# # Shorewall version 2.1 - Traffic Control Rules File # # /etc/shorewall/tcrules # # Entries in this file cause packets to be marked as a means of # classifying them for traffic control or policy routing. # # I M P O R T A N T ! ! ! ! # # FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET # TC_ENABLED=Yes in /etc/shorewall/shorewall.conf # # Unlike rules in the /etc/shorewall/rules file, evaluation # of rules in this file will continue after a match. So the # final mark for each packet will be the one assigned by the # LAST tcrule that matches. # # Columns are: # # # MARK/ a) A mark value which is a integer in the range 1-255 # CLASSIFY # May optionally be followed by ":P" or ":F" # where ":P" indicates that marking should occur in # the PREROUTING chain and ":F" indicates that marking # should occur in the FORWARD chain. If neither # ":P" nor ":F" follow the mark value then the chain is # determined by the setting of MARK_IN_FORWARD_CHAIN in # /etc/shorewall/shorewall.conf. # # b) A classification of the form : where # and are integers. Corresponds to # the 'class' specification in these traffic shaping # modules: # # - atm # - cbq # - dsmark # - pfifo_fast # - htb # - prio # # Marking always occurs in the POSTROUTING chain. # # SOURCE Source of the packet. A comma-separated list of # interface names, IP addresses, MAC addresses # and/or subnets. If your kernel and iptables include # iprange match support, IP address ranges are also # allowed. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT # specify either ":P" or ":F" (marking always occurs # in the OUTPUT chain). # # MAC addresses must be prefixed with "~" and use # "-" as a separator. # # Example: ~00-A0-C9-15-39-78 # # DEST Destination of the packet. Comma separated list of # IP addresses and/or subnets. If your kernel and # iptables include iprange match support, IP address # ranges are also allowed. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # or "all". # # PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # # This column is ignored if PROTOCOL = all but must be # entered if any of the following field is supplied. # In that case, it is suggested that this field contain # "-" # # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. # # USER This column may only be non-empty if the SOURCE is # the firewall itself. # # When this column is non-empty, the rule applies only # if the program generating the output is running under # the effective user and/or group. # # It may contain : # # []:[] # # The colon is optionnal when specifying only a user. # Examples : john: / john / :users / john:users # ############################################################################## #MARK SOURCE DEST PROTO PORT(S) CLIENT USER # PORT(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE