'\" t
.\"     Title: shorewall-exclusion
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\"      Date: 06/28/2012
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL\-EXCLUSION" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
exclusion \- Exclude a set of hosts from a definition in a shorewall configuration file\&.
.SH "SYNOPSIS"
.HP \w'\ 'u
\fB!\fR\fIaddress\-or\-range\fR[,\fIaddress\-or\-range\fR]...
.HP \w'\ 'u
\fB!\fR\fIzone\-name\fR[,\fIzone\-name\fR]...
.SH "DESCRIPTION"
.PP
The first form of exclusion is used when you wish to exclude one or more addresses from a definition\&. An exclamation point is followed by a comma\-separated list of addresses\&. The addresses may be single host addresses (e\&.g\&., 192\&.168\&.1\&.4) or they may be network addresses in CIDR format (e\&.g\&., 192\&.168\&.1\&.0/24)\&.
If your kernel and iptables include iprange support, you may also specify ranges of IP addresses of the form \fIlowaddress\fR\-\fIhighaddress\fR\&.
.PP
No embedded whitespace is allowed\&.
.PP
An exclusion can also appear after a list of addresses and/or address ranges\&. In that case, the final list of addresses is formed by taking the first list and then removing the addresses named in the exclusion\&.
.PP
Beginning in Shorewall 4\&.4\&.13, the second form of exclusion is allowed after \fBall\fR and \fBany\fR in the SOURCE and DEST columns of /etc/shorewall/rules\&. It allows you to omit arbitrary zones from the list generated by those keywords\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
If you omit a sub\-zone and there is an explicit or implicit CONTINUE policy, a connection to/from that zone can still be matched by the rule generated for a parent zone\&. Excluding the sub\-zone removes it from the expanded zone list only; it does not stop its hosts from matching the parent zone\*(Aqs rule\&.
.PP
For example:
.PP
/etc/shorewall/zones:
.sp
.if n \{\
.RS 4
.\}
.nf
#ZONE       TYPE
z1          ip
z2:z1       ip
\&.\&.\&.
.fi
.if n \{\
.RE
.\}
.PP
/etc/shorewall/policy:
.sp
.if n \{\
.RS 4
.\}
.nf
#SOURCE     DEST        POLICY
z1          net         CONTINUE
z2          net         REJECT
.fi
.if n \{\
.RE
.\}
.PP
/etc/shorewall/rules:
.sp
.if n \{\
.RS 4
.\}
.nf
#ACTION     SOURCE      DEST        PROTO       DEST
#                                               PORT(S)
ACCEPT      all!z2      net         tcp         22
.fi
.if n \{\
.RE
.\}
.PP
In this case, SSH connections from \fBz2\fR to \fBnet\fR will be accepted by the generated \fBz1\fR to net ACCEPT rule\&.
.sp .5v
.RE
.PP
In most contexts, ipset names can be used as an \fIaddress\-or\-range\fR\&. Beginning with Shorewall 4\&.4\&.14, ipset lists enclosed in +[\&.\&.\&.] may also be included (see \m[blue]\fBshorewall\-ipsets\fR\m[]\&\s-2\u[1]\d\s+2 (5))\&. The semantics of these lists when used in an exclusion are as follows:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
!+[\fIset1\fR,\fIset2\fR,\&.\&.\&.\fIsetN\fR] produces a packet match if the packet does not match at least one of the sets\&.
In other words, it is like NOT match \fIset1\fR OR NOT match \fIset2\fR \&.\&.\&. OR NOT match \fIsetN\fR; a packet is excluded only when it is a member of every one of the sets\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
+[!\fIset1\fR,!\fIset2\fR,\&.\&.\&.!\fIsetN\fR] produces a packet match if the packet does not match any of the sets\&. In other words, it is like NOT match \fIset1\fR AND NOT match \fIset2\fR \&.\&.\&. AND NOT match \fIsetN\fR; a packet is excluded as soon as it is a member of any one of the sets\&.
.RE
.SH "EXAMPLES"
.PP
Example 1 \- All IPv4 addresses except 192\&.168\&.3\&.4
.RS 4
!192\&.168\&.3\&.4
.RE
.PP
Example 2 \- All IPv4 addresses except the network 192\&.168\&.1\&.0/24 and the host 10\&.2\&.3\&.4
.RS 4
!192\&.168\&.1\&.0/24,10\&.2\&.3\&.4
.RE
.PP
Example 3 \- All IPv4 addresses except the range 192\&.168\&.1\&.3\-192\&.168\&.1\&.12 and the network 10\&.0\&.0\&.0/8
.RS 4
!192\&.168\&.1\&.3\-192\&.168\&.1\&.12,10\&.0\&.0\&.0/8
.RE
.PP
Example 4 \- The network 192\&.168\&.1\&.0/24 except hosts 192\&.168\&.1\&.3 and 192\&.168\&.1\&.9
.RS 4
192\&.168\&.1\&.0/24!192\&.168\&.1\&.3,192\&.168\&.1\&.9
.RE
.PP
Example 5 \- All parent zones except loc
.RS 4
any!loc
.RE
.SH "FILES"
.PP
/etc/shorewall/hosts
.PP
/etc/shorewall/masq
.PP
/etc/shorewall/rules
.PP
/etc/shorewall/tcrules
.SH "SEE ALSO"
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall-ipsets
.RS 4
\%http://www.shorewall.net/manpages/shorewall-ipsets.html
.RE
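.SH "WORKED EXAMPLE"
.PP
The following Python program is an added example for this page and is not part of Shorewall or its documentation\&. It re\-implements, for offline checking, the matching semantics described above: host, CIDR and \fIlowaddress\fR\-\fIhighaddress\fR elements, ipset names, both +[\&.\&.\&.] forms and their behaviour inside an exclusion, the \fIlist\fR!\fIexclusion\fR form, and the expansion of \fBall\fR!\fIzone\fR,\&.\&.\&. together with a check for the sub\-zone situation described in the Warning\&. The ipset contents, the zones table and all function names are assumptions made for the example; \fBall\fR and \fBany\fR are treated alike, which is a simplification this page does not make\&.

```python
"""Evaluate shorewall-exclusion(5) syntax offline (added example, not Shorewall
code).  It re-implements the matching semantics the man page describes for
address lists and all!zone lists; the ipsets and zones below are constructed."""
import ipaddress

IPSETS = {  # constructed stand-ins for kernel ipsets used as +admins, +printers
    "admins": {"192.168.1.3", "192.168.1.9", "192.168.1.20"},
    "printers": {"192.168.1.20", "192.168.1.21"},
}
ZONES = """\
#ZONE   TYPE
fw      firewall
net     ipv4
z1      ipv4
z2:z1   ipv4
"""  # constructed /etc/shorewall/zones; 'child:parent' declares a sub-zone

def _split_top(text, sep):
    """str.split(sep) that ignores separators inside +[...] brackets."""
    parts, depth = [""], 0
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == sep and depth == 0:
            parts.append("")
        else:
            parts[-1] += ch
    return parts

def _parse_item(item):
    """Return a predicate ip -> bool for one address-or-range element."""
    if item.startswith("+[") and item.endswith("]"):
        # +[a,!b] becomes several --match-set tests on one iptables rule, so
        # the element matches only when every member test passes (AND).
        tests = [(IPSETS[n.lstrip("!")], n.startswith("!"))
                 for n in _split_top(item[2:-1], ",") if n]
        return lambda ip: all((str(ip) in s) != neg for s, neg in tests)
    if item.startswith("+"):                          # single ipset name
        members = IPSETS[item[1:]]
        return lambda ip: str(ip) in members
    if "-" in item:                                   # iprange: low-high
        lo, hi = (ipaddress.ip_address(a) for a in item.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(item, strict=False)    # host or CIDR
    return lambda ip: ip in net

def compile_exclusion(spec):
    """Compile 'list!exclusion', '!exclusion' or 'list' into match(addr):
    the first list minus the exclusion, or 'everything except' for a bare one."""
    if spec != "".join(spec.split()):
        raise ValueError("embedded whitespace is not allowed: %r" % spec)
    parts = _split_top(spec, "!")           # a '!' inside +[...] is not a split
    if len(parts) > 2 or parts[-1] == "":
        raise ValueError("malformed exclusion: %r" % spec)
    head, tail = parts[0], (parts[1] if len(parts) == 2 else "")
    include = [_parse_item(i) for i in _split_top(head, ",") if i]
    exclude = [_parse_item(i) for i in _split_top(tail, ",") if i]

    def match(addr):
        ip = ipaddress.ip_address(addr)
        if include and not any(p(ip) for p in include):
            return False
        # Excluded when any exclusion element matches.  For !+[s1,s2] that one
        # element is (s1 AND s2), so the rule matches NOT s1 OR NOT s2.
        return not any(p(ip) for p in exclude)
    return match

def parse_zones(text):
    """Return {zone: [parents]} from the #ZONE column of a zones file."""
    parents = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            zone, _, parent = fields[0].partition(":")
            parents[zone] = parent.split(",") if parent else []
    return parents

def _ancestors(zone, parents):
    """Transitive parents of zone (a sub-zone may itself have sub-zones)."""
    direct = set(parents.get(zone, []))
    return direct.union(*(_ancestors(p, parents) for p in direct))

def expand_zone_list(spec, parents):
    """Expand 'all!z2' into (zones, shadowed).  shadowed lists excluded zones
    whose ancestor is still in zones: under an explicit or implicit CONTINUE
    policy their traffic can still match the ancestor's rule (see Warning).
    all and any are treated alike here."""
    keyword, _, excl = spec.partition("!")
    if keyword not in ("all", "any"):
        raise ValueError("zone exclusion is only allowed after all/any")
    excluded = [z for z in excl.split(",") if z]
    unknown = [z for z in excluded if z not in parents]
    if unknown:
        raise ValueError("unknown zone(s): %s" % ",".join(unknown))
    zones = [z for z in parents if z not in excluded]
    shadowed = [z for z in excluded if _ancestors(z, parents) & set(zones)]
    return zones, shadowed

if __name__ == "__main__":   # prints (['fw', 'net', 'z1'], ['z2']): z2 is shadowed by z1
    print(expand_zone_list("all!z2", parse_zones(ZONES)))
```
.PP
The two ipset forms differ exactly as the bullets above state: with the constructed sets, \fB!+[admins,printers]\fR matches every address except 192\&.168\&.1\&.20 (the only member of both sets), while \fB+[!admins,!printers]\fR matches only addresses that belong to neither set\&. For the zone form, a non\-empty \fIshadowed\fR result for \fBall!z2\fR is the case the Warning describes: the rule is still generated for \fBz1\fR, and hosts in \fBz2\fR are also hosts in \fBz1\fR\&.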