'\" t
.\"     Title: shorewall6-conntrack
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\"      Date: 03/16/2017
.\"    Manual: Configuration Files
.\"    Source: Configuration Files
.\"  Language: English
.\"
.TH "SHOREWALL6\-CONNTRACK" "5" "03/16/2017" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
conntrack \- shorewall6 conntrack file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall6/conntrack\fR\ 'u
\fB/etc/shorewall6/conntrack\fR
.SH "DESCRIPTION"
.PP
The original intent of the
\fBnotrack\fR
file was to exempt certain traffic from Netfilter connection tracking\&. Traffic matching entries in the file was not to be tracked\&.
.PP
The role of the file was expanded in Shorewall 4\&.4\&.27 to include all rules that can be added in the Netfilter
\fBraw\fR
table\&. In 4\&.5\&.7, the file\*(Aqs name was changed to
\fBconntrack\fR\&.
.PP
The file supports three different column layouts: FORMAT 1, FORMAT 2 and FORMAT 3, FORMAT 1 being the default\&.
The three differ as follows:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
in FORMAT 2 and 3, there is an additional leading ACTION column\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
in FORMAT 3, the SOURCE column accepts no zone name; rather the ACTION column allows a SUFFIX that determines the chain(s) that the generated rule will be added to\&.
.RE
.PP
When an entry in the following form is encountered, the format of the following entries is assumed to be the specified
\fIformat\fR\&.
.RS 4
\fB?FORMAT\fR \fIformat\fR
.RE
.PP
where
\fIformat\fR
is either
\fB1\fR,
\fB2\fR
or
\fB3\fR\&.
.PP
Format 3 was introduced in Shorewall 4\&.5\&.10\&.
.PP
Comments may be attached to Netfilter rules generated from entries in this file through the use of ?COMMENT lines\&. These lines begin with ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached\&. To stop adding comments to rules, use a line with only ?COMMENT\&.
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBACTION\fR \- {\fBNOTRACK\fR|\fBCT:notrack\fR|\fBCT:helper:\fR\fIname\fR[(\fIarg\fR=\fIval\fR[,\&.\&.\&.])]|\fBCT:ctevents:\fR\fIevent\fR[,\&.\&.\&.]|\fBCT:expevents:new\fR|\fBDROP\fR|\fBLOG\fR|\fBNFLOG\fR(\fInflog\-parameters\fR)|\fBIP6TABLES\fR(\fItarget\fR)}[:\fIlog\-level\fR[:\fIlog\-tag\fR]][:\fIchain\-designator\fR]
.RS 4
This column is only present when FORMAT >= 2\&. Values other than NOTRACK require CT target support in your ip6tables and kernel\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBNOTRACK\fR or \fBCT:notrack\fR
.sp
Disables connection tracking for this packet\&. If a
\fIlog\-level\fR
is specified, the packet will also be logged at that level\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBCT:helper:\fR\fIname\fR
.sp
Attach the helper identified by
\fIname\fR
to this connection\&. This is more flexible than loading the conntrack helper with preset ports\&. If a
\fIlog\-level\fR
is specified, the packet will also be logged at that level\&.
.sp
At this writing, the available helpers are:
.PP
amanda
.RS 4
Requires that the amanda netfilter helper is present\&.
.RE
.PP
ftp
.RS 4
Requires that the FTP netfilter helper is present\&.
.RE
.PP
irc
.RS 4
Requires that the IRC netfilter helper is present\&.
.RE
.PP
netbios\-ns
.RS 4
Requires that the netbios_ns (sic) helper is present\&.
.RE
.PP
RAS and Q\&.931
.RS 4
These require that the H323 netfilter helper is present\&.
.RE
.PP
pptp
.RS 4
Requires that the pptp netfilter helper is present\&.
.RE
.PP
sane
.RS 4
Requires that the SANE netfilter helper is present\&.
.RE
.PP
sip
.RS 4
Requires that the SIP netfilter helper is present\&.
.RE
.PP
snmp
.RS 4
Requires that the SNMP netfilter helper is present\&.
.RE
.PP
tftp
.RS 4
Requires that the TFTP netfilter helper is present\&.
.RE
.sp
May be followed by an option list of
\fIarg\fR=\fIval\fR
pairs in parentheses:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBctevents\fR=\fIevent\fR[,\&.\&.\&.]
.sp
Only generate the specified conntrack events for this connection\&. Possible event types are:
\fBnew\fR,
\fBrelated\fR,
\fBdestroy\fR,
\fBreply\fR,
\fBassured\fR,
\fBprotoinfo\fR,
\fBhelper\fR,
\fBmark\fR
(this is connection mark, not packet mark),
\fBnatseqinfo\fR, and
\fBsecmark\fR\&. If more than one
\fIevent\fR
is listed, the
\fIevent\fR
list must be enclosed in parentheses (e\&.g\&., ctevents=(new,related))\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBexpevents\fR=\fBnew\fR
.sp
Only generate
\fBnew\fR
expectation events for this connection\&.
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBCT:ctevents:\fR\fIevent\fR[,\&.\&.\&.]
.sp
Added in Shorewall 4\&.6\&.10\&. Only generate the specified conntrack events for this connection\&. Possible event types are:
\fBnew\fR,
\fBrelated\fR,
\fBdestroy\fR,
\fBreply\fR,
\fBassured\fR,
\fBprotoinfo\fR,
\fBhelper\fR,
\fBmark\fR
(this is connection mark, not packet mark),
\fBnatseqinfo\fR, and
\fBsecmark\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBCT:expevents:new\fR
.sp
Added in Shorewall 4\&.6\&.10\&. Only generate
\fBnew\fR
expectation events for this connection\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDROP\fR
.sp
Added in Shorewall 4\&.5\&.10\&. Silently discard the packet\&. If a
\fIlog\-level\fR
is specified, the packet will also be logged at that level\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBIP6TABLES\fR(\fItarget\fR)
.sp
Added in Shorewall 4\&.6\&.0\&. Allows you to specify any ip6tables
\fItarget\fR
with target options (e\&.g\&., "IP6TABLES(AUDIT \-\-type drop)")\&. If the target is not one recognized by Shorewall, the following error message will be issued:
.RS 4
ERROR: Unknown target (\fItarget\fR)
.RE
This error message may be eliminated by adding
\fItarget\fR
as a builtin action in
\m[blue]\fBshorewall6\-actions(5)\fR\m[]\&\s-2\u[1]\d\s+2\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBLOG\fR
.sp
Added in Shorewall 4\&.6\&.0\&. Logs the packet using the specified
\fIlog\-level\fR
and
\fIlog\-tag\fR
(if any)\&. If no log\-level is specified, then \*(Aqinfo\*(Aq is assumed\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBNFLOG\fR(\fInflog\-parameters\fR)
.sp
Added in Shorewall 4\&.6\&.0\&. Queues the packet to a backend logging daemon using the NFLOG netfilter target with the specified
\fInflog\-parameters\fR\&.
.RE
.sp
When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column\&.
.sp
Beginning with Shorewall 4\&.5\&.10, when FORMAT = 3, this column can end with a colon followed by a
\fIchain\-designator\fR\&. The
\fIchain\-designator\fR
can be one of the following:
.PP
P
.RS 4
The rule is added to the raw table PREROUTING chain\&. This is the default if no
\fIchain\-designator\fR
is present\&.
.RE
.PP
O
.RS 4
The rule is added to the raw table OUTPUT chain\&.
.RE
.PP
PO or OP
.RS 4
The rule is added to both the raw table PREROUTING and OUTPUT chains\&.
.RE
.RE
.PP
SOURCE (formats 1 and 2) \(en \fIzone\fR[:\fIinterface\fR][:\fIaddress\-list\fR]
.RS 4
where
\fIzone\fR
is the name of a zone,
\fIinterface\fR
is an interface to that zone, and
\fIaddress\-list\fR
is a comma\-separated list of addresses (may contain exclusion \- see
\m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2
(5))\&.
.sp
Beginning with Shorewall 4\&.5\&.7,
\fBall\fR
can be used as the
\fIzone\fR
name to mean all zones\&.
.sp
Beginning with Shorewall 4\&.5\&.10,
\fBall\-\fR
can be used as the
\fIzone\fR
name to mean all off\-firewall zones\&.
.RE
.PP
SOURCE (format 3) \(en {\-|\fIinterface\fR[:\fIaddress\-list\fR]|\fIaddress\-list\fR}
.RS 4
where
\fIinterface\fR
is the name of an interface (no zone is given in this format) and
\fIaddress\-list\fR
is a comma\-separated list of addresses (may contain exclusion \- see
\m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2
(5))\&.
.sp
COMMENT is only allowed in format 1; the remainder of the line is treated as a comment that will be associated with the generated rule(s)\&.
.RE
.PP
DEST \(en {\-|\fIinterface\fR[:\fIaddress\-list\fR]|\fIaddress\-list\fR}
.RS 4
where
\fIinterface\fR
is the name of an interface and
\fIaddress\-list\fR
is a comma\-separated list of addresses (may contain exclusion \- see
\m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2
(5))\&.
.RE
.PP
PROTO \(en \fIprotocol\-name\-or\-number\fR[,\&.\&.\&.]
.RS 4
A protocol name from /etc/protocols or a protocol number\&.
.sp
Beginning with Shorewall 4\&.5\&.12, this column can accept a comma\-separated list of protocols\&.
.RE
.PP
DPORT \- {\-|\fIport\-number/service\-name\-list\fR|+\fIipset\fR}
.RS 4
A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form
\fIlow\-port\fR:\fIhigh\-port\fR
if your kernel and ip6tables include port range support\&.
.sp
Beginning with Shorewall 4\&.6\&.0, an ipset name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&.
.sp
This column was formerly labelled DEST PORT(S)\&.
.RE
.PP
SPORT \- {\-|\fIport\-number/service\-name\-list\fR|+\fIipset\fR}
.RS 4
A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form
\fIlow\-port\fR:\fIhigh\-port\fR
if your kernel and ip6tables include port range support\&.
.sp
Beginning with Shorewall 4\&.5\&.15, you may place \*(Aq=\*(Aq in this column, provided that the DPORT column is non\-empty\&. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DPORT\&.
.sp
Beginning with Shorewall 4\&.6\&.0, an ipset name can be specified in this column\&. This is intended to be used with bitmap:port ipsets\&.
.sp
This column was formerly labelled SOURCE PORT(S)\&.
.RE
.PP
USER \(en [\fIuser\fR][:\fIgroup\fR]
.RS 4
May only be specified if the SOURCE
\fIzone\fR
is $FW (and, in format 3, only for rules added to the OUTPUT chain, since Netfilter owner matching applies only to locally generated packets)\&. Specifies the effective user id and/or group id of the process sending the traffic\&.
.sp
This column was formerly labelled USER/GROUP\&.
.RE
.PP
SWITCH \- [!]\fIswitch\-name\fR[={0|1}]
.RS 4
Added in Shorewall 4\&.5\&.10; allows enabling and disabling the rule without requiring
\fBshorewall6 restart\fR\&.
.sp
Enables the rule if the value stored in /proc/net/nf_condition/\fIswitch\-name\fR is 1\&.
Disables the rule if that file contains 0 (the default)\&. If \*(Aq!\*(Aq is supplied, the test is inverted such that the rule is enabled if the file contains 0\&.
.sp
Within the
\fIswitch\-name\fR, \*(Aq@0\*(Aq and \*(Aq@{0}\*(Aq are replaced by the name of the chain to which the rule is added\&. The
\fIswitch\-name\fR
(after \*(Aq@\&.\&.\&.\*(Aq expansion) must begin with a letter and be composed of letters, decimal digits, underscores or hyphens\&. Switch names must be 30 characters or less in length\&.
.sp
Switches are normally
\fBoff\fR\&. To turn a switch
\fBon\fR:
.RS 4
\fBecho 1 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR
.RE
To turn it
\fBoff\fR
again:
.RS 4
\fBecho 0 > /proc/net/nf_condition/\fR\fB\fIswitch\-name\fR\fR
.RE
Switch settings are retained over
\fBshorewall6 restart\fR\&.
.sp
When the
\fIswitch\-name\fR
is followed by
\fB=0\fR
or
\fB=1\fR, then the switch is initialized to off or on respectively by the
\fBstart\fR
command\&. Other commands do not affect the switch setting\&.
.RE
.SH "EXAMPLES"
.PP
Example 1:
.PP
Use the FTP helper for TCP port 21 connections from the firewall itself\&.
.sp
.if n \{\
.RS 4
.\}
.nf
?FORMAT 2
#ACTION                       SOURCE  DEST  PROTO  DPORT  SPORT  USER
CT:helper:ftp(expevents=new)  fw      \-    tcp    21
.fi
.if n \{\
.RE
.\}
.PP
Example 2 (Shorewall 4\&.5\&.10 or later):
.PP
Drop all traffic from IPv6 address 2001:db8::4 arriving from off\-firewall zones, and all traffic to that address from any zone, the firewall itself included:
.sp
.if n \{\
.RS 4
.\}
.nf
?FORMAT 2
#ACTION  SOURCE             DEST         PROTO  DPORT  SPORT  USER
DROP     all\-:2001:db8::4  \-
DROP     all                2001:db8::4
.fi
.if n \{\
.RE
.\}
.PP
or
.sp
.if n \{\
.RS 4
.\}
.nf
?FORMAT 3
#ACTION  SOURCE       DEST         PROTO  DPORT  SPORT  USER
DROP:P   2001:db8::4  \-
DROP:PO  \-           2001:db8::4
.fi
.if n \{\
.RE
.\}
.SH "FILES"
.PP
/etc/shorewall6/conntrack
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[3]\d\s+2
.PP
shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-ipsec(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-proxyarp(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-mangle(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall6-actions(5)
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-actions.html
.RE
.IP " 2." 4
shorewall6-exclusion
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-exclusion.html
.RE
.IP " 3." 4
http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RS 4
\%http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RE
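.SH "ADDED EXAMPLE: READING A FORMAT 3 FILE"
.PP
The following POSIX sh function is an added worked example; it is not part of this man page and not Shorewall\*(Aqs own code or compiler output\&. It reads a conntrack file in FORMAT 3, applying the ACTION, chain\-designator, ?FORMAT, ?COMMENT, SOURCE, DEST, PROTO, DPORT and SPORT semantics described above, and prints the ip6tables raw\-table command each line corresponds to, so a reviewer can see what a line asks for before running \fBshorewall6 check\fR\&. The CT target options it emits (\-\-notrack, \-\-helper, \-\-ctevents, \-\-expevents) are the real ip6tables ones; the interface\-versus\-address heuristic, the use of multiport \-\-ports for an SPORT of \*(Aq=\*(Aq, the trailing\-comment handling and the sample file are assumptions of this example\&. Shorewall places its rules in chains of its own rather than directly in PREROUTING/OUTPUT, and the USER and SWITCH columns, ipsets, exclusions and log\-level suffixes on actions other than LOG are not rendered here\&.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: render the FORMAT 3 lines of a
# shorewall6 conntrack file as equivalent ip6tables raw-table commands, using
# the column semantics described in shorewall6-conntrack(5). Shorewall itself
# compiles into its own chains; this is a reading aid for checking a line.
conntrack_render() {
    awk '
    # ASSUMPTION: an interface name is told apart from an IPv6 address by a
    # non-hex character (g-z, _ . + -) in the first colon-separated component.
    function is_iface(s) { return (s ~ /^[A-Za-z0-9_.+-]+$/ && s ~ /[g-zG-Z_.+-]/) }

    # SOURCE/DEST column: - | interface[:address-list] | address-list.
    # -i is only valid in PREROUTING and -o only in OUTPUT (if_ok flag).
    function host_match(spec, iflag, aflag, if_ok,   i, first, rest, m) {
        if (spec == "-") return ""
        i = index(spec, ":"); first = (i ? substr(spec, 1, i - 1) : spec)
        if (!is_iface(first)) return " " aflag " " spec
        rest = (i ? substr(spec, i + 1) : "")
        m = (if_ok ? " " iflag " " first : "")
        return (rest == "" ? m : m " " aflag " " rest)
    }

    # ACTION (chain designator already removed) -> ip6tables target clause.
    # Log-level suffixes on actions other than LOG are not handled.
    function target_of(a,   t, args, k, j, key, val, n, parts) {
        if (a == "NOTRACK" || a == "CT:notrack") return "-j CT --notrack"
        if (a == "DROP") return "-j DROP"
        if (a == "CT:expevents:new") return "-j CT --expevents new"
        if (a ~ /^CT:ctevents:/) return "-j CT --ctevents " substr(a, 13)
        if (a ~ /^LOG(:|$)/) {
            n = split(a, parts, ":"); t = "-j LOG"
            if (n >= 2) t = t " --log-level " parts[2]
            if (n >= 3) t = t " --log-prefix \"" parts[3] "\""
            return t
        }
        if (a ~ /^CT:helper:/) {
            t = substr(a, 11); args = ""          # name[(arg=val,...)]
            if (match(t, /\(.*\)$/)) { args = substr(t, RSTART + 1, RLENGTH - 2); t = substr(t, 1, RSTART - 1) }
            t = "-j CT --helper " t
            while (args != "") {                  # e.g. expevents=new,ctevents=(new,related)
                k = index(args, "="); if (k == 0) return t " # bad helper args: " args
                key = substr(args, 1, k - 1); args = substr(args, k + 1)
                if (substr(args, 1, 1) == "(") { j = index(args, ")"); val = substr(args, 2, j - 2); args = substr(args, j + 1) }
                else { j = index(args, ","); val = (j ? substr(args, 1, j - 1) : args); args = (j ? substr(args, j) : "") }
                sub(/^,/, "", args); t = t " --" key " " val
            }
            return t
        }
        return ""
    }

    function emit(chain, src, dst, m, tgt) {
        printf("ip6tables -t raw -A %s%s%s%s %s\n", chain,
               host_match(src, "-i", "-s", chain == "PREROUTING"),
               host_match(dst, "-o", "-d", chain == "OUTPUT"), m, tgt)
    }

    BEGIN { fmt = 1; comment = "" }
    /^[?]COMMENT/ { sub(/^[?]COMMENT[ \t]*/, ""); comment = $0; next }
    { sub(/[ \t]*#.*$/, "") }                     # strip trailing comments
    /^[ \t]*$/ { next }
    /^[?]?FORMAT[ \t]+[123][ \t]*$/ { fmt = $2 + 0; next }
    fmt != 3 { printf("# skipped (FORMAT %d line): %s\n", fmt, $0); next }
    {
        action = $1; src = $2; dst = $3
        proto = (NF >= 4 ? $4 : "-"); dport = (NF >= 5 ? $5 : "-"); sport = (NF >= 6 ? $6 : "-")
        chain = "P"                               # default chain designator
        if (match(action, /:(P|O|PO|OP)$/)) { chain = substr(action, RSTART + 1); action = substr(action, 1, RSTART - 1) }
        tgt = target_of(action)
        if (tgt == "") { printf("# unsupported ACTION %s: %s\n", action, $0); next }
        if (proto == "-" && (dport != "-" || sport != "-")) { printf("# ERROR: port match needs PROTO: %s\n", $0); next }
        m = (proto == "-" ? "" : " -p " proto); mp = ""; pm = ""
        if (sport == "=") mp = " --ports " dport     # SPORT = : either port in DPORT
        else {
            if (dport != "-") { if (dport ~ /,/) mp = mp " --dports " dport; else pm = pm " --dport " dport }
            if (sport != "-") { if (sport ~ /,/) mp = mp " --sports " sport; else pm = pm " --sport " sport }
        }
        if (mp != "") m = m " -m multiport" mp
        m = m pm
        if (comment != "") m = m " -m comment --comment \"" comment "\""
        if (chain ~ /P/) emit("PREROUTING", src, dst, m, tgt)
        if (chain ~ /O/) emit("OUTPUT", src, dst, m, tgt)
    }' "$@"
}

# Demo on a constructed file; for real use: conntrack_render /etc/shorewall6/conntrack
conntrack_render <<'EOF'
?FORMAT 3
#ACTION                         SOURCE          DEST         PROTO  DPORT  SPORT
CT:helper:ftp(expevents=new):O  -               -            tcp    21
NOTRACK                         eth0:fe80::/10  -            udp    547    546
DROP:PO                         -               2001:db8::4
EOF
```
.PP
The rendering makes two of the page\*(Aqs rules visible at a glance: an interface in SOURCE is dropped from OUTPUT\-chain rules (there is no ingress interface for locally generated packets), and DPORT or SPORT without PROTO is reported as an error rather than silently producing an unmatched port option\&.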
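.SH "ADDED EXAMPLE: DRIVING SWITCHES"
.PP
The SWITCH column above gates a rule on a file under /proc/net/nf_condition\&. The helpers below are an added example, not Shorewall\*(Aqs own tooling: they enforce the switch\-name rules stated for that column before touching the file, refuse to write a switch that the kernel has not exposed, and list the current state of every switch\&. NF_CONDITION_DIR is an assumed variable so the functions can be exercised against a scratch directory without root; it is assumed (not stated on this page) that the xt_condition module creates the proc entry when the first rule referencing the switch is loaded, which is why an absent file is treated as an error rather than created\&.

```shell
#!/bin/sh
# Added example, not Shorewall's own tooling: helpers for the nf_condition
# switches named in the SWITCH column. NF_CONDITION_DIR is an assumed knob so
# the functions can be exercised against a scratch directory without root;
# on a live system leave it at the default.
: "${NF_CONDITION_DIR:=/proc/net/nf_condition}"

# switch_name_ok NAME: the naming rules given for switch-name (after @...
# expansion): a leading letter, then letters, digits, _ or -, 30 chars max.
switch_name_ok() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 30 ] || return 1
    case $1 in
        [A-Za-z]*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# switch_get NAME: print the current value (0 or 1); fails if the switch
# does not exist.
switch_get() {
    switch_name_ok "$1" || { echo "switch_get: invalid switch name '$1'" >&2; return 2; }
    cat "$NF_CONDITION_DIR/$1" 2>/dev/null
}

# switch_set NAME 0|1: flip a switch. ASSUMPTION: the proc entry is created
# by the kernel when a rule referencing the switch is loaded, so an absent
# file means no loaded rule uses it; writing would only create a stray file.
switch_set() {
    switch_name_ok "$1" || { echo "switch_set: invalid switch name '$1'" >&2; return 2; }
    case $2 in
        0|1) ;;
        *) echo "switch_set: value must be 0 or 1" >&2; return 2 ;;
    esac
    f="$NF_CONDITION_DIR/$1"
    [ -f "$f" ] || { echo "switch_set: $f does not exist; no loaded rule references it" >&2; return 1; }
    echo "$2" > "$f"
}

# switch_list: NAME=VALUE for every switch the kernel currently exposes.
switch_list() {
    for f in "$NF_CONDITION_DIR"/*; do
        [ -f "$f" ] || continue
        printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
    done
}
```
.PP
Typical use on a live firewall is \fBswitch_set maint_bypass 1\fR to enable a rule whose SWITCH column names maint_bypass, and \fBswitch_list\fR to audit which bypasses are currently on before a change window closes\&.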