SHOREWALL6-RULES(5) | Configuration Files | SHOREWALL6-RULES(5) |
NAME¶
rules - Shorewall6 rules fileSYNOPSIS¶
/etc/shorewall6/rules
DESCRIPTION¶
Entries in this file govern connection establishment by defining exceptions to the policies laid out in shorewall6-policy[1](5). By default, subsequent requests and responses are automatically allowed using connection tracking. For any particular (source,dest) pair of zones, the rules are evaluated in the order in which they appear in this file and the first terminating match is the one that determines the disposition of the request. All rules are terminating except LOG and QUEUE rules. The rules file is divided into sections. Each section is introduced by a "Section Header" which is a line beginning with [?]SECTION and followed by the section name. The optional "?" was added in Shorewalll 4.6.0 and is preferred. Existing configurations may be converted to use this form using the shorewall6 update command. Sections are as follows and must appear in the order listed: ALLThis section was added in Shorewall 4.4.23. rules in this
section are applied, regardless of the connection tracking state of the
packet.
ESTABLISHED
Packets in the ESTABLISHED state are processed by rules
in this section.
The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and QUEUE
There is an implicit ACCEPT rule inserted at the end of this section.
RELATED
Packets in the RELATED state are processed by rules in
this section.
The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and QUEUE
There is an implicit rule added at the end of this section that invokes the
RELATED_DISPOSITION ( shorewall6.conf[2](5)).
INVALID
Added in Shorewall 4.5.13. Packets in the INVALID state
are processed by rules in this section.
The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and
QUEUE.
There is an implicit rule added at the end of this section that invokes the
INVALID_DISPOSITION ( shorewall6.conf[2](5)).
UNTRACKED
Added in Shorewall 4.5.13. Packets in the UNTRACKED state
are processed by rules in this section.
The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and
QUEUE.
There is an implicit rule added at the end of this section that invokes the
UNTRACKED_DISPOSITION ( shorewall6.conf[2](5)).
NEW
Packets in the NEW, INVALID and UNTRACKED states are
processed by rules in this section.
Specifies the action to be taken if the connection
request matches the rule. target must be one of the following.
ACCEPT
SOURCE -
{zone|zone-list[+]|{all|any}[+][-]}
[:
interface][:<{address-or-range[,
address-or-range]...[
exclusion]>|exclusion|+
ipset|^countrycode-list}
Allow the connection request.
ACCEPT+
like ACCEPT but also excludes the connection from any
subsequent matching DNAT[-] or REDIRECT[-] rules.
Requires Shorewall 4.5.14 or later.
ACCEPT!
like ACCEPT but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall6.conf[2](5).
action
The name of an action declared in
shorewall6-actions[3](5) or in /usr/share/shorewall/actions.std.
ADD(ipset:flags)
Added in Shorewall 4.4.12. Causes addresses and/or port
numbers to be added to the named ipset. The flags specify the
address or tuple to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE or DESTINATION
address can be added using flags src or dst respectively
(see the -A command in ipset (8)).
ADD is non-terminating. Even if a packet matches the rule, it is passed on to
the next rule.
AUDIT[(accept|drop|reject)]
Added in Shorewall 4.5.10. Audits the packet with the
specified type; if the type is omitted, then drop is assumed. Require
AUDIT_TARGET support in the kernel and iptables.
A_ACCEPT, and A_ACCEPT!
Added in Shorewall 4.4.20. Audited versions of ACCEPT and
ACCEPT! respectively. Require AUDIT_TARGET support in the kernel and
iptables.
A_DROP and A_DROP!
Added in Shorewall 4.4.20. Audited versions of DROP and
DROP! respectively. Require AUDIT_TARGET support in the kernel and
iptables.
A_REJECT AND A_REJECT!
Added in Shorewall 4.4.20. Audited versions of REJECT and
REJECT! respectively. Require AUDIT_TARGET support in the kernel and
iptables.
