'\" t
.\" Title: shorewall6-notrack
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\" Date: 06/28/2012
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
.TH "SHOREWALL6\-NOTRACK" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
notrack \- shorewall notrack file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall/notrack\fR\ 'u
\fB/etc/shorewall/notrack\fR
.SH "DESCRIPTION"
.PP
The original intent of the notrack file was to exempt certain traffic from Netfilter connection tracking\&. Traffic matching entries in this file were not to be tracked\&.
.PP
The role of the file was expanded in Shorewall 4\&.4\&.27 to include all rules that can be added in the Netfilter \fBraw\fR table\&.
.PP
The file supports two different column layouts: FORMAT 1 and FORMAT 2, FORMAT 1 being the default\&. The two differ in that FORMAT 2 has an additional leading ACTION column\&. When an entry of the following form is encountered in the file, the entries that follow it are assumed to be of the specified \fIformat\fR\&.
.RS 4
\fBFORMAT\fR \fIformat\fR
.RE
.PP
where \fIformat\fR is either \fB1\fR or \fB2\fR\&.
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBACTION\fR \- {\fBNOTRACK\fR|\fBCT\fR:\fIoption\fR[:\fIarg,\&.\&.\&.\fR]}
.RS 4
This column is only present when FORMAT = 2\&. Values other than NOTRACK require CT Target support in your iptables and kernel\&.
.sp
Possible values for \fIoption\fR and \fIarg\fRs are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBnotrack\fR (no \fIarg\fR)
.sp
Disables connection tracking for this packet, the same as if NOTRACK had been specified in this column\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBhelper\fR:\fIname\fR
.sp
Use the helper identified by \fIname\fR for this connection\&. This is more flexible than loading the conntrack helper module with preset ports\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBctevents\fR:\fIevent\fR,\&.\&.\&.
.sp
Only generate the specified conntrack events for this connection\&. Possible event types are: \fBnew\fR, \fBrelated\fR, \fBdestroy\fR, \fBreply\fR, \fBassured\fR, \fBprotoinfo\fR, \fBhelper\fR, \fBmark\fR (this is the connection mark, not the packet mark), \fBnatseqinfo\fR, and \fBsecmark\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBexpevents\fR\fB:new\fR
.sp
Only generate new expectation events for this connection\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBzone\fR:\fIid\fR
.sp
Assign this packet to zone \fIid\fR and only have lookups done in that zone\&. By default, packets have zone 0\&.
.RE
.sp
When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column\&.
.RE
.PP
SOURCE \(en {\fIzone\fR[:\fIinterface\fR][:\fIaddress\-list\fR]|COMMENT}
.RS 4
where \fIzone\fR is the name of a zone, \fIinterface\fR is an interface to that zone, and \fIaddress\-list\fR is a comma\-separated list of addresses (may contain exclusion \- see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[1]\d\s+2 (5))\&.
.sp
Comments may be attached to Netfilter rules generated from entries in this file through the use of COMMENT lines\&. These lines begin with the word COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another COMMENT line is found or until the end of the file is reached\&. To stop adding comments to rules, use a line with only the word COMMENT\&.
.RE
.PP
DEST \(en [\fIinterface\fR|\fIaddress\-list\fR]
.RS 4
where \fIinterface\fR is the name of a network interface and \fIaddress\-list\fR is a comma\-separated list of addresses (may contain exclusion \- see \m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[1]\d\s+2 (5))\&. If an interface is given:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
It must be up and configured with an IPv4 address when Shorewall is started or restarted\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
All routes out of the interface must be configured when Shorewall is started or restarted\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Default routes out of the interface will result in a warning message and will be ignored\&.
.RE
.sp
These restrictions exist because Netfilter doesn\*(Aqt support NOTRACK rules that specify a destination interface (these rules are applied before packets are routed, so the destination interface is not yet known)\&. Shorewall therefore uses the routes out of the interface to replace the interface with an address list corresponding to the networks routed out of the named interface\&.
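The following is an added example, not Shorewall's own code, showing the substitution the DEST column description above requires: the interface name is replaced by the networks routed out of that interface, and default routes are reported with a warning and ignored. The routing table is constructed sample input in the shape of `ip -4 route show` output; the function names are hypothetical, and treating an interface with no usable route as an error is this example's own choice.

```python
"""Replace a DEST interface with the networks routed out of it, as notrack(5)
says Shorewall does.

Added example, not Shorewall's own code. Raw-table NOTRACK rules run before the
routing decision, so they cannot match a destination interface; the page says
Shorewall substitutes an address list built from the routes out of the
interface and ignores default routes with a warning. SAMPLE_ROUTES is
constructed input shaped like `ip -4 route show`; function names are
hypothetical; raising when no usable route exists is this example's choice.
"""
import ipaddress

# Constructed sample routing table in the shape of `ip -4 route show` output.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.1
198.51.100.0/26 via 192.0.2.254 dev eth1
10.0.0.0/8 via 192.0.2.254 dev eth1
169.254.0.0/16 dev eth1 scope link metric 1002
"""


def routes_out_of(route_table: str, interface: str):
    """Yield the destination of every route whose egress device is `interface`."""
    for line in route_table.splitlines():
        fields = line.split()
        # The token after `dev` is the egress interface of the route.
        if "dev" in fields and fields[fields.index("dev") + 1] == interface:
            yield fields[0]


def dest_interface_to_address_list(route_table: str, interface: str):
    """Return (address_list, warnings): the comma-separated networks that stand
    in for DEST=<interface>, plus one warning per ignored default route."""
    networks, warnings = [], []
    for dest in routes_out_of(route_table, interface):
        if dest == "default":
            # Default routes are skipped with a warning, as the DEST column states.
            warnings.append(f"WARNING: default route out of {interface} ignored")
            continue
        networks.append(ipaddress.ip_network(dest, strict=False))
    if not networks:
        raise ValueError(f"{interface}: no non-default routes out of interface")
    # Merge overlapping or adjacent prefixes so the generated match list is minimal.
    merged = sorted(ipaddress.collapse_addresses(networks))
    return ",".join(str(n) for n in merged), warnings


if __name__ == "__main__":
    for iface in ("eth0", "eth1"):
        addresses, warnings = dest_interface_to_address_list(SAMPLE_ROUTES, iface)
        for w in warnings:
            print(w)
        print(f"DEST {iface} -> {addresses}")
```

Run against the sample table, eth0 yields only 203.0.113.0/24 with one warning for the ignored default route, while eth1 yields its four routed networks and no warning; an interface with no non-default route raises, which corresponds to the requirement that the interface be up with its routes configured when Shorewall starts.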
.RE
.PP
PROTO \(en \fIprotocol\-name\-or\-number\fR
.RS 4
A protocol name from /etc/protocols or a protocol number\&.
.RE
.PP
DEST PORT(S) (dport) \- port\-number/service\-name\-list
.RS 4
A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&.
.RE
.PP
SOURCE PORT(S) (sport) \- port\-number/service\-name\-list
.RS 4
A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&.
.RE
.PP
USER/GROUP (user) \(en [\fIuser\fR][:\fIgroup\fR]
.RS 4
May only be specified if the SOURCE \fIzone\fR is $FW\&. Specifies the effective user id and/or group id of the process sending the traffic\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/notrack
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsets(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall-exclusion
.RS 4
\%http://www.shorewall.net/manpages/shorewall-exclusion.html
.RE
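The following is an added example, not Shorewall's own parser, that reads a notrack file using the column layouts, FORMAT and COMMENT lines, ACTION values and USER/GROUP restriction described above, and reports entries that violate them. The embedded sample file is constructed, with its last two entries deliberately wrong; two conventions it relies on are not stated on this page and are assumed (`-` marks an empty column and `#` starts a comment, as elsewhere in Shorewall), and all function and class names are hypothetical.

```python
"""Parse and lint a Shorewall notrack file as notrack(5) describes it.

Added example, not Shorewall's own parser. From the man page: FORMAT 1 (the
default) has columns SOURCE DEST PROTO DPORT SPORT USER/GROUP, FORMAT 2 adds a
leading ACTION; a `FORMAT n` line switches layouts for the entries that follow;
COMMENT attaches a comment to following rules (bare COMMENT clears it); ACTION
is NOTRACK or CT:option[:arg,...]; USER/GROUP requires SOURCE zone $FW.
Assumed, not on the page: `-` is an empty column, `#` starts a comment.
"""
from dataclasses import dataclass, field
from typing import Optional

FORMAT1 = ("source", "dest", "proto", "dport", "sport", "user")
FORMAT2 = ("action",) + FORMAT1
CT_OPTIONS = {"notrack", "helper", "ctevents", "expevents", "zone"}
CT_EVENTS = {"new", "related", "destroy", "reply", "assured", "protoinfo",
             "helper", "mark", "natseqinfo", "secmark"}

# Constructed sample file; the last two entries are deliberately wrong.
SAMPLE_NOTRACK = """\
# FORMAT 1 is the default: SOURCE DEST PROTO DPORT SPORT USER/GROUP
COMMENT Leave internal DNS untracked
loc:eth1:192.0.2.0/24   10.0.0.53   udp   53
COMMENT
FORMAT 2
CT:helper:ftp           loc    -    tcp   21
CT:ctevents:new,destroy net    -    tcp   80,443
CT:zone:3               dmz:eth2
NOTRACK                 $FW    -    tcp   -    -    postfix
NOTRACK                 loc    -    tcp   -    -    root
CT:bogus:1              net    -    tcp   22
"""


@dataclass
class NotrackRule:
    lineno: int
    action: str                      # "NOTRACK" or "CT:<option>[:<args>]"
    source: str
    dest: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    sport: Optional[str] = None
    user: Optional[str] = None
    comment: Optional[str] = None
    problems: list = field(default_factory=list)


def check_action(action: str) -> list:
    """Return problems with an ACTION value, per the CT option list in notrack(5)."""
    if action == "NOTRACK":
        return []
    parts = action.split(":")
    if parts[0] != "CT" or len(parts) < 2 or parts[1] not in CT_OPTIONS:
        return [f"unknown ACTION {action!r}"]
    option, args = parts[1], parts[2:]
    if option == "notrack" and args:
        return ["CT:notrack takes no argument"]
    if option == "helper" and len(args) != 1:
        return ["CT:helper needs exactly one helper name"]
    if option == "ctevents" and (not args or set(args[0].split(",")) - CT_EVENTS):
        return [f"CT:ctevents: unknown event in {args}"]
    if option == "expevents" and args != ["new"]:
        return ["CT:expevents only accepts new"]
    if option == "zone" and (len(args) != 1 or not args[0].isdigit()):
        return ["CT:zone needs a numeric zone id"]
    return []


def parse_notrack(text: str) -> list:
    """Parse the file into NotrackRule objects, honouring FORMAT and COMMENT lines."""
    rules, columns, comment = [], FORMAT1, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "FORMAT":              # switch layout for the entries that follow
            if fields[1:] not in (["1"], ["2"]):
                raise ValueError(f"line {lineno}: FORMAT must be 1 or 2")
            columns = FORMAT1 if fields[1] == "1" else FORMAT2
            continue
        if fields[0] == "COMMENT":             # bare COMMENT stops attaching comments
            comment = " ".join(fields[1:]) or None
            continue
        values = dict.fromkeys(columns)
        values.update((n, None if v == "-" else v) for n, v in zip(columns, fields))
        if values["source"] is None or ("action" in columns and values["action"] is None):
            raise ValueError(f"line {lineno}: SOURCE (and ACTION in FORMAT 2) required")
        # FORMAT 1 has no ACTION column: the rule behaves as if NOTRACK were given.
        rule = NotrackRule(lineno=lineno, action=values.get("action") or "NOTRACK",
                           comment=comment, **{k: values[k] for k in FORMAT1})
        rule.problems += check_action(rule.action)
        if rule.user is not None and rule.source.split(":")[0] != "$FW":
            rule.problems.append("USER/GROUP is only allowed when the SOURCE zone is $FW")
        rules.append(rule)
    return rules


def lint(text: str) -> list:
    """Return 'line N: problem' strings for every defect found."""
    return [f"line {r.lineno}: {p}" for r in parse_notrack(text) for p in r.problems]
```

On the sample file, `lint(SAMPLE_NOTRACK)` flags line 10 (a USER/GROUP value on a rule whose SOURCE zone is not $FW) and line 11 (a CT option that is not one of the five the page lists); the first entry, read under the default FORMAT 1, carries the attached COMMENT and the implied NOTRACK action, and the entries after the bare COMMENT line carry none.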