diff --git a/manpages6-lite/shorewall-lite-vardir.xml b/manpages6-lite/shorewall-lite-vardir.xml
new file mode 100644
index 000000000..a82f0a348
--- /dev/null
+++ b/manpages6-lite/shorewall-lite-vardir.xml
@@ -0,0 +1,64 @@
+
+
+
+ shorewall-lite-vardir
+
+ 5
+
+
+
+ vardir
+
+ Shorewall Lite file
+
+
+
+
+ /etc/shorewall-lite/vardir
+
+
+
+
+ Description
+
+ This file does not exist by default. You may create the file if you
+ want to change the directory used by Shorewall Lite to store state
+ information, including compiled firewall scripts. By default, the
+ directory used is /var/lib/shorewall-lite/.
+
+ The file contains a single variable assignment:
+
+ directory
+
+ where directory is the name of a
+ directory. If you add this file, you should copy the files from
+ /var/lib/shorewall-lite to the new directory before
+ performing a shorewall-lite restart.
+
+
+
+ Example
+
+ VARDIR=/root/shorewall
+
+
+
+ FILES
+
+ /etc/shorewall-lite/vardir
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6-lite/shorewall-lite.conf.xml b/manpages6-lite/shorewall-lite.conf.xml
new file mode 100644
index 000000000..712fa9108
--- /dev/null
+++ b/manpages6-lite/shorewall-lite.conf.xml
@@ -0,0 +1,192 @@
+
+
+
+ shorewall-lite.conf
+
+ 5
+
+
+
+ shorewall-lite.conf
+
+ Shorewall Lite global configuration file
+
+
+
+
+ /etc/shorewall-lite/shorewall-lite.conf
+
+
+
+
+ Description
+
+ This file sets options that apply to Shorewall Lite as a
+ whole.
+
+ The file consists of Shell comments (lines beginning with '#'),
+ blank lines and assignment statements
+ (variable=value). Each
+ variable's setting is preceded by comments that describe the variable and
+ it's effect.
+
+ Any option not specified in this file gets its value from the
+ shorewall.conf file used during compilation of
+ /var/lib/shorewall-lite/firewall. Those settings may be found in the file
+ /var/lib/shorewall-lite/firewall.conf.
+
+
+
+ OPTIONS
+
+ The following options may be set in shorewall.conf.
+
+
+
+ IPTABLES=[pathname]
+
+
+ This parameter names the iptables executable to be used by
+ Shorewall. If not specified or if specified as a null value, then
+ the iptables executable located using the PATH option is
+ used.
+
+
+
+
+ LOGFILE=[pathname]
+
+
+ This parameter tells the /sbin/shorewall program where to look
+ for Shorewall messages when processing the dump, logwatch, show
+ log, and hits commands.
+ If not assigned or if assigned an empty value, /var/log/messages is
+ assumed.
+
+
+
+
+ LOGFORMAT=["formattemplate"]
+
+
+ The value of this variable generate the --log-prefix setting
+ for Shorewall logging rules. It contains a “printf” formatting
+ template which accepts three arguments (the chain name, logging rule
+ number (optional) and the disposition). To use LOGFORMAT with
+ fireparse, set it as:
+
+ LOGFORMAT="fp=%s:%d a=%s "
+
+ If the LOGFORMAT value contains the substring “%d” then the
+ logging rule number is calculated and formatted in that position; if
+ that substring is not included then the rule number is not included.
+ If not supplied or supplied as empty (LOGFORMAT="") then
+ “Shorewall:%s:%s:” is assumed.
+
+
+
+
+ PATH=[pathname[:pathname]...]
+
+
+ Determines the order in which Shorewall searches directories
+ for executable files.
+
+
+
+
+ RESTOREFILE=[filename]
+
+
+ Specifies the simple name of a file in /var/lib/shorewall to
+ be used as the default restore script in the shorewall save, shorewall restore, shorewall forget and shorewall -f start commands.
+
+
+
+
+ SHOREWALL_SHELL=[pathname]
+
+
+ This option is used to specify the shell program to be used to
+ run the Shorewall compiler and to interpret the compiled script. If
+ not specified or specified as a null value, /bin/sh is assumed.
+ Using a light-weight shell such as ash or dash can significantly
+ improve performance.
+
+
+
+
+ SUBSYSLOCK=[pathname]
+
+
+ This parameter should be set to the name of a file that the
+ firewall should create if it starts successfully and remove when it
+ stops. Creating and removing this file allows Shorewall to work with
+ your distribution's initscripts. For RedHat, this should be set to
+ /var/lock/subsys/shorewall. For Debian, the value is
+ /var/state/shorewall and in LEAF it is /var/run/shorwall.
+
+
+
+
+ VERBOSITY=[number]
+
+
+ Shorewall has traditionally been very noisy (produced lots of
+ output). You may set the default level of verbosity using the
+ VERBOSITY OPTION.
+
+ Values are:
+
+
+ 0 - Silent. You may make it more verbose using the -v
+ option
+
+ 1 - Major progress messages displayed
+
+ 2 - All progress messages displayed (old default
+ behavior)
+
+
+ If not specified, then 2 is assumed.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall-lite/shorewall.conf
+
+
+
+ See ALSO
+
+ http://www.shorewall.net/Documentation_Index.html
+
+ shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6-lite/shorewall-lite.xml b/manpages6-lite/shorewall-lite.xml
new file mode 100644
index 000000000..7a53b50b2
--- /dev/null
+++ b/manpages6-lite/shorewall-lite.xml
@@ -0,0 +1,838 @@
+
+
+
+ shorewall-lite
+
+ 8
+
+
+
+ shorewall-lite
+
+ Administration tool for Shoreline Firewall Lite
+ (Shorewall-lite)
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ filename
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+ address
+ mask
+
+ address/vlsm
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ address1address2
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+ refresh-interval
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ filename
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+ filename
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+ {|||}
+
+ chain
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall-lite
+
+ |
+
+ -options
+
+
+
+
+
+
+ Description
+
+ The shorewall-lite utility is used to control the Shoreline Firewall
+ (Shorewall) Lite.
+
+
+
+ Options
+
+ The and options are
+ used for debugging. See http://www.shorewall.net/starting_and_stopping.htm#Trace.
+
+ The nolock prevents the command from
+ attempting to acquire the Shorewall Lite lockfile. It is useful if you
+ need to include shorewall-lite commands in the
+ started extension script.
+
+ The options control the amount of output that
+ the command produces. They consist of a sequence of the letters v and q. If the
+ options are omitted, the amount of output is determined by the setting of
+ the VERBOSITY parameter in shorewall.conf(5). Each v adds one to the effective verbosity and each
+ q subtracts one from the effective
+ VERBOSITY. Anternately, v may be followed
+ immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+ be no white space between v and the
+ VERBOSITY.
+
+ The options may also include the letter
+ which causes all progress messages to be
+ timestamped.
+
+
+
+ Commands
+
+ The available commands are listed below.
+
+
+
+ add
+
+
+ Adds a list of hosts or subnets to a dynamic zone usually used
+ with VPN's.
+
+ The interface argument names an interface
+ defined in the shorewall-interfaces(5)
+ file. A host-list is comma-separated list whose
+ elements are a host or network address.
+ The add command is not very robust. If
+ there are errors in the host-list,
+ you may see a large number of error messages yet a subsequent
+ shorewall show zones command will indicate
+ that all hosts were added. If this happens, replace
+ add by delete and run the
+ same command again. Then enter the correct command.
+
+
+
+
+
+ allow
+
+
+ Re-enables receipt of packets from hosts previously
+ blacklisted by a drop, logdrop, reject, or logreject command.
+
+
+
+
+ clear
+
+
+ Clear will remove all rules and chains installed by Shorewall
+ Lite. The firewall is then wide open and unprotected. Existing
+ connections are untouched. Clear is often used to see if the
+ firewall is causing connection problems.
+
+
+
+
+ delete
+
+
+ The delete command reverses the effect of an earlier add command.
+
+ The interface argument names an interface
+ defined in the shorewall-interfaces(5)
+ file. A host-list is comma-separated list whose
+ elements are a host or network address.
+
+
+
+
+ drop
+
+
+ Causes traffic from the listed addresses
+ to be silently dropped.
+
+
+
+
+ dump
+
+
+ Produces a verbose report about the firewall configuration for
+ the purpose of problem analysis.
+
+ The -x option causes actual
+ packet and byte counts to be displayed. Without that option, these
+ counts are abbreviated. The -m
+ option causes any MAC addresses included in Shorewall Lite log
+ messages to be displayed.
+
+
+
+
+ forget
+
+
+ Deletes /var/lib/shorewall-lite/filename
+ and /var/lib/shorewall-lite/save. If no
+ filename is given then the file specified by
+ RESTOREFILE in shorewall-lite.conf(5) is
+ assumed.
+
+
+
+
+ help
+
+
+ Displays a syntax summary.
+
+
+
+
+ hits
+
+
+ Generates several reports from Shorewall Lite log messages in
+ the current log file.
+
+
+
+
+ ipcalc
+
+
+ Ipcalc displays the network address, broadcast address,
+ network in CIDR notation and netmask corresponding to the
+ input[s].
+
+
+
+
+ iprange
+
+
+ Iprange decomposes the specified range of IP addresses into
+ the equivalent list of network/host addresses.
+
+
+
+
+ logdrop
+
+
+ Causes traffic from the listed addresses
+ to be logged then discarded.
+
+
+
+
+ logwatch
+
+
+ Monitors the log file specified by theLOGFILE option in shorewall-lite.conf(5) and
+ produces an audible alarm when new Shorewall Lite messages are
+ logged. The -m option causes the
+ MAC address of each packet source to be displayed if that
+ information is available. The
+ refresh-interval specifies the time in
+ seconds between screen refreshes. You can enter a negative number by
+ preceding the number with "--" (e.g., shorewall-lite
+ logwatch -- -30). In this case, when a packet count
+ changes, you will be prompted to hit any key to resume screen
+ refreshes.
+
+
+
+
+ logreject
+
+
+ Causes traffic from the listed addresses
+ to be logged then rejected.
+
+
+
+
+ reset
+
+
+ All the packet and byte counters in the firewall are
+ reset.
+
+
+
+
+ restart
+
+
+ Restart is similar to shorewall-lite
+ stop followed by shorewall-lite
+ start. Existing connections are maintained.
+
+ The option causes Shorewall to avoid
+ updating the routing table(s).
+
+ The option causes the connection tracking
+ table to be flushed; the conntrack utility must
+ be installed to use this option.
+
+
+
+
+ restore
+
+
+ Restore Shorewall Lite to a state saved using the shorewall-lite save command. Existing
+ connections are maintained. The filename names
+ a restore file in /var/lib/shorewall-lite created using shorewall-lite save; if no
+ filename is given then Shorewall Lite will be
+ restored from the file specified by the RESTOREFILE option in shorewall-lite.conf(5).
+
+
+
+
+ save
+
+
+ The dynamic blacklist is stored in
+ /var/lib/shorewall-lite/save. The state of the firewall is stored in
+ /var/lib/shorewall-lite/filename for use by the
+ shorewall-lite restore and
+ shorewall-lite -f start commands.
+ If filename is not given then the state is
+ saved in the file specified by the RESTOREFILE option in shorewall-lite.conf(5).
+
+
+
+
+ show
+
+
+ The show command can have a number of different
+ arguments:
+
+
+
+ actions
+
+
+ Produces a report about the available actions (built-in,
+ standard and user-defined).
+
+
+
+
+ capabilities
+
+
+ Displays your kernel/iptables capabilities. The
+ -f option causes the display
+ to be formatted as a capabilities file for use with compile -e.
+
+
+
+
+ [ [ ] chain
+ ... ]
+
+
+ The rules in each chain are
+ displayed using the iptables
+ -Lchain-n -v command. If no
+ chain is given, all of the chains in the
+ filter table are displayed. The -x option is passed directly through to
+ iptables and causes actual packet and byte counts to be
+ displayed. Without this option, those counts are abbreviated.
+ The -t option specifies the
+ Netfilter table to display. The default is filter.
+
+ If the t option and the
+ keyword are both omitted and any of the
+ listed chains do not exist, a usage
+ message will be displayed.
+
+
+
+
+ classifiers
+
+
+ Displays information about the packet classifiers
+ defined on the system 10-080213-8397as a result of traffic
+ shaping configuration.
+
+
+
+
+ config
+
+
+ Dispays distribution-specific defaults.
+
+
+
+
+ connections
+
+
+ Displays the IP connections currently being tracked by
+ the firewall.
+
+
+
+
+ macros
+
+
+ Displays information about each macro defined on the
+ firewall system.
+
+
+
+
+ mangle
+
+
+ Displays the Netfilter mangle table using the command
+ iptables -t mangle -L -n
+ -v.The -x option
+ is passed directly through to iptables and causes actual
+ packet and byte counts to be displayed. Without this option,
+ those counts are abbreviated.
+
+
+
+
+ nat
+
+
+ Displays the Netfilter nat table using the command
+ iptables -t nat -L -n -v.The
+ -x option is passed directly
+ through to iptables and causes actual packet and byte counts
+ to be displayed. Without this option, those counts are
+ abbreviated.
+
+
+
+
+ tc
+
+
+ Displays information about queuing disciplines, classes
+ and filters.
+
+
+
+
+ zones
+
+
+ Displays the current composition of the Shorewall Lite
+ zones on the system.
+
+
+
+
+
+
+
+ start
+
+
+ Start shorewall Lite. Existing connections through
+ shorewall-lite managed interfaces are untouched. New connections
+ will be allowed only if they are allowed by the firewall rules or
+ policies. If -f is specified, the
+ saved configuration specified by the RESTOREFILE option in shorewall-lite.conf(5) will
+ be restored if that saved configuration exists and has been modified
+ more recently than the files in /etc/shorewall.
+
+ The option causes Shorewall to avoid
+ updating the routing table(s).
+
+ The option causes the connection tracking
+ table to be flushed; the conntrack utility must
+ be installed to use this option.
+
+
+
+
+ stop
+
+
+ Stops the firewall. All existing connections, except those
+ listed in shorewall-routestopped(5)
+ or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
+ are taken down. The only new traffic permitted through the firewall
+ is from systems listed in shorewall-routestopped(5)
+ or by ADMINISABSENTMINDED.
+
+
+
+
+ status
+
+
+ Produces a short report about the state of the
+ Shorewall-configured firewall.
+
+
+
+
+ version
+
+
+ Displays Shorewall-lite's version.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall-lite/
+
+
+
+ See ALSO
+
+ http://www.shorewall.net/starting_and_stopping_shorewall.htm
+
+ shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-accounting.xml b/manpages6/shorewall-accounting.xml
new file mode 100644
index 000000000..e2107d083
--- /dev/null
+++ b/manpages6/shorewall-accounting.xml
@@ -0,0 +1,328 @@
+
+
+
+ shorewall-accounting
+
+ 5
+
+
+
+ accounting
+
+ Shorewall Accounting file
+
+
+
+
+ /etc/shorewall/accounting
+
+
+
+
+ Description
+
+ Accounting rules exist simply to count packets and bytes in
+ categories that you define in this file. You may display these rules and
+ their packet and byte counters using the shorewall show
+ accounting command.
+
+ The columns in the file are as follows.
+
+
+
+ ACTION - {COUNT|DONE|chain[:COUNT]}
+
+
+ What to do when a matching packet is found.
+
+
+
+ COUNT
+
+
+ Simply count the match and continue with the next
+ rule
+
+
+
+
+ DONE
+
+
+ Count the match and don't attempt to match any other
+ accounting rules in the chain specified in the CHAIN column.
+
+
+
+
+ chain[:COUNT]
+
+
+ Where chain is the name of a chain;
+ Shorewall will create the chain automatically if it doesn't
+ already exist. Causes a jump to that chain to be added to the
+ chain specified in the CHAIN column. If :COUNT is included, a counting rule
+ matching this entry will be added to
+ chain
+
+
+
+
+
+
+
+ CHAIN - {-|chain}
+
+
+ The name of a chain. If specified as
+ - the accounting chain is assumed. This is the
+ chain where the accounting rule is added. The
+ chain will be created if it doesn't already
+ exist.
+
+
+
+
+ SOURCE - {-|any|all|interface|interface:address|address}
+
+
+ Packet Source.
+
+ The name of an interface, an
+ address (host or net) or an
+ interface name followed by ":" and a host
+ or net address.
+
+
+
+
+ DESTINATION - {-|any|all|interface|interface:address|address}
+
+
+ Packet Destination.
+
+ Format same as SOURCE
+ column.
+
+
+
+
+ PROTOCOL - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
+
+
+ A protocol-name (from protocols(5)), a
+ protocol-number, ipp2p, ipp2p:udp or ipp2p:all
+
+
+
+
+ DEST PORT(S) - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
+
+
+ Destination Port number. Service name from services(5) or
+ port number. May only be specified if the
+ protocol is tcp or udp (6 or 17).
+
+ You may place a comma-separated list of port names or numbers
+ in this column if your kernel and iptables include multiport match
+ support.
+
+ If the PROTOCOL is ipp2p then
+ this column must contain an ipp2p-option
+ ("iptables -m ipp2p --help") without the leading "--". If no option
+ is given in this column, ipp2p is
+ assumed.
+
+
+
+
+ SOURCE PORT(S) - {-|any|all|port-name-or-number[,port-name-or-number]...}
+
+
+ Service name from services(5) or port
+ number. May only be specified if the protocol is TCP or
+ UDP (6 or 17).
+
+ You may place a comma-separated list of port numbers in this
+ column if your kernel and iptables include multiport match
+ support.
+
+
+
+
+ USER/GROUP - [!][user-name-or-number][:group-name-or-number][+program-name]
+
+
+ This column may only be non-empty if the CHAIN is OUTPUT.
+
+ When this column is non-empty, the rule applies only if the
+ program generating the output is running under the effective
+ user and/or group
+ specified (or is NOT running under that id if "!" is given).
+
+ Examples:
+
+
+
+ joe
+
+
+ program must be run by joe
+
+
+
+
+ :kids
+
+
+ program must be run by a member of the 'kids'
+ group
+
+
+
+
+ !:kids
+
+
+ program must not be run by a member of the 'kids'
+ group
+
+
+
+
+ +upnpd
+
+
+ #program named upnpd
+
+
+ The ability to specify a program name was removed from
+ Netfilter in kernel version 2.6.14.
+
+
+
+
+
+
+
+
+ MARK - [!]value[/mask][:C]
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested. This option is only supported by
+ Shorewall-perl.
+
+
+
+
+
+
+
+ In all of the above columns except ACTION and CHAIN,
+ the values -, any and all may be
+ used as wildcards. Omitted trailing columns are also treated as
+ wildcards.
+
+
+
+ FILES
+
+ /etc/shorewall/accounting
+
+
+
+ See ALSO
+
+ http://shorewall.net/Accounting.html
+
+
+ shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-actions.xml b/manpages6/shorewall-actions.xml
new file mode 100644
index 000000000..94ab3d113
--- /dev/null
+++ b/manpages6/shorewall-actions.xml
@@ -0,0 +1,59 @@
+
+
+
+ shorewall-actions
+
+ 5
+
+
+
+ actions
+
+ Shorewall action declaration file
+
+
+
+
+ /etc/shorewall/actions
+
+
+
+
+ Description
+
+ This file allows you to define new ACTIONS for use in rules (see
+ shorewall-rules(5)). You define
+ the iptables rules to be performed in an ACTION in
+ /etc/shorewall/action.action-name.
+
+ ACTION names should begin with an upper-case letter to distinguish
+ them from Shorewall-generated chain names and they must meet the
+ requirements of a Netfilter chain. If you intend to log from the action
+ then the name must be no longer than 11 characters in length. Names must
+ also meet the requirements for a Bourne Shell identifier (must begin with
+ a letter and be composed of letters, digits and underscore
+ characters).
+
+
+
+ FILES
+
+ /etc/shorewall/actions
+
+
+
+ See ALSO
+
+ http://shorewall.net/Actions.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-blacklist.xml b/manpages6/shorewall-blacklist.xml
new file mode 100644
index 000000000..915ee6f69
--- /dev/null
+++ b/manpages6/shorewall-blacklist.xml
@@ -0,0 +1,139 @@
+
+
+
+ shorewall-blacklist
+
+ 5
+
+
+
+ blacklist
+
+ Shorewall Blacklist file
+
+
+
+
+ /etc/shorewall/blacklist
+
+
+
+
+ Description
+
+ The blacklist file is used to perform static blacklisting. You can
+ blacklist by source address (IP or MAC), or by application.
+
+ The columns in the file are as follows.
+
+
+
+ ADDRESS/SUBNET - {-|~mac-address|ip-address|address-range|+ipset}
+
+
+ Host address, network address, MAC address, IP address range
+ (if your kernel and iptables contain iprange match support) or ipset
+ name prefaced by "+" (if your kernel supports ipset match).
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+ A dash ("-") in this column means that any source address will
+ match. This is useful if you want to blacklist a particular
+ application using entries in the PROTOCOL and PORTS columns.
+
+
+
+
+ PROTOCOL (Optional) -
+ {-|protocol-number|protocol-name}
+
+
+ If specified, must be a protocol number or a protocol name
+ from protocols(5).
+
+
+
+
+ PORTS (Optional) - {-|port-name-or-number[,port-name-or-number]...}
+
+
+ May only be specified if the protocol is TCP (6) or UDP (17).
+ A comma-separated list of destination port numbers or service names
+ from services(5).
+
+
+
+
+ When a packet arrives on an interface that has the blacklist option specified in shorewall-interfaces(5), its
+ source IP address and MAC address is checked against this file and
+ disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall.conf(5). If PROTOCOL or PROTOCOL and PORTS
+ are supplied, only packets matching the protocol (and one of the ports if
+ PORTS supplied) are blocked.
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ To block DNS queries from address 192.0.2.126:
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+ 192.0.2.126 udp 53
+
+
+
+
+ Example 2:
+
+
+ To block some of the nuisance applications:
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+ - udp 1024:1033,1434
+ - tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/blacklist
+
+
+
+ See ALSO
+
+ http://shorewall.net/blacklisting_support.htm
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-ecn.xml b/manpages6/shorewall-ecn.xml
new file mode 100644
index 000000000..b557a5630
--- /dev/null
+++ b/manpages6/shorewall-ecn.xml
@@ -0,0 +1,74 @@
+
+
+
+ shorewall-ecn
+
+ 5
+
+
+
+ ecn
+
+ Shorewall ECN file
+
+
+
+
+ /etc/shorewall/ecn
+
+
+
+
+ Description
+
+ Use this file to list the destinations for which you want to disable
+ ECN (Explicit Congestion Notification).
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACE -
+ interface
+
+
+ Interface through which host(s) communicate with the
+ firewall
+
+
+
+
+ HOST(S) (Optional) - [-|address-or-address-range[,address-or-address-range]...]
+
+
+ Comma-separated list of host and/or network addresses. If left
+ empty or supplied as "-", 0.0.0.0/0 is assumed. If your kernel and
+ iptables include iprange match support then IP address ranges are
+ also permitted.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/ecn
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-exclusion.xml b/manpages6/shorewall-exclusion.xml
new file mode 100644
index 000000000..f313c8e61
--- /dev/null
+++ b/manpages6/shorewall-exclusion.xml
@@ -0,0 +1,108 @@
+
+
+
+ shorewall-exclusion
+
+ 5
+
+
+
+ exclusion
+
+ Exclude a set of hosts from a definition in a shorewall
+ configuration file.
+
+
+
+
+ address-or-range[,address-or-range]
+
+
+
+
+ Description
+
+ Exclusion is used when you wish to exclude one or more addresses
+ from a definition. An exclaimation point is followed by a comma-separated
+ list of addresses. The addresses may be single host addresses (e.g.,
+ 192.168.1.4) or they may be network addresses in CIDR format (e.g.,
+ 192.168.1.0/24). If your kernel and iptables include iprange support, you
+ may also specify ranges of ip addresses of the form
+ lowaddress-highaddress
+
+ No embedded whitespace is allowed.
+
+ Exclusion can appear after a list of addresses and/or address
+ ranges. In that case, the final list of address is formed by taking the
+ first list and then removing the addresses defined in the
+ exclusion.
+
+
+
+ Examples
+
+
+
+ Example 1 - All IPv4 addresses except 192.168.3.4
+
+
+ !192.168.3.4
+
+
+
+
+ Example 2 - All IPv4 addresses except the network 192.168.1.0/24
+ and the host 10.2.3.4
+
+
+ !192.168.1.0/24,10.1.3.4
+
+
+
+
+ Example 3 - All IPv4 addresses except the range
+ 192.168.1.3-192.168.1.12 and the network 10.0.0.0/8
+
+
+ !192.168.1.3-192.168.1.12,10.0.0.0/8
+
+
+
+
+ Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
+ and 192.168.1.9
+
+
+ 192.168.1.0/24!192.168.1.3,192.168.1.9
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/hosts
+
+ /etc/shorewall/masq
+
+ /etc/shorewall/rules
+
+ /etc/shorewall/tcrules
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-hosts.xml b/manpages6/shorewall-hosts.xml
new file mode 100644
index 000000000..3944f6285
--- /dev/null
+++ b/manpages6/shorewall-hosts.xml
@@ -0,0 +1,275 @@
+
+
+
+ shorewall-hosts
+
+ 5
+
+
+
+ hosts
+
+ Shorewall file
+
+
+
+
+ /etc/shorewall/hosts
+
+
+
+
+ Description
+
+ This file is used to define zones in terms of subnets and/or
+ individual IP addresses. Most simple setups don't need to (should not)
+ place anything in this file.
+
+ The order of entries in this file is not significant in determining
+ zone composition. Rather, the order that the zones are declared in shorewall-zones(5) determines the order
+ in which the records in this file are interpreted.
+
+
+ The only time that you need this file is when you have more than
+ one zone connected through a single interface.
+
+
+
+ If you have an entry for a zone and interface in shorewall-interfaces(5) then do
+ not include any entries in this file for that same (zone, interface)
+ pair.
+
+
+ The columns in the file are as follows.
+
+
+
+ ZONE -
+ zone-name
+
+
+ The name of a zone declared in shorewall-zones(5). You may not
+ list the firewall zone in this column.
+
+
+
+
+ HOST(S) -
+ interface:{[{address-or-range[,address-or-range]...|+ipset}[exclusion]
+
+
+ The name of an interface defined in the shorewall-interfaces(5) file
+ followed by a colon (":") and a comma-separated list whose elements
+ are either:
+
+
+
+ The IP address of a
+ host.
