files - Shorewall Configuration Files
The following are the Shorewall[6] configuration files:
•/etc/shorewall/shorewall.conf and
/etc/shorewall6/shorewall6.conf[1] - used to set global firewall
parameters.
•/etc/shorewall[6]/params[2] - use this
file to set shell variables that you will expand in other files. It is always
processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in
/etc/shorewall/shorewall.conf.
•/etc/shorewall[6]/zones[3] - partition the
firewall's view of the world into zones.
•/etc/shorewall[6]/policy[4] - establishes
firewall high-level policy.
•/etc/shorewall[6]/initdone - An optional Perl
script that will be invoked by the Shorewall rules compiler when the compiler
has finished its initialization.
•/etc/shorewall[6]/interfaces[5] -
describes the interfaces on the firewall system.
•/etc/shorewall[6]/hosts[6] - allows
defining zones in terms of individual hosts and subnetworks.
•/etc/shorewall[6]/masq[7] - directs the
firewall where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation (SNAT).
Superseded by /etc/shorewall[6]/snat in Shorewall 5.0.14 and not supported in
Shorewall 5.1.0 and later versions.
•/etc/shorewall[6]/mangle[8] - supersedes
/etc/shorewall/tcrules in Shorewall 4.6.0. Contains rules for packet marking,
TTL, TPROXY, etc.
•/etc/shorewall[6]/rules[9] - defines rules
that are exceptions to the overall policies established in
/etc/shorewall/policy.
•/etc/shorewall[6]/nat[10] - defines
one-to-one NAT rules.
•/etc/shorewall6/proxyarp[11] - defines use
of Proxy ARP.
•/etc/shorewall6/proxyndp[12] - defines use
of Proxy NDP.
•/etc/shorewall[6]/routestopped - defines hosts
accessible when Shorewall is stopped. Superseded in Shorewall 4.6.8 by
/etc/shorewall/stoppedrules. Not supported in Shorewall 5.0.0 and later
versions.
•/etc/shorewall[6]/tcrules[13] - The file
has a rather unfortunate name because it is used to define marking of packets
for later use by both traffic control/shaping and policy routing. This file is
superseded by /etc/shorewall/mangle in Shorewall 4.6.0. Not supported in
Shorewall 5.0.0 and later releases.
•/etc/shorewall[6]/tos[14] - defines rules
for setting the TOS field in packet headers. Superseded in Shorewall 4.5.1 by
the TOS target in /etc/shorewall/tcrules (a file that has since been superseded
by /etc/shorewall/mangle). Not supported in Shorewall 5.0.0 and later
versions.
•/etc/shorewall[6]/tunnels[15] - defines
tunnels (VPN) with end-points on the firewall system.
•/etc/shorewall[6]/blacklist[16] -
Deprecated in favor of /etc/shorewall/blrules. Lists blacklisted IP/subnet/MAC
addresses. Not supported in Shorewall 5.0.0 and later releases.
•/etc/shorewall[6]/blrules — Added in
Shorewall 4.5.0. Define blacklisting and whitelisting. Supersedes
/etc/shorewall/blacklist.
•/etc/shorewall[6]/init - shell commands that you
wish to execute at the beginning of a “shorewall start”,
“shorewall reload” or “shorewall restart”.
•/etc/shorewall[6]/start - shell commands that you
wish to execute near the completion of a “shorewall start”,
“shorewall reload” or “shorewall restart”.
•/etc/shorewall[6]/started - shell commands that
you wish to execute after the completion of a “shorewall start”,
“shorewall reload” or “shorewall restart”.
•/etc/shorewall[6]/stop - commands that you wish to
execute at the beginning of a “shorewall stop”.
•/etc/shorewall[6]/stopped - shell commands that
you wish to execute at the completion of a “shorewall stop”.
•/etc/shorewall/ecn[17] - disable Explicit
Congestion Notification (ECN - RFC 3168) to remote hosts or networks.
Superseded by ECN entries in /etc/shorewall/mangle in Shorewall 5.0.6.
•/etc/shorewall/accounting[18] - define IP
traffic accounting rules
•/etc/shorewall[6]/actions[19] and
/usr/share/shorewall[6]/action.template allow user-defined actions.
•/etc/shorewall[6]/providers[20] - defines
alternate routing tables.
•/etc/shorewall[6]/rtrules[21] - Defines
routing rules to be used in conjunction with the routing tables defined in
/etc/shorewall/providers.
•/etc/shorewall[6]/tcdevices[22],
/etc/shorewall[6]/tcclasses[23], /etc/shorewall[6]/tcfilters[24]
- Define complex traffic shaping.
•/etc/shorewall[6]/tcrules[13] - Mark or
classify traffic for traffic shaping or multiple providers. Deprecated in
Shorewall 4.6.0 in favor of /etc/shorewall/mangle. Not supported in Shorewall
5.0.0 and later releases.
•/etc/shorewall[6]/tcinterfaces[25] and
/etc/shorewall[6]/tcpri[26] - Define simple traffic shaping.
•/etc/shorewall[6]/secmarks[27] - Added in
Shorewall 4.4.13. Attach an SELinux context to selected packets.
•/etc/shorewall[6]/vardir[28] - Determines
the directory where Shorewall maintains its state.
•/etc/shorewall/arprules[29] — Added
in Shorewall 4.5.12. Allows specification of arptables rules.
•/etc/shorewall/mangle[8] - Added in
Shorewall 4.6.0. Supersedes /etc/shorewall/tcrules.
•/etc/shorewall[6]/snat[30] - directs the
firewall where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation (SNAT).
Supersedes /etc/shorewall[6]/masq in Shorewall 5.0.14.
•/usr/share/shorewall[6]/actions.std - Actions
defined by Shorewall.
•/usr/share/shorewall[6]/action.* - Details of
actions defined by Shorewall.
•/usr/share/shorewall[6]/macro.* - Details of
macros defined by Shorewall.
•/usr/share/shorewall[6]/modules —
Specifies the kernel modules to be loaded during shorewall
start/restart.
•/usr/share/shorewall[6]/helpers — Added in
Shorewall 4.4.7. Specifies the kernel modules to be loaded during shorewall
start/restart when LOAD_HELPERS_ONLY=Yes in shorewall.conf.
The CONFIG_PATH option in shorewall[6].conf(5)[20]
determines where the compiler searches for configuration files. The default
setting is CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that
the compiler first looks in /etc/shorewall and if it doesn't find the file,
it then looks in /usr/share/shorewall.
You can change this setting to have the compiler look in different
places. For example, if you want to put your own versions of standard macros
in /etc/shorewall/Macros, then you could set
CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and
the compiler will use your versions rather than the standard ones.
You may place comments in configuration files by making the first
non-whitespace character a pound sign (“#”). You may also
place comments at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.
Example 1. Comments in a Configuration File
# This is a comment
ACCEPT net $FW tcp www #This is an end-of-line comment
Important
Except in shorewall.conf(5)[1] and params(5)[2], if
a comment ends with a backslash ("\"), the next line will also be
treated as a comment. See Line Continuation below.
Most of the configuration files are organized into space-separated
columns. If you don't want to supply a value in a column but want to supply
a value in a following column, simply enter '-' to make the column appear
empty.
Example:
#INTERFACE BROADCAST OPTIONS
br0 - routeback
Lines may be continued using the usual backslash
(“\”) followed immediately by a new line character (Enter
key).
ACCEPT net $FW tcp \↵
smtp,www,pop3,imap #Services running on the firewall
In certain cases, leading white space is ignored in continuation
lines:
1. The continued line ends with a colon (":")
2. The continued line ends with a comma (",")
Example (/etc/shorewall/rules):
#ACTION SOURCE DEST PROTO DPORT
ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
206.124.146.180\
dmz tcp 873
The leading white space on the first through third continuation
lines is ignored, so the SOURCE column effectively contains
"net:206.124.146.177,206.124.146.178,206.124.146.180". Because the
third continuation line does not end with a comma or colon, the leading
white space in the last line is not ignored.
Important
A trailing backslash is not ignored in a comment. So the continued
rule above can be commented out with a single '#' as follows:
#ACTION SOURCE DEST PROTO DPORT
#ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
206.124.146.180\
dmz tcp 873
Some of the configuration files now have a large number of
columns. That makes it awkward to specify a value for one of the right-most
columns as you must have the correct number of intervening '-' columns.
This problem is addressed by allowing column values to be
specified as column-name/value pairs.
There is considerable flexibility in how you specify the
pairs:
•At any point, you can enter a left curly bracket
('{') followed by one or more specifications of the following forms:
    column-name=value
    column-name=>value
    column-name:value
The pairs must be followed by a right curly bracket ("}").
The value may optionally be enclosed in double quotes.
The pairs must be separated by white space, but you can add a
comma adjacent to the values for readability as in:
    { proto=>udp, port=1024 }
•You can also separate the pairs from columns by
using a semicolon:
    ; proto:udp, port:1024
In Shorewall 5.0.3, the sample configuration files and the man
pages were updated to use the same column names in both the column headings
and in the alternate specification format. The following table shows the
column names for each of the table-oriented configuration files.
Note
Column names are case-insensitive.
File                    Column names
accounting              action,chain,source,dest,proto,dport,sport,user,mark,ipsec,headers
conntrack               action,source,dest,proto,dport,sport,user,switch
blacklist               networks,proto,port,options
blrules                 action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper
ecn                     interface,hosts (beginning with Shorewall 4.5.4, 'host' is a synonym for 'hosts')
hosts                   zone,hosts,options (beginning with Shorewall 4.5.4, 'host' is a synonym for 'hosts')
interfaces              zone,interface,broadcast,options
maclist                 disposition,interface,mac,addresses
mangle                  action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers
masq                    interface,source,address,proto,port,ipsec,mark,user,switch
nat                     external,interface,internal,allints,local
netmap                  type,net1,interface,net2,net3,proto,dport,sport
notrack                 source,dest,proto,dport,sport,user
policy                  source,dest,policy,loglevel,limit,connlimit
providers               table,number,mark,duplicate,interface,gateway,options,copy
proxyarp and proxyndp   address,interface,external,haveroute,persistent
rtrules                 source,dest,provider,priority
routes                  provider,dest,gateway,device
routestopped            interface,hosts,options,proto,dport,sport
rules                   action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper
secmarks                secmark,chain,source,dest,proto,dport,sport,user,mark
tcclasses               interface,mark,rate,ceil,prio,options
tcdevices               interface,in_bandwidth,out_bandwidth,options,redirect
tcfilters               class,source,dest,proto,dport,sport,tos,length
tcinterfaces            interface,type,in_bandwidth,out_bandwidth
tcpri                   band,proto,port,address,interface,helper
tcrules                 mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers (beginning with Shorewall 4.5.3, 'action' is a synonym for 'mark')
tos                     source,dest,proto,dport,sport,tos,mark
tunnels                 type,zone,gateway,gateway_zone (beginning with Shorewall 4.5.3, 'gateways' is a synonym for 'gateway'; beginning with Shorewall 4.5.4, 'gateway_zones' is a synonym for 'gateway_zone')
zones                   zone,type,options,in_options,out_options
Example (rules file):
#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"
Here's the same line in several equivalent formats:
{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }
Beginning with Shorewall 5.0.11, ip[6]table comments can be
attached to individual rules using the comment keyword.
Example from the rules file:
ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }
As shown in that example, when the comment contains whitespace, it
must be enclosed in double quotes and any embedded double quotes must be
escaped using a backslash ("\").
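The file-syntax rules above (comments, backslash continuation with the ':'/',' white-space rule, '-' for an empty column, the '{ ... }' and ';' column-name/value formats, and the quoted comment keyword), worked through in a small Python parser as an added example. This is not Shorewall's own compiler code: the rules-file column order comes from the column-name table above, the sample lines are the ones shown on this page, and the function names and the CONTINUED_RULE sample text are this example's own.

```python
import re
import shlex

# Rules-file column order, from the column-name table on this page.
RULES_COLUMNS = ["action", "source", "dest", "proto", "dport", "sport",
                 "origdest", "rate", "user", "mark", "connlimit", "time",
                 "headers", "switch", "helper"]
EXTRA_KEYWORDS = {"comment"}   # pair-format keyword that is not a column
# name=value, name=>value or name:value, the three pair forms described above
PAIR_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:=>|=|:)(.*)$")


def join_continuations(text):
    """Join backslash-continued physical lines into logical lines. Leading
    white space of a continuation line is dropped only when the text so far
    ends with ':' or ','. A comment ending in a backslash swallows the next
    line too, so a continued rule is commented out by a single '#'."""
    logical, current = [], None
    for raw in text.splitlines():
        if current is None:
            current = raw
        elif current.endswith((":", ",")):
            current += raw.lstrip()
        else:
            current += raw
        if current.endswith("\\"):
            current = current[:-1]          # keep accumulating
            continue
        logical.append(current)
        current = None
    if current is not None:                 # input ended on a continuation
        logical.append(current)
    return logical


def strip_comment(line):
    """Remove a whole-line or end-of-line '#' comment."""
    idx = line.find("#")
    return line if idx < 0 else line[:idx]


def parse_pairs(spec):
    """Parse white-space separated pairs. Values may be double-quoted with
    embedded quotes escaped by a backslash (shlex handles that); a comma
    glued to a value is ignored, as the page allows."""
    pairs = {}
    for token in shlex.split(spec):
        m = PAIR_RE.match(token.rstrip(","))
        if not m:
            raise ValueError("not a column-name/value pair: %r" % token)
        pairs[m.group(1).lower()] = m.group(2)  # names are case-insensitive
    return pairs


def parse_rule(line, columns=RULES_COLUMNS):
    """One logical rules line -> {column: value}; None for blank/comment
    lines. Positional columns come first ('-' leaves a column empty); text
    inside '{ ... }' or after ';' is parsed as column-name/value pairs."""
    line = strip_comment(line).strip()
    if not line:
        return None
    pairs_spec = ""
    if "{" in line:
        positional, _, rest = line.partition("{")
        pairs_spec, closed, trailing = rest.partition("}")
        if not closed or trailing.strip():
            raise ValueError("pairs must end with '}': %r" % line)
    elif ";" in line:
        positional, _, pairs_spec = line.partition(";")
    else:
        positional = line
    tokens = positional.split()
    if len(tokens) > len(columns):
        raise ValueError("too many columns: %r" % line)
    values = {name: tok for name, tok in zip(columns, tokens) if tok != "-"}
    for name, value in parse_pairs(pairs_spec).items():
        if name not in columns and name not in EXTRA_KEYWORDS:
            raise ValueError("unknown column %r" % name)
        values[name] = value
    return values


def parse_file(text):
    """Parse a rules-file fragment, skipping blank and comment-only lines."""
    rules = (parse_rule(line) for line in join_continuations(text))
    return [rule for rule in rules if rule is not None]


# The page's "same line in several equivalent formats"; all four parse to
# the same columns.
DNAT_EQUIVALENTS = [
    'DNAT net loc:10.0.0.1 tcp 80 ; mark="88"',
    "{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }",
    '; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"',
    "DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }",
]
# Constructed sample: the continued rule shown on this page, and the same
# rule commented out with a single '#'.
CONTINUED_RULE = (
    "#ACTION SOURCE DEST PROTO DPORT\n"
    "ACCEPT net:\\\n"
    "       206.124.146.177,\\\n"
    "       206.124.146.178,\\\n"
    "       206.124.146.180\\\n"
    "       dmz tcp 873\n"
)
COMMENTED_OUT_RULE = CONTINUED_RULE.replace("\nACCEPT", "\n#ACCEPT")
```

parse_file(CONTINUED_RULE) yields one rule whose SOURCE is the joined "net:206.124.146.177,206.124.146.178,206.124.146.180" with the trailing white space before "dmz" kept, exactly as the text above describes, and parse_file(COMMENTED_OUT_RULE) yields nothing because the backslash keeps the comment open. Two simplifications are deliberate: a '#' inside a quoted comment value is not special-cased, and a '{ ... }' group split across physical lines is only handled once the lines have been joined by a continuation backslash.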
Several of the files include a TIME column that allows you to
specify times when the rule is to be applied. The contents of this column are a
list of timeelements separated by ampersands (&).
Each timeelement is one of the following:
timestart=hh:mm[:ss]
Defines the starting time of day.
timestop=hh:mm[:ss]
Defines the ending time of day.
contiguous
Added in Shorewall 5.0.12. When timestop is
smaller than timestart value, match this as a single time period
instead of distinct intervals. See the Examples below.
utc
Times are expressed in Greenwich Mean Time.
localtz
Deprecated by the Netfilter team in favor of
kerneltz. Times are expressed in Local Civil Time (default).
kerneltz
Added in Shorewall 4.5.2. Times are expressed in Local
Kernel Time (requires iptables 1.4.12 or later).
weekdays=ddd[,ddd]...
where ddd is one of Mon, Tue,
Wed, Thu, Fri, Sat or Sun
monthdays=dd[,dd],...
where dd is an ordinal day of the month
datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the starting date and time.
datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the ending date and time.
Examples:
To match on weekends, use:
Or, to match (once) on a national holiday block:
datestart=2016-12-24&datestop=2016-12-27
Since the stop time is actually inclusive, you would need the
following stop time to not match the first second of the new day:
datestart=2016-12-24T17:00&datestop=2016-12-27T23:59:59
During Lunch Hour
The fourth Friday in the month:
weekdays=Fri&monthdays=22,23,24,25,26,27,28
Matching across days might not do what is expected. For
instance,
weekdays=Mon&timestart=23:00&timestop=01:00
will match Monday, for one hour from midnight to 1 a.m., and then
again for another hour from 23:00 onwards. If this is unwanted, e.g. if you
would like 'match for two hours from Monday 23:00 onwards', you need to also
specify the contiguous option in the example above.
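The TIME column behaviour above, in particular the inclusive stop time and the difference contiguous makes for a window that wraps past midnight, modelled in Python as an added example. This is not Shorewall's or Netfilter's code: the check order and the day shift applied for contiguous follow the behaviour this page describes for the iptables time match the column maps to, and the calendar moments used (December 2016, so that 2016-12-26 is a Monday) are constructed for the example.

```python
from datetime import datetime, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # weekday() order


def parse_time_column(spec):
    """Split a TIME value such as 'weekdays=Mon&timestart=23:00&contiguous'
    into a dict; bare keywords (contiguous, utc, kerneltz, ...) map to True."""
    elements = {}
    for element in spec.split("&"):
        key, has_value, value = element.partition("=")
        elements[key.strip()] = value.strip() if has_value else True
    return elements


def _seconds(hhmmss):
    """hh:mm[:ss] -> seconds since midnight."""
    parts = [int(p) for p in hhmmss.split(":")] + [0, 0]
    return parts[0] * 3600 + parts[1] * 60 + parts[2]


def _datetime(text):
    """yyyy[-mm[-dd[Thh[:mm[:ss]]]]] -> datetime; absent parts take their
    minimum, so datestop=2016-12-27 means 2016-12-27T00:00:00 (inclusive)."""
    date_part, _, time_part = text.partition("T")
    ymd = [int(p) for p in date_part.split("-")] + [1, 1]
    hms = ([int(p) for p in time_part.split(":")] if time_part else []) + [0, 0, 0]
    return datetime(ymd[0], ymd[1], ymd[2], hms[0], hms[1], hms[2])


def time_matches(spec, when):
    """Does the moment 'when' (datetime or ISO string) fall inside the spec?

    Date window first (inclusive at both ends), then time of day, then
    weekday/monthday. When timestop < timestart the daily window wraps past
    midnight; without 'contiguous' the weekday check uses the calendar day of
    'when', so the window shows up as two pieces of the named day. With
    'contiguous', a moment in the post-midnight piece is attributed to the
    day the window started on. utc/localtz/kerneltz only choose the clock;
    'when' is assumed to be expressed in that clock already.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    e = parse_time_column(spec)
    if "datestart" in e and when < _datetime(e["datestart"]):
        return False
    if "datestop" in e and when > _datetime(e["datestop"]):
        return False
    start = _seconds(e.get("timestart", "00:00:00"))
    stop = _seconds(e.get("timestop", "23:59:59"))
    now = when.hour * 3600 + when.minute * 60 + when.second
    if start <= stop:
        if not start <= now <= stop:
            return False
    else:
        if stop < now < start:           # the gap between the two pieces
            return False
        if "contiguous" in e and now <= stop:
            when -= timedelta(days=1)    # still the previous day's window
    if "weekdays" in e and WEEKDAYS[when.weekday()] not in e["weekdays"].split(","):
        return False
    if "monthdays" in e and when.day not in {int(d) for d in e["monthdays"].split(",")}:
        return False
    return True


if __name__ == "__main__":
    spec = "weekdays=Mon&timestart=23:00&timestop=01:00"
    for moment in ("2016-12-26T00:30", "2016-12-26T23:30", "2016-12-27T00:30"):
        print(moment, time_matches(spec, moment), time_matches(spec + "&contiguous", moment))
```

Run as is, the script shows the two readings of the Monday example: without contiguous, Monday 00:30 and Monday 23:30 match while Tuesday 00:30 does not; with contiguous, Monday 23:30 and Tuesday 00:30 match while Monday 00:30 does not. The holiday example behaves the same way as the text warns: with datestop=2016-12-27 the first second of 27 December still matches, and only the T23:59:59 form covers the whole day.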
There are times when you would like to enable or disable one or
more rules in the configuration without having to do a shorewall
reload or shorewall restart. This may be accomplished using the
SWITCH column in shorewall-rules(5)[32] or
shorewall6-rules(5)[32]. Using this column requires that your kernel
and iptables include Condition Match Support and you must be running
Shorewall 4.4.24 or later. See the output of shorewall show
capabilities and shorewall version to determine if you can use
this feature.
The SWITCH column contains the name of a switch. Each switch is
initially in the off position. You can turn on the switch named
switch1 by:
echo 1 > /proc/net/nf_condition/switch1
You can turn it off again by:
echo 0 > /proc/net/nf_condition/switch1
If you simply include the switch name in the SWITCH column, then
the rule is enabled only when the switch is on. If you precede the
switch name with ! (e.g., !switch1), then the rule is enabled only when the
switch is off. Switch settings are retained over shorewall
reload.
Shorewall requires that switch names:
•begin with a letter and be composed of letters,
digits, underscore ('_') or hyphen ('-'); and
•be 30 characters or less in length.
Multiple rules can be controlled by the same switch.
Example:
Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
on.
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
[1] /etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf (https://shorewall.org/manpages/shorewall.conf.html)
[2] /etc/shorewall[6]/params (https://shorewall.org/manpages/shorewall-params.html)
[3] /etc/shorewall[6]/zones (https://shorewall.org/manpages/shorewall-zones.html)
[4] /etc/shorewall[6]/policy (https://shorewall.org/manpages/shorewall-policy.html)
[5] /etc/shorewall[6]/interfaces (https://shorewall.org/manpages/shorewall-interfaces.html)
[6] /etc/shorewall[6]/hosts (https://shorewall.org/manpages/shorewall-hosts.html)
[7] /etc/shorewall[6]/masq (https://shorewall.org/manpages/shorewall-masq.html)
[8] /etc/shorewall[6]/mangle (https://shorewall.org/manpages/shorewall-mangle.html)
[9] /etc/shorewall[6]/rules (https://shorewall.org/manpages/shorewall-rules.html)
[10] /etc/shorewall[6]/nat (https://shorewall.org/manpages/shorewall-nat.html)
[11] /etc/shorewall6/proxyarp (https://shorewall.org/manpages/shorewall-proxyarp.html)
[12] /etc/shorewall6/proxyndp (https://shorewall.org/manpages/shorewall-proxyndp.html)
[13] /etc/shorewall[6]/tcrules (https://shorewall.org/manpages/shorewall-tcrules.html)
[14] /etc/shorewall[6]/tos (https://shorewall.org/manpages/shorewall-tos.html)
[15] /etc/shorewall[6]/tunnels (https://shorewall.org/manpages/shorewall-tunnels.html)
[16] /etc/shorewall[6]/blacklist (https://shorewall.org/manpages/shorewall-blacklist.html)
[17] /etc/shorewall/ecn (https://shorewall.org/manpages/shorewall-ecn.html)
[18] /etc/shorewall/accounting (https://shorewall.org/manpages/shorewall-accounting.html)
[19] /etc/shorewall[6]/actions (https://shorewall.org/manpages/shorewall-actions.html)
[20] /etc/shorewall[6]/providers (https://shorewall.org/manpages/???)
[21] /etc/shorewall[6]/rtrules (https://shorewall.org/manpages/shorewall-rtrules.html)
[22] /etc/shorewall[6]/tcdevices (https://shorewall.org/manpages/shorewall-tcdevices.html)
[23] /etc/shorewall[6]/tcclasses (https://shorewall.org/manpages/shorewall-tcclasses.html)
[24] /etc/shorewall[6]/tcfilters (https://shorewall.org/manpages/shorewall-tcfilters.html)
[25] /etc/shorewall[6]/tcinterfaces (https://shorewall.org/manpages/shorewall-tcinterfaces.html)
[26] /etc/shorewall[6]/tcpri (https://shorewall.org/manpages/shorewall-tcpri.html)
[27] /etc/shorewall[6]/secmarks (https://shorewall.org/manpages/shorewall-secmarks.html)
[28] /etc/shorewall[6]/vardir (https://shorewall.org/manpages/shorewall-vardir.html)
[29] /etc/shorewall/arprules (https://shorewall.org/manpages/shorewall-arprules.html)
[30] /etc/shorewall[6]/snat (https://shorewall.org/manpages/shorewall-snat.html)
[31] shorewall-params(5) (https://shorewall.org/manpages/shorewall-params.html)
[32] shorewall-rules (https://shorewall.org/manpages/shorewall-rules.html)