<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall-rules</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>rules</refname>

    <refpurpose>Shorewall rules file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/rules</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Entries in this file govern connection establishment by defining
    exceptions to the policies layed out in <ulink
    url="shorewall-policy.html">shorewall-policy</ulink>(5). By default,
    subsequent requests and responses are automatically allowed using
    connection tracking. For any particular (source,dest) pair of zones, the
    rules are evaluated in the order in which they appear in this file and the
    first terminating match is the one that determines the disposition of the
    request. All rules are terminating except LOG and COUNT rules.</para>

    <warning>
      <para>If you masquerade or use SNAT from a local system to the internet,
      you cannot use an ACCEPT rule to allow traffic from the internet to that
      system. You <emphasis role="bold">must</emphasis> use a DNAT rule
      instead.</para>
    </warning>

    <para>The rules file is divided into sections. Each section is introduced
    by a "Section Header" which is a line beginning with SECTION and followed
    by the section name.</para>

    <para>Sections are as follows and must appear in the order listed:</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">BLACKLIST</emphasis></term>

        <listitem>
          <para>This section was added in Shorewall 4.4.25.</para>

          <para>Rules in this section are applied depending on the setting of
          BLACKLISTNEWONLY in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5). If
          BLACKLISTNEWONLY=No, then they are applied regardless of the
          connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
          they are applied to connections in the NEW and INVALID
          states.</para>

          <para>When there are rules in this sectionas well as in
          shorewall-blrules (5), those in this section are processed
          last.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">ALL</emphasis></term>

        <listitem>
          <para>This section was added in Shorewall 4.4.23. Rules in this
          section are applied, regardless of the connection tracking state of
          the packet.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">ESTABLISHED</emphasis></term>

        <listitem>
          <para>Packets in the ESTABLISHED state are processed by rules in
          this section.</para>

          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
          REJECT, LOG and QUEUE</para>

          <para>There is an implicit ACCEPT rule inserted at the end of this
          section.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">RELATED</emphasis></term>

        <listitem>
          <para>Packets in the RELATED state are processed by rules in this
          section.</para>

          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
          REJECT, LOG and QUEUE</para>

          <para>There is an implicit ACCEPT rule inserted at the end of this
          section.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">NEW</emphasis></term>

        <listitem>
          <para>Packets in the NEW, INVALID and UNTRACKED states are processed
          by rules in this section.</para>
        </listitem>
      </varlistentry>
    </variablelist>

    <note>
      <para>If you are not familiar with Netfilter to the point where you are
      comfortable with the differences between the various connection tracking
      states, then it is suggested that you omit the <emphasis
      role="bold">ESTABLISHED</emphasis> and <emphasis
      role="bold">RELATED</emphasis> sections and place all of your
      non-blacklisting rules in the NEW section (That's after the line that
      reads SECTION NEW').</para>
    </note>

    <warning>
      <para>If you specify FASTACCEPT=Yes in <ulink
      url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
      role="bold">BLACKLIST, ALL, ESTABLISHED</emphasis> and <emphasis
      role="bold">RELATED</emphasis> sections must be empty.</para>

      <para>An except is made if you are running Shorewall 4.4.27 or later and
      you have specified a non-defualt value for RELATED_DISPOSITION or
      RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED
      section of this file.</para>
    </warning>

    <para>You may omit any section that you don't need. If no Section Headers
    appear in the file then all rules are assumed to be in the NEW
    section.</para>

    <para>When defining rules that rewrite the destination IP address and/or
    port number (namely DNAT and REDIRECT rules), it is important to keep
    straight which columns in the file specify the packet before rewriting and
    which specify how the packet will look after rewriting.</para>

    <itemizedlist>
      <listitem>
        <para>The DEST column specifies the final destination for the packet
        after rewriting and can include the final IP address and/or port
        number.</para>
      </listitem>

      <listitem>
        <para>The remaining columns specify characteristics of the packet
        before rewriting. In particular, the ORIGINAL DEST column gives the
        original destination IP address of the packet and the DEST PORT(S)
        column give the original destination port(s).</para>
      </listitem>
    </itemizedlist>

    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis> - <emphasis
        role="bold"><replaceable>target</replaceable>[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
        role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
        role="bold">!</emphasis></emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>tag</emphasis>]]</term>

        <listitem>
          <para>Specifies the action to be taken if the connection request
          matches the rule. <replaceable>target</replaceable> must be one of
          the following.</para>

          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">ACCEPT</emphasis></term>

              <listitem>
                <para>Allow the connection request.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">ACCEPT+</emphasis></term>