+
+
+
+ A network in CIDR format.
+
+
+
+ An IP address range of the form
+ low.address-high.address.
+ Your kernel and iptables must have iprange match support.
+
+
+
+ The name of an ipset.
+
+
+
+
+ You may also exclude certain hosts through use of an
+ exclusion (see shorewall-exclusion(5).
+
+
+
+
+
+ OPTIONS (Optional) - [option[,option]...]
+
+
+ A comma-separated list of options from the following list. The
+ order in which you list the options is not significant but the list
+ must have no embedded white space.
+
+
+
+ maclist
+
+
+ Connection requests from these hosts are compared
+ against the contents of shorewall-maclist(5). If
+ this option is specified, the interface must be an ethernet
+ NIC or equivalent and must be up before Shorewall is
+ started.
+
+
+
+
+ routeback
+
+
+ Shorewall should set up the infrastructure to pass
+ packets from this/these address(es) back to themselves. This
+ is necessary if hosts in this group use the services of a
+ transparent proxy that is a member of the group or if DNAT is
+ used to send requests originating from this group to a server
+ in the group.
+
+
+
+
+ blacklist
+
+
+ This option only makes sense for ports on a
+ bridge.
+
+ Check packets arriving on this port against the shorewall-blacklist(5)
+ file.
+
+
+
+
+ tcpflags
+
+
+ Packets arriving from these hosts are checked for
+ certain illegal combinations of TCP flags. Packets found to
+ have such a combination of flags are handled according to the
+ setting of TCP_FLAGS_DISPOSITION after having been logged
+ according to the setting of TCP_FLAGS_LOG_LEVEL.
+
+
+
+
+ nosmurfs
+
+
+ This option only makes sense for ports on a
+ bridge.
+
+ Filter packets for smurfs (packets with a broadcast
+ address as the source).
+
+ Smurfs will be optionally logged based on the setting of
+ SMURF_LOG_LEVEL in shorewall.conf(5). After
+ logging, the packets are dropped.
+
+
+
+
+ ipsec
+
+
+ The zone is accessed via a kernel 2.6 ipsec SA. Note
+ that if the zone named in the ZONE column is specified as an
+ IPSEC zone in the shorewall-zones(5) file
+ then you do NOT need to specify the 'ipsec' option
+ here.
+
+
+
+
+ broadcast
+
+
+ Used when you want to include limited broadcasts
+ (destination IP address 255.255.255.255) from the firewall to
+ this zone. Only necessary when:
+
+
+
+ The network specified in the HOST(S) column does not
+ include 255.255.255.255.
+
+
+
+ The zone does not have an entry for this interface
+ in shorewall-interfaces(5).
+
+
+
+
+
+
+ destonly
+
+
+ Normally used with the Multi-cast IP address range
+ (224.0.0.0/4). Specifies that traffic will be sent to the
+ specified net(s) but that no traffic will be received from the
+ net(s).
+
+
+
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1
+
+
+ The firewall runs a PPTP server which creates a ppp interface
+ for each remote client. The clients are assigned IP addresses in the
+ network 192.168.3.0/24 and in a zone named 'vpn'.#ZONE HOST(S) OPTIONS
+vpn ppp+:192.168.3.0/24
+
+ If you are running a Shorewall version prior to 4.1.4, it is
+ especially recommended to define such a zone using this file rather
+ than shorewall-interfaces(8) if
+ there is another zone that uses a fixed PPP interface (for example,
+ if the 'net' zone always interfaces through ppp0). See shorewall-nesting(8) for
+ additional information.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/hosts
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-interfaces.xml b/manpages6/shorewall-interfaces.xml
new file mode 100644
index 000000000..5cdca4763
--- /dev/null
+++ b/manpages6/shorewall-interfaces.xml
@@ -0,0 +1,622 @@
+
+
+
+
+ shorewall-interfaces
+
+ 5
+
+
+
+ interfaces
+
+ Shorewall interfaces file
+
+
+
+
+ /etc/shorewall/interfaces
+
+
+
+
+ Description
+
+ The interfaces file serves to define the firewall's network
+ interfaces to Shorewall. The order of entries in this file is not
+ significant in determining zone composition.
+
+ The columns in the file are as follows.
+
+
+
+ ZONE -
+ zone-name
+
+
+ Zone for this interface. Must match the name of a zone
+ declared in /etc/shorewall/zones. You may not list the firewall zone
+ in this column.
+
+ If the interface serves multiple zones that will be defined in
+ the shorewall-hosts(5)
+ file, you should place "-" in this column.
+
+ If there are multiple interfaces to the same zone, you must
+ list them in separate entries.
+
+ Example:
+
+
+
+
+
+
+ INTERFACE -
+ interface[:port]
+
+
+ Name of interface. Each interface may be listed only once in
+ this file. You may NOT specify the name of a "virtual" interface
+ (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18
+
+ You may use wildcards here by specifying a prefix followed by
+ the plus sign ("+"). For example, if you want to make an entry that
+ applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
+ ppp1, ppp2, …
+
+ When using Shorewall versions before 4.1.4, care must be
+ exercised when using wildcards where there is another zone that uses
+ a matching specific interface. See shorewall-nesting(5) for a
+ discussion of this problem.
+
+ Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as
+ an interface name.
+
+ There is no need to define the loopback interface (lo) in this
+ file.
+
+ (Shorewall-perl only) If a port is
+ given, then the interface must have been
+ defined previously with the option. The
+ OPTIONS column must be empty when a port
+ is given.
+
+
+
+
+ BROADCAST (Optional) -
+ {-|detect|address[,address]...}
+
+
+ The broadcast address(es) for the network(s) to which the
+ interface belongs. For P-T-P interfaces, this column is left blank.
+ If the interface has multiple addresses on multiple subnets then
+ list the broadcast addresses as a comma-separated list.
+
+ If you use the special value detect, Shorewall will detect the broadcast
+ address(es) for you. If you select this option, the interface must
+ be up before the firewall is started.
+
+ If you don't want to give a value for this column but you want
+ to enter a value in the OPTIONS column, enter - in this column.
+
+ Note to Shorewall-perl users:
+ Shorewall-perl only supports or - in this column. If you specify
+ addresses, a compilation warning will be
+ issued.
+
+
+
+
+ OPTIONS (Optional) -
+ [option[,option]...]
+
+
+ A comma-separated list of options from the following list. The
+ order in which you list the options is not significant but the list
+ should have no embedded white space.
+
+
+
+ arp_filter[={0|1}]
+
+
+ If specified, this interface will only respond to ARP
+ who-has requests for IP addresses configured on the interface.
+ If not specified, the interface can respond to ARP who-has
+ requests for IP addresses on any of the firewall's interface.
+ The interface must be up when Shorewall is started.
+
+ The option value (0 or 1) may only be specified if you
+ are using Shorewall-perl. With Shorewall-perl, only those
+ interfaces with the option will
+ have their setting changes; the value assigned to the setting
+ will be the value specified (if any) or 1 if no value is
+ given.
+
+
+
+
+ This option does not work with a wild-card
+ interface name (e.g., eth0.+) in
+ the INTERFACE column.
+
+
+
+
+
+ arp_ignore[=number]
+
+
+ If specified, this interface will respond to arp
+ requests based on the value of number
+ (defaults to 1).
+
+ 1 - reply only if the target IP address is local address
+ configured on the incoming interface
+
+ 2 - reply only if the target IP address is local address
+ configured on the incoming interface and the sender's IP
+ address is part from same subnet on this interface
+
+ 3 - do not reply for local addresses configured with
+ scope host, only resolutions for global and link
+
+ 4-7 - reserved
+
+ 8 - do not reply for all local addresses
+
+
+
+
+ This option does not work with a wild-card
+ interface name (e.g., eth0.+) in
+ the INTERFACE column.
+
+
+
+
+
+ Do not specify arp_ignore for any interface involved
+ in Proxy ARP.
+
+
+
+
+
+ blacklist
+
+
+ Check packets arriving on this interface against the
+ shorewall-blacklist(5)
+ file.
+
+
+
+
+ bridge
+
+
+ (Shorewall-perl only) Designates the interface as a
+ bridge.
+
+
+
+
+ detectnets
+ (Deprecated)
+
+
+ Automatically tailors the zone named in the ZONE column
+ to include only those hosts routed through the
+ interface.
+
+
+
+
+ Do not set the detectnets option on your internet
+ interface.
+
+ Support for this option will be removed in a future
+ release of Shorewall-perl. Better to use the routefilter option together with the
+ logmartians option.
+
+
+
+
+
+ dhcp
+
+
+ Specify this option when any of the following are
+ true:
+
+
+
+ the interface gets its IP address via DHCP
+
+
+
+ the interface is used by a DHCP server running on
+ the firewall
+
+
+
+ the interface has a static IP but is on a LAN
+ segment with lots of DHCP clients.
+
+
+
+ the interface is a bridge with a DHCP server on one
+ port and DHCP clients on another port.
+
+
+
+ This option allows DHCP datagrams to enter and leave the
+ interface.
+
+
+
+
+ logmartians[={0|1}]
+
+
+ Turn on kernel martian logging (logging of packets with
+ impossible source addresses. It is strongly suggested that if
+ you set routefilter on an
+ interface that you also set logmartians. Even if you do not specify
+ the option, it is a good idea to
+ specify because your distribution
+ may be enabling route filtering without you knowing it.
+
+ The option value (0 or 1) may only be specified if you
+ are using Shorewall-perl. With Shorewall-perl, only those
+ interfaces with the option will
+ have their setting changes; the value assigned to the setting
+ will be the value specified (if any) or 1 if no value is
+ given.
+
+ To find out if route filtering is set on a given
+ interface, check the contents of
+ /proc/sys/net/ipv4/conf/interface/rp_filter
+ - a non-zero value indicates that route filtering is
+ enabled.
+
+ Example:
+
+ teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
+ 1
+ teastep@lists:~$
+
+
+
+
+ This option does not work with a wild-card
+ interface name (e.g., eth0.+) in
+ the INTERFACE column.
+
+
+
+ This option may also be enabled globally in the shorewall.conf(5)
+ file.
+
+
+
+
+
+ maclist
+
+
+ Connection requests from this interface are compared
+ against the contents of shorewall-maclist(5). If
+ this option is specified, the interface must be an ethernet
+ NIC and must be up before Shorewall is started.
+
+
+
+
+ mss[=number]
+
+
+ Added in Shorewall 4.0.3. Causes forwarded TCP SYN
+ packets entering or leaving on this interface to have their
+ MSS field set to the specified
+ number.
+
+
+
+
+ norfc1918
+
+
+ This interface should not receive any packets whose
+ source is in one of the ranges reserved by RFC 1918 (i.e.,
+ private or "non-routable" addresses). If packet mangling or
+ connection-tracking match is enabled in your kernel, packets
+ whose destination addresses are reserved by RFC 1918 are also
+ rejected.
+
+
+
+
+ nosmurfs
+
+
+ Filter packets for smurfs (packets with a broadcast
+ address as the source).
+
+ Smurfs will be optionally logged based on the setting of
+ SMURF_LOG_LEVEL in shorewall.conf(5). After
+ logging, the packets are dropped.
+
+
+
+
+ optional
+
+
+ Only supported by Shorewall-perl. When
+ is specified for an interface,
+ Shorewall will be silent when:
+
+
+
+ a /proc/sys/net/ipv4/conf/
+ entry for the interface cannot be modified (including for
+ proxy ARP).
+
+
+
+ The first address of the interface cannot be
+ obtained.
+
+
+
+
+
+
+ I specify on interfaces to
+ Xen virtual machines that may or may not be running when
+ Shorewall is [re]started.
+
+
+
+
+ Use at your own risk. If
+ you [re]start Shorewall when an 'optional' interface is
+ not available and then do a shorewall
+ save, subsequent shorewall
+ restore and shorewall -f
+ start operations will instantiate a ruleset that
+ does not support that interface, even if it is available
+ at the time of the restore/start.
+
+
+
+
+
+
+ proxyarp[={0|1}]
+
+
+ Sets
+ /proc/sys/net/ipv4/conf/interface/proxy_arp.
+ Do NOT use this option if you are employing Proxy ARP through
+ entries in shorewall-proxyarp(5).
+ This option is intended solely for use with Proxy ARP
+ sub-networking as described at: http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
+
+
+ Note: This option does
+ not work with a wild-card interface
+ name (e.g., eth0.+) in the INTERFACE column.
+
+ The option value (0 or 1) may only be specified if you
+ are using Shorewall-perl. With Shorewall-perl, only those
+ interfaces with the option will have
+ their setting changes; the value assigned to the setting will
+ be the value specified (if any) or 1 if no value is
+ given.
+
+
+
+
+ routeback
+
+
+ If specified, indicates that Shorewall should include
+ rules that allow filtering traffic arriving on this interface
+ back out that same interface. This option is also required
+ when you have used a wildcard in the INTERFACE column if you
+ want to allow traffic between the interfaces that match the
+ wildcard.
+
+
+
+
+ routefilter[={0|1}]
+
+
+ Turn on kernel route filtering for this interface
+ (anti-spoofing measure).
+
+ The option value (0 or 1) may only be specified if you
+ are using Shorewall-perl. With Shorewall-perl, only those
+ interfaces with the option will
+ have their setting changes; the value assigned to the setting
+ will be the value specified (if any) or 1 if no value is
+ given.
+
+
+
+
+ This option does not work with a wild-card
+ interface name (e.g., eth0.+) in
+ the INTERFACE column.
+
+
+
+ This option can also be enabled globally in the shorewall.conf(5)
+ file.
+
+
+
+
+
+ sourceroute[={0|1}]
+
+
+ If this option is not specified for an interface, then
+ source-routed packets will not be accepted from that interface
+ (sets
+ /proc/sys/net/ipv4/conf/interface/accept_source_route
+ to 1). Only set this option if you know what you are doing.
+ This might represent a security risk and is not usually
+ needed.
+
+ The option value (0 or 1) may only be specified if you
+ are using Shorewall-perl. With Shorewall-perl, only those
+ interfaces with the option will
+ have their setting changes; the value assigned to the setting
+ will be the value specified (if any) or 1 if no value is
+ given.
+
+
+
+
+ This option does not work with a wild-card
+ interface name (e.g., eth0.+) in
+ the INTERFACE column.
+
+
+
+
+
+ tcpflags
+
+
+ Packets arriving on this interface are checked for
+ certain illegal combinations of TCP flags. Packets found to
+ have such a combination of flags are handled according to the
+ setting of TCP_FLAGS_DISPOSITION after having been logged
+ according to the setting of TCP_FLAGS_LOG_LEVEL.
+
+
+
+
+ upnp
+
+
+ Incoming requests from this interface may be remapped
+ via UPNP (upnpd). See http://www.shorewall.net/UPnP.html.
+
+
+
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Suppose you have eth0 connected to a DSL modem and eth1
+ connected to your local network and that your local subnet is
+ 192.168.1.0/24. The interface gets it's IP address via DHCP from
+ subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
+ using eth2.
+
+ Your entries for this setup would look like:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 206.191.149.223 dhcp
+loc eth1 192.168.1.255
+dmz eth2 192.168.2.255
+
+
+
+
+ Example 2:
+
+
+ The same configuration without specifying broadcast addresses
+ is:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect dhcp
+loc eth1 detect
+dmz eth2 detect
+
+
+
+
+ Example 3:
+
+
+ You have a simple dial-in system with no ethernet
+ connections.
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+net ppp0 -
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/interfaces
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-maclist.xml b/manpages6/shorewall-maclist.xml
new file mode 100644
index 000000000..92b6ef59b
--- /dev/null
+++ b/manpages6/shorewall-maclist.xml
@@ -0,0 +1,111 @@
+
+
+
+ shorewall-maclist
+
+ 5
+
+
+
+ maclist
+
+ Shorewall MAC Verification file
+
+
+
+
+ /etc/shorewall/maclist
+
+
+
+
+ Description
+
+ This file is used to define the MAC addresses and optionally their
+ associated IP addresses to be allowed to use the specified interface. The
+ feature is enabled by using the maclist
+ option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration
+ file.
+
+ The columns in the file are as follows.
+
+
+
+ DISPOSITION - {ACCEPT|DROP|REJECT}[log-level]
+
+
+ ACCEPT or DROP (if MACLIST_TABLE=filter in shorewall.conf(5), then REJECT is
+ also allowed). If specified, the
+ log-level causes packets matching the
+ rule to be logged at that level.
+
+
+
+
+ INTERFACE -
+ interface
+
+
+ Network interface to a host.
+
+
+
+
+ MAC -
+ address
+
+
+ MAC address of the host -- you do not
+ need to use the Shorewall format for MAC addresses here. If
+ IP ADDRESSESES is supplied then
+ MAC can be supplied as a dash
+ (-)
+
+
+
+
+ IP ADDRESSES (Optional) -
+ [address[,address]...]
+
+
+ If specified, both the MAC and IP address must match. This
+ column can contain a comma-separated list of host and/or subnet
+ addresses. If your kernel and iptables have iprange match support
+ then IP address ranges are also allowed. Similarly, if your kernel
+ and iptables include ipset support than set names (prefixed by "+")
+ are also allowed.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/maclist
+
+
+
+ See ALSO
+
+ http://shorewall.net/MAC_Validation.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-masq.xml b/manpages6/shorewall-masq.xml
new file mode 100644
index 000000000..e185a4a81
--- /dev/null
+++ b/manpages6/shorewall-masq.xml
@@ -0,0 +1,502 @@
+
+
+
+
+ shorewall-masq
+
+ 5
+
+
+
+ masq
+
+ Shorewall Masquerade/SNAT definition file
+
+
+
+
+ /etc/shorewall/masq
+
+
+
+
+ Description
+
+ Use this file to define dynamic NAT (Masquerading) and to define
+ Source NAT (SNAT).
+
+
+ The entries in this file are order-sensitive. The first entry that
+ matches a particular connection will be the one that is used.
+
+
+
+ If you have more than one ISP, adding entries to this file will
+ *not* force connections to go out through a particular ISP. You must use
+ PREROUTING entries in shorewall-tcrules(5) to do
+ that.
+
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACE - [+]interfacelist[:[digit]][:[address[,address]...[exclusion]]
+
+
+ Outgoing interfacelist. Prior to
+ Shorewall 4.1.4, this must be a single interface name; in 4.1.4 and
+ later, this may be a comma-separated list of interface names. This
+ is usually your internet interface. If ADD_SNAT_ALIASES=Yes in
+ shorewall.conf(5), you may
+ add ":" and a digit to indicate that you want
+ the alias added with that name (e.g., eth0:0). This will allow the
+ alias to be displayed with ifconfig. That is
+ the only use for the alias name; it may not appear in any other
+ place in your Shorewall configuration.
+
+ Each interface must match an entry in shorewall-interfaces(5).
+ Prior to Shorewall 4.1.4, this must be an exact match.
+ Shorewall-perl 4.1.4 and later allow loose matches to wildcard
+ entries in shorewall-interfaces(5). For
+ example, ppp0 in this file
+ will match a shorewall-interfaces(5)
+ entry that defines ppp+.
+
+ The interface may be qualified by adding the character ":"
+ followed by a comma-separated list of destination host or subnet
+ addresses to indicate that you only want to change the source IP
+ address for packets being sent to those particular destinations.
+ Exclusion is allowed (see shorewall-exclusion(5)).
+
+ If you wish to inhibit the action of ADD_SNAT_ALIASES for this
+ entry then include the ":" but omit the digit:
+
+ eth0:
+ eth2::192.0.2.32/27
+
+ Normally Masq/SNAT rules are evaluated after those for
+ one-to-one NAT (defined in shorewall-nat(5)). If you want the
+ rule to be applied before one-to-one NAT rules, prefix the interface
+ name with "+":
+
+ +eth0
+ +eth0:192.0.2.32/27
+ +eth0:2
+
+ This feature should only be required if you need to insert
+ rules in this file that preempt entries in shorewall-nat(5).
+
+
+
+
+ SOURCE (Formerly called SUBNET)
+ -
+ {interface[[:]exclusion]|address[,address][exclusion]}
+
+
+ Set of hosts that you wish to masquerade. You can specify this
+ as an address (net or host) or as an
+ interface. If you give the name of an
+ interface, the interface must be up before you start the firewall
+ (Shorewall will use your main routing table to determine the
+ appropriate addresses to masquerade).
+
+ In order to exclude a address of the specified SOURCE, you may
+ append an exclusion ("!" and a comma-separated
+ list of IP addresses (host or net) that you wish to exclude (see
+ shorewall-exclusion(5))).
+ Note that with Shorewall-perl, a colon (":") must appear between an
+ interface name and the
+ exclusion;
+
+ Example (shorewall-shell):
+ eth1!192.168.1.4,192.168.32.0/27
+
+ Example (shorewall-perl):
+ eth1:!192.168.1.4,192.168.32.0/27
+
+ In that example traffic from eth1 would be masqueraded unless
+ it came from 192.168.1.4 or 196.168.32.0/27
+
+
+
+
+ ADDRESS (Optional) - [-|NONAT|[SAME:[nodst:]][address-or-address-range[,address-or-address-range]...][:lowport-highport][:random]|detect|random]
+
+
+ If you specify an address here, SNAT will be used and this
+ will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
+ in shorewall.conf(5) then
+ Shorewall will automatically add this address to the INTERFACE named
+ in the first column.
+
+ You may also specify a range of up to 256 IP addresses if you
+ want the SNAT address to be assigned from that range in a
+ round-robin fashion by connection. The range is specified by
+ first.ip.in.range-last.ip.in.range.
+ Beginning with Shorewall 4.0.6, you may follow the port range
+ with :random in which case
+ assignment of ports from the list will be random. random may also be specified by itself in
+ this column in which case random local port assignments are made for
+ the outgoing connections.
+
+ Example: 206.124.146.177-206.124.146.180
+
+ You may also use the special value "detect" which causes
+ Shorewall to determine the IP addresses configured on the interface
+ named in the INTERFACES column and substitute them in this
+ column.
+
+ Finally, you may also specify a comma-separated list of ranges
+ and/or addresses in this column.
+
+ This column may not contain DNS Names.
+
+ Normally, Netfilter will attempt to retain the source port
+ number. You may cause netfilter to remap the source port by
+ following an address or range (if any) by ":" and a port range with
+ the format
+ lowport-highport. If this
+ is done, you must specify "tcp" or "udp" in the PROTO column.
+
+ Examples:
+
+ 192.0.2.4:5000-6000
+ :4000-5000
+
+ You can invoke the SAME target rather than the SNAT target by
+ prefixing the column contents with .
+
+ SAME works like SNAT with the exception that the same local IP
+ address is assigned to each connection from a local address to a
+ given remote address.
+
+ If the option is included, then the
+ same source address is used for a given internal system regardless
+ of which remote system is involved.
+ Support for the SAME target is scheduled for removal from
+ the Linux kernel in 2008.
+
+
+ If you simply place NONAT in
+ this column, no rewriting of the source IP address or port number
+ will be performed. This is useful if you want particular traffic to
+ be exempt from the entries that follow in the file.
+
+ If you want to leave this column empty but you need to specify
+ the next column then place a hyphen ("-") here.
+
+
+
+
+ PROTO (Optional) - {-|protocol-name|protocol-number}
+
+
+ If you wish to restrict this entry to a particular protocol
+ then enter the protocol name (from protocols(5)) or number
+ here.
+
+
+
+
+ PORT(S) (Optional) -
+ [port-name-or-number[,port-name-or-number]...]
+
+
+ If the PROTO column specifies TCP (protocol 6) or UDP
+ (protocol 17) then you may list one or more port numbers (or names
+ from services(5)) separated by commas or you may list a single port
+ range
+ (lowport:highport).
+
+ Where a comma-separated list is given, your kernel and
+ iptables must have multiport match support and a maximum of 15 ports
+ may be listed.
+
+
+
+
+ IPSEC (Optional) -
+ [option[,option]...]
+
+
+ If you specify a value other than "-" in this column, you must
+ be running kernel 2.6 and your kernel and iptables must include
+ policy match support.
+
+ Comma-separated list of options from the following. Only
+ packets that will be encrypted via an SA that matches these options
+ will have their source address changed.
+
+
+
+ reqid=number
+
+
+ where number is specified using
+ setkey(8) using the 'unique:number option
+ for the SPD level.
+
+
+
+
+ spi=<number>
+
+
+ where number is the SPI of the SA
+ used to encrypt/decrypt packets.
+
+
+
+
+ proto=ah|esp|ipcomp
+
+
+ IPSEC Encapsulation Protocol
+
+
+
+
+ mss=number
+
+
+ sets the MSS field in TCP packets
+
+
+
+
+ mode=transport|tunnel
+
+
+ IPSEC mode
+
+
+
+
+ tunnel-src=address[/mask]
+
+
+ only available with mode=tunnel
+
+
+
+
+ tunnel-dst=address[/mask]
+
+
+ only available with mode=tunnel
+
+
+
+
+ strict
+
+
+ Means that packets must match all rules.
+
+
+
+
+ next
+
+
+ Separates rules; can only be used with strict
+
+
+
+
+
+
+
+ MARK - [!]value[/mask][:C]
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested. This option is only supported by
+ Shorewall-perl.
+
+
+
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ You have a simple masquerading setup where eth0 connects to a
+ DSL or cable modem and eth1 connects to your local network with
+ subnet 192.168.0.0/24.
+
+ Your entry in the file can be either:
+
+ #INTERFACE SOURCE
+ eth0 eth1
+
+ or
+
+ #INTERFACE SOURCE
+ eth0 192.168.0.0/24
+
+
+
+
+ Example 2:
+
+
+ You add a router to your local network to connect subnet
+ 192.168.1.0/24 which you also want to masquerade. You then add a
+ second entry for eth0 to this file:
+
+ #INTERFACE SOURCE
+ eth0 192.168.1.0/24
+
+
+
+
+ Example 3:
+
+
+ You have an IPSEC tunnel through ipsec0 and you want to
+ masquerade packets coming from 192.168.1.0/24 but only if these
+ packets are destined for hosts in 10.1.1.0/24:
+
+ #INTERFACE SOURCE
+ ipsec0:10.1.1.0/24 196.168.1.0/24
+
+
+
+
+ Example 4:
+
+
+ You want all outgoing traffic from 192.168.1.0/24 through eth0
+ to use source address 206.124.146.176 which is NOT the primary
+ address of eth0. You want 206.124.146.176 to be added to eth0 with
+ name eth0:0.
