shorewall-files - Man Page

Shorewall Configuration Files

Synopsis

/etc/shorewall[6]/*

Description

The following are the Shorewall[6] configuration files:

CONFIG_PATH

The CONFIG_PATH option in shorewall[6].conf(5)[20] determines where the compiler searches for configuration files. The default setting is CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the compiler first looks in /etc/shorewall and if it doesn't find the file, it then looks in /usr/share/shorewall.

You can change this setting to have the compiler look in different places. For example, if you want to put your own versions of standard macros in /etc/shorewall/Macros, then you could set CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and the compiler will use your versions rather than the standard ones.

Comments

You may place comments in configuration files by making the first non-whitespace character a pound sign (“#”). You may also place comments at the end of any line, again by delimiting the comment from the rest of the line with a pound sign.

Example 1. Comments in a Configuration File

# This is a comment
ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment

Important

Except in shorewall.conf(5)[1] and params(5)[2], if a comment ends with a backslash ("\"), the next line will also be treated as a comment. See Line Continuation below.

Blank Lines

Most of the configuration files are organized into space-separated columns. If you don't want to supply a value in a column but want to supply a value in a following column, simply enter '-' to make the column appear empty.

Example:

#INTERFACE         BROADCAST            OPTIONS
br0                -                    routeback

Line Continuation

Lines may be continued using the usual backslash (“\”) followed immediately by a new line character (Enter key).

ACCEPT  net     $FW      tcp \↵
smtp,www,pop3,imap  #Services running on the firewall

Important

What follows does NOT apply to shorewall-params(5)[31] and shorewall.conf(5)[1].

In certain cases, leading white space is ignored in continuation lines:

  1. The continued line ends with a colon (":")
  2. The continued line ends with a comma (",")

Example (/etc/shorewall/rules):

#ACTION     SOURCE          DEST            PROTO           DPORT
ACCEPT      net:\
            206.124.146.177,\
            206.124.146.178,\
            206.124.146.180\
                            dmz             tcp             873

The leading white space on the first through third continuation lines is ignored, so the SOURCE column effectively contains "net:206.124.146.177,206.124.146.178,206.124.146.180". Because the third continuation line does not end with a comma or colon, the leading white space in the last line is not ignored.

Important

A trailing backslash is not ignored in a comment. So the continued rule above can be commented out with a single '#' as follows:

#ACTION     SOURCE          DEST            PROTO           DPORT
#ACCEPT     net:\
            206.124.146.177,\
            206.124.146.178,\
            206.124.146.180\
                            dmz             tcp             873
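
The following is an added example, not part of the original man page and not Shorewall's own parser: a simplified Python model of the continuation and comment rules above that reports which physical lines end up absorbed into a comment. The function names and the sample file are constructed for illustration, and '#' characters inside quoted values are not handled.

```python
def logical_lines(text):
    """Yield (first_line_no, pieces) for each backslash-joined logical line."""
    pieces, first = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pieces:
            first = no
        elif pieces[-1].endswith((":", ",")):
            raw = raw.lstrip()      # leading white space ignored after ':' or ','
        continued = raw.endswith("\\")
        pieces.append(raw[:-1] if continued else raw)
        if not continued:
            yield first, pieces
            pieces = []
    if pieces:                      # file ended on a backslash
        yield first, pieces


def audit(text):
    """Return (rules, swallowed): parsed columns of each live rule, and the
    numbers of the lines that became part of a comment via a trailing backslash."""
    rules, swallowed = [], []
    for first, pieces in logical_lines(text):
        columns = "".join(pieces).split("#", 1)[0].split()
        if columns:
            rules.append(columns)
        hit = next((i for i, p in enumerate(pieces) if "#" in p), None)
        if hit is not None and hit < len(pieces) - 1:
            swallowed.extend(range(first + hit + 1, first + len(pieces)))
    return rules, swallowed


# Constructed sample: the continued rule from this page, then a comment that
# ends in a backslash directly above a DROP rule that was meant to stay active.
SAMPLE = """\
#ACTION     SOURCE          DEST            PROTO           DPORT
ACCEPT      net:\\
            206.124.146.177,\\
            206.124.146.178,\\
            206.124.146.180\\
                            dmz             tcp             873
# temporarily disabled: ACCEPT net $FW tcp 22 \\
DROP        net             $FW             tcp             23
ACCEPT      loc             $FW             tcp             22   # ssh
"""

if __name__ == "__main__":
    rules, swallowed = audit(SAMPLE)
    print("live rules:", rules)
    print("lines absorbed into a comment:", swallowed)
```

Line 8 of the sample, the DROP rule, never reaches the compiled ruleset because the comment on line 7 ends with a backslash.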

Alternative Specification of Column Values

Some of the configuration files now have a large number of columns. That makes it awkward to specify a value for one of the right-most columns as you must have the correct number of intervening '-' columns.

This problem is addressed by allowing column values to be specified as column-name/value pairs.

There is considerable flexibility in how you specify the pairs:

In Shorewall 5.0.3, the sample configuration files and the man pages were updated to use the same column names in both the column headings and in the alternate specification format. The following table shows the column names for each of the table-oriented configuration files.

Note

Column names are case-insensitive.

File                   Column names
accounting             action,chain,source,dest,proto,dport,sport,user,mark,ipsec,headers
conntrack              action,source,dest,proto,dport,sport,user,switch
blacklist              networks,proto,port,options
blrules                action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper
ecn                    interface,hosts. Beginning with Shorewall 4.5.4, 'host' is a synonym for 'hosts'.
hosts                  zone,hosts,options. Beginning with Shorewall 4.5.4, 'host' is a synonym for 'hosts'.
interfaces             zone,interface,broadcast,options
maclist                disposition,interface,mac,addresses
mangle                 action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers
masq                   interface,source,address,proto,port,ipsec,mark,user,switch
nat                    external,interface,internal,allints,local
netmap                 type,net1,interface,net2,net3,proto,dport,sport
notrack                source,dest,proto,dport,sport,user
policy                 source,dest,policy,loglevel,limit,connlimit
providers              table,number,mark,duplicate,interface,gateway,options,copy
proxyarp and proxyndp  address,interface,external,haveroute,persistent
rtrules                source,dest,provider,priority
routes                 provider,dest,gateway,device
routestopped           interface,hosts,options,proto,dport,sport
rules                  action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper
secmarks               secmark,chain,source,dest,proto,dport,sport,user,mark
tcclasses              interface,mark,rate,ceil,prio,options
tcdevices              interface,in_bandwidth,out_bandwidth,options,redirect
tcfilters              class,source,dest,proto,dport,sport,tos,length
tcinterfaces           interface,type,in_bandwidth,out_bandwidth
tcpri                  band,proto,port,address,interface,helper
tcrules                mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers. Beginning with Shorewall 4.5.3, 'action' is a synonym for 'mark'.
tos                    source,dest,proto,dport,sport,tos,mark
tunnels                type,zone,gateway,gateway_zone. Beginning with Shorewall 4.5.3, 'gateways' is a synonym for 'gateway'. Beginning with Shorewall 4.5.4, 'gateway_zones' is a synonym for 'gateway_zone'.
zones                  zone,type,options,in_options,out_options

Example (rules file):

#ACTION         SOURCE            DEST            PROTO   DPORT
DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"

Here's the same line in several equivalent formats:

{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }

Beginning with Shorewall 5.0.11, ip[6]tables comments can be attached to individual rules using the comment keyword.

Example from the rules file:

        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }

As shown in that example, when the comment contains whitespace, it must be enclosed in double quotes and any embedded double quotes must be escaped using a backslash ("\").
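
The following is an added example, not part of the original man page and not Shorewall's own parser: a Python sketch that normalizes the positional form and the pair forms shown above into one dictionary, which is useful when reviewing or diffing rules written in different styles. It handles only the syntaxes that appear in this page's examples; parse_rule and EQUIVALENT are names introduced here, and rejecting unknown column names is a choice made by this example.

```python
import re

# Column names for the rules file, taken from the table above.
RULES_COLUMNS = ("action,source,dest,proto,dport,sport,origdest,rate,user,"
                 "mark,connlimit,time,headers,switch,helper").split(",")

# name, then one of => = : as separator, then a quoted or bare value.
# Bare values stop at white space, ',' or '}', so quote anything containing those.
PAIR = re.compile(r'(\w+)\s*(?:=>|=|:)\s*("(?:[^"\\]|\\.)*"|[^\s,}]+)')


def parse_rule(line, columns=RULES_COLUMNS):
    """Return {column: value} for a rule in positional and/or pair form."""
    m = re.search(r"[;{]", line)            # start of the pair section, if any
    positional = line[:m.start()] if m else line
    pairs = line[m.end():] if m else ""
    rule = {}
    for name, value in zip(columns, positional.split()):
        if value != "-":                    # '-' marks an empty column
            rule[name] = value
    for key, value in PAIR.findall(pairs):
        key = key.lower()                   # column names are case-insensitive
        if key not in columns and key != "comment":
            raise ValueError(f"unknown column name: {key!r}")
        if value.startswith('"'):           # unquote and unescape \" sequences
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        rule[key] = value
    return rule


# The four equivalent lines from this page.
EQUIVALENT = [
    'DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"',
    '{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }',
    '; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"',
    'DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }',
]

if __name__ == "__main__":
    for line in EQUIVALENT:
        print(parse_rule(line))
    print(parse_rule(r'ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }'))
```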

Time Columns

Several of the files include a TIME column that allows you to specify times when the rule is to be applied. The contents of this column are a list of timeelements separated by ampersands (&).

Each timeelement is one of the following:

timestart=hh:mm[:ss]

Defines the starting time of day.

timestop=hh:mm[:ss]

Defines the ending time of day.

contiguous

Added in Shorewall 5.0.12. When the timestop value is smaller than the timestart value, match this as a single time period instead of distinct intervals. See the Examples below.

utc

Times are expressed in Greenwich Mean Time.

localtz

Deprecated by the Netfilter team in favor of kerneltz. Times are expressed in Local Civil Time (default).

kerneltz

Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time (requires iptables 1.4.12 or later).

weekdays=ddd[,ddd]...

where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun

monthdays=dd[,dd],...

where dd is an ordinal day of the month

datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]

Defines the starting date and time.

datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]

Defines the ending date and time.

Examples:

To match on weekends, use:

weekdays=Sat,Sun

Or, to match (once) on a national holiday block:

datestart=2016-12-24&datestop=2016-12-27

Since the stop time is actually inclusive, you would need the following stop time to not match the first second of the new day:

datestart=2016-12-24T17:00&datestop=2016-12-27T23:59:59

During Lunch Hour

The fourth Friday in the month:

weekdays=Fri&monthdays=22,23,24,25,26,27,28

Matching across days might not do what is expected. For instance,

weekdays=Mon&timestart=23:00&timestop=01:00

will match Monday, for one hour from midnight to 1 a.m., and then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Monday 23:00 onwards', you need to also specify the contiguous option in the example above.
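
The following is an added example, not part of the original man page and not Shorewall or Netfilter code: a Python model of the matching behaviour just described, covering only weekdays, timestart, timestop and contiguous. It lets you check when a time-limited rule is actually in effect before deploying it; the function names are introduced here, and the time zone elements, monthdays, datestart and datestop are deliberately not modelled.

```python
from datetime import datetime, time, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_time_column(column):
    """Parse an '&'-separated TIME column into a dict (subset of timeelements)."""
    spec = {"timestart": time(0, 0), "timestop": time(23, 59, 59),
            "weekdays": set(DAYS), "contiguous": False}
    for element in column.split("&"):
        key, _, value = element.partition("=")
        if key == "contiguous":
            spec["contiguous"] = True
        elif key in ("timestart", "timestop"):
            spec[key] = time(*map(int, value.split(":")))   # hh:mm[:ss]
        elif key == "weekdays":
            spec["weekdays"] = set(value.split(","))
        else:
            raise ValueError(f"timeelement not modelled here: {element!r}")
    return spec


def matches(column, when):
    """True if the datetime 'when' falls inside the window given by 'column'."""
    spec = parse_time_column(column)
    start, stop, now = spec["timestart"], spec["timestop"], when.time()
    day = when
    if start < stop:
        if not start <= now <= stop:        # ordinary same-day window, stop inclusive
            return False
    else:
        if stop < now < start:              # window wraps past midnight
            return False
        if spec["contiguous"] and now <= stop:
            day = when - timedelta(days=1)  # after midnight counts as the previous day
    return DAYS[day.weekday()] in spec["weekdays"]


if __name__ == "__main__":
    split = "weekdays=Mon&timestart=23:00&timestop=01:00"
    # Constructed probe times: 2016-12-26 is a Monday, 2016-12-27 a Tuesday.
    for when in (datetime(2016, 12, 26, 0, 30), datetime(2016, 12, 26, 23, 30),
                 datetime(2016, 12, 27, 0, 30)):
        print(when, matches(split, when), matches(split + "&contiguous", when))
```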

Switches

There are times when you would like to enable or disable one or more rules in the configuration without having to do a shorewall reload or shorewall restart. This may be accomplished using the SWITCH column in shorewall-rules[32] (5) or shorewall6-rules[32] (5). Using this column requires that your kernel and iptables include Condition Match Support and you must be running Shorewall 4.4.24 or later. See the output of shorewall show capabilities and shorewall version to determine if you can use this feature.

The SWITCH column contains the name of a switch. Each switch is initially in the off position. You can turn on the switch named switch1 by:

echo 1 > /proc/net/nf_condition/switch1

You can turn it off again by:

echo 0 > /proc/net/nf_condition/switch1

If you simply include the switch name in the SWITCH column, then the rule is enabled only when the switch is on. If you precede the switch name with ! (e.g., !switch1), then the rule is enabled only when the switch is off. Switch settings are retained over shorewall reload.

Shorewall requires that switch names:

Multiple rules can be controlled by the same switch.

Example:

Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.

#ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down

Files

/etc/shorewall[6]/*

Notes

  1. /etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf
    https://shorewall.org/manpages/shorewall.conf.html
  2. /etc/shorewall[6]/params
    https://shorewall.org/manpages/shorewall-params.html
  3. /etc/shorewall[6]/zones
    https://shorewall.org/manpages/shorewall-zones.html
  4. /etc/shorewall[6]/policy
    https://shorewall.org/manpages/shorewall-policy.html
  5. /etc/shorewall[6]/interfaces
    https://shorewall.org/manpages/shorewall-interfaces.html
  6. /etc/shorewall[6]/hosts
    https://shorewall.org/manpages/shorewall-hosts.html
  7. /etc/shorewall[6]/masq
    https://shorewall.org/manpages/shorewall-masq.html
  8. /etc/shorewall[6]/mangle
    https://shorewall.org/manpages/shorewall-mangle.html
  9. /etc/shorewall[6]/rules
    https://shorewall.org/manpages/shorewall-rules.html
  10. /etc/shorewall[6]/nat
    https://shorewall.org/manpages/shorewall-nat.html
  11. /etc/shorewall6/proxyarp
    https://shorewall.org/manpages/shorewall-proxyarp.html
  12. /etc/shorewall6/proxyndp
    https://shorewall.org/manpages/shorewall-proxyndp.html
  13. /etc/shorewall[6]/tcrules
    https://shorewall.org/manpages/shorewall-tcrules.html
  14. /etc/shorewall[6]/tos
    https://shorewall.org/manpages/shorewall-tos.html
  15. /etc/shorewall[6]/tunnels
    https://shorewall.org/manpages/shorewall-tunnels.html
  16. /etc/shorewall[6]/blacklist
    https://shorewall.org/manpages/shorewall-blacklist.html
  17. /etc/shorewall/ecn
    https://shorewall.org/manpages/shorewall-ecn.html
  18. /etc/shorewall/accounting
    https://shorewall.org/manpages/shorewall-accounting.html
  19. /etc/shorewall[6]/actions
    https://shorewall.org/manpages/shorewall-actions.html
  20. /etc/shorewall[6]/providers
    https://shorewall.org/manpages/???
  21. /etc/shorewall[6]/rtrules
    https://shorewall.org/manpages/shorewall-rtrules.html
  22. /etc/shorewall[6]/tcdevices
    https://shorewall.org/manpages/shorewall-tcdevices.html
  23. /etc/shorewall[6]/tcclasses
    https://shorewall.org/manpages/shorewall-tcclasses.html
  24. /etc/shorewall[6]/tcfilters
    https://shorewall.org/manpages/shorewall-tcfilters.html
  25. /etc/shorewall[6]/tcinterfaces
    https://shorewall.org/manpages/shorewall-tcinterfaces.html
  26. /etc/shorewall[6]/tcpri
    https://shorewall.org/manpages/shorewall-tcpri.html
  27. /etc/shorewall[6]/secmarks
    https://shorewall.org/manpages/shorewall-secmarks.html
  28. /etc/shorewall[6]/vardir
    https://shorewall.org/manpages/shorewall-vardir.html
  29. /etc/shorewall/arprules
    https://shorewall.org/manpages/shorewall-arprules.html
  30. /etc/shorewall[6]/snat
    https://shorewall.org/manpages/shorewall-snat.html
  31. shorewall-params(5)
    https://shorewall.org/manpages/shorewall-params.html
  32. shorewall-rules
    https://shorewall.org/manpages/shorewall-rules.html

Referenced By

shorewall(8).

09/24/2020 Configuration Files