~ubuntu-branches/debian/sid/shorewall/sid

\fBno\fR, blacklists are consulted for every packet (will slow down your firewall noticably if you have large blacklists)\&. If the BLACKLISTNEWONLY option is not set or is set to the empty value then BLACKLISTNEWONLY=No is assumed\&.

368

\fBno\fR, blacklists are consulted for every packet (will slow down your firewall noticeably if you have large blacklists)\&. If the BLACKLISTNEWONLY option is not set or is set to the empty value then BLACKLISTNEWONLY=No is assumed\&.

369

.if n \{\

370

.sp

371

.\}

625

.RS 4

626

Normally, Shorewall defers accepting ESTABLISHED/RELATED packets until these packets reach the chain in which the original connection was accepted\&. So for packets going from the \*(Aqloc\*(Aq zone to the \*(Aqnet\*(Aq zone, ESTABLISHED/RELATED packets are ACCEPTED in the \*(Aqloc2net\*(Aq chain\&.

627

.sp

628

If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains\&. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of

628

If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains\&. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of

629

\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2(5)\&.

630

.if n \{\

631

.sp

1007

(the modification times of the files in

1008

/etc/shorewall

1009

are compare with that of

1010

/var/lib/shorewall/restore)\&. If set to No, then the times are compared with that of /var/lib/shorewall/firewall, which is consistant with the way that

1010

/var/lib/shorewall/restore)\&. If set to No, then the times are compared with that of /var/lib/shorewall/firewall, which is consistent with the way that

1011

\fBrestart \-f\fR

1012

works\&.

1013

.RE

1412

.PP

1413

\fBNFACCT=\fR[\fIpathname\fR]

1414

.RS 4

1415

Added in Shorewall 4\&.5\&.7\&. Specifies the pathname of the nfacct utiliity\&. If not specified, Shorewall will use the PATH settting to find the program\&.

1415

Added in Shorewall 4\&.5\&.7\&. Specifies the pathname of the nfacct utility\&. If not specified, Shorewall will use the PATH setting to find the program\&.

1416

.RE

1417

.PP

1418

\fBNULL_ROUTE_RFC1918=\fR[\fBYes\fR|\fBNo\fR|\fBblackhole\fR|\fBunreachable\fR|\fBprohibit\fR]

1439

\fIvalue\fR

1440

enables certain optimizations\&. Each optimization category is associated with a power of two\&. To enable multiple optimization categories, simply add their corresponding numbers together\&.

1441

.sp

1442

Beginning with Shorewall 4\&.5\&.20, you may specify OPTIMIZE=All to enable all optimization categories, and you may also specify OPTIMIZE=None to disable optimization\&.

1443

.sp

1442

1444

.RS 4

1443

1445

.ie n \{\

1444

1446

\h'-04'\(bu\h'+03'\c

1453

1455

These extra rules can be eliminated by setting the 1 bit in OPTIMIZE\&.

1454

1456

.sp

1455

1457

The 1 bit setting also controls the suppression of redundant wildcard rules (those specifying "all" in the SOURCE or DEST column)\&. A wildcard rule is considered to be redundant when it has the same ACTION and Log Level as the applicable policy\&.

1458

.if n \{\

1459

.sp

1460

.\}

1461

.RS 4

1462

.it 1 an-trap

1463

.nr an-no-space-flag 1

1464

.nr an-break-flag 1

1465

.br

1466

.ps +1

1467

\fBNote\fR

1468

.ps -1

1469

.br

1470

Optimization level 1 is ignored when optimization level 4 is also selected, since level 4 performs similar optimizations in a more robust way\&.

1471

.sp .5v

1472

.RE

1456

1473

.RE

1457

1474

.sp

1458

1475

.RS 4

1463

1480

.sp -1

1464

1481

.IP \(bu 2.3

1465

1482

.\}

1466

Optimization category 2 \- Added in Shorewall 4\&.4\&.7\&. When set, suppresses superfluous ACCEPT rules in a policy chain that implements an ACCEPT policy\&. Any ACCEPT rules that immediately preceed the final blanket ACCEPT rule in the chain are now omitted\&.

1483

Optimization category 2 \- Added in Shorewall 4\&.4\&.7\&. When set, suppresses superfluous ACCEPT rules in a policy chain that implements an ACCEPT policy\&. Any ACCEPT rules that immediately precede the final blanket ACCEPT rule in the chain are now omitted\&.