+
+ #INTERFACE SOURCE ADDRESS
+ eth0:0 192.168.1.0/24 206.124.146.176
+
+
+
+
+ Example 5:
+
+
+ You want all outgoing SMTP traffic entering the firewall on
+ eth1 to be sent from eth0 with source IP address 206.124.146.177.
+ You want all other outgoing traffic from eth1 to be sent from eth0
+ with source IP address 206.124.146.176.
+
+ #INTERFACE SOURCE ADDRESS PROTO PORT(S)
+ eth0 eth1 206.124.146.177 tcp smtp
+ eth0 eth1 206.124.146.176
+
+
+ The order of the above two rules is significant!
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/masq
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
+ shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-modules.xml b/manpages6/shorewall-modules.xml
new file mode 100644
index 000000000..051a421c0
--- /dev/null
+++ b/manpages6/shorewall-modules.xml
@@ -0,0 +1,81 @@
+
+
+
+ shorewall-modules
+
+ 5
+
+
+
+ modules
+
+ Shorewall file
+
+
+
+
+ /usr/share/shorewall/modules
+
+
+
+
+ Description
+
+ This file specifies which kernel modules Shorewall will load before
+ trying to determine your iptables/kernel's capabilities. Each record in
+ the file has the following format:
+
+
+ loadmodule
+
+ modulename
+
+ moduleoption
+
+
+ The modulename names a kernel module
+ (without suffix). Shorewall will search for modules based on your
+ MODULESDIR and MODULE_SUFFIX settings in shorewall.conf(8). The
+ moduleoptions are passed to modprobe (if
+ installed) or to insmod.
+
+ The /usr/share/shorewall/modules file contains a large number of
+ modules. Users are encouraged to copy the file to /etc/shorewall/modules
+ and modify the copy to load only the modules required.
+ If you build monolithic kernels and have not installed
+ module-init-tools, then create an empty /etc/shorewall/modules file;
+ that will prevent Shorewall from trying to load modules at all.
+
+
+
+
+
+ Example
+
+ loadmodule ip_conntrack_ftp ports=21,221
+
+
+
+ FILES
+
+ /usr/share/shorewall/modules
+
+ /etc/shorewall/modules
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-nat.xml b/manpages6/shorewall-nat.xml
new file mode 100644
index 000000000..b2045e118
--- /dev/null
+++ b/manpages6/shorewall-nat.xml
@@ -0,0 +1,154 @@
+
+
+
+ shorewall-nat
+
+ 5
+
+
+
+ nat
+
+ Shorewall one-to-one NAT file
+
+
+
+
+ /etc/shorewall/nat
+
+
+
+
+ Description
+
+ This file is used to define one-to-one Network Address Translation
+ (NAT).
+
+
+ If all you want to do is simple port forwarding, do NOT use this
+ file. See http://www.shorewall.net/FAQ.htm#faq1.
+ Also, in many cases, Proxy ARP (shorewall-proxyarp(5)) is a better
+ solution that one-to-one NAT.
+
+
+ The columns in the file are as follows.
+
+
+
+ EXTERNAL -
+ address
+
+
+ External IP Address - this should NOT be the primary IP
+ address of the interface named in the next column and must not be a
+ DNS Name.
+
+ If you put COMMENT in this column, the rest of the line will
+ be attached as a comment to the Netfilter rule(s) generated by the
+ following entries in the file. The comment will appear delimited by
+ "/* ... */" in the output of "shorewall show nat"
+
+ To stop the comment from being attached to further rules,
+ simply include COMMENT on a line by itself.
+
+
+
+
+ INTERFACE -
+ interfacelist[:[digit]]
+
+
+ Interfacees that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in
+ shorewall.conf(5),
+ Shorewall will automatically add the EXTERNAL address to this
+ interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
+ name with ":" and a digit to indicate that you
+ want Shorewall to add the alias with this name (e.g., "eth0:0").
+ That allows you to see the alias with ifconfig. That is the only thing that this name is good for -- you
+ cannot use it anwhere else in your Shorewall configuration.
+
+
+ Each interface must match an entry in shorewall-interfaces(5).
+ Prior to Shorewall 4.1.4, this must be an exact match.
+ Shorewall-perl 4.1.4 and later allow loose matches to wildcard
+ entries in shorewall-interfaces(5). For
+ example, ppp0 in this file
+ will match a shorewall-interfaces(5)
+ entry that defines ppp+.
+
+ Prior to Shorewall 4.1.4,
+ interfacelist must be a single interface
+ name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may
+ specify a comma-separated list of interfaces.
+
+ If you want to override ADD_IP_ALIASES=Yes for a particular
+ entry, follow the interface name with ":" and no digit (e.g.,
+ "eth0:").
+
+
+
+
+ INTERNAL -
+ address
+
+
+ Internal Address (must not be a DNS Name).
+
+
+
+
+ ALL INTERFACES - [Yes|No]
+
+
+ If Yes or yes, NAT will be effective from all hosts. If No or
+ no (or left empty) then NAT will be effective only through the
+ interface named in the INTERFACE
+ column.
+
+
+
+
+ LOCAL - [Yes|No]
+
+
+ If Yes or yes, NAT will be effective from the firewall
+ system
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/nat
+
+
+
+ See ALSO
+
+ http://shorewall.net/NAT.htm
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5),
+ shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+ shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-nesting.xml b/manpages6/shorewall-nesting.xml
new file mode 100644
index 000000000..12b2ca6ff
--- /dev/null
+++ b/manpages6/shorewall-nesting.xml
@@ -0,0 +1,211 @@
+
+
+
+ shorewall-nesting
+
+ 5
+
+
+
+ nesting
+
+ Shorewall Nested Zones
+
+
+
+
+ child-zone[:parent-zone[,parent-zone]...]
+
+
+
+
+ Description
+
+ In shorewall-zones(5), a
+ zone may be declared to be a sub-zone of one or more other zones using the
+ above syntax.
+
+ Where zones are nested, the CONTINUE policy in shorewall-policy(5) allows hosts that
+ are within multiple zones to be managed under the rules of all of these
+ zones.
+
+
+
+ Example
+
+ /etc/shorewall/zones:
+
+ #ZONE TYPE OPTION
+ fw firewall
+ net ipv4
+ sam:net ipv4
+ loc ipv4
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+ - eth0 detect dhcp,norfc1918
+ loc eth1 detect
+
+ /etc/shorewall/hosts:
+
+ #ZONE HOST(S) OPTIONS
+ net eth0:0.0.0.0/0
+ sam eth0:206.191.149.197
+
+ /etc/shorewall/policy:
+
+ #SOURCE DEST POLICY LOG LEVEL
+ loc net ACCEPT
+ sam all CONTINUE
+ net all DROP info
+ all all REJECT info
+
+ The second entry above says that when Sam is the client, connection
+ requests should first be processed under rules where the source zone is
+ sam and if there is no match then the connection request should be treated
+ under rules where the source zone is net. It is important that this policy
+ be listed BEFORE the next policy (net to all). You can have this policy
+ generated for you automatically by using the IMPLICIT_CONTINUE option in
+ shorewall.conf(5).
+
+ Partial /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+ ...
+ DNAT sam loc:192.168.1.3 tcp ssh
+ DNAT net loc:192.168.1.5 tcp www
+ ...
+
+ Given these two rules, Sam can connect to the firewall's internet
+ interface with ssh and the connection request will be forwarded to
+ 192.168.1.3. Like all hosts in the net zone, Sam can connect to the
+ firewall's internet interface on TCP port 80 and the connection request
+ will be forwarded to 192.168.1.5. The order of the rules is not
+ significant. Sometimes it is necessary to suppress port forwarding for a
+ sub-zone. For example, suppose that all hosts can SSH to the firewall and
+ be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
+ firewall's external IP, he should be connected to the firewall itself.
+ Because of the way that Netfilter is constructed, this requires two rules
+ as follows:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+ ...
+ ACCEPT+ sam $FW tcp ssh
+ DNAT net loc:192.168.1.3 tcp ssh
+ ...
+
+ The first rule allows Sam SSH access to the firewall. The second
+ rule says that any clients from the net zone with the exception of those
+ in the “sam” zone should have their connection port forwarded to
+ 192.168.1.3. If you need to exclude more than one zone, simply use
+ multiple ACCEPT+ rules. This technique also may be used when the ACTION is
+ REDIRECT.
+
+ Care must be taken when nesting occurs as a result of the use of
+ wildcard interfaces (interface names ends in '+').
+
+ Here's an example. /etc/shorewall/zones:
+
+ /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS
+ net ppp0
+ loc eth1
+ loc ppp+
+ dmz eth2
+
+ Because the net zone is declared before the loc zone, net is an
+ implicit sub-zone of loc and in the absence of a net->... CONTINUE
+ policy, traffic from the net zone will not be passed through loc->...
+ rules. But DNAT and REDIRECT rules are an exception!
+
+
+
+ DNAT and REDIRECT rules generate two Netfilter rules: a 'nat'
+ table rule that rewrites the destination IP address and/or port
+ number, and a 'filter' table rule that ACCEPTs the rewritten
+ connection.
+
+
+
+ Policies only affect the 'filter' table.
+
+
+
+ As a consequence, the following rules will have unexpected
+ behavior: #ACTION SOURCE DEST PROTO DEST
+ # PORT(S)
+ ACCEPT net dmz tcp 80
+ REDIRECT loc 3128 tcp 80
+
+ The second rule is intended to redirect local web requests to a
+ proxy running on the firewall and listening on TCP port 3128. But the
+ 'nat' part of that rule will cause all connection requests for TCP port 80
+ arriving on interface ppp+ (including ppp0!) to have their destination
+ port rewritten to 3128. Hence, the web server running in the DMZ will be
+ inaccessible from the web.
+
+ The above problem can be corrected in several ways.
+
+ The preferred way is to use the pppd option
+ to change the 'net' interface to something other than ppp0. That way, it
+ won't match ppp+.
+
+ If you are running Shorewall version 4.1.4 or later, a second way is
+ to simply make the nested zones explicit: #ZONE TYPE OPTION
+ fw firewall
+ loc ipv4
+ net:loc ipv4
+ dmz ipv4
+
+ If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
+ shorewall.conf.
+
+ When using other Shorewall versions, another way is to rewrite the
+ DNAT rule (assume that the local zone is entirely within
+ 192.168.2.0/23): #ACTION SOURCE DEST PROTO DEST
+ # PORT(S)
+ ACCEPT net dmz tcp 80
+ REDIRECT loc:192.168.2.0/23 3128 tcp 80
+
+ Another way is to restrict the definition of the loc zone:
+
+ /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS
+ net ppp0
+ loc eth1
+ - ppp+
+ dmz eth2
+
+ /etc/shorewall/hosts: #ZONE HOST(S) OPTIONS
+ loc ppp+:192.168.2.0/23
+
+
+
+ FILES
+
+ /etc/shorewall/zones
+
+ /etc/shorewall/interfaces
+
+ /etc/shorewall/hosts
+
+ /etc/shorewall/policy
+
+ /etc/shorewall/rules
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-netmap.xml b/manpages6/shorewall-netmap.xml
new file mode 100644
index 000000000..a2955a13d
--- /dev/null
+++ b/manpages6/shorewall-netmap.xml
@@ -0,0 +1,114 @@
+
+
+
+ shorewall-netmap
+
+ 5
+
+
+
+ netmap
+
+ Shorewall NETMAP definition file
+
+
+
+
+ /etc/shorewall/netmap
+
+
+
+
+ Description
+
+ This file is used to map addresses in one network to corresponding
+ addresses in a second network.
+
+
+ To use this file, your kernel and iptables must have NETMAP
+ support included.
+
+
+ The columns in the file are as follows.
+
+
+
+ TYPE - DNAT|SNAT
+
+
+ Must be DNAT or SNAT.
+
+ If DNAT, traffic entering INTERFACE and addressed to NET1 has
+ it's destination address rewritten to the corresponding address in
+ NET2.
+
+ If SNAT, traffic leaving INTERFACE with a source address in
+ NET1 has it's source address rewritten to the corresponding address
+ in NET2.
+
+
+
+
+ NET1 -
+ network-address
+
+
+ Network in CIDR format (e.g., 192.168.1.0/24).
+
+
+
+
+ INTERFACE -
+ interface
+
+
+ The name of a network interface. The interface must be defined
+ in shorewall-interfaces(5)
+ Prior to Shorewall 4.1.4, this must be an exact match.
+ Shorewall-perl 4.1.4 and later allow loose matches to wildcard
+ entries in shorewall-interfaces(5). For
+ example, ppp0 in this file
+ will match a shorewall-interfaces(8)
+ entry that defines ppp+.
+
+
+
+
+ NET2 -
+ network-address
+
+
+ Network in CIDR format
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/netmap
+
+
+
+ See ALSO
+
+ http://shorewall.net/netmap.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-params.xml b/manpages6/shorewall-params.xml
new file mode 100644
index 000000000..6e0cd8798
--- /dev/null
+++ b/manpages6/shorewall-params.xml
@@ -0,0 +1,70 @@
+
+
+
+ shorewall-params
+
+ 5
+
+
+
+ params
+
+ Shorewall parameters file
+
+
+
+
+ /etc/shorewall/params
+
+
+
+
+ Description
+
+ Assign any shell variables that you need in this file.
+
+ It is suggested that variable names begin with an upper case letter
+ to distinguish them from variables used internally within the Shorewall
+ programs
+
+ Example params file:
+
+ NET_IF=eth0
+NET_BCAST=130.252.100.255
+NET_OPTIONS=routefilter,norfc1918
+
+ Example shorewall-interfaces(5)
+ file.
+
+ ZONE INTERFACE BROADCAST OPTIONS
+net $NET_IF $NET_BCAST $NET_OPTIONS
+
+ This is the same as if the interfaces file had contained:
+
+ ZONE INTERFACE BROADCAST OPTIONS
+net eth0 130.252.100.255 routefilter,norfc1918
+
+
+
+ FILES
+
+ /etc/shorewall/params
+
+
+
+ See ALSO
+
+ http://www.shorewall.net/configuration_file_basics.htm#Variables
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-policy.xml b/manpages6/shorewall-policy.xml
new file mode 100644
index 000000000..1f4539967
--- /dev/null
+++ b/manpages6/shorewall-policy.xml
@@ -0,0 +1,312 @@
+
+
+
+
+ shorewall-policy
+
+ 5
+
+
+
+ policy
+
+ Shorewall policy file
+
+
+
+
+ /etc/shorewall/policy
+
+
+
+
+ Description
+
+ This file defines the high-level policy for connections between
+ zones defined in shorewall-zones(5).
+
+
+ The order of entries in this file is important
+
+ This file determines what to do with a new connection request if
+ we don't get a match from the /etc/shorewall/rules file . For each
+ source/destination pair, the file is processed in order until a match is
+ found ("all" will match any client or server).
+
+
+
+ Intra-zone policies are pre-defined
+
+ For $FW and for all of the zones defined in /etc/shorewall/zones,
+ the POLICY for connections from the zone to itself is ACCEPT (with no
+ logging or TCP connection rate limiting but may be overridden by an
+ entry in this file. The overriding entry must be explicit (cannot use
+ "all" in the SOURCE or DEST).
+
+ Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
+ then the implicit policy to/from any sub-zone is CONTINUE. These
+ implicit CONTINUE policies may also be overridden by an explicit entry
+ in this file.
+
+
+ The columns in the file are as follows.
+
+
+
+ SOURCE -
+ zone|$FW|all
+
+
+ Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW or
+ "all".
+
+
+
+
+ DEST -
+ zone|$FW|all
+
+
+ Destination zone. Must be the name of a zone defined in shorewall-zones(5), $FW or "all".
+ If the DEST is a bport zone, then the SOURCE must be "all", another
+ bport zone associated with the same bridge, or it must be an ipv4
+ zone that is associated with only the same bridge.
+
+
+
+
+ POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber)]|NONE}[:{default-action-or-macro|None}]
+
+
+ Policy if no match from the rules file is found.
+
+ If the policy is other than CONTINUE or NONE then the policy
+ may be followed by ":" and one of the following:
+
+
+
+ The word "None" or "none". This causes any default action
+ defined in shorewall.conf(5) to be
+ omitted for this policy.
+
+
+
+ The name of an action (requires that USE_ACTIONS=Yes in
+ shorewall.conf(5)).
+ That action will be invoked before the policy is
+ enforced.
+
+
+
+ The name of a macro. The rules in that macro will be
+ applied before the policy is enforced. This does not require
+ USE_ACTIONS=Yes.
+
+
+
+
+
+
+ Possible policies are:
+
+
+
+
+ ACCEPT
+
+
+ Accept the connection.
+
+
+
+
+ DROP
+
+
+ Ignore the connection request.
+
+
+
+
+ REJECT
+
+
+ For TCP, send RST. For all other, send an "unreachable"
+ ICMP.
+
+
+
+
+ QUEUE
+
+
+ Queue the request for a user-space application such as
+ Snort-inline.
+
+
+
+
+ NFQUEUE
+
+
+ Added in Shorewall-perl 4.0.3. Queue the request for a
+ user-space application using the nfnetlink_queue mechanism. If
+ a queuenumber is not given, queue
+ zero (0) is assumed.
+
+
+
+
+ CONTINUE
+
+
+ Pass the connection request past any other rules that it
+ might also match (where the source or destination zone in
+ those rules is a superset of the SOURCE or DEST in this
+ policy). See shorewall-nesting(5) for
+ additional information.
+
+
+
+
+ NONE
+
+
+ Assume that there will never be any packets from this
+ SOURCE to this DEST. Shorewall will not create any
+ infrastructure to handle such packets and you may not have any
+ rules with this SOURCE and DEST in the /etc/shorewall/rules
+ file. If such a packet is
+ received, the result is undefined. NONE may not be used if the
+ SOURCE or DEST columns contain the firewall zone ($FW) or
+ "all".
+
+
+
+
+
+
+
+ LOG LEVEL (Optional) -
+ [log-level|ULOG]
+
+
+ If supplied, each connection handled under the default POLICY
+ is logged at that level. If not supplied, no log message is
+ generated. See syslog.conf(5) for a description of log
+ levels.
+
+ You may also specify ULOG (must be in upper case). This will
+ log to the ULOG target and will send to a separate log through use
+ of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
+
+ If you don't want to log but need to specify the following
+ column, place "-" here.
+
+
+
+
+ BURST:LIMIT -
+ rate/{second|minute}:burst
+
+
+ If passed, specifies the maximum TCP connection
+ rate and the size of an acceptable
+ burst. If not specified, TCP connections are
+ not limited.
+
+
+
+
+ CONNLIMIT -
+ limit[:mask]
+
+
+ Added in Shorewall-perl 4.2.1. May be used to limit the number
+ of simultaneous connections from each individual host to
+ limit connections. While the limit is
+ only checked on connections to which this policy could apply, the
+ number of current connections is calculated over all current
+ connections from the SOURCE host. By default, the limit is applied
+ to each host individually but can be made to apply to networks of
+ hosts by specifying a mask. The
+ mask specifies the width of a VLSM mask
+ to be applied to the source address; the number of current
+ connections is then taken over all hosts in the subnet
+ source-address/mask.
+
+
+
+
+
+
+ Example
+
+
+
+ All connections from the local network to the internet are
+ allowed
+
+
+
+ All connections from the internet are ignored but logged at
+ syslog level KERNEL.INFO.
+
+
+
+ All other connection requests are rejected and logged at level
+ KERNEL.INFO.
+
+
+
+ #SOURCE DEST POLICY LOG BURST:LIMIT
+ # LEVEL
+ loc net ACCEPT
+ net all DROP info
+ #
+ # THE FOLLOWING POLICY MUST BE LAST
+ #
+ all all REJECT info
+
+
+
+ FILES
+
+ /etc/shorewall/policy
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-providers.xml b/manpages6/shorewall-providers.xml
new file mode 100644
index 000000000..4c23394f1
--- /dev/null
+++ b/manpages6/shorewall-providers.xml
@@ -0,0 +1,304 @@
+
+
+
+ shorewall-providers
+
+ 5
+
+
+
+ providers
+
+ Shorewall Providers file
+
+
+
+
+ /etc/shorewall/providers
+
+
+
+
+ Description
+
+ This file is used to define additional routing tables. You will want
+ to define an additional table if:
+
+
+
+ You have connections to more than one ISP or multiple
+ connections to the same ISP
+
+
+
+ You run Squid as a transparent proxy on a host other than the
+ firewall.
+
+
+
+ You have other requirements for policy routing.
+
+
+
+ Each entry in the file defines a single routing table.
+
+ If you wish to omit a column entry but want to include an entry in
+ the next column, use "-" for the omitted entry.
+
+ The columns in the file are as follows.
+
+
+
+ NAME -
+ name
+
+
+ The provider name. Must be a valid shell
+ variable name. The names 'local', 'main', 'default' and 'unspec' are
+ reserved and may not be used as provider names.
+
+
+
+
+ NUMBER -
+ number
+
+
+ The provider number -- a number between 1 and 15. Each
+ provider must be assigned a unique value.
+
+
+
+
+ MARK -
+ value
+
+
+ A FWMARK value used in your shorewall-tcrules(5) file to
+ direct packets to this provider.
+
+ If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value
+ must be a multiple of 256 between 256 and 65280 or their hexadecimal
+ equivalents (0x0100 and 0xff00 with the low-order byte of the value
+ being zero). Otherwise, the value must be between 1 and 255. Each
+ provider must be assigned a unique mark value.
+
+
+
+
+ DUPLICATE -
+ routing-table-name
+
+
+ The name of an existing table to duplicate to create this
+ routing table. May be or the name of a
+ previously listed provider. You may select only certain entries from
+ the table to copy by using the COPY column below. This column should
+ contain a dash ("-') when USE_DEFAULT_RT=Yes in shorewall.conf(5).
+
+
+
+
+ INTERFACE -
+ interface[:address]
+
+
+ The name of the network interface to the provider. Must be
+ listed in shorewall-interfaces(5).
+
+ Where more than one provider is serviced through a single
+ interface, the interface must be followed by a
+ colon and the IP address of the interface that
+ is supplied by the associated provider.
+
+
+
+
+ GATEWAY - {-|address|detect}
+
+
+ The IP address of the provider's gateway router.
+
+ You can enter "detect" here and Shorewall will attempt to
+ detect the gateway automatically.
+
+ For PPP devices, you may omit this column.
+
+
+
+
+ OPTIONS (Optional) - [-|option[,option]...]
+
+
+ A comma-separated list selected from the following. The order
+ of the options is not significant but the list may contain no
+ embedded whitespace.
+
+
+
+ track
+
+
+ If specified, inbound connections on this interface are
+ to be tracked so that responses may be routed back out this
+ same interface.
+
+ You want to specify if internet
+ hosts will be connecting to local servers through this
+ provider.
+
+
+
+
+ balance[=weight]
+
+
+ The providers that have
+ specified will get outbound traffic load-balanced among them.
+ By default, all interfaces with
+ specified will have the same weight (1). You can change the
+ weight of an interface by specifiying
+ weight
+ where weight is the weight of the
+ route out of this interface.
+
+
+
+
+ loose
+
+
+ Shorewall normally adds a routing rule for each IP
+ address on an interface which forces traffic whose source is
+ that IP address to be sent using the routing table for that
+ interface. Setting prevents creation of
+ such rules on this interface.
+
+
+
+
+ optional
+
+
+ If the interface named in the INTERFACE column is not up
+ and configured with an IPv4 address then ignore this provider.
+ If not specified, the value of the
+ option for the INTERFACE in shorewall-interfaces(5)
+ is assumed.
+
+
+
+
+ src=source-address
+
+
+ Added in Shorewall-perl 4.1.5. Specifies the source
+ address to use when routing to this provider and none is known
+ (the local client has bound to the 0 address). May not be
+ specified when an address is given
+ in the INTERFACE column. If this option is not used, Shorewall
+ substitutes the primary IP address on the interface named in
+ the INTERFACE column.
+
+
+
+
+ mtu=number
+
+
+ Added in Shorewall-perl 4.1.5. Specifies the MTU when
+ forwarding through this provider. If not given, the MTU of the
+ interface named in the INTERFACE column is assumed.
+
+
+
+
+
+
+
+ COPY -
+ [{|interface[,interface]...}]
+
+
+ A comma-separated list of other interfaces on your firewall.
+ Wildcards specified using an asterisk ("*") are permitted (e.g.,
+ tun* ). Usually used only when DUPLICATE is .
+ Only copy routes through INTERFACE and through interfaces listed
+ here. If you only wish to copy routes through INTERFACE, enter
+ in this column.
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
+ interface is eth2
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+ Squid 1 1 - eth2 192.168.2.99 -
+
+
+
+
+ Example 2:
+
+
+ eth0 connects to ISP 1. The IP address of eth0 is
+ 206.124.146.176 and the ISP's gateway router has IP address
+ 206.124.146.254.
+
+ eth1 connects to ISP 2. The IP address of eth1 is
+ 130.252.99.27 and the ISP's gateway router has IP address
+ 130.252.99.254.
+
+ eth2 connects to a local network.
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+ ISP1 1 1 main eth0 206.124.146.254 track,balance eth2
+ ISP2 2 2 main eth1 130.252.99.254 track,balance eth2
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/providers
+
+
+
+ See ALSO
+
+ http://shorewall.net/MultiISP.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-proxyarp.xml b/manpages6/shorewall-proxyarp.xml
new file mode 100644
index 000000000..99f17e01c
--- /dev/null
+++ b/manpages6/shorewall-proxyarp.xml
@@ -0,0 +1,141 @@
+
+
+
+ shorewall-proxyarp
+
+ 5
+
+
+
+ proxyarp
+
+ Shorewall Proxy ARP file
+
+
+
+
+ /etc/shorewall/proxyarp
+
+
+
+
+ Description
+
+ This file is used to define Proxy ARP. There is one entry in this
+ file for each IP address to be proxied.
+
+ The columns in the file are as follows.
+
+
+
+ ADDRESS -
+ address
+
+
+ IP Address.
+
+
+
+
+ INTERFACE -
+ interface
+
+
+ Local interface where system with the ip address in ADDRESS is
+ connected.
+
+
+
+
+ EXTERNAL -
+ interface
+
+
+ External Interface to be used to access this system from the
+ Internet.
+
+
+
+
+ HAVEROUTE - [-|Yes|No]
+
+
+ If there is already a route from the firewall to the host
+ whose address is given, enter Yes
+ or yes in this column. Otherwise,
+ enter no or No or leave the column empty and Shorewall
+ will add the route for you. If Shorewall adds the route,the route
+ will be persistent if the PERSISTENT column contains Yes; otherwise, shorewall stop or shorewall clear will delete the route.
