# # Shorewall version 2.6 - Tcrules File # # /etc/shorewall/tcrules # # Entries in this file cause packets to be marked as a means of # classifying them for traffic control or policy routing. # # I M P O R T A N T ! ! ! ! # # FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET # TC_ENABLED=Yes in /etc/shorewall/shorewall.conf # # Unlike rules in the /etc/shorewall/rules file, evaluation # of rules in this file will continue after a match. So the # final mark for each packet will be the one assigned by the # LAST tcrule that matches. # # If you use multiple internet providers with the 'track' option, # in /etc/shorewall/providers be sure to read the restrictions at # http://shorewall.net/Shorewall_and_Routing.html. # # Columns are: # # # MARK/ a) A mark value which is an integer in the range 1-255 # CLASSIFY # May optionally be followed by ":P" or ":F" # where ":P" indicates that marking should occur in # the PREROUTING chain and ":F" indicates that marking # should occur in the FORWARD chain. If neither # ":P" nor ":F" follow the mark value then the chain # is determined by the setting of # MARK_IN_FORWARD_CHAIN in # /etc/shorewall/shorewall.conf. # # If your kernel and iptables include CONNMARK support # then you can also mark the connection rather than # the packet. # # The mark value may be optionally followed by "/" # and a mask value (used to determine those bits of # the connection mark to actually be set). The # mark and optional mask are then followed by one of: # # C - Mark the connection in the chain determined # by the setting of MARK_IN_FORWARD_CHAIN # # CF: Mark the connection in the FORWARD chain # # CP: Mark the connection in the PREROUTING # chain. # # b) A classification of the form <major>:<minor> where # <major> and <minor> are integers. Corresponds to # the 'class' specification in these traffic shaping # modules: # # - atm # - cbq # - dsmark # - pfifo_fast # - htb # - prio # # Classify always occurs in the POSTROUTING chain. # # c) RESTORE[/mask] -- restore the packet's mark from the # connection's mark using the supplied mask if any. # Your kernel and iptables must include CONNMARK # support. # # As in a) above, may be followed by ":P" or ":F # # c) SAVE[/mask] -- save the packet's mark to the # connection's mark using the supplied mask if any. # Your kernel and iptables must include CONNMARK # support. # # As in a) above, may be followed by ":P" or ":F # # d) CONTINUE -- don't process any more marking rules in # the table. # # As in a) above, may be followed by ":P" or ":F". # # SOURCE Source of the packet. A comma-separated list of # interface names, IP addresses, MAC addresses # and/or subnets. If your kernel and iptables include # iprange match support, IP address ranges are also # allowed. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT # specify either ":P" or ":F" (marking always occurs # in the OUTPUT chain). $FW may be optionally followed # by ":" and a host/network address. # # MAC addresses must be prefixed with "~" and use # "-" as a separator. # # Example: ~00-A0-C9-15-39-78 # # DEST Destination of the packet. Comma separated list of # IP addresses and/or subnets. If your kernel and # iptables include iprange match support, IP address # ranges are also allowed. # # If the MARK column specificies a classification of # the form <major>:<minor> then this column may also # contain an interface name. # # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", # a number, or "all". "ipp2p" requires ipp2p match # support in your kernel and iptables. # # PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # # If the protocol is ipp2p, this column is interpreted # as an ipp2p option without the leading "--" (example # "bit" for bit-torrent). If no PORT is given, "ipp2p" is # assumed. # # This column is ignored if PROTOCOL = all but must be # entered if any of the following field is supplied. # In that case, it is suggested that this field contain # "-" # # SOURCE PORT(S) (Optional) Source port(s). If omitted, # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. # # USER This column may only be non-empty if the SOURCE is # the firewall itself. # # When this column is non-empty, the rule applies only # if the program generating the output is running under # the effective user and/or group. # # It may contain : # # [<user name or number>]:[<group name or number>][+<program name>] # # The colon is optionnal when specifying only a user # or a program name. # Examples : john: , john , :users , john:users , # +mozilla-bin # # TEST Defines a test on the existing packet or connection # mark. The rule will match only if the test returns # true. Tests have the format [!]<value>[/<mask>][:C] # # Where: # # ! Inverts the test (not equal) # <value> Value of the packet or connection mark. # <mask> A mask to be applied to the mark before # testing # :C Designates a connection mark. If # omitted, the packet mark's value is # tested. # # See http://shorewall.net/traffic_shaping.htm for additional information. ############################################################################### #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE