2004-03-15 19:47:21 +01:00
|
|
|
#
|
|
|
|
# Shorewall version 2.0 - Traffic Control Rules File
|
|
|
|
#
|
|
|
|
# /etc/shorewall/tcrules
|
|
|
|
#
|
|
|
|
# Entries in this file cause packets to be marked as a means of
|
|
|
|
# classifying them for traffic control or policy routing.
|
|
|
|
#
|
|
|
|
# I M P O R T A N T ! ! ! !
|
|
|
|
#
|
|
|
|
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
|
|
|
|
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
|
|
|
|
#
|
2004-09-30 16:31:35 +02:00
|
|
|
# Unlike rules in the /etc/shorewall/rules file, evaluation
|
|
|
|
# of rules in this file will continue after a match. So the
|
|
|
|
# final mark for each packet will be the one assigned by the
|
|
|
|
# LAST tcrule that matches.
|
|
|
|
#
|
2004-03-15 19:47:21 +01:00
|
|
|
# Columns are:
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MARK The mark value which is an
|
|
|
|
# integer in the range 1-255
|
|
|
|
#
|
|
|
|
# May optionally be followed by ":P" or ":F"
|
|
|
|
# where ":P" indicates that marking should occur in
|
|
|
|
# the PREROUTING chain and ":F" indicates that marking
|
|
|
|
# should occur in the FORWARD chain. If neither
|
|
|
|
# ":P" nor ":F" follow the mark value then the chain is
|
|
|
|
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
|
|
|
# /etc/shorewall/shorewall.conf.
|
|
|
|
#
|
|
|
|
# SOURCE Source of the packet. A comma-separated list of
|
|
|
|
# interface names, IP addresses, MAC addresses
|
|
|
|
# and/or subnets. Use $FW if the packet originates on
|
|
|
|
# the firewall in which case the MARK column may NOT
|
|
|
|
# specify either ":P" or ":F" (marking always occurs
|
|
|
|
# in the OUTPUT chain).
|
|
|
|
#
|
|
|
|
# MAC addresses must be prefixed with "~" and use
|
|
|
|
# "-" as a separator.
|
|
|
|
#
|
|
|
|
# Example: ~00-A0-C9-15-39-78
|
|
|
|
#
|
|
|
|
# DEST Destination of the packet. Comma separated list of
|
|
|
|
# IP addresses and/or subnets.
|
|
|
|
#
|
|
|
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
|
|
|
# or "all".
|
|
|
|
#
|
|
|
|
# PORT(S) Destination Ports. A comma-separated list of Port
|
|
|
|
# names (from /etc/services), port numbers or port
|
|
|
|
# ranges; if the protocol is "icmp", this column is
|
|
|
|
# interpreted as the destination icmp-type(s).
|
|
|
|
#
|
|
|
|
# This column is ignored if PROTOCOL = all but must be
|
|
|
|
# entered if any of the following field is supplied.
|
|
|
|
# In that case, it is suggested that this field contain
|
|
|
|
# "-"
|
|
|
|
#
|
|
|
|
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
|
|
|
# any source port is acceptable. Specified as a comma-
|
|
|
|
# separated list of port names, port numbers or port
|
|
|
|
# ranges.
|
|
|
|
#
|
|
|
|
# USER This column may only be non-empty if the SOURCE is
|
|
|
|
# the firewall itself.
|
|
|
|
#
|
|
|
|
# When this column is non-empty, the rule applies only
|
|
|
|
# if the program generating the output is running under
|
|
|
|
# the effective user and/or group.
|
|
|
|
#
|
|
|
|
# It may contain :
|
|
|
|
#
|
|
|
|
# [<user name or number>]:[<group name or number>]
|
|
|
|
#
|
|
|
|
# The colon is optionnal when specifying only a user.
|
|
|
|
# Examples : john: / john / :users / john:users
|
|
|
|
#
|
|
|
|
##############################################################################
|
|
|
|
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
|
|
|
# PORT(S)
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|