+
+
+
+
+ PERSISTENT - [-|Yes|No]
+
+
+ If HAVEROUTE is No or
+ no, then the value of this column
+ determines if the route added by Shorewall persists after a
+ shorewall stop or a shorewall clear. If this column contains
+ Yes or yes then the route persists; If the column is
+ empty or contains No or no then the route is deleted by
+ shorewall stop or shorewall
+ clear.
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Host with IP 155.186.235.6 is connected to interface eth1 and
+ we want hosts attached via eth0 to be able to access it using that
+ address.
+
+ #ADDRESS INTERFACE EXTERNAL
+ 155.186.235.6 eth1 eth0
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/proxyarp
+
+
+
+ See ALSO
+
+ http://shorewall.net/ProxyARP.htm
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-rfc1918.xml b/manpages6/shorewall-rfc1918.xml
new file mode 100644
index 000000000..a3bf4dcc8
--- /dev/null
+++ b/manpages6/shorewall-rfc1918.xml
@@ -0,0 +1,100 @@
+
+
+
+ shorewall-rfc1918
+
+ 5
+
+
+
+ rfc1918
+
+ Shorewall file
+
+
+
+
+ /usr/share/shorewall/rfc1918
+
+
+
+
+ Description
+
+ The rfc1918 file determines the handling of connections under the
+ norfc1918 option in shorewall-interfaces(5). Do not
+ modify /usr/share/shorewall/rfc1918; if you need to
+ change norfc1918 handling, then copy
+ /usr/share/shorewall/rfc1918 to
+ /etc/shorewall/rfc1918 and modify the copy.
+
+ The released version of this file logs and drops packets from the
+ three address ranges reserved by RFC 1918:
+
+
+ 10.0.0.0/8
+172.16.0.0/12
+192.168.0.0/16
+
+
+ The columns in the file are as follows.
+
+
+
+ SUBNET -
+ address
+
+
+ Subnet address in CIDR format.
+
+
+
+
+ TARGET - {RETURN|DROP|logdrop}
+
+
+ RETURN causes packets to/from
+ the specified subnet to be processed normally by the applicable
+ rules and policies.
+
+ DROP causes packets from the
+ specified subnet to be silently dropped.
+
+ logdrop causes packets from
+ the specified subnet to be logged at the level specified by the
+ RFC1918_LOG_LEVEL option in shorewall.conf(5).
+
+
+
+
+ Also, please see the RFC1918_STRICT option in shorewall.conf(5).
+
+
+
+ FILES
+
+ /usr/share/shorewall/rfc1918
+
+ /etc/shorewall/rfc1918
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-route_rules.xml b/manpages6/shorewall-route_rules.xml
new file mode 100644
index 000000000..97e7cf247
--- /dev/null
+++ b/manpages6/shorewall-route_rules.xml
@@ -0,0 +1,174 @@
+
+
+
+ shorewall-route_rules
+
+ 5
+
+
+
+ route_rules
+
+ Shorewall Routing Rules file
+
+
+
+
+ /etc/shorewall/route_rules
+
+
+
+
+ Description
+
+ Entries in this file cause traffic to be routed to one of the
+ providers listed in shorewall-providers(5).
+
+ The columns in the file are as follows.
+
+
+
+ SOURCE (Optional) - {-|interface|address|interface:address}
+
+
+ An ip address (network or host) that
+ matches the source IP address in a packet. May also be specified as
+ an interface name optionally followed by ":"
+ and an address. If the device lo is
+ specified, the packet must originate from the firewall
+ itself.
+
+
+
+
+ DEST (Optional) - {-|address}
+
+
+ An ip address (network or host) that matches the destination
+ IP address in a packet.
+
+ If you choose to omit either SOURCE or DEST, place "-" in that column. Note that you
+ may not omit both SOURCE and
+ DEST.
+
+
+
+
+ PROVIDER -
+ {provider-name|provider-number|main}
+
+
+ The provider to route the traffic through. May be expressed
+ either as the provider name or the provider number. May also be
+ main or 254 for the main routing
+ table. This can be used in combination with VPN tunnels, see example
+ 2 below.
+
+
+
+
+ PRIORITY -
+ priority
+
+
+ The rule's numeric priority which
+ determines the order in which the rules are processed. Rules with
+ equal priority are applied in the order in which they appear in the
+ file.
+
+
+
+ 1000-1999
+
+
+ Before Shorewall-generated 'MARK' rules
+
+
+
+
+ 11000-11999
+
+
+ After 'MARK' rules but before Shorewall-generated rules
+ for ISP interfaces.
+
+
+
+
+ 26000-26999
+
+
+ After ISP interface rules but before 'default'
+ rule.
+
+
+
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ You want all traffic coming in on eth1 to be routed to the
+ ISP1 provider.
+
+ #SOURCE DEST PROVIDER PRIORITY
+ eth1 - ISP1 1000
+
+
+
+
+
+ Example 2:
+
+
+ You use OpenVPN (routed setup /tunX) in combination with
+ multiple providers. In this case you have to set up a rule to ensure
+ that the OpenVPN traffic is routed back through the tunX
+ interface(s) rather than through any of the providers. 10.8.0.0/24
+ is the subnet chosen in your OpenVPN configuration (server 10.8.0.0
+ 255.255.255.0).
+
+ #SOURCE DEST PROVIDER PRIORITY
+ - 10.8.0.0/24 main 1000
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/route_rules
+
+
+
+ See ALSO
+
+ http://shorewall.net/MultiISP.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-routestopped.xml b/manpages6/shorewall-routestopped.xml
new file mode 100644
index 000000000..ea9366916
--- /dev/null
+++ b/manpages6/shorewall-routestopped.xml
@@ -0,0 +1,182 @@
+
+
+
+ shorewall-routestopped
+
+ 5
+
+
+
+ routestopped
+
+ The Shorewall file that governs what traffic flows through the
+ firewall while it is in 'stopped' state.
+
+
+
+
+ /etc/shorewall/routestopped
+
+
+
+
+ Description
+
+ This file is used to define the hosts that are accessible when the
+ firewall is stopped or is being stopped. When shorewall-shell is being
+ used, the file also determines those hosts that are accessible when the
+ firewall is in the process of being [re]started.
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACE -
+ interface
+
+
+ Interface through which host(s) communicate with the
+ firewall
+
+
+
+
+ HOST(S) (Optional) - [-|address[,address]...]
+
+
+ Comma-separated list of IP/subnet addresses. If your kernel
+ and iptables include iprange match support, IP address ranges are
+ also allowed.
+
+ If left empty or supplied as "-", 0.0.0.0/0 is assumed.
+
+
+
+
+ OPTIONS (Optional) - [-|option[,option]...]
+
+
+ A comma-separated list of options. The order of the options is
+ not important but the list can contain no embedded whitespace. The
+ currently-supported options are:
+
+
+
+ routeback
+
+
+ Set up a rule to ACCEPT traffic from these hosts back to
+ themselves.
+
+
+
+
+ source
+
+
+ Allow traffic from these hosts to ANY destination.
+ Without this option or the dest option, only traffic from this
+ host to other listed hosts (and the firewall) is allowed. If
+ source is specified then
+ routeback is
+ redundant.
+
+
+
+
+ dest
+
+
+ Allow traffic to these hosts from ANY source. Without
+ this option or the source
+ option, only traffic from this host to other listed hosts (and
+ the firewall) is allowed. If dest is specified then routeback is redundant.
+
+
+
+
+ critical
+
+
+ Allow traffic between the firewall and these hosts
+ throughout '[re]start', 'stop' and 'clear'. Specifying
+ critical on one or more
+ entries will cause your firewall to be "totally open" for a
+ brief window during each of those operations. Examples of
+ where you might want to use this are:
+
+
+
+ 'Ping' nodes with heartbeat.
+
+
+
+ LDAP server(s) if you use LDAP Authentication
+
+
+
+ NFS Server if you have an NFS-mounted root
+ filesystem.
+
+
+
+
+
+
+
+
+
+
+ The source and dest options work best when used in conjunction
+ with ADMINISABSENTMINDED=Yes in shorewall.conf(5).
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ #INTERFACE HOST(S) OPTIONS
+ eth2 192.168.1.0/24
+ eth0 192.0.2.44
+ br0 - routeback
+ eth3 - source
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/routestopped
+
+
+
+ See ALSO
+
+ http://shorewall.net/starting_and_stopping_shorewall.htm
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-rules.xml b/manpages6/shorewall-rules.xml
new file mode 100644
index 000000000..509c61175
--- /dev/null
+++ b/manpages6/shorewall-rules.xml
@@ -0,0 +1,1382 @@
+
+
+
+
+ shorewall-rules
+
+ 5
+
+
+
+ rules
+
+ Shorewall rules file
+
+
+
+
+ /etc/shorewall/rules
+
+
+
+
+ Description
+
+ Entries in this file govern connection establishment by defining
+ exceptions to the policies layed out in shorewall-policy(5). By default,
+ subsequent requests and responses are automatically allowed using
+ connection tracking. For any particular (source,dest) pair of zones, the
+ rules are evaluated in the order in which they appear in this file and the
+ first terminating match is the one that determines the disposition of the
+ request. All rules are terminating except LOG and QUEUE rules.
+
+
+ If you masquerade or use SNAT from a local system to the internet,
+ you cannot use an ACCEPT rule to allow traffic from the internet to that
+ system. You must use a DNAT rule
+ instead.
+
+
+ The rules file is divided into sections. Each section is introduced
+ by a "Section Header" which is a line beginning with SECTION and followed
+ by the section name.
+
+ Sections are as follows and must appear in the order listed:
+
+
+
+ ESTABLISHED
+
+
+ Packets in the ESTABLISHED state are processed by rules in
+ this section.
+
+ The only ACTIONs allowed in this section are ACCEPT, DROP,
+ REJECT, LOG and QUEUE
+
+ There is an implicit ACCEPT rule inserted at the end of this
+ section.
+
+
+
+
+ RELATED
+
+
+ Packets in the RELATED state are processed by rules in this
+ section.
+
+ The only ACTIONs allowed in this section are ACCEPT, DROP,
+ REJECT, LOG and QUEUE
+
+ There is an implicit ACCEPT rule inserted at the end of this
+ section.
+
+
+
+
+ NEW
+
+
+ Packets in the NEW and INVALID states are processed by rules
+ in this section.
+
+
+
+
+
+ If you are not familiar with Netfilter to the point where you are
+ comfortable with the differences between the various connection tracking
+ states, then it is suggested that you omit the ESTABLISHED and RELATED sections and place all of your rules in
+ the NEW section (That's after the line that reads SECTION NEW').
+
+
+
+ If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ESTABLISHED and RELATED sections must be empty.
+
+
+ You may omit any section that you don't need. If no Section Headers
+ appear in the file then all rules are assumed to be in the NEW
+ section.
+
+ When defining rules that rewrite the destination IP address and/or
+ port number (namely DNAT and REDIRECT rules), it is important to keep
+ straight which columns in the file specify the packet before rewriting and
+ which specify how the packet will look after rewriting.
+
+
+
+ The DEST column specifies the final destination for the packet
+ after rewriting and can include the final IP address and/or port
+ number.
+
+
+
+ The remaining columns specify characteristics of the packet
+ before rewriting. In particular, the ORIGINAL DEST column gives the
+ original destination IP address of the packet and the DEST PORT(S)
+ column give the original destination port(s).
+
+
+
+ The columns in the file are as follows.
+
+
+
+ ACTION - {ACCEPT[|]|NONAT|DROP[]|REJECT[]|DNAT[-]|SAME[-]|REDIRECT[-]|CONTINUE[]|LOG|QUEUE[]|NFQUEUE[(queuenumber)]|COMMENT|action|macro[(target)]}[:{log-level|none}[!][:tag]]
+
+
+ Specifies the action to be taken if the connection request
+ matches the rule. Must be one of the following.
+
+
+
+ ACCEPT
+
+
+ Allow the connection request.
+
+
+
+
+ ACCEPT+
+
+
+ like ACCEPT but also excludes the connection from any
+ subsequent matching DNAT[-] or REDIRECT[-] rules
+
+
+
+
+ ACCEPT!
+
+
+ like ACCEPT but exempts the rule from being suppressed
+ by OPTIMIZE=1 in shorewall.conf(5).
+
+
+
+
+ NONAT
+
+
+ Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate
+ a rule to accept the traffic.
+
+
+
+
+ DROP
+
+
+ Ignore the request.
+
+
+
+
+ DROP!
+
+
+ like DROP but exempts the rule from being suppressed by
+ OPTIMIZE=1 in shorewall.conf(5).
+
+
+
+
+ REJECT
+
+
+ disallow the request and return an icmp-unreachable or
+ an RST packet.
+
+
+
+
+ REJECT!
+
+
+ like REJECT but exempts the rule from being suppressed
+ by OPTIMIZE=1 in shorewall.conf(5).
+
+
+
+
+ DNAT
+
+
+ Forward the request to another system (and optionally
+ another port).
+
+
+
+
+ DNAT-
+
+
+ Advanced users only.
+
+ Like DNAT but only
+ generates the DNAT iptables
+ rule and not the companion ACCEPT rule.
+
+
+
+
+ SAME
+
+
+ Similar to DNAT except
+ that the port may not be remapped and when multiple server
+ addresses are listed, all requests from a given remote system
+ go to the same server.
+ Support for SAME is scheduled for removal from the
+ Linux kernel in 2008.
+
+
+
+
+
+ SAME-
+
+
+ Advanced users only.
+
+ Like SAME but only generates the nat iptables rule and
+ not the companion ACCEPT
+ rule.
+
+
+
+
+ REDIRECT
+
+
+ Redirect the request to a server running on the
+ firewall.
+
+
+
+
+ REDIRECT-
+
+
+ Advanced users only.
+
+ Like REDIRECT but only
+ generates the REDIRECT
+ iptables rule and not the companion ACCEPT rule.
+
+
+
+
+ CONTINUE
+
+
+ For experts only.
+
+ Do not process any of the following rules for this
+ (source zone,destination zone). If the source and/or
+ destination IP address falls into a zone defined later in
+ shorewall-zones(5)
+ or in a parent zone of the source or destination zones, then
+ this connection request will be passed to the rules defined
+ for that (those) zone(s). See shorewall-nesting(5) for
+ additional information.
+
+
+
+
+ CONTINUE!
+
+
+ like CONTINUE but exempts the rule from being suppressed
+ by OPTIMIZE=1 in shorewall.conf(5).
+
+
+
+
+ LOG
+
+
+ Simply log the packet and continue with the next
+ rule.
+
+
+
+
+ QUEUE
+
+
+ Queue the packet to a user-space application such as
+ ftwall (http://p2pwall.sf.net). The application may reinsert
+ the packet for further processing.
+
+
+
+
+ QUEUE!
+
+
+ like QUEUE but exempts the rule from being suppressed by
+ OPTIMIZE=1 in shorewall.conf(5).
+
+
+
+
+ NFQUEUE
+
+
+ Only supported by Shorewall-perl >= 4.0.3.
+
+ Queues the packet to a user-space application using the
+ nfnetlink_queue mechanism. If a
+ queuenumber is not specified, queue
+ zero (0) is assumed.
+
+
+
+
+ NFQUEUE!
+
+
+ like NFQUEUE but exempts the rule from being suppressed
+ by OPTIMIZE=1 in shorewall.conf(5).
+
+
+
+
+ COMMENT
+
+
+ the rest of the line will be attached as a comment to
+ the Netfilter rule(s) generated by the following entries. The
+ comment will appear delimited by "/* ... */" in the output of
+ "shorewall show <chain>". To stop the comment from being
+ attached to further rules, simply include COMMENT on a line by
+ itself.
+
+
+
+
+ action
+
+
+ The name of an action declared in
+ shorewall-actions(5) or
+ in /usr/share/shorewall/actions.std.
+
+
+
+
+ macro
+
+
+ The name of a macro defined in a file named
+ macro.macro. If the macro accepts an
+ action parameter (Look at the macro source to see if it has
+ PARAM in the TARGET column) then the
+ macro name is followed by the
+ parenthesized target (ACCEPT, DROP, REJECT, ...) to be substituted for the
+ parameter.
+
+ Example: FTP(ACCEPT).
+
+ The older syntax where the macro name and the target are
+ separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
+ deprecated.
+
+
+
+
+
+
+
+ The ACTION may optionally
+ be followed by ":" and a syslog log level (e.g, REJECT:info or
+ DNAT:debug). This causes the packet to be logged at the specified
+ level. Note that if the ACTION
+ involves destination network address translation (DNAT, REDIRECT,
+ SAME, etc.) then the packet is logged before the destination address is
+ rewritten.
+
+ If the ACTION names an
+ action declared in shorewall-actions(5) or in
+ /usr/share/shorewall/actions.std then:
+
+
+
+ If the log level is followed by "!' then all rules in
+ the action are logged at the log level.
+
+
+
+ If the log level is not followed by "!" then only those
+ rules in the action that do not specify logging are logged at
+ the specified level.
+
+
+
+ The special log level none! suppresses logging by the
+ action.
+
+
+
+ You may also specify ULOG
+ (must be in upper case) as a log level.This will log to the ULOG
+ target for routing to a separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
+
+ Actions specifying logging may be followed by a log tag (a
+ string of alphanumeric characters) which is appended to the string
+ generated by the LOGPREFIX (in shorewall.conf(5)).
+
+ Example: ACCEPT:info:ftp would include 'ftp ' at the end of
+ the log prefix generated by the LOGPREFIX setting.
+
+
+
+
+
+ SOURCE -
+ {zone|all[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}
+
+
+ Source hosts to which the rule applies. May be a zone declared
+ in /etc/shorewall/zones, $FW to
+ indicate the firewall itself, all,
+ all+, all-, all+-
+ or none.
+
+ When none is used either in
+ the SOURCE or DEST column, the rule is ignored.
+
+ all means "All Zones",
+ including the firewall itself. all-
+ means "All Zones, except the firewall itself". When all[-] is
+ used either in the SOURCE or
+ DEST column intra-zone traffic is
+ not affected. When all+[-] is "used, intra-zone traffic is
+ affected.
+
+ Except when all[+][-] is
+ specified, clients may be further restricted to a list of networks
+ and/or hosts by appending ":" and a comma-separated list of network
+ and/or host addresses. Hosts may be specified by IP or MAC address;
+ mac addresses must begin with "~" and must use "-" as a
+ separator.
+
+ Hosts may also be specified as an IP address range using the
+ syntax
+ lowaddress-highaddress.
+ This requires that your kernel and iptables contain iprange match
+ support. If your kernel and iptables have ipset match support then
+ you may give the name of an ipset prefaced by "+". The ipset name
+ may be optionally followed by a number from 1 to 6 enclosed in
+ square brackets ([]) to indicate the number of levels of source
+ bindings to be matched.
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+ Examples:
+
+
+
+ dmz:192.168.2.2
+
+
+ Host 192.168.2.2 in the DMZ
+
+
+
+
+ net:155.186.235.0/24
+
+
+ Subnet 155.186.235.0/24 on the Internet
+
+
+
+
+ loc:192.168.1.1,192.168.1.2
+
+
+ Hosts 192.168.1.1 and 192.168.1.2 in the local
+ zone.
+
+
+
+
+ loc:~00-A0-C9-15-39-78
+
+
+ Host in the local zone with MAC address
+ 00:A0:C9:15:39:78.
+
+
+
+
+ net:192.0.2.11-192.0.2.17
+
+
+ Hosts 192.0.2.11-192.0.2.17 in the net zone.
+
+
+
+
+ net:!192.0.2.11-192.0.2.17
+
+
+ All hosts in the net zone except for
+ 192.0.2.11-192.0.2.17.
+
+
+
+
+ net:155.186.235.0/24!155.186.235.16/28
+
+
+ Subnet 155.186.235.0/24 on the Internet except for
+ 155.186.235.16/28
+
+
+
+
+
+ Alternatively, clients may be specified by interface by
+ appending ":" to the zone name followed by the interface name. For
+ example, loc:eth1 specifies a
+ client that communicates with the firewall system through eth1.
+ This may be optionally followed by another colon (":") and an
+ IP/MAC/subnet address as described above (e.g., loc:eth1:192.168.1.5).
+
+ It is important to note that when using Shorewall-shell and specifying an
+ address list that will be split (i.e., a comma separated list),
+ there is a subtle behavior which has the potential to cause
+ confusion. Consider the two examples below:
+
+
+ Examples:
+
+
+
+ loc:eth1:192.168.1.3,192.168.1.5
+
+
+ Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
+ with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
+ from any interface in the zone.
+
+
+
+
+ loc:eth1:192.168.1.3,eth1:192.168.1.5
+
+
+ Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
+ with both originating from
+ eth1.
+
+
+
+
+
+ That is, the interface name must be explicitly stated for
+ each member of the comma separated list. Again, this distinction
+ in behavior only occurs when using
+ Shorewall-shell.
+
+
+
+
+
+ DEST -
+ {zone|all[+][-]}[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}][port[:random]]
+
+
+ Location of Server. May be a zone declared in shorewall-zones(5), $FW to indicate the firewall itself, all. all+ or
+ none.
+
+ When none is used either in
+ the SOURCE or DEST column, the rule is ignored.
+
+ When all is used either in
+ the SOURCE or DEST column intra-zone traffic is not
+ affected. When all+ is used,
+ intra-zone traffic is affected.
+
+ Beginning with Shorewall 4.1.4, the
+ zone should be omitted in DNAT-,
+ REDIRECT- and NONAT rules.
+
+ If the DEST zone is a bport zone,
+ then either:
+
+ the SOURCE must be , or
+
+
+
+ the SOURCE zone must be
+ another bport zone associated with the same bridge, or
+
+
+
+ the SOURCE zone must be an
+ ipv4 zone that is associated with only the same bridge.
+
+
+
+
+
+
+ Except when all[+]|[-] is specified, the server may be
+ further restricted to a particular network, host or interface by
+ appending ":" and the network, host or interface. See SOURCE above.
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+ Restrictions:
+
+ 1. MAC addresses are not allowed (this is a Netfilter
+ restriction).
+
+ 2.Prior to Shorewall 4.1.4, only IP addresses are allowed in
+ DNAT rules; no DNS names are
+ permitted. In no case may a network be specified as the
+ server.
+
+ 3. You may not specify both an interface and an
+ address.
+
+ Like in the SOURCE column,
+ you may specify a range of IP addresses using the syntax
+ lowaddress-highaddress.
+ When the ACTION is DNAT or DNAT-, the connections will be assigned to
+ addresses in the range in a round-robin fashion.
+
+ If you kernel and iptables have ipset match support then you
+ may give the name of an ipset prefaced by "+". The ipset name may
+ be optionally followed by a number from 1 to 6 enclosed in square
+ brackets ([]) to indicate the number of levels of destination
+ bindings to be matched. Only one of the SOURCE and DEST columns may specify an ipset
+ name.
+
+ The port that the server is
+ listening on may be included and separated from the server's IP
+ address by ":". If omitted, the firewall will not modifiy the
+ destination port. A destination port may only be included if the
+ ACTION is DNAT or REDIRECT.
+
+
+
+ Example:
+
+
+ loc:192.168.1.3:3128
+ specifies a local server at IP address 192.168.1.3 and
+ listening on port 3128.
+
+
+
+
+ If you are using Shorewall-shell or Shorewall-perl before
+ version 4.0.5, then the port number MUST be specified as an
+ integer and not as a name from services(5). Shorewall-perl 4.0.5
+ and later permit the port to be specified as
+ a service name. Additionally, Shorewall-perl 4.0.5 and later
+ permit specifying a port range in the form
+ lowport-highport to cause connections to be
+ assigned to ports in the range in round-robin fashion. When a port
+ range is specified, lowport and
+ highport must be given as integers; service
+ names are not permitted. Beginning with Shorewall 4.0.6, the port
+ range may be optionally followed by :random which causes assignment to ports in
+ the list to be random.
+
+ If the ACTION is REDIRECT or REDIRECT-, this column needs only to
+ contain the port number on the firewall that the request should be
+ redirected to. That is equivalent to specifying
+ ::port.
+
+
+
+
+
+ PROTO (Optional) - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
+
+
+ Protocol - ipp2p* requires
+ ipp2p match support in your kernel and iptables. tcp:syn implies tcp plus the SYN flag must be set and the
+ RST,ACK and FIN flags must be reset.
+
+
+
+
+ DEST PORT(S) (Optional) -
+ {-|port-name-number-or-range[,port-name-number-or-range]...}
+
+
+ Destination Ports. A comma-separated list of Port names (from
+ services(5)), port numbers or port ranges; if the protocol is
+ icmp, this column is interpreted as
+ the destination icmp-type(s).
+
+ If the protocol is ipp2p,
+ this column is interpreted as an ipp2p option without the leading
+ "--" (example bit for bit-torrent).
+ If no port is given, ipp2p is
+ assumed.
+
+ A port range is expressed as
+ lowport:highport.
+
+ This column is ignored if PROTO = all
+ but must be entered if any of the following columns are supplied. In
+ that case, it is suggested that this field contain a dash (-).
+
+ If your kernel contains multi-port match support, then only a
+ single Netfilter rule will be generated if in this list and the
+ CLIENT PORT(S) list below:
+
+ 1. There are 15 or less ports listed.
+
+ 2. No port ranges are included or your kernel and iptables
+ contain extended multiport match support.
+
+ Otherwise, unless you are using Shorewall-perl, a separate rule
+ will be generated for each port. Shorewall-perl does not
+ automatically break up lists into individual rules.
+
+
+
+
+ SOURCE PORT(S) (Optional) -
+ {-|port-name-number-or-range[,port-name-number-or-range]...}
+
+
+ Port(s) used by the client. If omitted, any source port is
+ acceptable. Specified as a comma- separated list of port names, port
+ numbers or port ranges.
+
+
+ Unless you really understand IP, you should leave this
+ column empty or place a dash (-)
+ in the column. Most people who try to use this column get it
+ wrong.
+
+
+
+ If you don't want to restrict client ports but need to
+ specify an ORIGINAL DEST in the
+ next column, then place "-" in this column.
+
+ If your kernel contains multi-port match support, then only
+ a single Netfilter rule will be generated if in this list and the
+ DEST PORT(S) list above:
+
+ 1. There are 15 or less ports listed.
+
+ 2. No port ranges are included or your kernel and iptables
+ contain extended multiport match support.