              <listitem>
                <para>like ACCEPT but also excludes the connection from any
                subsequent matching <emphasis
                role="bold">DNAT</emphasis>[<emphasis
                role="bold">-</emphasis>] or <emphasis
                role="bold">REDIRECT</emphasis>[<emphasis
                role="bold">-</emphasis>] rules. Not available in the
                <emphasis role="bold">BLACKLIST</emphasis> section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">ACCEPT!</emphasis></term>

              <listitem>
                <para>like ACCEPT but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
                available in the <emphasis role="bold">BLACKLIST</emphasis>
                section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
                ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
                in the kernel and iptables. A_ACCEPT+ and A_ACCEPT! are not
                available in the <emphasis role="bold">BLACKLIST</emphasis>
                section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">NONAT</emphasis></term>

              <listitem>
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
                a rule to accept the traffic. Not available in the <emphasis
                role="bold">BLACKLIST</emphasis> section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>

              <listitem>
                <para>Ignore the request.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">DROP!</emphasis></term>

              <listitem>
                <para>like DROP but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
                available in the <emphasis role="bold">BLACKLIST</emphasis>
                section. Not available in the <emphasis
                role="bold">BLACKLIST</emphasis> section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>A_DROP and A_DROP!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of DROP and
                DROP! respectively. Require AUDIT_TARGET support in the kernel
                and iptables. A_DROP! is not available in the <emphasis
                role="bold">BLACKLIST</emphasis> section. A_DROP! is not
                available in the <emphasis role="bold">BLACKLIST</emphasis>
                section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">REJECT</emphasis></term>

              <listitem>
                <para>disallow the request and return an icmp-unreachable or
                an RST packet.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">REJECT!</emphasis></term>

              <listitem>
                <para>like REJECT but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
                available in the <emphasis role="bold">BLACKLIST</emphasis>
                section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>A_REJECT AND A_REJECT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of REJECT
                and REJECT! respectively. Require AUDIT_TARGET support in the
                kernel and iptables. A_REJECT! is not available in the
                <emphasis role="bold">BLACKLIST</emphasis> section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">DNAT</emphasis></term>

              <listitem>
                <para>Forward the request to another system (and optionally
                another port).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">DNAT-</emphasis></term>

              <listitem>
                <para>Advanced users only.</para>

                <para>Like <emphasis role="bold">DNAT</emphasis> but only
                generates the <emphasis role="bold">DNAT</emphasis> iptables
                rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule. Not available in the
                <emphasis role="bold">BLACKLIST</emphasis> section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">REDIRECT</emphasis></term>

              <listitem>
                <para>Redirect the request to a server running on the
                firewall.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">REDIRECT-</emphasis></term>

              <listitem>
                <para>Advanced users only.</para>

                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                generates the <emphasis role="bold">REDIRECT</emphasis>
                iptables rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule. Not available in the
                <emphasis role="bold">BLACKLIST</emphasis> section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>

              <listitem>
                <para>For experts only.</para>

                <para>Do not process any of the following rules for this
                (source zone,destination zone). If the source and/or
                destination IP address falls into a zone defined later in
                <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5)
                or in a parent zone of the source or destination zones, then
                this connection request will be passed to the rules defined
                for that (those) zone(s). See <ulink
                url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
                additional information.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">CONTINUE!</emphasis></term>

              <listitem>
                <para>like CONTINUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
                available in the <emphasis role="bold">BLACKLIST</emphasis>
                section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">LOG</emphasis></term>

              <listitem>
                <para>Simply log the packet and continue with the next
                rule.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>

              <listitem>
                <para>Queue the packet to a user-space application such as
                ftwall (http://p2pwall.sf.net). The application may reinsert
                the packet for further processing.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">QUEUE!</emphasis></term>

              <listitem>
                <para>like QUEUE but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
                available in the <emphasis role="bold">BLACKLIST</emphasis>
                section.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>

              <listitem>
                <para>queues matching packets to a backend logging daemon via
                a netlink socket then continues to the next rule. See <ulink
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
                <replaceable>queuenumber</replaceable> is not specified, queue
                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">COUNT</emphasis></term>

              <listitem>
                <para>Simply increment the rule's packet and byte count and
                pass the packet to the next rule.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">COMMENT</emphasis></term>

              <listitem>
                <para>the rest of the line will be attached as a comment to
                the Netfilter rule(s) generated by the following entries. The
                comment will appear delimited by "/* ... */" in the output of
                "shorewall show &lt;chain&gt;". To stop the comment from being
                attached to further rules, simply include COMMENT on a line by
                itself.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis>action</emphasis></term>

              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
                in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis>macro</emphasis><emphasis
              role="bold">[(<replaceable>macrotarget</replaceable>)]</emphasis></term>