[?]COMMENT
the rest of the line will be attached as a comment to the
Netfilter rule(s) generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of "shorewall show
<chain>". To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.
Note
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is
preferred.
CONTINUE
For experts only.
Do not process any of the following rules for this (source zone,destination
zone). If the source and/or destination IP address falls into a zone defined
later in shorewall6-zones[4](5) or in a parent zone of the source or
destination zones, then this connection request will be passed to the rules
defined for that (those) zone(s). See shorewall6-nesting[5](5) for
additional information.
CONTINUE!
like CONTINUE but exempts the rule from being suppressed
by OPTIMIZE=1 in shorewall6.conf[2](5).
COUNT
Simply increment the rule's packet and byte count and
pass the packet to the next rule.
DEL(ipset:flags)
Added in Shorewall 4.4.12. Causes an entry to be deleted
from the named ipset. The flags specify the address or tuple to
be deleted from the set and must match the type of ipset involved. For
example, for an iphash ipset, either the SOURCE or DESTINATION address can be
deleted using flags src or dst respectively (see the -D
command in ipset (8)).
DEL is non-terminating. Even if a packet matches the rule, it is passed on to
the next rule.
DNAT
Forward the request to another system (and optionally
another port). Requires Shorewall 4.5.14 or later.
DNAT-
Advanced users only.
Like DNAT but only generates the DNAT iptables rule and not the
companion ACCEPT rule. Requires Shorewall 4.5.14 or later.
DROP
Ignore the request.
DROP!
like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall6.conf[2](5).
HELPER
Added in Shorewall 4.5.7. This action requires that the
HELPER column contains the name of the Netfilter helper to be associated with
connections matching this connection. May only be specified in the NEW section
and is useful for being able to specify a helper when the applicable policy is
ACCEPT. No destination zone should be specified in HELPER rules.
INLINE[(action)]
Added in Shorewall 4.5.16. This action allows you to
construct most of the rule yourself using ip6tables syntax. The part that you
specify must follow a semicolon (';') and is completely free-form. If the
target of the rule (the part following 'j') is something that Shorewall
supports in the ACTION column, then you may enclose it in parentheses (e.g.,
INLINE(ACCEPT)). Otherwise, you can include it after the semicolon. In this
case, you must declare the target as a builtin action in
shorewall6-actions[3](5).
Some considerations when using INLINE:
IP6TABLES({ ip6tables-target [option ...])
•The p, s, d, i,
o, policy, and state match (state or conntrack
--ctstate) matches will always appear in the front of the rule in that
order.
•When multiple matches are specified, the compiler
will keep them in the order in which they appear (excluding the above listed
ones), but they will not necessarily be at the end of the generated rule. For
example, if addresses are specified in the SOURCE and/or DEST columns, their
generated matches will appear after those specified using ';'.
This action allows you to specify an ip6tables target
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the
ip6tables-target is not one recognized by Shorewall, the following
error message will be issued:
This error message may be eliminated by adding the
ip6tables-target as a builtin action in
shorewall6-actions[6](5).
Important
If you specify REJECT as the ip6tables-target, the target of the rule
will be the i6ptables REJECT target and not Shorewall's builtin 'reject' chain
which is used when REJECT (see below) is specified as the target in the
ACTION column.
LOG:level
ERROR: Unknown target ( ip6tables-target)
Simply log the packet and continue with the next
rule.
macro[(macrotarget)]
The name of a macro defined in a file named
macro.macro. If the macro accepts an action parameter (Look at the
macro source to see if it has PARAM in the TARGET column) then the
macro name is followed by the parenthesized macrotarget (
ACCEPT, DROP, REJECT, ...) to be substituted for the
parameter.
Example: FTP(ACCEPT).
The older syntax where the macro name and the target are separated by a slash
(e.g. FTP/ACCEPT) is still allowed but is deprecated.
NFLOG[(nflog-parameters)]
Added in Shorewall 4.5.9.3. Queues matching packets to a
back end logging daemon via a netlink socket then continues to the next rule.
