<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall-exclusion</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>exclusion</refname> <refpurpose>Exclude a set of hosts from a definition in a shorewall configuration file.</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <arg choice="plain" rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg> </cmdsynopsis> <cmdsynopsis> <arg choice="plain" rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>The first form of exclusion is used when you wish to exclude one or more addresses from a definition. An exclamation point is followed by a comma-separated list of addresses. The addresses may be single host addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange support, you may also specify ranges of ip addresses of the form <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para> <para>No embedded white-space is allowed.</para> <para>Exclusion can appear after a list of addresses and/or address ranges. In that case, the final list of address is formed by taking the first list and then removing the addresses defined in the exclusion.</para> <para>Beginning in Shorewall 4.4.13, the second form of exclusion is allowed after <emphasis role="bold">all</emphasis> and <emphasis role="bold">any</emphasis> in the SOURCE and DEST columns of /etc/shorewall/rules. It allows you to omit arbitrary zones from the list generated by those key words.</para> <warning> <para>If you omit a sub-zone and there is an explicit or explicit CONTINUE policy, a connection to/from that zone can still be matched by the rule generated for a parent zone.</para> <para>For example:</para> <blockquote> <para>/etc/shorewall/zones:</para> <programlisting>#ZONE TYPE z1 ip z2:z1 ip ...</programlisting> <para>/etc/shorewall/policy:</para> <programlisting>#SOURCE DEST POLICY z1 net CONTINUE z2 net REJECT</programlisting> <para>/etc/shorewall/rules:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST # PORT(S) ACCEPT all!z2 net tcp 22</programlisting> <para>In this case, SSH connections from <emphasis role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will be accepted by the generated <emphasis role="bold">z1</emphasis> to net ACCEPT rule.</para> </blockquote> </warning> <para>In most contexts, ipset names can be used as an <replaceable>address-or-range</replaceable>. Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink url="shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics of these lists when used in an exclusion are as follows:</para> <itemizedlist> <listitem> <para>!+[<replaceable>set1</replaceable>,<replaceable>set2</replaceable>,...<replaceable>setN</replaceable>] produces a packet match if the packet does not match at least one of the sets. In other words, it is like NOT match <replaceable>set1</replaceable> OR NOT match <replaceable>set2</replaceable> ... OR NOT match <replaceable>setN</replaceable>.</para> </listitem> <listitem> <para>+[!<replaceable>set1</replaceable>,!<replaceable>set2</replaceable>,...!<replaceable>setN</replaceable>] produces a packet match if the packet does not match any of the sets. In other words, it is like NOT match <replaceable>set1</replaceable> AND NOT match <replaceable>set2</replaceable> ... AND NOT match <replaceable>setN</replaceable>.</para> </listitem> </itemizedlist> </refsect1> <refsect1> <title>Examples</title> <variablelist> <varlistentry> <term>Example 1 - All IPv4 addresses except 192.168.3.4</term> <listitem> <para>!192.168.3.4</para> </listitem> </varlistentry> <varlistentry> <term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24 and the host 10.2.3.4</term> <listitem> <para>!192.168.1.0/24,10.1.3.4</para> </listitem> </varlistentry> <varlistentry> <term>Example 3 - All IPv4 addresses except the range 192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term> <listitem> <para>!192.168.1.3-192.168.1.12,10.0.0.0/8</para> </listitem> </varlistentry> <varlistentry> <term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3 and 192.168.1.9</term> <listitem> <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para> </listitem> </varlistentry> <varlistentry> <term>Example 5 - All parent zones except loc</term> <listitem> <para>any!loc</para> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall/hosts</para> <para>/etc/shorewall/masq</para> <para>/etc/shorewall/rules</para> <para>/etc/shorewall/tcrules</para> </refsect1> <refsect1> <title>See ALSO</title> <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> </refsect1> </refentry>