'\" t
.\"     Title: shorewall6-notrack
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\"      Date: 06/28/2012
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL6\-NOTRACK" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
notrack \- shorewall6 notrack file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall6/notrack\fR\ 'u
\fB/etc/shorewall6/notrack\fR
.SH "DESCRIPTION"
.PP
The original intent of the notrack file was to exempt certain traffic from Netfilter connection tracking\&. Traffic matching entries in this file was not to be tracked\&. Note that untracked packets carry the conntrack state UNTRACKED rather than NEW or ESTABLISHED, so rules that rely on stateful matching do not apply to them; traffic exempted here must be permitted by explicit stateless rules in both directions\&.
.PP
The role of the file was expanded in Shorewall 4\&.4\&.27 to include all rules that can be added in the Netfilter \fBraw\fR table\&.
.PP
The file supports two different column layouts: FORMAT 1 and FORMAT 2, FORMAT 1 being the default\&. The two differ in that FORMAT 2 has an additional leading ACTION column\&.
When an entry of the following form is encountered, the entries that follow it are assumed to be in the specified \fIformat\fR\&.
.RS 4
FORMAT \fIformat\fR
.RE
.PP
where \fIformat\fR is either \fB1\fR or \fB2\fR\&.
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBACTION\fR \(en {\fBNOTRACK\fR|\fBCT\fR:\fIoption\fR:\fIargs\fR}
.RS 4
This column is only present when FORMAT = 2\&. Values other than NOTRACK require CT target support in your iptables and kernel\&.
.sp
Possible values for \fIoption\fR and \fIargs\fR are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBnotrack\fR (no \fIarg\fR)
.sp
Disables connection tracking for this packet, the same as if NOTRACK had been specified in this column\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBhelper\fR:\fIname\fR
.sp
Attach the connection tracking helper identified by \fIname\fR to this connection\&. This is more flexible than loading the conntrack helper module with preset ports\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBctevents\fR:\fIevent\fR,\&.\&.\&.
.sp
Only generate the specified conntrack events for this connection\&. Possible event types are: \fBnew\fR, \fBrelated\fR, \fBdestroy\fR, \fBreply\fR, \fBassured\fR, \fBprotoinfo\fR, \fBhelper\fR, \fBmark\fR (this is the connection mark, not the packet mark), \fBnatseqinfo\fR, and \fBsecmark\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBexpevents\fR:\fBnew\fR
.sp
Only generate \fBnew\fR expectation events for this connection\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBzone\fR:\fIid\fR
.sp
Assign this packet to conntrack zone \fIid\fR and only perform lookups in that zone\&. By default, packets are in zone 0\&.
.RE
.sp
When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column\&.
.RE
.PP
\fBSOURCE\fR \(en \fIzone\fR[:\fIinterface\fR][:\fIaddress\-list\fR]
.RS 4
where \fIzone\fR is the name of a zone, \fIinterface\fR is an interface to that zone, and \fIaddress\-list\fR is a comma\-separated list of addresses (may contain exclusion \- see \m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[1]\d\s+2 (5))\&.
.RE
.PP
\fBDEST\fR \(en [\fIinterface\fR|\fIaddress\-list\fR]
.RS 4
where \fIaddress\-list\fR is a comma\-separated list of addresses (may contain exclusion \- see \m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[1]\d\s+2 (5))\&. If an interface is given:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
It must be up and configured with an IPv6 address when Shorewall is started or restarted\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
All routes out of the interface must be configured when Shorewall is started or restarted\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Default routes out of the interface will result in a warning message and will be ignored\&.
.RE
.RE
.PP
\fBPROTO\fR \(en \fIprotocol\-name\-or\-number\fR
.RS 4
A protocol name from /etc/protocols or a protocol number\&.
.RE
.PP
\fBDEST PORT(S)\fR (dport) \(en \fIport\-number/service\-name\-list\fR
.RS 4
A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&.
.RE
.PP
\fBSOURCE PORT(S)\fR (sport) \(en \fIport\-number/service\-name\-list\fR
.RS 4
A comma\-separated list of port numbers and/or service names from /etc/services\&. May also include port ranges of the form \fIlow\-port\fR:\fIhigh\-port\fR if your kernel and iptables include port range support\&.
.RE
.PP
\fBUSER/GROUP\fR (user) \(en [\fIuser\fR][:\fIgroup\fR]
.RS 4
May only be specified if the SOURCE \fIzone\fR is $FW, because the Netfilter owner match applies only to locally generated traffic\&. Specifies the effective user id and/or group id of the process sending the traffic\&.
.RE
.SH "FILES"
.PP
/etc/shorewall6/notrack
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]
.PP
shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-ipsec(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-proxyarp(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-tcrules(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall6-exclusion
.RS 4
\%http://www.shorewall.net/manpages6/shorewall-exclusion.html
.RE
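.SH "EXAMPLE"
.PP
The following is an added example and is not part of Shorewall or of this manual page: a small Python parser and validator for the column layout described above, run over a constructed \fInotrack\fR file that uses both NOTRACK and CT entries in FORMAT 2\&. It checks the points a reviewer would look for (valid ACTION values, known \fBctevents\fR names, \fBexpevents\fR limited to \fBnew\fR, a numeric \fBzone\fR id, and USER/GROUP only when SOURCE is $FW) and renders the ip6tables \fBCT\fR target options that correspond to each ACTION\&. The rendered target fragments illustrate the raw\-table CT target options; they are not a claim about the exact rules Shorewall generates, the column names used as dictionary keys are the example\*(Aqs own, and the alternate \fIname\fR=\fIvalue\fR column syntax is not handled\&.

```python
"""Parser/validator for the /etc/shorewall6/notrack column layout.

Added example; not Shorewall's own parser.  It follows the layout documented
in shorewall6-notrack(5): an optional leading ACTION column (FORMAT 2 only),
then SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), USER/GROUP.  The
ip6tables fragments produced by ct_target() illustrate the raw-table CT target
options and are not a claim about the exact rules Shorewall generates.
"""

# Positional columns after the (optional) ACTION column, in file order.
# The lower-case key names are this example's own choice.
COLUMNS = ["source", "dest", "proto", "dport", "sport", "user"]

# Event names accepted by CT:ctevents, as listed in the manual page.
CT_EVENTS = {"new", "related", "destroy", "reply", "assured",
             "protoinfo", "helper", "mark", "natseqinfo", "secmark"}


class NotrackError(ValueError):
    """Raised for an entry that violates the documented layout."""


def parse_action(action, lineno):
    """Validate an ACTION value and return (option, args).

    NOTRACK and CT:notrack both become ("notrack", None); ctevents args are
    returned as a list and the zone id as an int.
    """
    if action == "NOTRACK":
        return ("notrack", None)
    parts = action.split(":", 2)
    if parts[0] != "CT" or len(parts) < 2:
        raise NotrackError(f"line {lineno}: bad ACTION {action!r}")
    option = parts[1]
    args = parts[2] if len(parts) == 3 else None
    if option == "notrack":
        if args is not None:
            raise NotrackError(f"line {lineno}: CT:notrack takes no argument")
        return ("notrack", None)
    if option == "helper":
        if not args:
            raise NotrackError(f"line {lineno}: CT:helper needs a helper name")
        return ("helper", args)
    if option == "ctevents":
        events = args.split(",") if args else []
        bad = [e for e in events if e not in CT_EVENTS]
        if not events or bad:
            raise NotrackError(f"line {lineno}: unknown ctevents {bad}")
        return ("ctevents", events)
    if option == "expevents":
        if args != "new":
            raise NotrackError(f"line {lineno}: expevents only accepts 'new'")
        return ("expevents", "new")
    if option == "zone":
        if args is None or not args.isdigit():
            raise NotrackError(f"line {lineno}: CT:zone needs a numeric id")
        return ("zone", int(args))
    raise NotrackError(f"line {lineno}: unknown CT option {option!r}")


def parse_notrack(text):
    """Parse notrack file text into a list of entry dicts (FORMAT 1 default)."""
    fmt = 1
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "FORMAT":                # FORMAT 1 | FORMAT 2 directive
            if len(tokens) != 2 or tokens[1] not in ("1", "2"):
                raise NotrackError(f"line {lineno}: FORMAT must be 1 or 2")
            fmt = int(tokens[1])
            continue
        if fmt == 2:
            action, rest = tokens[0], tokens[1:]
        else:                                    # FORMAT 1: implicit NOTRACK
            action, rest = "NOTRACK", tokens
        if not rest:
            raise NotrackError(f"line {lineno}: SOURCE column is required")
        if len(rest) > len(COLUMNS):
            raise NotrackError(f"line {lineno}: too many columns")
        rest += ["-"] * (len(COLUMNS) - len(rest))   # "-" marks an empty column
        entry = dict(zip(COLUMNS, rest))
        entry["action"] = parse_action(action, lineno)
        entry["line"] = lineno
        # USER/GROUP is only meaningful for locally generated traffic.
        if entry["user"] != "-" and entry["source"].split(":", 1)[0] != "$FW":
            raise NotrackError(f"line {lineno}: USER/GROUP requires SOURCE zone $FW")
        entries.append(entry)
    return entries


def ct_target(option, args):
    """Render the ip6tables raw-table CT target fragment for a parsed ACTION."""
    if option == "notrack":
        return "-j CT --notrack"
    if option == "helper":
        return f"-j CT --helper {args}"
    if option == "ctevents":
        return "-j CT --ctevents " + ",".join(args)
    if option == "expevents":
        return "-j CT --expevents new"
    return f"-j CT --zone {args}"


# Constructed sample file (not taken from the manual page).
SAMPLE = """\
FORMAT 2
#ACTION                  SOURCE    DEST  PROTO  DPORT  SPORT  USER
NOTRACK                  net       -     udp    53
CT:helper:ftp            net       -     tcp    21
CT:ctevents:new,destroy  loc       -     tcp    443
CT:zone:1                net:eth0  -     udp    4500
NOTRACK                  $FW       -     tcp    -      -      root
"""

if __name__ == "__main__":
    for e in parse_notrack(SAMPLE):
        print(e["line"], e["source"], e["proto"], e["dport"], ct_target(*e["action"]))
```
.PP
Run the script directly to print each parsed entry with its CT target fragment; feed it a real file with parse_notrack(open(path).read()) to lint it before a \fBshorewall6 restart\fR\&.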