216
# iphash ipset, either the SOURCE or DESTINATION address can be deleted
217
217
# using flags src or dst respectively (see the -D command in ipset (8)).
219
219
# DEL is non-terminating. Even if a packet matches the rule, it is passed
292
292
# NFLOG[(nflog-parameters)]
294
# Added in Shorewall 4.5.9.3. Queues matching packets to a backend
294
# Added in Shorewall 4.5.9.3. Queues matching packets to a back end
295
295
# logging daemon via a netlink socket then continues to the next rule.
296
296
# See http://www.shorewall.net/shorewall_logging.html.
349
349
# ULOG[(ulog-parameters)]
351
# Added in Shorewall 4.5.10. Queues matching packets to a backend logging
352
# daemon via a netlink socket then continues to the next rule. See http:/
353
# /www.shorewall.net/shorewall_logging.html.
351
# Added in Shorewall 4.5.10. Queues matching packets to a back end
352
# logging daemon via a netlink socket then continues to the next rule.
353
# See http://www.shorewall.net/shorewall_logging.html.
355
355
# Similar to LOG:ULOG[(ulog-parameters)], except that the log level is
356
356
# not changed when this ACTION is used in an action or macro body and the
389
389
# address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
391
391
# Source hosts to which the rule applies. May be a zone declared in /etc/
392
# shorewall/zones, $FW to indicate the firewall itself, all, all+, all-,
392
# shorewall/zones, $FW to indicate the firewall itself, all, all+, all-,
395
395
# Beginning with Shorewall 4.4.13, you may use a zone-list which consists of
396
# a comma-separated list of zones declared in shorewall-zones (5). Ths
396
# a comma-separated list of zones declared in shorewall-zones (5). This
397
397
# zone-list may be optionally followed by "+" to indicate that the rule is to
398
398
# apply to intra-zone traffic as well as inter-zone traffic.
400
400
# When none is used either in the SOURCE or DEST column, the rule is ignored.
402
402
# all means "All Zones", including the firewall itself. all- means "All
403
# Zones, except the firewall itself". When all[-] is used either in the
403
# Zones, except the firewall itself". When all[-] is used either in the
404
404
# SOURCE or DEST column intra-zone traffic is not affected. When all+[-] is
405
405
# "used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
406
406
# exclusion is supported -- see see shorewall-exclusion(5).
419
419
# zones). Note that any excludes all vserver zones, since those zones are
420
420
# nested within the firewall zone.
422
# Hosts may also be specified as an IP address range using the syntax
422
# Hosts may also be specified as an IP address range using the syntax
423
423
# lowaddress-highaddress. This requires that your kernel and iptables contain
424
424
# iprange match support. If your kernel and iptables have ipset match support
425
425
# then you may give the name of an ipset prefaced by "+". The ipset name may
427
427
# ([]) to indicate the number of levels of source bindings to be matched.
429
429
# Beginning with Shorewall 4.4.17, the primary IP address of a firewall
430
# interface can be specified by an apersand ('&') followed by the logican
430
# interface can be specified by an ampersand ('&') followed by the logical
431
431
# name of the interface as found in the INTERFACE column of
432
432
# shorewall-interfaces (5).
485
485
# indicate the firewall itself, all. all+ or none.
487
487
# Beginning with Shorewall 4.4.13, you may use a zone-list which consists of
488
# a comma-separated list of zones declared in shorewall-zones (5). Ths
488
# a comma-separated list of zones declared in shorewall-zones (5). This
489
489
# zone-list may be optionally followed by "+" to indicate that the rule is to
490
490
# apply to intra-zone traffic as well as inter-zone traffic.
538
538
# If you kernel and iptables have ipset match support then you may give the
539
539
# name of an ipset prefaced by "+". The ipset name may be optionally followed
540
540
# by a number from 1 to 6 enclosed in square brackets ([]) to indicate the
541
# number of levels of destination bindings to be matched. Only one of the
541
# number of levels of destination bindings to be matched. Only one of the
542
542
# SOURCE and DEST columns may specify an ipset name.
544
544
# Beginning with Shorewall 4.4.17, the primary IP address of a firewall
545
# interface can be specified by an apersand ('&') followed by the logical
545
# interface can be specified by an ampersand ('&') followed by the logical
546
546
# name of the interface as found in the INTERFACE column of
547