              <listitem>
                <para>The name of a macro defined in a file named
                macro.<emphasis>macro</emphasis>. If the macro accepts an
                action parameter (Look at the macro source to see if it has
                PARAM in the TARGET column) then the
                <emphasis>macro</emphasis> name is followed by the
                parenthesized <emphasis>macrotarget</emphasis> (<emphasis
                role="bold">ACCEPT</emphasis>, <emphasis
                role="bold">DROP</emphasis>, <emphasis
                role="bold">REJECT</emphasis>, ...) to be substituted for the
                parameter.</para>

                <para>Example: FTP(ACCEPT).</para>

                <para>The older syntax where the macro name and the target are
                separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
                deprecated.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
                numbers to be added to the named
                <replaceable>ipset</replaceable>. The
                <replaceable>flags</replaceable> specify the address or tupple
                to be added to the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be added using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -A command in
                ipset (8)).</para>

                <para>ADD is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
                from the named <replaceable>ipset</replaceable>. The
                <replaceable>flags</replaceable> specify the address or tupple
                to be deleted from the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be deletec using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -D command in
                ipset (8)).</para>

                <para>DEL is non-terminating. Even if a packet matches the
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">WHITELIST</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.25. May only appear in the
                <emphasis role="bold">BLACKLIST</emphasis> section and exempts
                the packet from following rules in that section.</para>
              </listitem>
            </varlistentry>
          </variablelist>

          <para>The <replaceable>target</replaceable> may optionally be
          followed by ":" and a syslog log level (e.g, REJECT:info or
          Web(ACCEPT):debug). This causes the packet to be logged at the
          specified level. Note that if the <emphasis
          role="bold">ACTION</emphasis> involves destination network address
          translation (DNAT, REDIRECT, etc.) then the packet is logged
          <emphasis role="bold">before</emphasis> the destination address is
          rewritten.</para>

          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
          url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
          /usr/share/shorewall/actions.std then:</para>

          <itemizedlist>
            <listitem>
              <para>If the log level is followed by "!' then all rules in the
              action are logged at the log level.</para>
            </listitem>

            <listitem>
              <para>If the log level is not followed by "!" then only those
              rules in the action that do not specify logging are logged at
              the specified level.</para>
            </listitem>

            <listitem>
              <para>The special log level <emphasis
              role="bold">none!</emphasis> suppresses logging by the
              action.</para>
            </listitem>
          </itemizedlist>

          <para>You may also specify <emphasis role="bold">ULOG</emphasis> or
          <emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
          log level.This will log to the ULOG or NFLOG target for routing to a
          separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>

          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
          generated by the LOGPREFIX (in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>

          <para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
          the log prefix generated by the LOGPREFIX setting.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">any</emphasis>}[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>

        <listitem>
          <para>Source hosts to which the rule applies. May be a
          <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
          <emphasis role="bold">$FW</emphasis> to indicate the firewall
          itself, <emphasis role="bold">all</emphasis>, <emphasis
          role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
          <emphasis role="bold">all+-</emphasis> or <emphasis
          role="bold">none</emphasis>.</para>

          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
          <replaceable>zone-list</replaceable> may be optionally followed by
          "+" to indicate that the rule is to apply to intra-zone traffic as
          well as inter-zone traffic.</para>

          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>

          <para><emphasis role="bold">all</emphasis> means "All Zones",
          including the firewall itself. <emphasis role="bold">all-</emphasis>
          means "All Zones, except the firewall itself". When <emphasis
          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
          used either in the <emphasis role="bold">SOURCE</emphasis> or
          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
          <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
          <emphasis role="bold">any</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          specified, clients may be further restricted to a list of networks
          and/or hosts by appending ":" and a comma-separated list of network
          and/or host addresses. Hosts may be specified by IP or MAC address;
          mac addresses must begin with "~" and must use "-" as a
          separator.</para>

          <para>The above restriction on <emphasis
          role="bold">all</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
          <emphasis role="bold">any</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          removed in Shorewall-4.4.13.</para>

          <para><emphasis role="bold">any</emphasis> is equivalent to
          <emphasis role="bold">all</emphasis> when there are no nested zones.
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones). Note
          that <emphasis role="bold">any</emphasis> excludes all vserver
          zones, since those zones are nested within the firewall zone.</para>

          <para>Hosts may also be specified as an IP address range using the
          syntax
          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
          This requires that your kernel and iptables contain iprange match
          support. If your kernel and iptables have ipset match support then
          you may give the name of an ipset prefaced by "+". The ipset name
          may be optionally followed by a number from 1 to 6 enclosed in
          square brackets ([]) to indicate the number of levels of source
          bindings to be matched.</para>

          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
          firewall interface can be specified by an apersand ('&amp;')
          followed by the logican name of the interface as found in the
          INTERFACE column of <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
          (5).</para>

          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

          <para>Examples:</para>

          <variablelist>
            <varlistentry>
              <term>dmz:192.168.2.2</term>