+
+ Otherwise, unless you are using Shorewall-perl, a separate
+ rule will be generated for each port. Shorewall-perl does not
+ automatically break up lists into individual rules.
+
+
+
+
+
+ ORIGINAL DEST (Optional) -
+ [-|address[,address]...[exclusion]|exclusion]
+
+
+ If ACTION is DNAT[-] or REDIRECT[-]
+ then if this column is included and is different from the IP address
+ given in the SERVER column, then
+ connections destined for that address will be forwarded to the IP
+ and port specified in the DEST
+ column.
+
+ A comma-separated list of addresses may also be used. This is
+ most useful with the REDIRECT
+ target where you want to redirect traffic destined for particular
+ set of hosts. Finally, if the list of addresses begins with "!"
+ (exclusion) then the rule will be followed only
+ if the original destination address in the connection request does
+ not match any of the addresses listed.
+
+ For other actions, this column may be included and may contain
+ one or more addresses (host or network) separated by commas. Address
+ ranges are not allowed. When this column is supplied, rules are
+ generated that require that the original destination address matches
+ one of the listed addresses. This feature is most useful when you
+ want to generate a filter rule that corresponds to a DNAT- or REDIRECT- rule. In this usage, the list of
+ addresses should not begin with "!".
+
+ It is also possible to specify a set of addresses then exclude
+ part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 specifies the
+ addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
+ See shorewall-exclusion(5).
+
+ See http://shorewall.net/PortKnocking.html
+ for an example of using an entry in this column with a user-defined
+ action rule.
+
+
+
+
+ RATE LIMIT (Optional) -
+ [-|rate/{sec|min}[:burst]
+
+
+ You may rate-limit the rule by placing a value in this
+ column:
+
+ rate is the number of connections per
+ interval (sec or min) and burst is the
+ largest burst permitted. If no burst is given,
+ a value of 5 is assumed. There may be no no whitespace embedded in
+ the specification.
+
+ Example: 10/sec:20
+
+
+
+
+ USER/GROUP (Optional) -
+ [!][user-name-or-number][:group-name-or-number][+program-name]
+
+
+ This column may only be non-empty if the SOURCE is the
+ firewall itself.
+
+ When this column is non-empty, the rule applies only if the
+ program generating the output is running under the effective
+ user and/or group
+ specified (or is NOT running under that id if "!" is given).
+
+ Examples:
+
+
+
+ joe
+
+
+ program must be run by joe
+
+
+
+
+ :kids
+
+
+ program must be run by a member of the 'kids'
+ group
+
+
+
+
+ !:kids
+
+
+ program must not be run by a member of the 'kids'
+ group
+
+
+
+
+ +upnpd
+
+
+ #program named upnpd
+
+
+ The ability to specify a program name was removed from
+ Netfilter in kernel version 2.6.14.
+
+
+
+
+
+
+
+
+ MARK - [!]value[/mask][:C]
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested. This option is only supported by
+ Shorewall-perl.
+
+
+
+
+
+
+
+ CONNLIMIT - [!]limit[:mask]
+
+
+ Added in Shorewall-perl 4.2.1. May be used to limit the number
+ of simultaneous connections from each individual host to
+ limit connections. Requires connlimit
+ match in your kernel and iptables. While the limit is only checked
+ on rules specifying CONNLIMIT, the number of current connections is
+ calculated over all current connections from the SOURCE host. By
+ default, the limit is applied to each host but can be made to apply
+ to networks of hosts by specifying a
+ mask. The mask
+ specifies the width of a VLSM mask to be applied to the source
+ address; the number of current connections is then taken over all
+ hosts in the subnet
+ source-address/mask.
+ When is specified, the rule matches when the
+ number of connection exceeds the
+ limit.
+
+
+
+
+ TIME -
+ timeelement[,timelement...]
+
+
+ Added in Shorewall-perl 4.2.1. May be used to limit the rule
+ to a particular time period each day, to particular days of the week
+ or month, or to a range defined by dates and times. Requires time
+ match support in your kernel and iptables.
+
+ timeelement may be:
+
+
+
+ timestart=hh:mm[:ss]
+
+
+ Defines the starting time of day.
+
+
+
+
+ timestop=hh:mm[:ss]
+
+
+ Defines the ending time of day.
+
+
+
+
+ utc
+
+
+ Times are expressed in Greenwich Mean Time.
+
+
+
+
+ localtz
+
+
+ Times are expressed in Local Civil Time
+ (default).
+
+
+
+
+ weekdays=ddd[,ddd]...
+
+
+ where ddd is one of
+ , ,
+ , ,
+ , or
+
+
+
+
+
+ monthdays=dd[,dd],...
+
+
+ where dd is an ordinal day of
+ the month
+
+
+
+
+ datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
+
+
+ Defines the starting date and time.
+
+
+
+
+ datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
+
+
+ Defines the ending date and time.
+
+
+
+
+
+
+
+
+
+ Restrictions
+
+ Unless you are using Shorewall-perl and your
+ iptables/kernel have Repeat Match support (see the
+ output of shorewall show capabilities), if you specify
+ a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice
+ versa.
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Accept SMTP requests from the DMZ to the internet
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+ # PORT PORT(S) DEST
+ ACCEPT dmz net tcp smtp
+
+
+
+
+ Example 2:
+
+
+ Forward all ssh and http connection requests from the internet
+ to local system 192.168.1.3
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+ # PORT PORT(S) DEST
+ DNAT net loc:192.168.1.3 tcp ssh,http
+
+
+
+
+ Example 3:
+
+
+ Forward all http connection requests from the internet to
+ local system 192.168.1.3 with a limit of 3 per second and a maximum
+ burst of 10 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+ # PORT PORT(S) DEST LIMIT
+ DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
+
+
+
+
+ Example 4:
+
+
+ Redirect all locally-originating www connection requests to
+ port 3128 on the firewall (Squid running on the firewall system)
+ except when the destination address is 192.168.2.2
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+ # PORT PORT(S) DEST
+ REDIRECT loc 3128 tcp www - !192.168.2.2
+
+
+
+
+ Example 5:
+
+
+ All http requests from the internet to address 130.252.100.69
+ are to be forwarded to 192.168.1.3
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+ # PORT PORT(S) DEST
+ DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
+
+
+
+
+ Example 6:
+
+
+ You want to accept SSH connections to your firewall only from
+ internet IP addresses 130.252.100.69 and 130.252.100.70
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+ # PORT PORT(S) DEST
+ ACCEPT net:130.252.100.69,130.252.100.70 $FW \
+ tcp 22
+
+
+
+
+ Example 7:
+
+
+ You wish to accept connections from the internet to your
+ firewall on port 2222 and you want to forward them to local system
+ 192.168.1.3, port 22
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+ # PORT PORT(S) DEST
+ DNAT net loc:192.168.1.3:22 tcp 2222
+
+
+
+
+ Example 8:
+
+
+ You want to redirect connection requests to port 80 randomly
+ to the port range 81-90.
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+ # PORT PORT(S) DEST
+ REDIRECT net $FW::81-90:random tcp www
+
+
+
+
+ Example 9:
+
+
+ Shorewall does not impose as much structure on the Netfilter
+ rules in the 'nat' table as it does on those in the filter table. As
+ a consequence, when using Shorewall versions before 4.1.4, care must
+ be exercised when using DNAT and REDIRECT rules with zones defined
+ with wildcard interfaces (those ending with '+'. Here is an
+ example:
+
+ shorewall-zones(8): #ZONE TYPE OPTIONS
+ fw firewall
+ net ipv4
+ dmz ipv4
+ loc ipv4
+
+ shorewall-interfaces(8): #ZONE INTERFACE BROADCAST OPTIONS
+ net ppp0
+ loc eth1 detect
+ dmz eth2 detect
+ - ppp+ # Addresses are assigned from 192.168.3.0/24
+
+ shorewall-host(8): #ZONE HOST(S) OPTIONS
+ loc ppp+:192.168.3.0/24
+
+ rules:
+
+ #ACTION SOURCE DEST PROTO DEST
+ # PORT(S)
+ REDIRECT loc 3128 tcp 80
+
+ Note that it would have been tempting to simply define the
+ loc zone entirely in shorewall-interfaces(8):
+
+ #******************* INCORRECT *****************
+ #ZONE INTERFACE BROADCAST OPTIONS
+ net ppp0
+ loc eth1 detect
+ loc ppp+
+ dmz eth2
+
+ This would have made it impossible to run a
+ internet-accessible web server in the DMZ because all traffic
+ entering ppp+ interfaces would have been redirected to port 3128 on
+ the firewall and there would have been no net->fw ACCEPT rule for
+ that traffic.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/rules
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-tcclasses.xml b/manpages6/shorewall-tcclasses.xml
new file mode 100644
index 000000000..771eeb9fb
--- /dev/null
+++ b/manpages6/shorewall-tcclasses.xml
@@ -0,0 +1,368 @@
+
+
+
+ shorewall-tcclasses
+
+ 5
+
+
+
+ tcclasses
+
+ Shorewall file to define HTB classes
+
+
+
+
+ /etc/shorewall/tcclasses
+
+
+
+
+ Description
+
+ A note on the rate/bandwidth definitions used
+ in this file:
+
+
+
+ don't use a space between the integer value and the unit: 30kbit
+ is valid while 30 kbit is NOT.
+
+
+
+ you can use one of the following units:
+
+
+
+ kpbs
+
+
+ Kilobytes per second.
+
+
+
+
+ mbps
+
+
+ Megabytes per second.
+
+
+
+
+ kbit
+
+
+ Kilobits per second.
+
+
+
+
+ mbit
+
+
+ Megabits per second.
+
+
+
+
+ bps or number
+
+
+ Bytes per second.
+
+
+
+
+
+
+ if you want the values to be calculated for you depending on the
+ output bandwidth setting defined for an interface in tcdevices, you
+ can use expressions like the following:
+
+
+
+ full/3
+
+
+ causes the bandwidth to be calculated as 1/3 of the full
+ outgoing speed that is defined.
+
+
+
+
+ full*9/10
+
+
+ will set this bandwidth to 9/10 of the full
+ bandwidth
+
+
+
+
+ DO NOT add a unit to the rate if it is calculated !
+
+
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACE -
+ interface[:class]
+
+
+ Name of interface. Each interface may be
+ listed only once in this file. You may NOT specify the name of an
+ alias (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18
+
+ If you are running Shorewall-perl 4.1.6 or later, you may
+ specify the interface number rather than the interface name. If the
+ classify option is given for the
+ interface in shorewall-tcdevices(5), then
+ you must also specify an interface class (an integer that must be
+ unique within classes associated with this interface).
+
+ You may NOT specify wildcards here, e.g. if you have multiple
+ ppp interfaces, you need to put them all in here!
+
+ Please note that you can only use interface names in here that
+ have a bandwidth defined in the shorewall-tcdevices(5)
+ file
+
+
+
+
+ MARK -
+ {-|value}
+
+
+ The mark value which is an integer in the
+ range 1-255. You set mark values in the shorewall-tcrules(5) file,
+ marking the traffic you want to fit in the classes defined in here.
+ Must be specified as '-' if the classify option is given for the interface in
+ shorewall-tcdevices(5)
+
+ You can use the same marks for different interfaces.
+
+
+
+
+ RATE -
+ rate
+
+
+ The minimum bandwidth this class should get, when the traffic
+ load rises. If the sum of the rates in this column exceeds the
+ INTERFACE's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be
+ honored.
+
+
+
+
+ CEIL -
+ rate
+
+
+ The maximum bandwidth this class is allowed to use when the
+ link is idle. Useful if you have traffic which can get full speed
+ when more needed services (e.g. ssh) are not used.
+
+ You can use the value full in
+ here for setting the maximum bandwidth to the defined output
+ bandwidth of that interface.
+
+
+
+
+ PRIORITY -
+ priority
+
+
+ The priority in which classes will be
+ serviced by the packet shaping scheduler and also the priority in
+ which bandwidth in excess of the rate will be given to each
+ class.
+
+ Higher priority classes will experience less delay since they
+ are serviced first. Priority values are serviced in ascending order
+ (e.g. 0 is higher priority than 1).
+
+ Classes may be set to the same priority, in which case they
+ will be serviced as equals.
+
+
+
+
+ OPTIONS (Optional) -
+ [option[,option]...]
+
+
+ Added in Shorewall-perl 4.1. A comma-separated list of options
+ including the following:
+
+
+
+ default
+
+
+ This is the default class for that interface where all
+ traffic should go, that is not classified otherwise.
+
+
+
+
+ You must define default for exactly one class per
+ interface.
+
+
+
+
+
+ tos=0xvalue[/0xmask]
+ (mask defaults to 0xff)
+
+
+ This lets you define a classifier for the given
+ value/mask
+ combination of the IP packet's TOS/Precedence/DiffSrv octet
+ (aka the TOS byte). Please note that classifiers override all
+ mark settings, so if you define a classifer for a class, all
+ traffic having that mark will go in it regardless of any mark
+ set on the packet by a firewall/mangle filter.
+
+
+
+
+ tos-tosname
+
+
+ Aliases for the following TOS octet value and mask
+ encodings. TOS encodings of the "TOS byte" have been
+ deprecated in favor of diffserve classes, but programs like
+ ssh, rlogin, and ftp still use them.
+
+ tos-minimize-delay 0x10/0x10
+ tos-maximize-throughput 0x08/0x08
+ tos-maximize-reliability 0x04/0x04
+ tos-minimize-cost 0x02/0x02
+ tos-normal-service 0x00/0x1e
+
+
+ Each of these options is only valid for ONE class per
+ interface.
+
+
+
+
+
+ tcp-ack
+
+
+ If defined, causes a tc filter to be created that puts
+ all tcp ack packets on that interface that have a size of
+ <=64 Bytes to go in this class. This is useful for speeding
+ up downloads. Please note that the size of the ack packets is
+ limited to 64 bytes because we want only packets WITHOUT
+ payload to match.
+
+
+
+
+ This option is only valid for ONE class per
+ interface.
+
+
+
+
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
+ interface for this. You have 4 classes here, the first you can use
+ for voice over IP traffic, the second interactive traffic (e.g.
+ ssh/telnet but not scp), the third will be for all unclassified
+ traffic, and the forth is for low priority traffic (e.g.
+ peer-to-peer).
+
+ The voice traffic in the first class will be guaranteed a
+ minimum of 100kbps and always be serviced first (because of the low
+ priority number, giving less delay) and will be granted excess
+ bandwidth (up to 180kbps, the class ceiling) first, before any other
+ traffic. A single VOIP stream, depending upon codecs, after
+ encapsulation, can take up to 80kbps on a PPOE/DSL link, so we pad a
+ little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
+ classes EF and AFF3-1 respectively and are often used by VOIP
+ devices).
+
+ Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
+ echo traffic if you use the example in tcrules) and any packet with
+ a mark of 2 will be guaranteed 1/4 of the link bandwidth, and may
+ extend up to full speed of the link.
+
+ Unclassified traffic and packets marked as 3 will be
+ guaranteed 1/4th of the link bandwidth, and may extend to the full
+ speed of the link.
+
+ Packets marked with 4 will be treated as low priority packets.
+ (The tcrules example marks p2p traffic as such.) If the link is
+ congested, they're only guaranteed 1/8th of the speed, and even if
+ the link is empty, can only expand to 80% of link bandwidth just as
+ a precaution in case there are upstream queues we didn't account
+ for. This is the last class to get additional bandwidth and the last
+ to get serviced by the scheduler because of the low priority.
+
+ #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
+ ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
+ ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay
+ ppp0 3 full/4 full 3 default
+ ppp0 4 full/8 full*8/10 4
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcclasses
+
+
+
+ See ALSO
+
+ http://shorewall.net/traffic_shaping.htm
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-tcdevices.xml b/manpages6/shorewall-tcdevices.xml
new file mode 100644
index 000000000..01593620b
--- /dev/null
+++ b/manpages6/shorewall-tcdevices.xml
@@ -0,0 +1,225 @@
+
+
+
+ shorewall-tcdevices
+
+ 5
+
+
+
+ tcdevices
+
+ Shorewall Traffic Shaping Devices file
+
+
+
+
+ /etc/shorewall/tcdevices
+
+
+
+
+ Description
+
+ Entries in this file define the bandwidth for interfaces on which
+ you want traffic shaping to be enabled.
+
+ If you do not plan to use traffic shaping for a device, don't put it
+ in here as it limits the troughput of that device to the limits you set
+ here.
+
+ A note on the bandwidth definitions used in
+ this file:
+
+
+
+ don't use a space between the integer value and the unit: 30kbit
+ is valid while 30 kbit is not.
+
+
+
+ you can use one of the following units:
+
+
+
+ kpbs
+
+
+ Kilobytes per second.
+
+
+
+
+ mbps
+
+
+ Megabytes per second.
+
+
+
+
+ kbit
+
+
+ Kilobits per second.
+
+
+
+
+ mbit
+
+
+ Megabits per second.
+
+
+
+
+ bps or number
+
+
+ Bytes per second.
+
+
+
+
+
+
+ Only whole integers are allowed.
+
+
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACE -
+ [number:]interface
+
+
+ Name of interface. Each interface may be
+ listed only once in this file. You may NOT specify the name of an
+ alias (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18
+
+ You may NOT specify wildcards here, e.g. if you have multiple
+ ppp interfaces, you need to put them all in here!
+
+ If the device doesn't exist, a warning message will be issued
+ during "shorewall [re]start" and "shorewall refresh" and traffic
+ shaping configuration will be skipped for that device.
+
+ Shorewall assigns a sequential interface
+ number to each interface (the first entry in the file is
+ interface 1, the second is interface 2 and so on) Beginning with
+ Shorewall-perl 4.1.6, you can explicitly specify the interface
+ number by prefixing the interface name with the number and a colon
+ (":"). Example: 1:eth0.
+
+
+
+
+ IN-BANDWIDTH -
+ bandwidth
+
+
+ The incoming bandwidth of that interface.
+ Please note that you are not able to do traffic shaping on incoming
+ traffic, as the traffic is already received before you could do so.
+ But this allows you to define the maximum traffic allowed for this
+ interface in total, if the rate is exceeded, the packets are
+ dropped. You want this mainly if you have a DSL or Cable connection
+ to avoid queuing at your providers side.
+
+ If you don't want any traffic to be dropped, set this to a
+ value to zero in which case Shorewall will not create an ingress
+ qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
+ non-empty.
+
+
+
+
+ OUT-BANDWIDTH -
+ bandwidth
+
+
+ The outgoing bandwidth of that interface.
+ This is the maximum speed your connection can handle. It is also the
+ speed you can refer as "full" if you define the tc classes in shorewall-tcclasses(5).
+ Outgoing traffic above this rate will be dropped.
+
+
+
+
+ OPTIONS - {-|classify}
+
+
+ classify ― When specified, Shorewall will not generate tc or
+ Netfilter rules to classify traffic based on packet marks. You must
+ do all classification using CLASSIFY rules in shorewall-tcrules(5).
+
+
+
+
+ REDIRECTED INTERFACES -
+ [interface[,interface]...]
+
+
+ Added in Shorewall-perl 4.1.6. May only be specified if the
+ interface in the INTERFACE column is an Intermediate Frame Block
+ (IFB) device. Causes packets that enter each listed interface to be
+ passed through the egress filters defined for this device, thus
+ providing a form of incoming traffic shaping. When this column is
+ non-empty, the classify option is
+ assumed.
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
+ interface for this. The device has an outgoing bandwidth of 500kbit
+ and an incoming bandwidth of 6000kbit
+
+ #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
+ # INTERFACES
+ 1:ppp0 6000kbit 500kbit
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcdevices
+
+
+
+ See ALSO
+
+ http://shorewall.net/traffic_shaping.htm
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-tcfilters.xml b/manpages6/shorewall-tcfilters.xml
new file mode 100644
index 000000000..461e8f0c4
--- /dev/null
+++ b/manpages6/shorewall-tcfilters.xml
@@ -0,0 +1,158 @@
+
+
+
+ shorewall-tcfilters
+
+ 5
+
+
+
+ tcfilters
+
+ Shorewall u32 classifier rules file
+
+
+
+
+ /etc/shorewall/tcfilters
+
+
+
+
+ Description
+
+ Entries in this file cause packets to be classified for traffic
+ shaping.
+
+ The columns in the file are as follows.
+
+
+
+ CLASS -
+ interface:class
+
+
+ The name or number of an interface
+ defined in shorewall-tcdevices(5)
+ followed by a class number defined for
+ that interface in shorewall-tcclasses(5).
+
+
+
+
+ SOURCE - {-|address}
+
+
+ Source of the packet. May be a host or network
+ address. DNS names are not
+ allowed.
+
+
+
+
+ DEST - {-|address}}
+
+
+ Destination of the packet. Comma separated list of IP
+ addresses and/or subnets. If your kernel and iptables include
+ iprange match support, IP address ranges are also allowed. List
+ elements may also consist of an interface name followed by ":" and
+ an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of
+ the form major:minor then
+ this column may also contain an interface name.
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+
+
+
+ PROTO - {-|protocol-number|protocol-name|all}
+
+
+ Protocol.
+
+
+
+
+ DEST PORT (Optional) -
+ [-|port-name-or-number]
+
+
+ Destination Ports. A Port name (from services(5)) or a
+ port number; if the protocol is icmp, this column is interpreted as the
+ destination icmp-type(s).
+
+
+
+
+ SOURCE PORT (Optional) -
+ [-|port-name-or-number]
+
+
+ Source port.
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Place all ICMP echo traffic on interface 1 in class 10.
+
+ #CLASS SOURCE DEST PROTO DEST
+ # PORT
+ 1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
+ 1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcfilters
+
+
+
+ See ALSO
+
+ http://shorewall.net/traffic_shaping.htm
+
+ http://shorewall.net/MultiISP.html
+
+ http://shorewall.net/PacketMarking.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
+ shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-tcrules.xml b/manpages6/shorewall-tcrules.xml
new file mode 100644
index 000000000..66704a09d
--- /dev/null
+++ b/manpages6/shorewall-tcrules.xml
@@ -0,0 +1,637 @@
+
+
+
+
+ shorewall-tcrules
+
+ 5
+
+
+
+ tcrules
+
+ Shorewall Packet Marking rules file
+
+
+
+
+ /etc/shorewall/rules
+
+
+
+
+ Description
+
+ Entries in this file cause packets to be marked as a means of
+ classifying them for traffic control or policy routing.
+
+
+ Unlike rules in the shorewall-rules(5) file, evaluation
+ of rules in this file will continue after a match. So the final mark for
+ each packet will be the one assigned by the LAST tcrule that
+ matches.
+
+ If you use multiple internet providers with the 'track' option, in
+ /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html.
+
+
+ The columns in the file are as follows.
+
+
+
+ MARK/CLASSIFY -
+ {value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|COMMENT}[:{C|F|P|T|CF|CP|CT}]
+
+
+ May assume one of the following values.
+
+
+
+ A mark value which is an integer in
+ the range 1-255.
+
+ Normally will set the mark value. If preceded by a
+ vertical bar ("|"), the mark value will be logically ORed with
+ the current mark value to produce a new mark value. If preceded
+ by an ampersand ("&"), will be logically ANDed with the
+ current mark value to produce a new mark value.
+
+ Both "|" and "&" require Extended MARK Target support
+ in your kernel and iptables; neither may be used with connection
+ marks (see below).
+
+ May optionally be followed by :P, :F
+ or :T where :P indicates that marking should occur
+ in the PREROUTING chain, :F
+ indicates that marking should occur in the FORWARD chain and
+ :T indicates that marking
+ should occur in the POSTROUTING chain. If neither :P, :F
+ nor :T follow the mark value
+ then the chain is determined as follows:
+
+ - If the SOURCE is $FW[:address-or-range[,address-or-range]...],
+ then the rule is inserted into the OUTPUT chain. The behavior
+ changed in Shorewall-perl 4.1. Previously, when
+ HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values
+ < 256 to be assigned in the OUTPUT chain. This has been
+ changed so that only high mark values may be assigned there.
+ Packet marking rules for traffic shaping of packets originating
+ on the firewall must be coded in the POSTROUTING chain (see
+ below).
+
+ - Otherwise, the chain is determined by the setting of
+ MARK_IN_FORWARD_CHAIN in shorewall.conf(5).
+
+ If your kernel and iptables include CONNMARK support then
+ you can also mark the connection rather than the packet.
+
+ The mark value may be optionally followed by "/" and a
+ mask value (used to determine those bits of the connection mark
+ to actually be set). The mark and optional mask are then
+ followed by one of:+
+
+
+
+ C
+
+
+ Mark the connection in the chain determined by the
+ setting of MARK_IN_FORWARD_CHAIN
+
+
+
+
+ CF
+
+
+ Mark the connection in the FORWARD chain
+
+
+
+
+ CP
+
+
+ Mark the connection in the PREROUTING chain.
+
+
+
+
+ CT
+
+
+ Mark the connecdtion in the POSTROUTING chain
+
+
+
+
+ Special considerations for If
+ HIGH_ROUTE_MARKS=Yes in shorewall.conf(5).
+
+ If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
+ in the range 0x0100-0xFF00 with the low-order byte being zero.
+ Such values may only be used in the PREROUTING chain (value
+ followed by :P or you have set
+ MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5) and have not
+ followed the value with ) or the OUTPUT chain
+ (SOURCE is $FW). With
+ HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
+ permitted. Shorewall 4.1 and later versions prohibit non-zero
+ mark values less that 256 in the OUTPUT chain when
+ HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
+ in the OUTPUT chain, it is strongly recommended that with
+ HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
+ traffic shaping marks/classification.
+
+
+
+ A classification Id (classid) of the form
+ major:minor where
+ major and minor are
+ integers. Corresponds to the 'class' specification in these
+ traffic shaping modules:
+
+ atm
+ cbq
+ dsmark
+ pfifo_fast
+ htb
+ prio
+
+ Classification occurs in the POSTROUTING chain except when
+ the SOURCE is $FW[:address] in
+ which case classification occurs in the OUTPUT chain.
+
+ When using Shorewall's built-in traffic shaping tool, the
+ major class is the device number (the first
+ device in shorewall-tcdevices(5) is
+ major class 1, the second device is major class 2, and so on)
+ and the minor class is the class's MARK
+ value in shorewall-tcclasses(5)
+ preceded by the number 1 (MARK 1 corresponds to minor class 11,
+ MARK 5 corresponds to minor class 15, MARK 22 corresponds to
+ minor class 122, etc.).