See http://www.shorewall.net/shorewall_logging.html[7].
Similar to LOG:NFLOG[(nflog-parameters)], except that the log
level is not changed when this ACTION is used in an action or macro and the
invocation of that action or macro specifies a log level.
NFQUEUE[(queuenumber)]
Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a queuenumber is not specified, queue
zero (0) is assumed.
NFQUEUE![(queuenumber)]
like NFQUEUE but exempts the rule from being suppressed
by OPTIMIZE=1 in shorewall6.conf[2](5).
NONAT
Excludes the connection from any subsequent
DNAT[-] or REDIRECT[-] rules but doesn't generate a rule to
accept the traffic. Requires Shorewall 4.5.14 or later.
QUEUE
Queue the packet to a user-space application such as
ftwall (http://p2pwall.sf.net). The application may reinsert the packet for
further processing.
QUEUE!
like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall6.conf[2](5).
REDIRECT
Redirect the request to a server running on the firewall.
Requires Shorewall 4.5.14 or later.
REDIRECT-
Advanced users only.
Like REDIRECT but only generates the REDIRECT iptables rule and
not the companion ACCEPT rule. Requires Shorewall 4.5.14 or
later.
REJECT
disallow the request and return an icmp-unreachable or an
RST packet.
REJECT!
like REJECT but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall6.conf[2](5).
The target may optionally be followed by ":" and a syslog log
level (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to be
logged at the specified level. Note that if the ACTION involves
destination network address translation (DNAT, REDIRECT, etc.) then the packet
is logged before the destination address is rewritten.
If the ACTION names an action declared in
shorewall-actions[8](5) or in /usr/share/shorewall/actions.std then:
•If the log level is followed by "!' then all
rules in the action are logged at the log level.
•If the log level is not followed by "!"
then only those rules in the action that do not specify logging are logged at
the specified level.
•The special log level none! suppresses
logging by the action.
You may also specify ULOG or NFLOG (must be in upper case) as a
log level.This will log to the ULOG or NFLOG target for routing to a separate
log through use of ulogd (
http://www.netfilter.org/projects/ulogd/index.html).
Actions specifying logging may be followed by a log tag (a string of
alphanumeric characters) which is appended to the string generated by the
LOGPREFIX (in shorewall6.conf[2](5)).
Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix
generated by the LOGPREFIX setting.Source hosts to which the rule applies. May be a zone
declared in /etc/shorewall6/zones, $FW to indicate the firewall itself,
all, all+, all-, all+- or none.
Beginning with Shorewall 4.4.13, you may use a zone-list which consists
of a comma-separated list of zones declared in shorewall6-zones[4] (5).
This zone-list may be optionally followed by "+" to indicate
that the rule is to apply to intra-zone traffic as well as inter-zone traffic.
When none is used either in the SOURCE or DEST column, the
rule is ignored.
all means "All Zones", including the firewall itself.
all- means "All Zones, except the firewall itself". When
all[ -] is used either in the SOURCE or DEST
column intra-zone traffic is not affected. When all+[-] is
"used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
exclusion is supported -- see see shorewall6-exclusion[9](5).
Except when all[+][-] or any[+][-] is
specified, clients may be further restricted to a list of networks and/or
hosts by appending ":" and a comma-separated list of network and/or
host addresses. Hosts may be specified by IP or MAC address; mac addresses
must begin with "~" and must use "-" as a separator.
any is equivalent to all when there are no nested zones. When
there are nested zones, any only refers to top-level zones (those with
no parent zones). Note that any excludes all vserver zones, since those
zones are nested within the firewall zone.
Hosts may also be specified as an IP address range using the syntax
lowaddress- highaddress. This requires that your kernel and
ip6tables contain iprange match support. If your kernel and ip6tables have
ipset match support then you may give the name of an ipset prefaced by
"+". The ipset name may be optionally followed by a number from 1 to
6 enclosed in square brackets ([]) to indicate the number of levels of source
bindings to be matched.
Beginning with Shorewall6 4.4.17, the primary IP address of a firewall interface
can be specified by an ampersand ('&') followed by the logical name of the
interface as found in the INTERFACE column of shorewall6-interfaces[10]
(5).
Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A
countrycode-list is a comma-separated list of up to 15 two-character ISO-3661
country codes enclosed in square brackets ('[...]') and preceded by a caret
('^'). When a single country code is given, the square brackets may be
omitted. A list of country codes supported by Shorewall may be found at
http://www.shorewall.net/ISO-3661.html[11]. Specifying a
countrycode-list requires GeoIP Match support in your ip6tables and
Kernel.
When an interface is not specified, you may omit the angled brackets
('<' and '>') around the address(es) or you may supply them to improve
readability.
You may exclude certain hosts from the set already defined through use of an
exclusion (see shorewall6-exclusion[9](5)).
Examples:
dmz:2002:ce7c::92b4:1::2
DEST -
{zone|zone-list[+]|all
[+][-]}[:interface][:<{address-or-range[,address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list}[:port[:random]]
Host 2002:ce7c:92b4:1::2 in the DMZ
net:2001:4d48:ad51:24::/64
Subnet 2001:4d48:ad51:24::/64 on the Internet
loc:<2002:cec792b4:1::2,2002:cec792b4:1::44>
Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
local zone.
loc:~00-A0-C9-15-39-78
Host in the local zone with MAC address
00:A0:C9:15:39:78.
net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80
Subnet 2001:4d48:ad51:24::/64 on the Internet except for
2001:4d48:ad51:24:6:/80.
$FW:ð0
The primary IP address of eth0 in the firewall zone
(Shorewall6 4.4.17 and later).
Alternatively, clients may be specified by interface by appending ":"
to the zone name followed by the interface name. For example, loc:eth1
specifies a client that communicates with the firewall system through eth1.
This may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g.,
loc:eth1:<2002:ce7c::92b4:1::2>).
Examples:
loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44>
Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
Local zone, with both originating from eth1
Location of Server. May be a zone declared in
shorewall6-zones[4](5), $ FW to indicate the firewall itself,
all. all+ or none.
Beginning with Shorewall 4.4.13, you may use a zone-list which consists
of a comma-separated list of zones declared in shorewall6-zones[4] (5).
Ths zone-list may be optionally followed by "+" to indicate
that the rule is to apply to intra-zone traffic as well as inter-zone traffic.
Beginning with Shorewall-4.4.13, exclusion is supported -- see see
shorewall6-exclusion[9](5).
Beginning with Shorewall6 4.4.17, the primary IP address of a firewall interface
can be specified by an ampersand ('&') followed by the logical name of the
interface as found in the INTERFACE column of shorewall6-interfaces[10]
(5).
Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A
countrycode-list is a comma-separated list of up to 15 two-character ISO-3661
country codes enclosed in square brackets ('[...]') and preceded by a caret
('^'). When a single country code is given, the square brackets may be
omitted. A list of country codes supported by Shorewall may be found at
http://www.shorewall.net/ISO-3661.html[11]. Specifying a
countrycode-list requires GeoIP Match support in your ip6tables and
Kernel.
When none is used either in the SOURCE or DEST column, the
rule is ignored.
When all is used either in the SOURCE or DEST column
intra-zone traffic is not affected. When all+ is used, intra-zone
traffic is affected.
If the DEST zone is a bport zone, then either:
PROTO -
{-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|
protocol-number| protocol-name|all}
1.the SOURCE must be all[+][-], or
2.the SOURCE zone must be another bport zone
associated with the same bridge, or
3.the SOURCE zone must be an ipv4 zone that is
associated with only the same bridge.
Except when all[+]|[-] is specified, the server may be further
restricted to a particular network, host or interface by appending
":" and the network, host or interface. See SOURCE above.
You may exclude certain hosts from the set already defined through use of an
exclusion (see shorewall6-exclusion[9](5)).