1467

1484

.RE

1468

1485

.sp

1469

1486

.RS 4

1631

1648

compatible

1632

1649

rules to be combined into a single rule\&. Rules are considered compatible if they differ only in their destination ports and comments\&.

1633

1650

.sp

1634

A sequence of combatible rules is often generated when macros are invoked in sequence\&.

1651

A sequence of compatible rules is often generated when macros are invoked in sequence\&.

1635

1652

.sp

1636

1653

The ability to combine adjacent rules is limited by two factors:

1637

1654

.sp

1654

1671

.sp -1

1655

1672

.IP \(bu 2.3

1656

1673

.\}

1657

Rules may only be combined until the length of their concatinated comment reaches 255 characters\&.

1674

Rules may only be combined until the length of their concatenated comment reaches 255 characters\&.

1658

1675

.RE

1659

1676

.sp

1660

When either of these limits would be exceeded, the current combined rule is emitted and the compiler attemts to combine rules beginning with the one that would have exceeded the limit\&. Adjacent combined comments are separated by \*(Aq, \*(Aq\&. Empty comments at the front of a group of combined comments are replaced by \*(AqOthers and\*(Aq\&. Empty comments at the end of a group of combined comments are replaced by \*(Aqand others\*(Aq\&.

1677

When either of these limits would be exceeded, the current combined rule is emitted and the compiler attempts to combine rules beginning with the one that would have exceeded the limit\&. Adjacent combined comments are separated by \*(Aq, \*(Aq\&. Empty comments at the front of a group of combined comments are replaced by \*(AqOthers and\*(Aq\&. Empty comments at the end of a group of combined comments are replaced by \*(Aqand others\*(Aq\&.

1661

1678

.sp

1662

1679

Beginning in Shorewall 4\&.5\&.10, this option also suppresses duplicate adjacent rules and duplicate non\-adjacent rules that don\*(Aqt include

1663

1680

\fBmark\fR,

1677

1694

.PP

1678

1695

Example 2:

1679

1696

.RS 4

1680

Rules with comments <empty>, "FOO" and "BAR" would reult in the combined comment "Others and FOO, BAR"\&. Note: Optimize level 16 requires "Extended Multi\-port Match" in your iptables and kernel\&.

1697

Rules with comments <empty>, "FOO" and "BAR" would result in the combined comment "Others and FOO, BAR"\&. Note: Optimize level 16 requires "Extended Multi\-port Match" in your iptables and kernel\&.

1681

1698

.RE

1682

1699

.RE

1683

1700

.sp

1721

1738

.PP

1722

1739

\fBRSH_COMMAND="\fR\fIcommand\fR\fB"\fR

1723

1740

.RS 4

1724

Eariler generations of Shorewall Lite required that remote root login via ssh be enabled in order to use the

1741

Earlier generations of Shorewall Lite required that remote root login via ssh be enabled in order to use the

1725

1742

\fBload\fR

1726

1743

and

1727

1744

\fBreload\fR

1738

1755

RCP_COMMAND: scp ${files}

1739

1756

${root}@${system}:${destination}

1740

1757

.RE

1741

Shell variables that will be set when the commands are envoked are as follows:.RS 4

1758

Shell variables that will be set when the commands are invoked are as follows:.RS 4

1742

1759

\fIroot\fR \- root user\&. Normally

1743

1760

\fBroot\fR but may be overridden using the \*(Aq\-r\*(Aq

1744

1761

option\&.

1839

1856

\fBYes\fR, then route filtering occurs on all interfaces\&. If the option is set to

1840

1857

\fBNo\fR, then route filtering is disabled on all interfaces except those specified in

1841

1858

\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5)\&.

1859

.if n \{\

1860

.sp

1861

.\}

1862

.RS 4

1863

.it 1 an-trap

1864

.nr an-no-space-flag 1

1865

.nr an-break-flag 1

1866

.br

1867

.ps +1

1868

\fBImportant\fR

1869

.ps -1

1870

.br

1871

If you need to disable route filtering on any interface, then you must set ROUTE_FILTER=No then set routefilter=1 or routefilter=2 on those interfaces where you want route filtering\&. See

1872

\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[15]\d\s+2(5) for additional details\&.