547
# shorewall-interfaces (5).
549
549
# The port that the server is listening on may be included and separated from
550
# the server's IP address by ":". If omitted, the firewall will not modifiy
550
# the server's IP address by ":". If omitted, the firewall will not modify
551
551
# the destination port. A destination port may only be included if the ACTION
552
552
# is DNAT or REDIRECT.
559
559
# The port may be specified as a service name. You may specify a port range
560
560
# in the form lowport-highport to cause connections to be assigned to ports
561
# in the range in round-robin fashion. When a port range is specified,
561
# in the range in round-robin fashion. When a port range is specified,
562
562
# lowport and highport must be given as integers; service names are not
563
# permitted. Additionally, the port range may be optionally followed by
563
# permitted. Additionally, the port range may be optionally followed by
564
564
# :random which causes assignment to ports in the list to be random.
566
566
# If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain
582
582
# Optional destination Ports. A comma-separated list of Port names (from
583
583
# services(5)), port numbers or port ranges; if the protocol is icmp, this
584
584
# column is interpreted as the destination icmp-type(s). ICMP types may be
585
# specified as a numeric type, a numberic type and code separated by a slash
585
# specified as a numeric type, a numeric type and code separated by a slash
586
586
# (e.g., 3/4), or a typename. See http://www.shorewall.net/
587
587
# configuration_file_basics.htm#ICMP. Note that prior to Shorewall 4.4.19,
588
# only a single ICMP type may be listsed.
588
# only a single ICMP type may be listed.
590
590
# If the protocol is ipp2p, this column is interpreted as an ipp2p option
591
591
# without the leading "--" (example bit for bit-torrent). If no port is
604
604
# 1. There are 15 or less ports listed.
606
606
# 2. No port ranges are included or your kernel and iptables contain extended
607
# multiport match support.
607
# multi-port match support.
609
609
# SOURCE PORT(S) (sport) - {-|port-name-number-or-range[,
610
610
# port-name-number-or-range]...}
616
616
# Beginning with Shorewall 4.5.15, you may place '=' in this column, provided
617
617
# that the DEST PORT(S) column is non-empty. This causes the rule to match
618
618
# when either the source port or the destination port in a packet matches one
619
# of the ports specified in DEST PORTS(S). Use of '=' requires multiport
619
# of the ports specified in DEST PORTS(S). Use of '=' requires multi-port
620
620
# match in your iptables and kernel.
635
635
# 1. There are 15 or less ports listed.
637
637
# 2. No port ranges are included or your kernel and iptables contain extended
638
# multiport match support.
638
# multi-port match support.
640
640
# ORIGINAL DEST (origdest) - [-|address[,address]...[exclusion]|exclusion]
654
654
# Beginning with Shorewall 4.4.17, the primary IP address of a firewall
655
# interface can be specified by an apersand ('&') followed by the logical
655
# interface can be specified by an ampersand ('&') followed by the logical
656
656
# name of the interface as found in the INTERFACE column of
657
657
# shorewall-interfaces (5).
679
679
# rate is the number of connections per interval (sec or min) and burst is
680
680
# the largest burst permitted. If no burst is given, a value of 5 is assumed.
681
# There may be no no whitespace embedded in the specification.
681
# There may be no no white-space embedded in the specification.
683
683
# Example: 10/sec:20
760
760
# the subnet source-address/mask. When ! is specified, the rule matches when
761
761
# the number of connection exceeds the limit.
763
# TIME - timeelement[&timelement...]
763
# TIME - timeelement[&timeelement...]
765
765
# May be used to limit the rule to a particular time period each day, to
766
766
# particular days of the week or month, or to a range defined by dates and
838
838
# Switch settings are retained over shorewall restart.
840
# Beginning with Shoreawll 4.5.10, when the switch-name is followed by =0 or
840
# Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or
841
841
# =1, then the switch is initialized to off or on respectively by the start
842
842
# command. Other commands do not affect the switch setting.
999
# Add the tupple (source IP, dest port, dest IP) of an incoming SSH
1000
# connection to the ipset S:
999
# Add the tuple (source IP, dest port, dest IP) of an incoming SSH connection
1002
1002
# #ACTION SOURCE DEST PROTO DEST