+
+
+
+ RESTORE[/mask] --
+ restore the packet's mark from the connection's mark using the
+ supplied mask if any. Your kernel and iptables must include
+ CONNMARK support.
+
+ As in 1) above, may be followed by :P or :F
+
+
+
+ SAVE[/mask] -- save
+ the packet's mark to the connection's mark using the supplied
+ mask if any. Your kernel and iptables must include CONNMARK
+ support.
+
+ As in 1) above, may be followed by :P or :F
+
+
+
+ CONTINUE Don't process
+ any more marking rules in the table.
+
+ As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used
+ with exclusion (see the SOURCE and DEST
+ columns below); that restriction will be removed when
+ iptables/Netfilter provides the necessary support.
+
+
+
+ COMMENT -- the rest of
+ the line will be attached as a comment to the Netfilter rule(s)
+ generated by the following entries. The comment will appear
+ delimited by "/* ... */" in the output of shorewall
+ show mangle
+
+ To stop the comment from being attached to further rules,
+ simply include COMMENT on a line by itself.
+
+
+
+
+
+
+ SOURCE - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
+
+
+ Source of the packet. A comma-separated list of interface
+ names, IP addresses, MAC addresses and/or subnets for packets being
+ routed through a common path. List elements may also consist of an
+ interface name followed by ":" and an address (e.g.,
+ eth1:192.168.1.0/24). For example, all packets for connections
+ masqueraded to eth0 from other interfaces can be matched in a single
+ rule with several alternative SOURCE criteria. However, a connection
+ whose packets gets to eth0 in a different way, e.g., direct from the
+ firewall itself, needs a different rule.
+
+ Accordingly, use $FW in its
+ own separate rule for packets originating on the firewall. In such a
+ rule, the MARK column may NOT specify either :P or :F
+ because marking for firewall-originated packets always occurs in the
+ OUTPUT chain.
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+
+
+
+ DEST - {-|{interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
+
+
+ Destination of the packet. Comma separated list of IP
+ addresses and/or subnets. If your kernel and iptables include
+ iprange match support, IP address ranges are also allowed. List
+ elements may also consist of an interface name followed by ":" and
+ an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of
+ the form major:minor then
+ this column may also contain an interface name.
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+
+
+
+ PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
+
+
+ Protocol - ipp2p requires
+ ipp2p match support in your kernel and iptables.
+
+
+
+
+ PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]
+
+
+ Destination Ports. A comma-separated list of Port names (from
+ services(5)), port numbers or port
+ ranges; if the protocol is icmp, this column is interpreted as the
+ destination icmp-type(s).
+
+ If the protocol is ipp2p,
+ this column is interpreted as an ipp2p option without the leading
+ "--" (example bit for bit-torrent).
+ If no PORT is given, ipp2p is
+ assumed.
+
+ This column is ignored if PROTOCOL = all but must be entered
+ if any of the following field is supplied. In that case, it is
+ suggested that this field contain "-"
+
+
+
+
+ SOURCE PORT(S) (Optional) -
+ [-|port-name-number-or-range[,port-name-number-or-range]...]
+
+
+ Source port(s). If omitted, any source port is acceptable.
+ Specified as a comma-separated list of port names, port numbers or
+ port ranges.
+
+
+
+
+ USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name]
+
+
+ This column may only be non-empty if the SOURCE is the
+ firewall itself.
+
+ When this column is non-empty, the rule applies only if the
+ program generating the output is running under the effective
+ user and/or group
+ specified (or is NOT running under that id if "!" is given).
+
+ Examples:
+
+
+
+ joe
+
+
+ program must be run by joe
+
+
+
+
+ :kids
+
+
+ program must be run by a member of the 'kids'
+ group
+
+
+
+
+ !:kids
+
+
+ program must not be run by a member of the 'kids'
+ group
+
+
+
+
+ +upnpd
+
+
+ #program named upnpd
+
+
+ The ability to specify a program name was removed from
+ Netfilter in kernel version 2.6.14.
+
+
+
+
+
+
+
+
+ TEST - [!]value[/mask][:C]
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested.
+
+
+
+
+
+
+
+ LENGTH (Optional) -
+ [length|[min]:[max]]
+
+
+ Packet Length. This field, if present allow you to match the
+ length of a packet against a specific value or range of values. You
+ must have iptables length support for this to work. A range is
+ specified in the form
+ min:max where either
+ min or max (but not both)
+ may be omitted. If min is omitted, then 0 is
+ assumed; if max is omitted, than any packet
+ that is min or longer will match.
+
+
+
+
+ TOS -
+ tos
+
+
+ Type of service. Either a standard name, or a numeric value to
+ match.
+
+ Minimize-Delay (16)
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)
+
+
+
+
+ CONNBYTES -
+ [!]min:[max[:{O|R|B}[:{B|P|A}]]]
+
+
+ Connection Bytes; defines a byte or packet range that the
+ connection must fall within in order for the rule to match. Added in
+ Shorewall-perl 4.2.0.
+
+ A packet matches if the the packet/byte count is within the
+ range defined by min and
+ max (unless ! is given in which case, a packet
+ matches if the packet/byte count is not within the range).
+ min is an integer which defines the beginning
+ of the byte/packet range. max is an integer
+ which defines the end of the byte/packet range; if omitted, only the
+ beginning of the range is checked. The first letter gives the
+ direction which the range refers to:
+ O - The original
+ direction of the connection.
+
+ R - The opposite
+ direction from the original connection.
+
+ B - The total of both
+ directions.
+
+
+ If omitted, B is assumed.
+
+
+ The second letter determines what the range refers
+ to.
+ B - Bytes
+
+ P - Packets
+
+ A - Average packet
+ size.
+
If omitted, B is
+ assumed.
+
+
+
+
+ HELPER -
+ helper
+
+
+ Added in Shorewall-perl 4.2.0. Names a Netfiler protocol
+ helper module such as ,
+ , , etc. A packet will
+ match if it was accepted by the named helper module. You can also
+ append "-" and a port number to the helper module name (e.g.,
+ ftp-21) to specify the port number
+ that the original connection was made on.
+
+ Example: Mark all FTP data connections with mark
+ 4:#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
+#CLASSIFY PORT(S)
+4 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Mark all ICMP echo traffic with packet mark 1. Mark all peer
+ to peer traffic with packet mark 4.
+
+ This is a little more complex than otherwise expected. Since
+ the ipp2p module is unable to determine all packets in a connection
+ are P2P packets, we mark the entire connection as P2P if any of the
+ packets are determined to match.
+
+ We assume packet/connection mark 0 means unclassified.
+
+ #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
+ #CLASSIFY PORT(S)
+ 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
+ 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
+ RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
+ CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
+ 4 0.0.0.0/0 0.0.0.0/0 ipp2p:all
+ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0
+
+ If a packet hasn't been classifed (packet mark is 0), copy the
+ connection mark to the packet mark. If the packet mark is set, we're
+ done. If the packet is P2P, set the packet mark to 4. If the packet
+ mark has been set, save it to the connection mark.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcrules
+
+
+
+ See ALSO
+
+ http://shorewall.net/traffic_shaping.htm
+
+ http://shorewall.net/MultiISP.html
+
+ http://shorewall.net/PacketMarking.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
+ shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall-template.xml b/manpages6/shorewall-template.xml
new file mode 100644
index 000000000..3970dc423
--- /dev/null
+++ b/manpages6/shorewall-template.xml
@@ -0,0 +1,62 @@
+
+
+
+ shorewall-
+
+ 5
+
+
+
+ file
+
+ Shorewall file
+
+
+
+
+ /etc/shorewall/
+
+
+
+
+ Description
+
+ The columns in the file are as follows.
+
+
+
+ COLUMN 1
+
+
+
+
+
+
+
+
+
+ Example
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-tos.xml b/manpages6/shorewall-tos.xml
new file mode 100644
index 000000000..cdab1e293
--- /dev/null
+++ b/manpages6/shorewall-tos.xml
@@ -0,0 +1,216 @@
+
+
+
+ shorewall-tos
+
+ 5
+
+
+
+ tos
+
+ Shorewall Type of Service rules file
+
+
+
+
+ /etc/shorewall/tos
+
+
+
+
+ Description
+
+ This file defines rules for setting Type Of Service (TOS)
+
+ The columns in the file are as follows.
+
+
+
+ SOURCE -
+ {zone[:address]|all|$FW}
+ (Shorewall-shell)
+
+
+ Name of a zone declared in shorewall-zones(5), all or $FW.
+
+ If not all or $FW, may optionally be followed by ":" and an
+ IP address, a MAC address, a subnet specification or the name of an
+ interface.
+
+ Example: loc:192.168.2.3
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+
+
+
+ SOURCE - {all|address]|all:address|$FW} (Shorewall-perl)
+
+
+ If all, may optionally be
+ followed by ":" and an IP address, a MAC address, a subnet
+ specification or the name of an interface.
+
+ Example: all:192.168.2.3
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+
+
+
+ DEST -
+ {zone[:address]|all} (Shorewall-shell)
+
+
+ Name of a zone declared in shorewall-zones(5) or all.
+
+ If not all, may optionally be
+ followed by ":" and an IP address or a subnet specification
+
+ Example: loc:192.168.2.3
+
+
+
+
+ DEST - {all|address]|all:address}
+ (Shorewall-perl)
+
+
+ Example: 192.168.2.3
+
+
+
+
+ PROTOCOL -
+ proto-name-or-number
+
+
+ Protocol name or number.
+
+
+
+
+ SOURCE PORT(S) -
+ {-|port|lowport:highport}
+
+
+ Source port or port range. If all ports, use "-".
+
+
+
+
+ DEST PORT(S) -
+ {-|port|lowport:highport}
+
+
+ Destination port or port range. If all ports, use "-"
+
+
+
+
+ TOS -
+ tos
+
+
+ Must be one of the following;
+
+ tos-minimize-delay (16)
+ tos-maximize-throughput (8)
+ tos-maximize-reliability (4)
+ tos-minimize-cost (2)
+ tos-normal-service (0)
+
+
+
+
+ MARK - [!]value[/mask][:C]
+
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested. This option is only supported by
+ Shorewall-perl.
+
+
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tos
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-tunnels.xml b/manpages6/shorewall-tunnels.xml
new file mode 100644
index 000000000..20c96a841
--- /dev/null
+++ b/manpages6/shorewall-tunnels.xml
@@ -0,0 +1,275 @@
+
+
+
+ shorewall-tunnels
+
+ 5
+
+
+
+ tunnels
+
+ Shorewall VPN definition file
+
+
+
+
+ /etc/shorewall/tunnels
+
+
+
+
+ Description
+
+ The tunnels file is used to define rules for encapsulated (usually
+ encrypted) traffic to pass between the Shorewall system and a remote
+ gateway. Traffic flowing through the tunnel is handled using the normal
+ zone/policy/rule mechanism. See http://www.shorewall.net/VPNBasics.html
+ for details.
+
+ The columns in the file are as follows.
+
+
+
+ TYPE - {ipsec[:{noah|ah}]|ipsecnat|ipip|gre|l2tp|pptpclient|pptpserver|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}
+
+
+ Types are as follows:
+
+ ipsec - IPv4 IPSEC
+ ipsecnat - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
+ ipip - IPv4 encapsulated in IPv4 (Protocol 4)
+ gre - Generalized Routing Encapsulation (Protocol 47)
+ l2tp - Layer 2 Tunneling Protocol (UDP port 1701)
+ pptpclient - PPTP Client runs on the firewall
+ pptpserver - PPTP Server runs on the firewall
+ openvpn - OpenVPN in point-to-point mode
+ openvpnclient - OpenVPN client runs on the firewall
+ openvpnserver - OpenVPN server runs on the firewall
+ generic - Other tunnel type
+
+ If the type is ipsec, it may
+ be followed by :ah to indicate that
+ the Authentication Headers protocol (51) is used by the tunnel (the
+ default is which means that protocol 51 is
+ not used). NAT traversal is only supported with ESP (protocol 50) so
+ ipsecnat tunnels don't allow the
+ ah option (ipsecnat:noah may be specified but is
+ redundant).
+
+ If type is openvpn, openvpnclient or openvpnserver it may optionally be followed
+ by ":" and tcp or udp to specify the protocol to be used. If
+ not specified, udp is
+ assumed.
+
+ If type is openvpn, openvpnclient or openvpnserver it may optionally be followed
+ by ":" and the port number used by the tunnel. if no ":" and port
+ number are included, then the default port of 1194 will be used. .
+ Where both the protocol and port are specified, the protocol must be
+ given first (e.g., openvpn:tcp:4444).
+
+ If type is generic, it must
+ be followed by ":" and a protocol name (from /etc/protocols) or a
+ protocol number. If the protocol is tcp or udp
+ (6 or 17), then it may optionally be followed by ":" and a port
+ number.
+
+
+
+
+
+
+
+
+
+
+
+
+ ZONE -
+ zone
+
+
+ The zone of the physical interface
+ through which tunnel traffic passes. This is normally your internet
+ zone.
+
+
+
+
+ GATEWAY -
+ address-or-range
+
+
+ The IP address of the remote tunnel gateway. If the remote
+ gateway has no fixed address (Road Warrior) then specify the gateway
+ as 0.0.0.0/0. May be specified as a
+ network address and if your kernel and iptables include iprange
+ match support then IP address ranges are also allowed.
+
+
+
+
+ GATEWAY ZONES (Optional) -
+ [zone[,zone]...]
+
+
+ If the gateway system specified in the third column is a
+ standalone host then this column should contain a comma-separated
+ list of the names of the zones that the host might be in. This
+ column only applies to IPSEC tunnels where it enables ISAKMP traffic
+ to flow through the tunnel to the remote gateway.
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ IPSec tunnel.
+
+ The remote gateway is 4.33.99.124 and the remote subnet is
+ 192.168.9.0/24. The tunnel does not use the AH protocol
+
+ #TYPE ZONE GATEWAY
+ ipsec:noah net 4.33.99.124
+
+
+
+
+ Example 2:
+
+
+ Road Warrior (LapTop that may connect from anywhere) where the
+ "gw" zone is used to represent the remote LapTop
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ ipsec net 0.0.0.0/0 gw
+
+
+
+
+ Example 3:
+
+
+ Host 4.33.99.124 is a standalone system connected via an ipsec
+ tunnel to the firewall system. The host is in zone gw.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ ipsec net 4.33.99.124 gw
+
+
+
+
+ Example 4:
+
+
+ Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
+ FreeS/Wan _updown script will add the host to the appropriate zone
+ using the shorewall add command on connect and
+ will remove the host from the zone at disconnect time.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
+
+
+
+
+ Example 5:
+
+
+ You run the Linux PPTP client on your firewall and connect to
+ server 192.0.2.221.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ pptpclient net 192.0.2.221
+
+
+
+
+ Example 6:
+
+
+ You run a PPTP server on your firewall.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ pptpserver net 0.0.0.0/0
+
+
+
+
+ Example 7:
+
+
+ OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn
+ uses port 7777.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ openvpn:7777 net 4.33.99.124
+
+
+
+
+ Example 8:
+
+
+ You have a tunnel that is not one of the supported types. Your
+ tunnel uses UDP port 4444. The other end of the tunnel is
+ 4.3.99.124.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ generic:udp:4444 net 4.3.99.124
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tunnels
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-vardir.xml b/manpages6/shorewall-vardir.xml
new file mode 100644
index 000000000..bbc83d215
--- /dev/null
+++ b/manpages6/shorewall-vardir.xml
@@ -0,0 +1,64 @@
+
+
+
+ shorewall-vardir
+
+ 5
+
+
+
+ vardir
+
+ Shorewall file
+
+
+
+
+ /etc/shorewall/vardir
+
+
+
+
+ Description
+
+ This file does not exist by default. You may create the file if you
+ want to change the directory used by Shorewall to store state information,
+ including compiled firewall scripts. By default, the directory used is
+ /var/lib/shorewall/.
+
+ The file contains a single variable assignment:
+
+ directory
+
+ where directory is the name of a
+ directory. If you add this file, you should copy the files from
+ /var/lib/shorewall to the new directory before
+ performing a shorewall restart.
+
+
+
+ Example
+
+ VARDIR=/root/shorewall
+
+
+
+ FILES
+
+ /etc/shorewall/vardir
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall-zones.xml b/manpages6/shorewall-zones.xml
new file mode 100644
index 000000000..e505d08a4
--- /dev/null
+++ b/manpages6/shorewall-zones.xml
@@ -0,0 +1,261 @@
+
+
+
+ shorewall-zones
+
+ 5
+
+
+
+ zones
+
+ Shorewall zone declaration file
+
+
+
+
+ /etc/shorewall/zones
+
+
+
+
+ Description
+
+ The /etc/shorewall/zones file declares your network zones. You
+ specify the hosts in each zone through entries in
+ /etc/shorewall/interfaces or
+ /etc/shorewall/hosts.
+
+ The columns in the file are as follows.
+
+
+
+ ZONE -
+ zone[:parent-zone[,parent-zone]...]
+
+
+ Name of the zone. The names "all",
+ "none", "SOURCE" and "DEST" are reserved and may not be used as zone
+ names. The maximum length of a zone name is determined by the
+ setting of the LOGFORMAT option in shorewall.conf(5). With the
+ default LOGFORMAT, zone names can be at most 5 characters
+ long.
+
+ The order in which Shorewall matches addresses from packets to
+ zones is determined by the order of zone declarations. Where a zone
+ is nested in one or more other zones, you may either ensure that the
+ nested zone precedes its parents in this file, or you may follow the
+ (sub)zone name by ":" and a comma-separated list of the parent
+ zones. The parent zones must have been declared in earlier records
+ in this file. See shorewall-nesting(5) for
+ additional information.
+
+ Example:
+
+ #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
+a ipv4
+b ipv4
+c:a,b ipv4
+
+ Currently, Shorewall uses this information to reorder the zone
+ list so that parent zones appear after their subzones in the list.
+ The IMPLICIT_CONTINUE option in shorewall.conf(5) can also create
+ implicit CONTINUE policies to/from the subzone.
+
+ In the future, Shorewall may make additional use of nesting
+ information.
+
+
+
+
+ TYPE
+
+
+
+
+ ipv4
+
+
+ This is the standard Shorewall zone type and is the
+ default if you leave this column empty or if you enter "-" in
+ the column. Communication with some zone hosts may be
+ encrypted. Encrypted hosts are designated using the
+ 'ipsec'option in shorewall-hosts(5).
+
+
+
+
+ ipsec
+
+
+ Communication with all zone hosts is encrypted. Your
+ kernel and iptables must include policy match support.
+
+
+
+
+ firewall
+
+
+ Designates the firewall itself. You must have exactly
+ one 'firewall' zone. No options are permitted with a
+ 'firewall' zone. The name that you enter in the ZONE column
+ will be stored in the shell variable $FW which you may use in
+ other configuration files to designate the firewall
+ zone.
+
+
+
+
+ bport (or bport4)
+
+
+ (Shorewall-perl only) The zone is associated with one or
+ more ports on a single bridge.
+
+
+
+
+
+
+
+ OPTIONS, IN OPTIONS and OUT
+ OPTIONS - [option[,option]...]
+
+
+ A comma-separated list of options. With the exception of the
+ option, these only apply to TYPE
+ zones.
+
+
+
+ reqid=number
+
+
+ where number is specified using
+ setkey(8) using the 'unique:number option
+ for the SPD level.
+
+
+
+
+ spi=<number>
+
+
+ where number is the SPI of the SA
+ used to encrypt/decrypt packets.
+
+
+
+
+ proto=ah|esp|ipcomp
+
+
+ IPSEC Encapsulation Protocol
+
+
+
+
+ mss=number
+
+
+ sets the MSS field in TCP packets. If you supply this
+ option, you should also set FASTACCEPT=No in shorewall.conf(5) to insure
+ that both the SYN and SYN,ACK packets have their MSS field
+ adjusted.
+
+
+
+
+ mode=transport|tunnel
+
+
+ IPSEC mode
+
+
+
+
+ tunnel-src=address[/mask]
+
+
+ only available with mode=tunnel
+
+
+
+
+ tunnel-dst=address[/mask]
+
+
+ only available with mode=tunnel
+
+
+
+
+ strict
+
+
+ Means that packets must match all rules.
+
+
+
+
+ next
+
+
+ Separates rules; can only be used with strict
+
+
+
+
+ The options in the OPTIONS column are applied to both incoming
+ and outgoing traffic. The IN OPTIONS are applied to incoming traffic
+ (in addition to OPTIONS) and the OUT OPTIONS are applied to outgoing
+ traffic.
+
+ If you wish to leave a column empty but need to make an entry
+ in a following column, use "-".
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/zones
+
+
+
+ See ALSO
+
+ http://www.shorewall.net/Multiple_Zones.html.
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5),
+ shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+ shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5)
+
+
\ No newline at end of file
diff --git a/manpages6/shorewall.conf.xml b/manpages6/shorewall.conf.xml
new file mode 100644
index 000000000..9e1709543
--- /dev/null
+++ b/manpages6/shorewall.conf.xml
@@ -0,0 +1,1657 @@
+
+
+
+
+ shorewall.conf
+
+ 5
+
+
+
+ shorewall.conf
+
+ Shorewall global configuration file
+
+
+
+
+ /etc/shorewall/shorewall.conf
+
+
+
+
+ Description
+
+ This file sets options that apply to Shorewall as a whole.
+
+ The file consists of Shell comments (lines beginning with '#'),
+ blank lines and assignment statements
+ (variable=value).
+
+
+
+ OPTIONS
+
+ Many options have as their value a log-level.
+ Log levels are a method of describing to syslog (8) the importance of a
+ message and a number of parameters in this file have log levels as their
+ value.
+
+ These levels are defined by syslog and are used to determine the
+ destination of the messages through entries in /etc/syslog.conf (5). The
+ syslog documentation refers to these as "priorities"; Netfilter calls them
+ "levels" and Shorewall also uses that term.
+
+ Valid levels are:
+
+ 7 debug
+ 6 info
+ 5 notice
+ 4 warning
+ 3 err
+ 2 crit
+ 1 alert
+ 0 emerg
+
+ For most Shorewall logging, a level of 6 (info) is appropriate.
+ Shorewall log messages are generated by NetFilter and are logged using
+ facility 'kern' and the level that you specifify. If you are unsure of the
+ level to choose, 6 (info) is a safe bet. You may specify levels by name or
+ by number.
+
+ If you have built your kernel with ULOG target support, you may also
+ specify a log level of ULOG (must be all caps). Rather than log its
+ messages to syslogd, Shorewall will direct netfilter to log the messages
+ via the ULOG target which will send them to a process called 'ulogd'.
+ ulogd is available with most Linux distributions (although it probably
+ isn't installed by default). Ulogd is also available from http://www.netfilter.org/projects/ulogd/index.html
+ and can be configured to log all Shorewall message to their own log
+ file
+
+ The following options may be set in shorewall.conf.
+
+
+
+ ACCEPT_DEFAULT={action|macro|none}
+
+
+
+
+
+
+
+ DROP_DEFAULT={action|macro|none}
+
+
+
+
+
+
+
+ REJECT_DEFAULT={action|macro|none}
+
+
+
+
+
+
+
+ QUEUE_DEFAULT={action|macro|none}
+
+
+
+
+
+
+
+ NFQUEUE_DEFAULT={action|macro|none} (Shorewall-perl 4.0.3 and later)
+
+
+ In earlier Shorewall versions, a "default action" for DROP and
+ REJECT policies was specified in the file
+ /usr/share/shorewall/actions.std.
+
+ To allow for default rules to be applied when USE_ACTIONS=No,
+ the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and
+ NFQUEUE_DEFAULT options have been added.
+
+ DROP_DEFAULT describes the rules to be applied before a
+ connection request is dropped by a DROP policy; REJECT_DEFAULT
+ describes the rules to be applied if a connection request is
+ rejected by a REJECT policy. The other three are similar for ACCEPT,
+ QUEUE and NFQUEUE policies.
+
+ The value applied to these may be:
+
+
+ a) The name of an
+ action.
+
+ b) The name of a macro
+ (Shorewall-shell only)
+
+ c) None or none
+
+
+ The default values are:
+
+
+ DROP_DEFAULT="Drop"
+
+ REJECT_DEFAULT="Reject"
+
+ ACCEPT_DEFAULT="none"
+
+ QUEUE_DEFAULT="none"
+
+ NFQUEUE_DEFAULT="None"
+
+
+ If USE_ACTIONS=Yes, then these values refer to action.Drop and
+ action.Reject respectively. If USE_ACTIONS=No, then these values
+ refer to macro.Drop and macro.Reject.
+
+ If you set the value of either option to "None" then no
+ default action will be used and the default action or macro must be
+ specified in shorewall-policy(5).
+
+
+
+
+ ADD_IP_ALIASES=[Yes|No]
+
+
+ This parameter determines whether Shorewall automatically adds
+ the external address(es) in shorewall-nat(5). If the variable
+ is set to Yes or yes then Shorewall automatically adds these
+ aliases. If it is set to No or
+ no, you must add these aliases
+ yourself using your distribution's network configuration
+ tools.
+
+ If this variable is not set or is given an empty value
+ (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.
+
+
+ Addresses added by ADD_IP_ALIASES=Yes are deleted and
+ re-added during shorewall restart. As a consequence, connections
+ using those addresses may be severed.
+
+
+
+
+
+ ADD_SNAT_ALIASES=[Yes|No]
+
+
+ This parameter determines whether Shorewall automatically adds
+ the SNAT ADDRESS in shorewall-masq(5). If the variable
+ is set to Yes or yes then Shorewall automatically adds these
+ addresses. If it is set to No or
+ no, you must add these addresses
+ yourself using your distribution's network configuration
+ tools.
+
+ If this variable is not set or is given an empty value
+ (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
+
+
+ Addresses added by ADD_SNAT_ALIASES=Yes are deleted and
+ re-added during shorewall restart. As a consequence, connections
+ using those addresses may be severed.
+
+
+
+
+
+ ADMINISABSENTMINDED=[Yes|No]
+
+
+ The value of this variable affects Shorewall's stopped state.
+ When ADMINISABSENTMINDED=No, only traffic to/from those addresses
+ listed in shorewall-routestopped(5)
+ is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
+ in addition to traffic to/from addresses in shorewall-routestopped(5),
+ connections that were active when Shorewall stopped continue to work
+ and all new connections from the firewall system itself are allowed.
+ If this variable is not set or is given the empty value then
+ ADMINISABSENTMINDED=No is assumed.