1873

.sp .5v

1874

.RE

1842

1875

.RE

1843

1876

.PP

1844

1877

\fBRPFILTER_DISPOSITION=\fR[\fBDROP\fR|\fBREJECT\fR|A_DROP|A_REJECT]

1942

1975

.PP

1943

1976

\fBSUBSYSLOCK=\fR[\fIpathname\fR]

1944

1977

.RS 4

1945

This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops\&. Creating and removing this file allows Shorewall to work with your distribution\*(Aqs initscripts\&. For RedHat and OpenSuSE, this should be set to /var/lock/subsys/shorewall\&. For Debian, the value is /var/lock/shorewall and in LEAF it is /var/run/shorwall\&.

1978

1946

1979

.RE

1947

1980

.PP

1948

1981

\fBTC\fR=[\fIpathname\fR]

2026

2059

\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[10]\d\s+2(5)\&. Previously, when TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq provider interfaces were unconditionally passed to the PREROUTING tcrules\&. This was done so that tcrules could reset the packet mark to zero, thus allowing the packet to be routed using the \*(Aqmain\*(Aq routing table\&. Using the main table allowed dynamic routes (such as those added for VPNs) to be effective\&. The rtrules file was created to provide a better alternative to clearing the packet mark\&. As a consequence, passing these packets to PREROUTING complicates things without providing any real benefit\&. Beginning with Shorewall 4\&.4\&.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through \*(Aqtracked\*(Aq interfaces will not be passed to the PREROUTING rules\&. Since TRACK_PROVIDERS was just introduced in 4\&.4\&.3, this change should be transparent to most, if not all, users\&.

2027

2060

.RE

2028

2061

.PP

2062

\fBTRACK_RULES=\fR{\fBYes\fR|\fBNo\fR}

2063

.RS 4

2064

Added in Shorewall 4\&.5\&.20\&. If set to

2065

\fBYes\fR, causes the compiler to add a comment to iptables rules to indicate the file name and line number of the configuration entry that generated the rule\&. If set to

2066

\fBNo\fR

2067

(the default), then no such comments are added\&.

2068

.sp

2069

Setting this option to

2070

\fBYes\fR

2071

requires the

2072

Comments

2073

capability in iptables and kernel\&.

2074

.RE

2075

.PP

2029

2076

2030

2077

.RS 4

2031

2078

Added in Shorewall 4\&.5\&.13\&. Shorewall has traditionally passed UNTRACKED packets through the NEW section of

2118

2165

.ps -1

2119

2166

.br

2120

2167

\fBdetect\fR

2121

may be specified for interfaces whose configuration is managed by dhcpcd\&. Shorewall will use dhcpcd\*(Aqs database to find the interfaces\*(Aqs gateway\&.

2168

may be specified for interfaces whose configuration is managed by dhcpcd\&. Shorewall will use dhcpcd\*(Aqs database to find the interface\*(Aqs gateway\&.

2122

2169

.sp .5v

2123

2170

.RE

2124

2171

.RE

2139

2186

.PP

2140

2187

\fBUSE_PHYSICAL_NAMES=\fR[\fBYes\fR|\fBNo\fR]

2141

2188

.RS 4

2142

Added in Shorewall 4\&.4\&.27\&. Normally, when Shorewall creates a Netfilter chain that relates to an interface, it uses the interfaces\*(Aqs logical name as the base of the chain name\&. For example, if the logical name for an interface is OAKLAND, then the input chain for traffic arriving on that interface would be \*(AqOAKLAND_in\*(Aq\&. If this option is set to Yes, then the physical name of the interface will be used the base of the chain name\&.

2189

Added in Shorewall 4\&.4\&.27\&. Normally, when Shorewall creates a Netfilter chain that relates to an interface, it uses the interface\*(Aqs logical name as the base of the chain name\&. For example, if the logical name for an interface is OAKLAND, then the input chain for traffic arriving on that interface would be \*(AqOAKLAND_in\*(Aq\&. If this option is set to Yes, then the physical name of the interface will be used the base of the chain name\&.

2143

2190

.RE

2144

2191

.PP

2145

2192

\fBUSE_RT_NAMES=\fR[\fBYes\fR|\fBNo\fR]

Older »