<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall-routestopped</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>routestopped</refname> <refpurpose>The Shorewall file that governs what traffic flows through the firewall while it is in the 'stopped' state.</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>/etc/shorewall/routestopped</command> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>This file is used to define the hosts that are accessible when the firewall is stopped or is being stopped.</para> <warning> <para>Changes to this file do not take effect until after the next <command>shorewall start</command> or <command>shorewall restart</command> command.</para> </warning> <para>The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).</para> <variablelist> <varlistentry> <term><emphasis role="bold">INTERFACE</emphasis> - <emphasis>interface</emphasis></term> <listitem> <para>Interface through which host(s) communicate with the firewall</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">HOST(S)</emphasis> (hosts) - [<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term> <listitem> <para>Optional. Comma-separated list of IP/subnet addresses. If your kernel and iptables include iprange match support, IP address ranges are also allowed.</para> <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis role="bold">,</emphasis><emphasis>option</emphasis>]...]</term> <listitem> <para>Optional. A comma-separated list of options. The order of the options is not important but the list can contain no embedded whitespace. The currently-supported options are:</para> <variablelist> <varlistentry> <term><emphasis role="bold">routeback</emphasis></term> <listitem> <para>Set up a rule to ACCEPT traffic from these hosts back to themselves. Beginning with Shorewall 4.4.9, this option is automatically set if <emphasis role="bold">routeback</emphasis> is specified in <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) or if the rules compiler detects that the interface is a bridge.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">source</emphasis></term> <listitem> <para>Allow traffic from these hosts to ANY destination. Without this option or the <emphasis role="bold">dest</emphasis> option, only traffic from this host to other listed hosts (and the firewall) is allowed. If <emphasis role="bold">source</emphasis> is specified then <emphasis role="bold">routeback</emphasis> is redundant.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">dest</emphasis></term> <listitem> <para>Allow traffic to these hosts from ANY source. Without this option or the <emphasis role="bold">source</emphasis> option, only traffic from this host to other listed hosts (and the firewall) is allowed. If <emphasis role="bold">dest</emphasis> is specified then <emphasis role="bold">routeback</emphasis> is redundant.</para> </listitem> </varlistentry> <varlistentry> <term>notrack</term> <listitem> <para>The traffic will be exempted from conntection tracking.</para> </listitem> </varlistentry> </variablelist> </listitem> </varlistentry> <varlistentry> <term>PROTO (Optional) ‒ <replaceable>protocol-name-or-number</replaceable></term> <listitem> <para>Protocol.</para> </listitem> </varlistentry> <varlistentry> <term>DEST PORT(S) (dport) ‒ <replaceable>service-name/port-number-list</replaceable></term> <listitem> <para>Optional. A comma-separated list of port numbers and/or service names from <filename>/etc/services</filename>. May also include port ranges of the form <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> if your kernel and iptables include port range support.</para> </listitem> </varlistentry> <varlistentry> <term>SOURCE PORT(S) (sport) ‒ <replaceable>service-name/port-number-list</replaceable></term> <listitem> <para>Optional. A comma-separated list of port numbers and/or service names from <filename>/etc/services</filename>. May also include port ranges of the form <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> if your kernel and iptables include port range support.</para> </listitem> </varlistentry> </variablelist> <note> <para>The <emphasis role="bold">source</emphasis> and <emphasis role="bold">dest</emphasis> options work best when used in conjunction with ADMINISABSENTMINDED=Yes in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> </note> </refsect1> <refsect1> <title>Example</title> <variablelist> <varlistentry> <term>Example 1:</term> <listitem> <programlisting> #INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE # PORT(S) PORT(S) eth2 192.168.1.0/24 eth0 192.0.2.44 br0 - routeback eth3 - source eth4 - notrack 41</programlisting> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall/routestopped</para> </refsect1> <refsect1> <title>See ALSO</title> <para><ulink url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para> <para><ulink url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para> <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> </refsect1> </refentry>