+
+
+
+
+ AUTO_COMMENT=[Yes|No]
+
+
+ Added in Shorewall-perl 4.1.5. If set, if there is not a
+ current comment when a macro is invoked, the behavior is as if the
+ first line of the macro file was "COMMENT <macro name>". The
+ AUTO_COMMENT option has a default value of 'Yes'.
+
+
+
+
+ BIGDPORTLISTS=[Yes|No]
+
+
+ Setting this option to 'Yes' allows you to include arbitrarily
+ long destination port lists in all configuration files.
+
+
+
+
+ BLACKLIST_DISPOSITION=[DROP|REJECT]
+
+
+ This parameter determines the disposition of packets from
+ blacklisted hosts. It may have the value DROP if the packets are to
+ be dropped or REJECT if the packets are to be replied with an ICMP
+ port unreachable reply or a TCP RST (tcp only). If you do not assign
+ a value or if you assign an empty value then DROP is assumed.
+
+
+
+
+ BLACKLIST_LOGLEVEL=[log-level]
+
+
+ This parameter determines if packets from blacklisted hosts
+ are logged and it determines the syslog level that they are to be
+ logged at. Its value is a syslog level (Example:
+ BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
+ assign an empty value then packets from blacklisted hosts are not
+ logged.
+
+
+
+
+ BLACKLISTNEWONLY={Yes|No}
+
+
+ When set to Yes or yes, blacklists are only consulted for new
+ connections. When set to No or
+ no, blacklists are consulted for
+ every packet (will slow down your firewall noticably if you have
+ large blacklists). If the BLACKLISTNEWONLY option is not set or is
+ set to the empty value then BLACKLISTNEWONLY=No is assumed.
+
+
+ BLACKLISTNEWONLY=No is incompatible with
+ FASTACCEPT=Yes.
+
+
+
+
+
+ BRIDGING={Yes|No}
+
+
+ When set to Yes or yes, enables Shorewall Bridging
+ support.
+
+
+ BRIDGING=Yes may not work properly with Linux kernel
+ 2.6.20 or later and is not supported by Shorewall-perl.
+
+
+
+
+
+ CLAMPMSS=[Yes|No|value]
+
+
+ This parameter enables the TCP Clamp MSS to PMTU feature of
+ Netfilter and is usually required when your internet connection is
+ through PPPoE or PPTP. If set to Yes or yes,
+ the feature is enabled. If left blank or set to No or no,
+ the feature is not enabled.
+
+ Important: This option
+ requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.
+
+ You may also set CLAMPMSS to a numeric
+ value (e.g., CLAMPMSS=1400). This will set the
+ MSS field in TCP SYN packets going through the firewall to the
+ value that you specify.
+
+
+
+
+ CLEAR_TC=[Yes|No]
+
+
+ If this option is set to No
+ then Shorewall won't clear the current traffic control rules during
+ [re]start. This setting is intended for use by people that prefer to
+ configure traffic shaping when the network interfaces come up rather
+ than when the firewall is started. If that is what you want to do,
+ set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
+ /etc/shorewall/tcstart file. That way, your traffic shaping rules
+ can still use the “fwmark” classifier based on packet marking
+ defined in shorewall-tcrules(5). If not
+ specified, CLEAR_TC=Yes is assumed.
+
+
+
+
+ CONFIG_PATH=[directory[:directory]...]
+
+
+ Specifies where configuration files other than shorewall.conf
+ may be found. CONFIG_PATH is specifies as a list of directory names
+ separated by colons (":"). When looking for a configuration file
+ other than shorewall.conf:
+
+
+
+ If the command is "try" or a "<configuration
+ directory>" was specified in the command (e.g.,
+ shorewall check ./gateway) then the directory
+ given in the command is searched first.
+
+
+
+ Next, each directory in the CONFIG_PATH setting is
+ searched in sequence.
+
+
+
+
+
+
+ If CONFIG_PATH is not given or if it is set to the empty
+ value then the contents of /usr/share/shorewall/configpath are
+ used. As released from shorewall.net, that file sets the
+ CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your
+ particular distribution may set it differently. See the output of
+ shorewall show config for the default on your system.
+
+ Note that the setting in /usr/share/shorewall/configpath is
+ always used to locate shorewall.conf.
+
+
+
+
+
+ DELAYBLACKLISTLOAD={Yes|No}
+
+
+ Users with a large static black list (shorewall-blacklist(5)) may
+ want to set the DELAYBLACKLISTLOAD option to Yes. When DELAYBLACKLISTLOAD=Yes, Shorewall
+ will enable new connections before loading the blacklist rules.
+ While this may allow connections from blacklisted hosts to slip by
+ during construction of the blacklist, it can substantially reduce
+ the time that all new connections are disabled during shorewall [re]start.
+
+
+ DELAYBLACKLISTLOAD=Yes is not supported by
+ Shorewall-perl.
+
+
+
+
+
+ DELETE_THEN_ADD={Yes|No}
+
+
+ Added in Shorewall 4.0.4. If set to Yes (the default value),
+ entries in the /etc/shorewall/route_stopped files cause an 'ip rule
+ del' command to be generated in addition to an 'ip rule add'
+ command. Setting this option to No, causes the 'ip rule del' command
+ to be omitted.
+
+
+
+
+ DETECT_DNAT_IPADDRS=[Yes|No]
+
+
+ If set to Yes or yes, Shorewall will detect the first IP
+ address of the interface to the source zone and will include this
+ address in DNAT rules as the original destination IP address. If set
+ to No or no, Shorewall will not detect this address
+ and any destination IP address will match the DNAT rule. If not
+ specified or empty, “DETECT_DNAT_IPADDRS=Yes” is assumed.
+
+
+
+
+ DISABLE_IPV6=[Yes|No]
+
+
+ If set to Yes or yes, IPv6 traffic to, from and through the
+ firewall system is disabled. If set to No or no,
+ Shorewall will take no action with respect to allowing or
+ disallowing IPv6 traffic. If not specified or empty,
+ “DISABLE_IPV6=No” is assumed.
+
+
+
+
+ DONT_LOAD=[module[,module]...]
+
+
+ Added in Shorewall-4.0.6. Causes Shorewall to not load the
+ listed modules.
+
+
+
+
+ DYNAMIC_ZONES={Yes|No}
+
+
+ When set to Yes or yes, enables dynamic zones. DYNAMIC_ZONES=Yes
+ is not allowed in configurations that will run under Shorewall
+ Lite.
+
+ DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
+ later.
+
+
+
+
+ EXPAND_POLICIES={Yes|No}
+
+
+ Normally, when the SOURCE or DEST columns in
+ shorewall-policy(5) contains 'all', a single policy chain is created
+ and the policy is enforced in that chain. For example, if the policy
+ entry is#SOURCE DEST POLICY LOG
+# LEVEL
+net all DROP infothen the chain name is 'net2all'
+ which is also the chain named in Shorewall log messages generated as
+ a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl
+ will create a separate chain for each pair of zones covered by the
+ policy. This makes the resulting log messages easier to interpret
+ since the chain in the messages will have a name of the form 'a2b'
+ where 'a' is the SOURCE zone and 'b' is the DEST zone.
+
+
+
+
+ EXPORTPARAMS={Yes|No}
+
+
+ It is quite difficult to code a 'params' file that assigns
+ other than constant values such that it works correctly with
+ Shorewall Lite. The EXPORTPARAMS option works around this problem.
+ When EXPORTPARAMS=No, the 'params' file is not copied to the
+ compiler output.
+
+ With EXPORTPARAMS=No, if you need to set environmental
+ variables on the firewall system for use by your extension scripts,
+ then do so in the init extension script.
+
+ The default is EXPORTPARAMS=Yes
+
+
+
+
+ FASTACCEPT={Yes|No}
+
+
+ Normally, Shorewall defers accepting ESTABLISHED/RELATED
+ packets until these packets reach the chain in which the original
+ connection was accepted. So for packets going from the 'loc' zone to
+ the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
+ 'loc2net' chain.
+
+ If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets
+ are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
+ set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
+ or RELATED sections of shorewall-rules(5).
+
+
+
+
+ FASTACCEPT=Yes is incompatible with
+ BLACKLISTNEWONLY=No.
+
+
+
+
+
+ HIGH_ROUTE_MARKS={Yes|No}
+
+
+ Prior to version 3.2.0, it was not possible to use connection
+ marking in shorewall-tcrules(5) if you
+ have a multi-ISP configuration that uses the track option.
+
+ Beginning with release 3.2.0, you may now set
+ HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and
+ connection mark into two 8-byte mark fields.
+
+ When you do this:
+
+
+
+ The MARK field in the providers file must have a value
+ that is less than 65536 and that is a multiple of 256 (using hex
+ representation, the values are 0x0100-0xFF00 with the low-order
+ 8 bits being zero).
+
+
+
+ You may only set those mark values in the PREROUTING
+ chain.
+
+
+
+ Marks used for traffic shaping must still be in the range
+ of 1-255 and may still not be set in the PREROUTING
+ chain.
+
+
+
+ When you SAVE or RESTORE in tcrules, only the TC mark
+ value is saved or restored. Shorewall handles saving and
+ restoring the routing (provider) marks.
+
+
+
+
+
+
+ IMPLICIT_CONTINUE={Yes|No}
+
+
+ When this option is set to Yes, it causes subzones to be treated
+ differently with respect to policies.
+
+ Subzones are defined by following their name with ":" and a
+ list of parent zones (in shorewall-zones(5)). Normally,
+ you want to have a set of special rules for the subzone and if a
+ connection doesn't match any of those subzone-specific rules then
+ you want the parent zone rules and policies to be applied; see
+ shorewall-nesting(5).
+ With IMPLICIT_CONTINUE=Yes, that happens automatically.
+
+ If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
+ then subzones are not subject to this special treatment. With
+ IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
+ by including an explicit policy (one that does not specify "all" in
+ either the SOURCE or the DEST columns).
+
+
+
+
+ IP_FORWARDING=[On|Off|Keep]
+
+
+ This parameter determines whether Shorewall enables or
+ disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
+ Possible values are:
+
+
+
+ On or on
+
+
+ packet forwarding will be enabled.
+
+
+
+
+ Off or off
+
+
+ packet forwarding will be disabled.
+
+
+
+
+ Keep or keep
+
+
+ Shorewall will neither enable nor disable packet
+ forwarding.
+
+
+
+
+
+
+
+ If this variable is not set or is given an empty value
+ (IP_FORWARD="") then IP_FORWARD=On is assumed.
+
+
+
+
+
+ IPSECFILE={zones|ipsec}
+
+
+ This should be set to zones
+ for all new Shorewall installations. IPSECFILE=ipsec is only used
+ for compatibility with pre-Shorewall-3.0 configurations.
+
+
+
+
+ IPTABLES=[pathname]
+
+
+ This parameter names the iptables executable to be used by
+ Shorewall. If not specified or if specified as a null value, then
+ the iptables executable located using the PATH option is
+ used.
+
+ Regardless of how the IPTABLES utility is located (specified
+ via IPTABLES= or located via PATH), Shorewall uses the
+ iptables-restore and iptables-save utilities from that same
+ directory.
+
+
+
+
+ KEEP_RT_TABLES={Yes|No}
+
+
+ Added in Shorewall 4.0.3. When set to ,
+ this option prevents scripts generated by Shorewall-perl from
+ altering the /etc/iproute2/rt_tables database when there are entries
+ in /etc/shorewall/providers. If you set this
+ option to while Shorewall (Shorewall-lite) is
+ running, you should remove the file
+ /var/lib/shorewall/rt_tables
+ (/var/lib/shorewall-lite/rt_tables) before your
+ next stop, refresh,
+ restore on restart
+ command.
+
+ The default is KEEP_RT_TABLES=No.
+
+
+
+
+ LOG_MARTIANS=[Yes|No|Keep]
+
+
+ If set to Yes or yes, sets
+ /proc/sys/net/ipv4/conf/all/log_martians and
+ /proc/sys/net/ipv4/conf/default/log_martians to 1. In Shorewall
+ versions prior to 4.1.5, the default is No which sets both of the above to zero. In
+ Shorewall 4.1.5, the default value was chaned to Yes which sets both of the above to one. If
+ you do not enable martian logging for all interfaces, you may still
+ enable it for individual interfaces using the logmartians interface option in shorewall-interfaces(5).
+
+ The value Keep is only
+ allowed under Shorewall-perl. It causes Shorewall to ignore the
+ option. If the option is set to Yes, then martians are logged on all
+ interfaces. If the option is set to No, then martian logging is disabled on all
+ interfaces except those specified in shorewall-interfaces(5).
+
+
+
+
+ LOG_VERBOSITY=[number]
+
+
+ This option controls the amount of information logged to the
+ file specified in the STARTUP_LOG option.
+
+ Values are:
+
+
+ -1 - Logging is disabled
+
+ 0 - Silent. Only error messages are logged.
+
+ 1 - Major progress messages logged.
+
+ 2 - All progress messages logged
+
+
+ If not specified, then -1 is assumed.
+
+
+
+
+ LOGALLNEW=[log-level]
+
+
+ This option is intended for use as a debugging aid. When set
+ to a log level, this option causes Shorewall to generate a logging
+ rule as the first rule in each builtin chain.
+
+
+
+ The table name is used as the chain name in the log
+ prefix.
+
+
+
+ The chain name is used as the target in the log
+ prefix.
+
+
+
+
+
+
+ For example, using the default LOGFORMAT, the log prefix for
+ logging from the nat table's PREROUTING chain is:
+
+ Shorewall:nat:PREROUTING
+
+
+
+ To help insure that all packets in the NEW state are
+ logged, rate limiting (LOGBURST and LOGRATE) should be disabled
+ when using LOGALLNEW. Use LOGALLNEW at your own risk; it may
+ cause high CPU and disk utilization and you may not be able to
+ control your firewall after you enable this option.
+
+
+
+
+
+ Do not use this option if the resulting log messages will
+ be sent to another system.
+
+
+
+
+
+
+ LOGFILE=[pathname]
+
+
+ This parameter tells the /sbin/shorewall program where to look
+ for Shorewall messages when processing the dump, logwatch, show
+ log, and hits commands.
+ If not assigned or if assigned an empty value, /var/log/messages is
+ assumed.
+
+
+
+
+ LOGFORMAT=["formattemplate"]
+
+
+ The value of this variable generate the --log-prefix setting
+ for Shorewall logging rules. It contains a “printf” formatting
+ template which accepts three arguments (the chain name, logging rule
+ number (optional) and the disposition). To use LOGFORMAT with
+ fireparse, set it as:
+
+ LOGFORMAT="fp=%s:%d a=%s "
+
+ If the LOGFORMAT value contains the substring “%d” then the
+ logging rule number is calculated and formatted in that position; if
+ that substring is not included then the rule number is not included.
+ If not supplied or supplied as empty (LOGFORMAT="") then
+ “Shorewall:%s:%s:” is assumed.
+
+
+
+
+ LOGBURST=[burst]
+
+
+
+
+
+
+
+ LOGRATE=[rate/{minute|second}]
+
+
+ These parameters set the match rate and initial burst size for
+ logged packets. Please see iptables(8) for a description of the
+ behavior of these parameters (the iptables option --limit is set by
+ LOGRATE and --limit-burst is set by LOGBURST). If both parameters
+ are set empty, no rate-limiting will occur.
+
+ Example:
+
+ LOGRATE=10/minute
+ LOGBURST=5
+
+ For each logging rule, the first time the rule is reached, the
+ packet will be logged; in fact, since the burst is 5, the first five
+ packets will be logged. After this, it will be 6 seconds (1 minute
+ divided by the rate of 10) before a message will be logged from the
+ rule, regardless of how many packets reach it. Also, every 6 seconds
+ which passes without matching a packet, one of the bursts will be
+ regained; if no packets hit the rule for 30 seconds, the burst will
+ be fully recharged; back where we started.
+
+
+
+
+ LOGTAGONLY=[Yes|No]
+
+
+ Using the default LOGFORMAT, chain names may not exceed 11
+ characters or truncation of the log prefix may occur. Longer chain
+ names may be used with log tags if you set LOGTAGONLY=Yes. With
+ LOGTAGONLY=Yes, if a log tag is specified then the tag is included
+ in the log prefix in place of the chain name.
+
+
+
+
+ MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT]
+
+
+ Determines the disposition of connections requests that fail
+ MAC Verification and must have the value ACCEPT (accept the
+ connection request anyway), REJECT (reject the connection request)
+ or DROP (ignore the connection request). If not set or if set to the
+ empty value (e.g., MACLIST_DISPOSITION="") then
+ MACLIST_DISPOSITION=REJECT is assumed.
+
+
+
+
+ MACLIST_LOG_LEVEL=[log-level]
+
+
+ Determines the syslog level for logging connection requests
+ that fail MAC Verification. The value must be a valid syslogd log
+ level. If you don't want to log these connection requests, set to
+ the empty value (e.g., MACLIST_LOG_LEVEL="").
+
+
+
+
+ MACLIST_TABLE=[filter|mangle]
+
+
+ Normally, MAC verification occurs in the filter table (INPUT
+ and FORWARD) chains. When forwarding a packet from an interface with
+ MAC verification to a bridge interface, that doesn't work.
+
+ This problem can be worked around by setting
+ MACLIST_TABLE=mangle which will cause Mac verification to occur out
+ of the PREROUTING chain. Because REJECT isn't available in that
+ environment, you may not specify MACLIST_DISPOSITION=REJECT with
+ MACLIST_TABLE=mangle.
+
+
+
+
+ MACLIST_TTL=[number]
+
+
+ The performance of configurations with a large numbers of
+ entries in shorewall-maclist(5) can be
+ improved by setting the MACLIST_TTL variable in shorewall.conf(5).
+
+ If your iptables and kernel support the "Recent Match" (see
+ the output of "shorewall check" near the top), you can cache the
+ results of a 'maclist' file lookup and thus reduce the overhead
+ associated with MAC Verification.
+
+ When a new connection arrives from a 'maclist' interface, the
+ packet passes through then list of entries for that interface in
+ shorewall-maclist(5). If
+ there is a match then the source IP address is added to the 'Recent'
+ set for that interface. Subsequent connection attempts from that IP
+ address occurring within $MACLIST_TTL seconds will be accepted
+ without having to scan all of the entries. After $MACLIST_TTL from
+ the first accepted connection request from an IP address, the next
+ connection request from that IP address will be checked against the
+ entire list.
+
+ If MACLIST_TTL is not specified or is specified as empty (e.g,
+ MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
+ not be cached).
+
+
+
+
+ MAPOLDACTIONS=[Yes|No]
+
+
+ Previously, Shorewall included a large number of standard
+ actions (AllowPing, AllowFTP, ...). These have been replaced with
+ parameterized macros. For compatibility, Shorewall can map the old
+ names into invocations of the new macros if you set
+ MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
+ value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.
+
+
+
+
+ MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
+ Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
+ value then MAPOLDACTIONS=No is assumed.
+
+
+
+
+
+ MARK_IN_FORWARD_CHAIN=[Yes|No]
+
+
+ If your kernel has a FORWARD chain in the mangle table, you
+ may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in
+ the tcrules file to occur in that chain rather than in the
+ PREROUTING chain. This permits you to mark inbound traffic based on
+ its destination address when DNAT is in use. To determine if your
+ kernel has a FORWARD chain in the mangle table, use the /sbin/shorewall show mangle command; if a
+ FORWARD chain is displayed then your kernel will support this
+ option. If this option is not specified or if it is given the empty
+ value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
+ is assumed.
+
+
+
+
+ MODULE_SUFFIX=["extension ..."]
+
+
+ The value of this option determines the possible file
+ extensions of kernel modules. The default value is "o gz ko
+ o.gz".
+
+
+
+
+ MODULESDIR=[pathname[:pathname]...]
+
+
+ This parameter specifies the directory/directories where your
+ kernel netfilter modules may be found. If you leave the variable
+ empty, Shorewall will supply the value "/lib/modules/`uname
+ -r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to
+ 3.2.4 and "/lib/modules/`uname
+ -r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
+ -r`/kernel/net/ipv4/netfilter" in later versions.
+
+
+
+
+ MULTICAST=[Yes|No]
+
+
+ This option will normally be set to 'No' (the default). It
+ should be set to 'Yes' under the following circumstances:
+
+
+
+ You have an interface that has parallel zones defined via
+ /etc/shorewall/hosts.
+
+
+
+ You want to forward multicast packets to two or more of
+ those parallel zones.
+
+
+
+ In such cases, you will configure a
+ network on each zone receiving multicasts.
+
+ The MULTICAST option is only recognized by Shorewall-perl and
+ is ignored by Shorewall-shell.
+
+
+
+
+ MUTEX_TIMEOUT=[seconds]
+
+
+ The value of this variable determines the number of seconds
+ that programs will wait for exclusive access to the Shorewall lock
+ file. After the number of seconds corresponding to the value of this
+ variable, programs will assume that the last program to hold the
+ lock died without releasing the lock.
+
+ If not set or set to the empty value, a value of 60 (60
+ seconds) is assumed.
+
+ An appropriate value for this parameter would be twice the
+ length of time that it takes your firewall system to process a
+ shorewall restart command.
+
+
+
+
+ OPTIMIZE=[0|1]
+
+
+ Traditionally, Shorewall has created rules for the complete matrix of host
+ groups defined by the zones, interfaces and hosts files. Any
+ traffic that didn't correspond to an element of that matrix was
+ rejected in one of the built-in chains. When the matrix is sparse,
+ this results in lots of largely useless rules.
+
+ These extra rules can be eliminated by setting
+ OPTIMIZE=1.
+
+ The OPTIMIZE setting also controls the suppression of
+ redundant wildcard rules (those specifying "all" in the SOURCE or
+ DEST column). A wildcard rule is considered to be redundant when it
+ has the same ACTION and Log Level as the applicable policy.
+
+
+
+
+ PATH=pathname[:pathname]...
+
+
+ Determines the order in which Shorewall searches directories
+ for executable files.
+
+
+
+
+ PKTTYPE={Yes|No}
+
+
+ Normally Shorewall attempts to use the iptables packet type
+ match extension to determine broadcast and multicast packets.
+
+
+
+ This can cause a message to appear during shorewall start
+ (modprobe: cant locate module ipt_pkttype).
+
+
+
+ Some users have found problems with the packet match
+ extension with the result that their firewall log is flooded
+ with messages relating to broadcast packets.
+
+
+
+
+
+
+ If you are experiencing either of these problems, setting
+ PKTTYPE=No will prevent Shorewall from trying to use the packet
+ type match extension and to use IP address matching to determine
+ which packets are broadcasts or multicasts.
+
+
+
+
+
+ RCP_COMMAND="command"
+
+
+
+
+
+
+
+ RSH_COMMAND="command"
+
+
+ Eariler generations of Shorewall Lite required that remote
+ root login via ssh be enabled in order to use the
+ load and reload commands.
+ Beginning with release 3.9.5, you may define an alternative means
+ for accessing the remote firewall system. In that release, two new
+ options were added to shorewall.conf:
+ RSH_COMMAND
+
+ RCP_COMMAND
+ The default values for these are as
+ follows:
+ RSH_COMMAND: ssh ${root}@${system} ${command}
+
+ RCP_COMMAND: scp ${files}
+ ${root}@${system}:${destination}
+ Shell variables that will be set when the commands
+ are envoked are as follows:
+ root - root user. Normally
+ but may be overridden using the '-r'
+ option.
+
+ system - The name/IP address
+ of the remote firewall system.
+
+ command - For RSH_COMMAND,
+ the command to be executed on the firewall system.
+
+ files - For RCP_COMMAND, a
+ space-separated list of files to be copied to the remote
+ firewall system.
+
+ destination - The directory
+ on the remote system that the files are to be copied
+ into.
+
+
+
+
+
+ RESTOREFILE=filename
+
+
+ Specifies the simple name of a file in /var/lib/shorewall to
+ be used as the default restore script in the shorewall save, shorewall restore, shorewall forget and shorewall -f start commands.
+
+
+
+
+ RETAIN_ALIASES={Yes|No}
+
+
+ During shorewall start, IP
+ addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
+ ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and shorewall-masq(5) are processed
+ then are re-added later. This is done to help ensure that the
+ addresses can be added with the specified labels but can have the
+ undesirable side effect of causing routes to be quietly deleted.
+ When RETAIN_ALIASES is set to Yes, existing addresses will not be
+ deleted. Regardless of the setting of RETAIN_ALIASES, addresses
+ added during shorewall start are
+ still deleted at a subsequent shorewall
+ stop or shorewall
+ restart.
+
+
+
+
+ RFC1918_LOG_LEVEL=[log-level]
+
+
+ This parameter determines the level at which packets logged
+ under the norfc1918 mechanism are
+ logged. The value must be a valid syslog level and if no level is
+ given, then info is assumed.
+
+
+
+
+ RFC1918_STRICT=[Yes|No]
+
+
+ Traditionally, the RETURN target in the 'rfc1918' file has
+ caused norfc1918 processing to cease for a packet if the packet's
+ source IP address matches the rule. Thus, if you have this entry in
+ shorewall-rfc1918(5):
+
+ #SUBNETS TARGET
+ 192.168.1.0/24 RETURN
+
+ then traffic from 192.168.1.4 to 10.0.3.9 will be accepted
+ even though you also have:
+
+ #SUBNETS TARGET
+ 10.0.0.0/8 logdrop
+
+ Setting RFC1918_STRICT=Yes in shorewall.conf will cause such
+ traffic to be logged and dropped since while the packet's source
+ matches the RETURN rule, the packet's destination matches the
+ 'logdrop' rule.
+
+ If not specified or specified as empty (e.g.,
+ RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.
+
+
+
+
+ RFC1918_STRICT=Yes requires that your kernel and iptables
+ support 'Connection Tracking' match.
+
+
+
+
+
+ ROUTE_FILTER=[Yes|No|Keep]
+
+
+ If this parameter is given the value Yes or yes
+ then route filtering (anti-spoofing) is enabled on all network
+ interfaces which are brought up while Shorewall is in the started
+ state. The default value is no.
+
+ The value Keep is only
+ allowed under Shorewall-perl. It causes Shorewall to ignore the
+ option. If the option is set to Yes, then route filtering occurs on all
+ interfaces. If the option is set to No, then route filtering is disabled on all
+ interfaces except those specified in shorewall-interfaces(5).
+
+
+
+
+ SAVE_IPSETS={Yes|No}
+
+
+ If SAVE_IPSETS=Yes, then the current contents of your ipsets
+ will be saved by the shorewall save
+ command. Regardless of the setting of SAVE_IPSETS, if saved ipset
+ contents are available then they will be restored by shorewall restore.