Restriction: MAC addresses are not allowed (this is a Netfilter restriction).
If you kernel and ip6tables have ipset match support then you may give the name
of an ipset prefaced by "+". The ipset name may be optionally
followed by a number from 1 to 6 enclosed in square brackets ([]) to indicate
the number of levels of destination bindings to be matched. Only one of the
SOURCE and DEST columns may specify an ipset name.
The port that the server is listening on may be included and separated
from the server's IP address by ":". If omitted, the firewall will
not modify the destination port. A destination port may only be included if
the ACTION is DNAT or REDIRECT.
Example 1:
loc:[2001:470:b:227::44]:3128 specifies a local
server at IP address 2001:470:b:227::44 and listening on port 3128.
Example 2:
loc:[]:3128 specifies that the destination port
should be changed to 3128 but the IP address should remain the same.
The port may be specified as a service name. You may specify a port range
in the form lowport-highport to cause connections to be assigned to
ports in the range in round-robin fashion. When a port range is specified,
lowport and highport must be given as integers; service names
are not permitted. Additionally, the port range may be optionally followed by
:random which causes assignment to ports in the list to be random.
If the ACTION is REDIRECT or REDIRECT-, this column needs
only to contain the port number on the firewall that the request should be
redirected to. That is equivalent to specifying $FW::port.Optional protocol - ipp2p* requires ipp2p match
support in your kernel and ip6tables. tcp:syn implies tcp plus
the SYN flag must be set and the RST,ACK and FIN flags must be reset.
Beginning with Shorewall6 4.4.19, this column can contain a comma-separated list
of protocol-numbers and/or protocol names (e.g., tcp,udp).
DEST PORT(S) (dport) -
{-|port-name-number-or-range[,
port-name-number-or-range]...|+ ipset}
Optional destination Ports. A comma-separated list of
Port names (from services(5)), port numbers or port ranges; if the protocol is
icmp, this column is interpreted as the destination icmp-type(s). ICMP
types may be specified as a numeric type, a numeric type and code separated by
a slash (e.g., 3/4), or a typename. See
http://www.shorewall.net/configuration_file_basics.htm#ICMP[12]. Note
that prior to Shorewall6 4.4.19, only a single ICMP type may be listed.
If the protocol is ipp2p, this column is interpreted as an ipp2p option
without the leading "--" (example bit for bit-torrent). If no
port is given, ipp2p is assumed.
A port range is expressed as lowport:highport.
This column is ignored if PROTO = all but must be entered if any
of the following columns are supplied. In that case, it is suggested that this
field contain a dash ( -).
If your kernel contains multi-port match support, then only a single Netfilter
rule will be generated in this list and the CLIENT PORT(S) list below
if:
1. There are 15 or less ports listed.
2. No port ranges are included or your kernel and ip6tables contain extended
multi-port match support.
Beginning with Shorewall 4.6.0, an ipset name can be specified in this
column. This is intended to be used with bitmap:port ipsets.
SOURCE PORT(S) (sport) -
{-|port-name-number-or-range[,
port-name-number-or-range]...|+ ipset}
Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma- separated list of port names, port numbers
or port ranges.
Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that
the DEST PORT(S) column is non-empty. This causes the rule to match when
either the source port or the destination port in a packet matches one of the
ports specified in DEST PORTS(S). Use of '=' requires multi-port match in your
iptables and kernel.
Warning
Unless you really understand IP, you should leave this column empty or place a
dash ( -) in the column. Most people who try to use this column get it
wrong.
If you don't want to restrict client ports but need to specify a later column,
then place "-" in this column.
If your kernel contains multi-port match support, then only a single Netfilter
rule will be generated if in this list and the DEST PORT(S) list above:
1. There are 15 or less ports listed.
2. No port ranges are included or your kernel and ip6tables contain extended
multi-port match support.
Beginning with Shorewall 4.6.0, an ipset name can be specified in this column.
This is intended to be used with bitmap:port ipsets.