+
+
+
+
+ SHOREWALL_COMPILER={perl|shell}
+
+
+ Specifies the compiler to use to generate firewall scripts
+ when both compilers are installed. The value of this option can be
+ either or . If both
+ compilers are installed and SHOREWALL_SHELL is not set, then
+ SHOREWALL_SHELL=shell is assumed.
+
+ If you add 'SHOREWALL_COMPILER=perl' to
+ /etc/shorewall/shorewall.conf then by default,
+ the Shorewall-perl compiler will be used on the system. If you add
+ it to shorewall.conf in a separate directory
+ (such as a Shorewall-lite export directory) then the Shorewall-perl
+ compiler will only be used when you compile from that
+ directory.
+
+ If you only install one compiler, it is suggested that you do
+ not set SHOREWALL_COMPILER.
+
+ This setting may be overriden in those commands that invoke
+ the compiler by using the -C command option (see shorewall(8)).
+
+
+
+
+ SHOREWALL_SHELL=[pathname]
+
+
+ This option is used to specify the shell program to be used to
+ run the Shorewall compiler and to interpret the compiled script. If
+ not specified or specified as a null value, /bin/sh is assumed.
+ Using a light-weight shell such as ash or dash can significantly
+ improve performance.
+
+
+
+
+ SMURF_LOG_LEVEL=[log-level]
+
+
+ Specifies the logging level for smurf packets (see the
+ nosmurfs option in shorewall-interfaces(5)). If
+ set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+ logged.
+
+
+
+
+ STARTUP_ENABLED={Yes|No}
+
+
+ Determines if Shorewall is allowed to start. As released from
+ shorewall.net, this option is set to No. When set to Yes or yes,
+ Shorewall may be started. Used as a guard against Shorewall being
+ accidentally started before it has been configured.
+
+
+
+
+ STARTUP_LOG=[pathname]
+
+
+ If specified, determines where Shorewall will log the details
+ of each start, restart and refresh command. Logging verbosity is
+ determined by the setting of LOG_VERBOSITY above.
+
+
+
+
+ SUBSYSLOCK=[pathname]
+
+
+ This parameter should be set to the name of a file that the
+ firewall should create if it starts successfully and remove when it
+ stops. Creating and removing this file allows Shorewall to work with
+ your distribution's initscripts. For RedHat, this should be set to
+ /var/lock/subsys/shorewall. For Debian, the value is
+ /var/state/shorewall and in LEAF it is /var/run/shorwall.
+
+
+
+
+ TC_ENABLED=[Yes|No|Internal]
+
+
+ If you say Yes or yes here, Shorewall will use a script that
+ you supply to configure traffic shaping. The script must be named
+ 'tcstart' and must be placed in a directory on your
+ CONFIG_PATH.
+
+ If you say No or no then traffic shaping is not
+ enabled.
+
+ If you set TC_ENABLED=Internal or internal or leave the option
+ empty then Shorewall will use its builtin traffic shaper
+ (tc4shorewall written by Arne Bernin.
+
+
+
+
+ TC_EXPERT={Yes|No}
+
+
+ Normally, Shorewall tries to protect users from themselves by
+ preventing PREROUTING and OUTPUT tcrules from being applied to
+ packets that have been marked by the 'track' option in shorewall-providers(5).
+
+ If you know what you are doing, you can set TC_EXPERT=Yes and
+ Shorewall will not include these cautionary checks.
+
+
+
+
+ TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT]
+
+
+ Determines the disposition of TCP packets that fail the checks
+ enabled by the tcpflags interface
+ option (see shorewall-interfaces(5)) and
+ must have a value of ACCEPT (accept the packet), REJECT (send an RST
+ response) or DROP (ignore the packet). If not set or if set to the
+ empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+ TCP_FLAGS_DISPOSITION=DROP is assumed.
+
+
+
+
+ TCP_FLAGS_LOG_LEVEL=[log-level]
+
+
+ Determines the syslog level for logging packets that fail the
+ checks enabled by the tcpflags interface option. The value must be a
+ valid syslogd log level. If you don't want to log these packets, set
+ to the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").
+
+
+
+
+ USE_ACTIONS={Yes|No}
+
+
+ While Shorewall Actions can be very useful, they also require
+ a sizable amount of code to implement. By setting USE_ACTIONS=No,
+ embedded Shorewall installations can omit the large library
+ /usr/share/shorewall-shell/lib.actions.
+
+
+ USE_ACTIONS=No is not supported by Shorewall-perl.
+
+
+
+
+
+ USE_DEFAULT_RT=[Yes|No]
+
+
+ When set to 'Yes', this option causes the Shorewall multi-ISP
+ feature to create a different set of routing rules which are
+ resilient to changes in the main routing table. Such changes can
+ occur for a number of reasons, VPNs going up and down being an
+ example. The idea is to send packets through the main table prior to
+ applying any of the Shorewall-generated routing rules. So changes to
+ the main table will affect the routing of packets by default.
+
+ When USE_DEFAULT_RT=Yes:
+
+
+
+ Both the DUPLICATE and the COPY columns in providers(5) file must
+ remain empty (or contain "-").
+
+
+
+ The default route is added to the the 'default' table
+ rather than to the main table.
+
+
+
+ balance is assumed unless
+ loose is specified.
+
+
+
+ Packets are sent through the main routing table by a rule
+ with priority 999. In routing_rules(5), the
+ range 1-998 may be used for inserting rules that bypass the main
+ table.
+
+
+
+ All provider gateways must be specified explicitly in the
+ GATEWAY column. detect may not
+ be specified.
+
+
+
+ You should disable all default route management outside of
+ Shorewall. If a default route is added to the main table while
+ Shorewall is started, then all policy routing will stop working
+ (except for those routing rules in the priority range
+ 1-998).
+
+
+
+ If USE_DEFAULT_RT is not set or if it is set to the empty
+ string then USE_DEFAULT_RT=No is assumed.
+
+
+
+
+ VERBOSITY=[number]
+
+
+ Shorewall has traditionally been very noisy (produced lots of
+ output). You may set the default level of verbosity using the
+ VERBOSITY OPTION.
+
+ Values are:
+
+
+ 0 - Silent. You may make it more verbose using the -v
+ option
+
+ 1 - Major progress messages displayed
+
+ 2 - All progress messages displayed (pre Shorewall-3.2.0
+ behavior)
+
+
+ If not specified, then 2 is assumed.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/shorewall.conf
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall.xml b/manpages6/shorewall.xml
new file mode 100644
index 000000000..ad2ea2756
--- /dev/null
+++ b/manpages6/shorewall.xml
@@ -0,0 +1,1457 @@
+
+
+
+
+ shorewall
+
+ 8
+
+
+
+ shorewall
+
+ Administration tool for Shoreline Firewall
+ (Shorewall)
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ interface[:host-list]
+
+ zone
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+
+
+ directory
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+
+
+ directory
+
+ pathname
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ interface[:host-list]
+
+ zone
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+ directory1
+
+ [user@]system[directory2]
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ filename
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+ address
+ mask
+
+ address/vlsm
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ address1address2
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+ root-user-name
+
+
+
+ directory
+
+ system
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ refresh-interval
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+ chain
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ address
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+ root-user-name
+
+
+
+ directory
+
+ system
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+
+
+ directory
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ filename
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ directory
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ directory
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+ filename
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+ {|||}
+
+ chain
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+
+
+
+
+
+ directory
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+ directory
+
+ timeout
+
+
+
+ shorewall
+
+ |
+
+ -options
+
+
+
+
+
+
+ Description
+
+ The shorewall utility is used to control the Shoreline Firewall
+ (Shorewall).
+
+
+
+ Options
+
+ The and options are
+ used for debugging. See http://www.shorewall.net/starting_and_stopping.htm#Trace.
+
+ The nolock prevents the command from
+ attempting to acquire the Shorewall lockfile. It is useful if you need to
+ include shorewall commands in
+ /etc/shorewall/started.
+
+ The options control the amount of output that
+ the command produces. They consist of a sequence of the letters v and q. If the
+ options are omitted, the amount of output is determined by the setting of
+ the VERBOSITY parameter in shorewall.conf(5). Each v adds one to the effective verbosity and each
+ q subtracts one from the effective
+ VERBOSITY. Anternately, v may be followed
+ immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
+ be no white space between v and the
+ VERBOSITY.
+
+ The options may also include the letter
+ which causes all progress messages to be
+ timestamped.
+
+
+
+ Commands
+
+ The available commands are listed below.
+
+
+
+ add
+
+
+ Adds a list of hosts or subnets to a dynamic zone usually used
+ with VPN's.
+
+ The interface argument names an interface
+ defined in the shorewall-interfaces(5)
+ file. A host-list is comma-separated list whose
+ elements are host or network addresses.
+ The add command is not very robust. If
+ there are errors in the host-list,
+ you may see a large number of error messages yet a subsequent
+ shorewall show zones command will indicate
+ that all hosts were added. If this happens, replace
+ add by delete and run the
+ same command again. Then enter the correct command.
+
+
+
+
+
+ allow
+
+
+ Re-enables receipt of packets from hosts previously
+ blacklisted by a drop, logdrop, reject, or logreject command.
+
+
+
+
+ check
+
+
+ Compiles the configuraton in the specified
+ directory and discards the compiled output
+ script. If no directory is given, then
+ /etc/shorewall is assumed.
+
+ The -e option causes the
+ compiler to look for a file named capabilities. This file is
+ produced using the command shorewall-lite show
+ -f capabilities > capabilities on a system with
+ Shorewall Lite installed.
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+ The option only works when the compiler is
+ Shorewall-perl. It causes the compiler to be run under control of
+ the Perl debugger.
+
+ The option only works when the compiler is
+ Shorewall-perl. It causes the compiler to be profiled via the Perl
+ command-line option.
+
+
+
+
+ clear
+
+
+ Clear will remove all rules and chains installed by Shorewall.
+ The firewall is then wide open and unprotected. Existing connections
+ are untouched. Clear is often used to see if the firewall is causing
+ connection problems.
+
+ The option was added in Shorewall 4.0.3.
+ If is given, the command will be processed by
+ the compiled script that executed the last successful start, restart or refresh command if that script exists.
+
+
+
+
+ compile
+
+
+ Compiles the current configuration into the executable file
+ pathname. If a directory is supplied, Shorewall
+ will look in that directory first for configuration files.
+
+ When -e is specified, the compilation is being performed on a
+ system other than where the compiled script will run. This option
+ disables certain configuration options that require the script to be
+ compiled where it is to be run. The use of -e requires the presense
+ of a configuration file named capabilities
+ which may be produced using the command shorewall-lite show -f capabilities >
+ capabilities on a system with Shorewall Lite
+ installed
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+ The option only works when the compiler is
+ Shorewall-perl. It causes the compiler to be run under control of
+ the Perl debugger.
+
+ The option only works when the compiler is
+ Shorewall-perl. It causes the compiler to be profiled via the Perl
+ command-line option.
+
+
+
+
+ delete
+
+
+ The delete command reverses the effect of an earlier add command.
+
+ The interface argument names an interface
+ defined in the shorewall-interfaces(5)
+ file. A host-list is comma-separated list whose
+ elements are a host or network address.
+
+
+
+
+ drop
+
+
+ Causes traffic from the listed addresses
+ to be silently dropped.
+
+
+
+
+ dump
+
+
+ Produces a verbose report about the firewall configuration for
+ the purpose of problem analysis.
+
+ The -x option causes actual
+ packet and byte counts to be displayed. Without that option, these
+ counts are abbreviated. The -m
+ option causes any MAC addresses included in Shorewall log messages
+ to be displayed.
+
+
+
+
+ export
+
+
+ If directory1 is omitted, the current
+ working directory is assumed.
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+ Allows a non-root user to compile a shorewall script and stage
+ it on a system (provided that the user has access to the system via
+ ssh). The command is equivalent to:
+
+ /sbin/shorewall compile -edirectory1directory1/firewall &&\
+ scp directory1/firewalldirectory1/firewall.conf [user@]system:[directory2]
+
+ In other words, the configuration in the specified (or
+ defaulted) directory is compiled to a file called firewall in that
+ directory. If compilation succeeds, then firewall and firewall.conf
+ are copied to system using scp.
+
+
+
+
+ forget
+
+
+ Deletes /var/lib/shorewall/filename and
+ /var/lib/shorewall/save. If no filename is
+ given then the file specified by RESTOREFILE in shorewall.conf(5) is
+ assumed.
+
+
+
+
+ help
+
+
+ Displays a syntax summary.
+
+
+
+
+ hits
+
+
+ Generates several reports from Shorewall log messages in the
+ current log file. If the option is included, the
+ reports are restricted to log messages generated today.
+
+
+
+
+ ipcalc
+
+
+ Ipcalc displays the network address, broadcast address,
+ network in CIDR notation and netmask corresponding to the
+ input[s].
+
+
+
+
+ iprange
+
+
+ Iprange decomposes the specified range of IP addresses into
+ the equivalent list of network/host addresses.
+
+
+
+
+ load
+
+
+ If directory is omitted, the current
+ working directory is assumed. Allows a non-root user to compile a
+ shorewall script and install it on a system (provided that the user
+ has root access to the system via ssh). The command is equivalent
+ to:
+
+ /sbin/shorewall compile -edirectorydirectory/firewall &&\
+ scpdirectory/firewalldirectory/firewall.confroot@system:/var/lib/shorewall-lite/ &&\
+ ssh root@system'/sbin/shorewall-lite start'
+
+ In other words, the configuration in the specified (or
+ defaulted) directory is compiled to a file called firewall in that
+ directory. If compilation succeeds, then firewall is copied to
+ system using scp. If the copy succeeds,
+ Shorewall Lite on system is started via
+ ssh.
+
+ If -s is specified and the
+ start command succeeds, then the
+ remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh.
+
+ if -c is included, the
+ command shorewall-lite show capabilities -f
+ > /var/lib/shorewall-lite/capabilities is executed via
+ ssh then the generated file is copied to
+ directory using scp. This step is
+ performed before the configuration is compiled.
+
+ If is included, it specifies that the root
+ user on system is named
+ root-user-name rather than "root".
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+
+
+
+ logdrop
+
+
+ Causes traffic from the listed addresses
+ to be logged then discarded.
+
+
+
+
+ logwatch
+
+
+ Monitors the log file specified by the LOGFILE option in
+ shorewall.conf(5) and
+ produces an audible alarm when new Shorewall messages are logged.
+ The -m option causes the MAC
+ address of each packet source to be displayed if that information is
+ available. The refresh-interval specifies
+ the time in seconds between screen refreshes. You can enter a
+ negative number by preceding the number with "--" (e.g.,
+ shorewall logwatch -- -30). In this case, when a
+ packet count changes, you will be prompted to hit any key to resume
+ screen refreshes.
+
+
+
+
+ logreject
+
+
+ Causes traffic from the listed addresses
+ to be logged then rejected.
+
+
+
+
+ refresh
+
+
+ Shorewall-shell: The rules involving the the black list, ECN
+ control rules, and traffic shaping are recreated to reflect any
+ changes made to your configuration files. Existing connections are
+ untouched.
+
+ Shorewall-perl: All steps performed by
+ restart are performed by
+ refresh with the exception that
+ refresh only recreates the chains specified in
+ the command while restart recreates the entire
+ Netfilter ruleset. If no chain is given,
+ the static blacklisting chain blacklst is assumed.
+
+ Note: Specifying chains in
+ the command requires Shorewall-perl 4.0.3 or later. Earlier versions
+ only refresh the blacklst chain
+
+ The listed chains are assumed to be in the filter table. You
+ can refresh chains in other tables by prefixing the chain name with
+ the table name followed by ":" (e.g., nat:net_dnat). Chain names
+ which follow are assumed to be in that table until the end of the
+ list or until an entry in the list names another table. Built-in
+ chains such as FORWARD may not be refreshed.
+
+ Example:shorewall refresh net2fw nat:net_dnat #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table
+
+ Beginning with Shorewall 4.1, the refresh command has slightly different
+ behavior. When no chain name is given to the refresh command, the mangle table is
+ refreshed along with the blacklist chain (if any). This allows you
+ to modify /etc/shorewall/tcrules and install
+ the changes using refresh.
+
+
+
+
+ reload
+
+
+ If directory is omitted, the current
+ working directory is assumed. Allows a non-root user to compile a
+ shorewall script and install it on a system (provided that the user
+ has root access to the system via ssh). The command is equivalent
+ to:
+
+ /sbin/shorewall compile -edirectorydirectory/firewall &&\
+ scpdirectory/firewalldirectory/firewall.confroot@system:/var/lib/shorewall-lite/ &&\
+ ssh root@system'/sbin/shorewall-lite restart'
+
+ In other words, the configuration in the specified (or
+ defaulted) directory is compiled to a file called firewall in that
+ directory. If compilation succeeds, then firewall is copied to
+ system using scp. If the copy succeeds,
+ Shorewall Lite on system is restarted via
+ ssh.
+
+ If -s is specified and the
+ restart command succeeds, then the
+ remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh.
+
+ if -c is included, the
+ command shorewall-lite show capabilities -f
+ > /var/lib/shorewall-lite/capabilities is executed via
+ ssh then the generated file is copied to
+ directory using scp. This step is performed
+ before the configuration is compiled.
+
+ If is included, it specifies that the root
+ user on system is named
+ root-user-name rather than "root".
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+
+
+
+ reset
+
+
+ All the packet and byte counters in the firewall are
+ reset.
+
+
+
+
+ restart
+
+
+ Restart is similar to shorewall
+ stop followed by shorewall
+ start. Existing connections are maintained. If a
+ directory is included in the command, Shorewall
+ will look in that directory first for
+ configuration files.
+
+ The option causes Shorewall to avoid
+ updating the routing table(s).
+
+ The option causes the connection tracking
+ table to be flushed; the conntrack utility must
+ be installed to use this option.
+
+ The option suppresses the compilation step
+ and simply reused the compiled script which last started/restarted
+ Shorewall.
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+
+ If you use Shorewall's multi-ISP feature, you are stronly
+ advised against using the -C option of the
+ restart command when switching between
+ Shorewall-shell and Shorewall-perl. The only supported way to
+ switch compilers is to shorewall stop followed
+ by shorewall start -C
+ compiler
+
+
+
+
+
+ restore
+
+
+ Restore Shorewall to a state saved using the shorewall save command. Existing connections
+ are maintained. The filename names a restore
+ file in /var/lib/shorewall created using shorewall save; if no
+ filename is given then Shorewall will be
+ restored from the file specified by the RESTOREFILE option in shorewall.conf(5).
+
+
+
+
+ safe-restart
+
+
+ Only allowed if Shorewall is running. The current
+ configuration is saved in /var/lib/shorewall/safe-restart (see the
+ save command below) then a shorewall
+ restart is done. You will then be prompted asking if you
+ want to accept the new configuration or not. If you answer "n" or if
+ you fail to answer within 60 seconds (such as when your new
+ configuration has disabled communication with your terminal), the
+ configuration is restored from the saved configuration. If a
+ directory is given, then Shorewall will look in that directory first
+ when opening configuration files.
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+
+ If you use Shorewall's multi-ISP feature, you are stronly
+ advised against using the -C option of the
+ safe-restart command when switching between
+ Shorewall-shell and Shorewall-perl. The only supported way to
+ switch compilers is to shorewall stop followed
+ by shorewall safe-start -C
+ compiler
+
+
+
+
+
+ safe-start
+
+
+ Shorewall is started normally. You will then be prompted
+ asking if everything went all right. If you answer "n" or if you
+ fail to answer within 60 seconds (such as when your new
+ configuration has disabled communication with your terminal), a
+ shorewall clear is performed for you. If a directory is given, then
+ Shorewall will look in that directory first when opening
+ configuration files.
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+
+
+
+ save
+
+
+ The dynamic blacklist is stored in /var/lib/shorewall/save.
+ The state of the firewall is stored in
+ /var/lib/shorewall/filename for use by the
+ shorewall restore and shorewall -f start commands. If
+ filename is not given then the state is saved
+ in the file specified by the RESTOREFILE option in shorewall.conf(5).
+
+
+
+
+ show
+
+
+ The show command can have a number of different
+ arguments:
+
+
+
+ actions
+
+
+ Produces a report about the available actions (built-in,
+ standard and user-defined).
+
+
+
+
+ capabilities
+
+
+ Displays your kernel/iptables capabilities. The
+ -f option causes the display
+ to be formatted as a capabilities file for use with compile -e.
+
+
+
+
+ [ [ ] chain...
+ ]
+
+
+ The rules in each chain are
+ displayed using the iptables
+ -Lchain-n -v command. If no
+ chain is given, all of the chains in the
+ filter table are displayed. The -x option is passed directly through to
+ iptables and causes actual packet and byte counts to be
+ displayed. Without this option, those counts are abbreviated.
+ The -t option specifies the
+ Netfilter table to display. The default is filter.
+
+ If the t option and the
+ keyword are both omitted and any of the
+ listed chains do not exist, a usage
+ message is displayed.
+
+
+
+
+ classifiers|filters
+
+
+ Displays information about the packet classifiers
+ defined on the system as a result of traffic shaping
+ configuration.
+
+
+
+
+ config
+
+
+ Dispays distribution-specific defaults.
+
+
+
+
+ connections
+
+
+ Displays the IP connections currently being tracked by
+ the firewall.
+
+
+
+
+ log
+
+
+ Displays the last 20 Shorewall messages from the log
+ file specified by the LOGFILE option in shorewall.conf(5). The
+ -m option causes the MAC
+ address of each packet source to be displayed if that
+ information is available.
+
+
+
+
+ macros
+
+
+ Displays information about each macro defined on the
+ firewall system.
+
+
+
+
+ mangle
+
+
+ Displays the Netfilter mangle table using the command
+ iptables -t mangle -L -n
+ -v.The -x option
+ is passed directly through to iptables and causes actual
+ packet and byte counts to be displayed. Without this option,
+ those counts are abbreviated.
+
+
+
+
+ nat
+
+
+ Displays the Netfilter nat table using the command
+ iptables -t nat -L -n -v.The
+ -x option is passed directly
+ through to iptables and causes actual packet and byte counts
+ to be displayed. Without this option, those counts are
+ abbreviated.
+
+
+
+
+ tc
+
+
+ Displays information about queuing disciplines, classes
+ and filters.
+
+
+
+
+ zones
+
+
+ Displays the current composition of the Shorewall zones
+ on the system.
+
+
+
+
+
+
+
+ start
+
+
+ Start shorewall. Existing connections through shorewall
+ managed interfaces are untouched. New connections will be allowed
+ only if they are allowed by the firewall rules or policies. If a
+ directory is included in the command,
+ Shorewall will look in that directory first for
+ configuration files. If -f is
+ specified, the saved configuration specified by the RESTOREFILE
+ option in shorewall.conf(5)
+ will be restored if that saved configuration exists and has been
+ modified more recently than the files in /etc/shorewall. When
+ -f is given, a
+ directory may not be specified.
+
+ The option causes Shorewall to avoid
+ updating the routing table(s).
+
+ The option causes the connection tracking
+ table to be flushed; the conntrack utility must
+ be installed to use this option.
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+
+
+
+ stop
+
+
+ Stops the firewall. All existing connections, except those
+ listed in shorewall-routestopped(5)
+ or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5), are taken down.
+ The only new traffic permitted through the firewall is from systems
+ listed in shorewall-routestopped(5)
+ or by ADMINISABSENTMINDED.
+
+ The option was added in Shorewall 4.0.3.
+ If is given, the command will be processed by
+ the compiled script that executed the last successful start, restart or refresh command if that script exists.
+
+
+
+
+ status
+
+
+ Produces a short report about the state of the
+ Shorewall-configured firewall.
+
+
+
+
+ try
+
+
+ If Shorewall is started then the firewall state is saved to a
+ temporary saved configuration
+ (/var/lib/shorewall/.try). Next, if Shorewall
+ is currently started then a restart
+ command is issued; otherwise, a start command is performed. if an error
+ occurs during the compliation phase of the restart or start, the command terminates without
+ changing the Shorewall state. If an error occurs during the
+ restart phase, then a shorewall restore is performed using the
+ saved configuration. If an error occurs during the start phase, then Shorewall is cleared. If
+ the start/restart succeeds and a
+ timeout is specified then a clear or restore is performed after
+ timeout seconds.
+
+ The option determines the compiler to use
+ (Shorewall-shell or Shorewall-perl). If not specified, the
+ SHOREWALL_COMPILER setting in shorewall.conf(5) determines the
+ compiler to use.
+
+
+
+
+ version
+
+
+ Displays Shorewall's version. If the
+ option is included, the versions of Shorewall-shell and/or
+ Shorewall-perl will also be displayed.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/
+
+
+
+ See ALSO
+
+ http://www.shorewall.net/starting_and_stopping_shorewall.htm
+
+ shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
diff --git a/tools/build/upload b/tools/build/upload
index f521d9c6e..2db98d4a8 100755
--- a/tools/build/upload
+++ b/tools/build/upload
@@ -236,10 +236,12 @@ fi
files="errata known_problems.txt releasenotes.txt patch-*-$1 ${1}.*"
base=
+[ -n "$UPLOAD6" ] && base="shorewall6-${1}.tar.*" && files="$files shorewall6-${1}.* $rpm6"
[ -n "$UPLOADPERL" ] && base="shorewall-perl-${1}.tar.*" && files="$files shorewall-perl-${1}.* $perlrpm"
[ -n "$UPLOADCOMMON" ] && base="$base shorewall-common-${1}.tar.*" && files="$files shorewall-common-${1}.* $rpm"
[ -n "$UPLOADSHELL" ] && base="$base shorewall-shell-${1}.tar.*" && files="$files shorewall-shell-${1}.* $shellrpm"
[ -n "$UPLOADLITE" ] && base="$base shorewall-lite-${1}.tar.*" && files="$files shorewall-lite-${1}.* $literpm"
+[ -n "$UPLOAD6LITE" ] && base="$base shorewall6-lite-${1}.tar.*" && files="$files shorewall6-lite-${1}.* $lite6rpm"
[ -n "$UPLOADXML" ] && base="$base shorewall-docs-xml-${1}.tar.*" && files="$files shorewall-docs-xml-${1}.* $literpm"
[ -n "$UPLOADHTML" ] && base="$base shorewall-docs-html-${1}.tar.*" && files="$files shorewall-docs-html-${1}.* $literpm"