ORIGINAL DEST (origdest) - [-]
Included for compatibility with Shorewall. Enter '-' in
this column if you need to specify one of the later columns.
RATE LIMIT (rate) -
[-|[{s|d}:[[name]:]]]rate
/{sec| min|hour|day}[:burst]
You may optionally rate-limit the rule by placing a value
in this column:
rate is the number of connections per interval ( sec or
min) and burst is the largest burst permitted. If no
burst is given, a value of 5 is assumed. There may be no no white-space
embedded in the specification.
Example: 10/sec:20
When s: or d: is specified, the rate applies per source IP address
or per destination IP address respectively. The name may be chosen by
the user and specifies a hash table to be used to count matching connections.
If not given, the name shorewallN (where N is a unique integer) is
assumed. Where more than one POLICY specifies the same name, the connections
counts for the rules are aggregated and the individual rates apply to the
aggregated count.
USER/GROUP (user) -
[!][user-name-or-number-or-range][:
group-name-or-number-or-range]
This optional column may only be non-empty if the SOURCE
is the firewall itself.
When this column is non-empty, the rule applies only if the program generating
the output is running under the effective user and/or group
specified (or is NOT running under that id if "!" is given).
Beginning with Shorewall 4.5.8, multiple user or group names/ids separated by
commas may be specified.
Examples:
joe
MARK - [!]value[/mask][:C]
program must be run by joe
:kids
program must be run by a member of the 'kids' group
!:kids
program must not be run by a member of the 'kids'
group
2001-2099
UIDs 2001 through 2099 (Shorewall 4.5.6 and later)
Defines a test on the existing packet or connection mark.
The rule will match only if the test returns true.
If you don't want to define a test but need to specify anything in the following
columns, place a "-" in this field.
!
CONNLIMIT - [!]limit[:mask]
Inverts the test (not equal)
value
Value of the packet or connection mark.
mask
A mask to be applied to the mark before testing.
:C
Designates a connection mark. If omitted, the packet
mark's value is tested.
May be used to limit the number of simultaneous
connections from each individual host to limit connections. Requires
connlimit match in your kernel and ip6tables. While the limit is only checked
on rules specifying CONNLIMIT, the number of current connections is calculated
over all current connections from the SOURCE host. By default, the limit is
applied to each host but can be made to apply to networks of hosts by
specifying a mask. The mask specifies the width of a VLSM mask
to be applied to the source address; the number of current connections is then
taken over all hosts in the subnet source-address/mask. When
! is specified, the rule matches when the number of connection exceeds the
limit.
TIME - timeelement[&timeelement...]
May be used to limit the rule to a particular time period
each day, to particular days of the week or month, or to a range defined by
dates and times. Requires time match support in your kernel and ip6tables.
timeelement may be:
timestart= hh:mm[:ss]
HEADERS - [!][any:|exactly:]header-list (Optional - Added in
Shorewall 4.4.15)
Defines the starting time of day.
timestop= hh:mm[:ss]
Defines the ending time of day.
utc
Times are expressed in Greenwich Mean Time.
localtz
Deprecated by the Netfilter team in favor of
kerneltz. Times are expressed in Local Civil Time (default).
kerneltz
Added in Shorewall 4.5.2. Times are expressed in Local
Kernel Time (requires iptables 1.4.12 or later).
weekdays=ddd[,ddd]...
where ddd is one of Mon, Tue,
Wed, Thu, Fri, Sat or Sun
monthdays=dd[,dd],...
where dd is an ordinal day of the month
datestart=
yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the starting date and time.
datestop=
yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the ending date and time.
The header-list consists of a comma-separated list
of headers from the following list.
auth, ah, or 51
SWITCH - [!]switch-name[={0|1}]
Authentication Headers extension header.
esp, or 50
Encrypted Security Payload extension header.
hop, hop-by-hop or 0
Hop-by-hop options extension header.
route, ipv6-route or 41
IPv6 Route extension header.
frag, ipv6-frag or 44
IPv6 fragmentation extension header.
none, ipv6-nonxt or 59
No next header
proto, protocol or 255
Any protocol header.
If any: is specified, the rule will match if any of the listed headers
are present. If exactly: is specified, the will match packets that
exactly include all specified headers. If neither is given, any: is
assumed.
If ! is entered, the rule will match those packets which would not be
matched when ! is omitted.Added in Shorewall6 4.4.24 and allows enabling and
disabling the rule without requiring shorewall6 restart.
Enables the rule if the value stored in /proc/net/nf_condition/
switch-name is 1. Disables the rule if that file contains 0 (the
default). If '!' is supplied, the test is inverted such that the rule is
enabled if the file contains 0.
Within the switch-name, '@0' and '@{0}' are replaced by the name of the
chain to which the rule is a added. The switch-name (after '@...'
expansion) must begin with a letter and be composed of letters, decimal
digits, underscores or hyphens. Switch names must be 30 characters or less in
length.
Switches are normally off. To turn a switch on:
HELPER - [helper]
echo 1 >
/proc/net/nf_condition/switch-name
To turn it off again:
/proc/net/nf_condition/switch-name
echo 0 >
/proc/net/nf_condition/switch-name
Switch settings are retained over shorewall6 restart.
Beginning with Shorewall 4.5.10, when the switch-name is followed by
=0 or =1, then the switch is initialized to off or on
respectively by the start command. Other commands do not affect the
switch setting./proc/net/nf_condition/switch-name
Added in Shorewall 4.5.7.
In the NEW section, causes the named conntrack helper to be associated
with this connection; the contents of this column are ignored unless ACTION is
ACCEPT*, DNAT* or REDIRECT*.
In the RELATED section, will only match if the related connection has the named
helper associated with it.
The helper may be one of:
amanda
ftp
irc
netbios-ns
pptp
Q.931
RAS
sane
sip
snmp
tftp
If the HELPERS option is specified in shorewall6.conf[2](5), then any
module specified in this column must be listed in the HELPERS setting.EXAMPLE¶
Example 1:Accept SMTP requests from the DMZ to the internet
Example 4:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT PORT(S) DEST ACCEPT dmz net tcp smtp
You want to accept SSH connections to your firewall only
from internet IP addresses 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22
Example 5:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT PORT(S) DEST ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \ $FW tcp 22
You wish to limit SSH connections from remote systems to
1/min with a burst of three (to allow for limited retry):
Example 6:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT(S) PORT(S) DEST LIMIT SSH(ACCEPT) net all - - - - s:1/min:3
Forward port 80 to dmz host $BACKUP if switch
'primary_down' is set.
Example 7:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH # PORT(S) PORT(S) DEST LIMIT GROUP DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
Drop all email from IP addresses in the country whose
ISO-3661 country code is ZZ.
Example 8:
#ACTION SOURCE DEST PROTO DEST # PORT(S) DROP net:^ZZ fw tcp 25
You want to generate your own rule involving ip6tables
targets and matches not supported by Shorewall.
The above will generate the following ip6tables-restore input:
Note that SECCTX must be defined as a builtin action in
shorewall6-actions[3](5):
#ACTION SOURCE DEST PROTO DEST # PORT(S) INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
-A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
#ACTION OPTIONS SECCTX builtin
FILES¶
/etc/shorewall6/rulesSEE ALSO¶
http://www.shorewall.net/shorewall_logging.html[7] http://www.shorewall.net/configuration_file_basics.htm#Pairs[13] shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-blrules(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)NOTES¶
- 1.
- shorewall6-policy
- 2.
- shorewall6.conf
- 3.
- shorewall6-actions
- 4.
- shorewall6-zones
- 5.
- shorewall6-nesting
- 6.
- shorewall6-actions
- 8.
- shorewall-actions
- 9.
- shorewall6-exclusion
- 10.
- shorewall6-interfaces
10/19/2014 | Configuration Files |