              <listitem>
                <para>Host 192.168.2.2 in the DMZ</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>net:155.186.235.0/24</term>

              <listitem>
                <para>Subnet 155.186.235.0/24 on the Internet</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>loc:192.168.1.1,192.168.1.2</term>

              <listitem>
                <para>Hosts 192.168.1.1 and 192.168.1.2 in the local
                zone.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>loc:~00-A0-C9-15-39-78</term>

              <listitem>
                <para>Host in the local zone with MAC address
                00:A0:C9:15:39:78.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>net:192.0.2.11-192.0.2.17</term>

              <listitem>
                <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>net:!192.0.2.11-192.0.2.17</term>

              <listitem>
                <para>All hosts in the net zone except for
                192.0.2.11-192.0.2.17.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>net:155.186.235.0/24!155.186.235.16/28</term>

              <listitem>
                <para>Subnet 155.186.235.0/24 on the Internet except for
                155.186.235.16/28</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>$FW:&amp;eth0</term>

              <listitem>
                <para>The primary IP address of eth0 in the firewall zone
                (Shorewall 4.4.17 and later).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">any</emphasis>}[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
        role="bold">random</emphasis>]]</term>

        <listitem>
          <para>Location of Server. May be a zone declared in <ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
          role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
          role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
          <emphasis role="bold">none</emphasis>.</para>

          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
          <replaceable>zone-list</replaceable> may be optionally followed by
          "+" to indicate that the rule is to apply to intra-zone traffic as
          well as inter-zone traffic.</para>

          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>

          <para>When <emphasis role="bold">all</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column intra-zone traffic is not
          affected. When <emphasis role="bold">all+</emphasis> is used,
          intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
          exclusion is supported -- see see <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

          <para><emphasis role="bold">any</emphasis> is equivalent to
          <emphasis role="bold">all</emphasis> when there are no nested zones.
          When there are nested zones, <emphasis role="bold">any</emphasis>
          only refers to top-level zones (those with no parent zones).</para>

          <para>The <replaceable>zone</replaceable> should be omitted in
          DNAT-, REDIRECT- and NONAT rules.</para>

          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
              <listitem>
                <para>the SOURCE must be <option>all[+][-]</option>, or</para>
              </listitem>

              <listitem>
                <para>the SOURCE <replaceable>zone</replaceable> must be
                another bport zone associated with the same bridge, or</para>
              </listitem>

              <listitem>
                <para>the SOURCE <replaceable>zone</replaceable> must be an
                ipv4 zone that is associated with only the same bridge.</para>
              </listitem>
            </orderedlist></para>

          <blockquote>
            <para></para>

            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
            further restricted to a particular network, host or interface by
            appending ":" and the network, host or interface. See <emphasis
            role="bold">SOURCE</emphasis> above.</para>

            <para>You may exclude certain hosts from the set already defined
            through use of an <emphasis>exclusion</emphasis> (see <ulink
            url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

            <para>Restrictions:</para>

            <para>1. MAC addresses are not allowed (this is a Netfilter
            restriction).</para>

            <para>2. You may not specify both an interface and an
            address.</para>

            <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
            you may specify a range of IP addresses using the syntax
            <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
            When the <emphasis role="bold">ACTION</emphasis> is <emphasis
            role="bold">DNAT</emphasis> or <emphasis
            role="bold">DNAT-</emphasis>, the connections will be assigned to
            addresses in the range in a round-robin fashion.</para>

            <para>If you kernel and iptables have ipset match support then you
            may give the name of an ipset prefaced by "+". The ipset name may
            be optionally followed by a number from 1 to 6 enclosed in square
            brackets ([]) to indicate the number of levels of destination
            bindings to be matched. Only one of the <emphasis
            role="bold">SOURCE</emphasis> and <emphasis
            role="bold">DEST</emphasis> columns may specify an ipset
            name.</para>

            <para>Beginning with Shorewall 4.4.17, the primary IP address of a
            firewall interface can be specified by an apersand ('&amp;')
            followed by the logical name of the interface as found in the
            INTERFACE column of <ulink
            url="shorewall-interfaces.html">shorewall-interfaces</ulink>
            (5).</para>

            <para>The <replaceable>port</replaceable> that the server is
            listening on may be included and separated from the server's IP
            address by ":". If omitted, the firewall will not modifiy the
            destination port. A destination port may only be included if the
            <emphasis role="bold">ACTION</emphasis> is <emphasis
            role="bold">DNAT</emphasis> or <emphasis
            role="bold">REDIRECT</emphasis>.</para>

            <variablelist>
              <varlistentry>
                <term>Example:</term>

                <listitem>
                  <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
                  specifies a local server at IP address 192.168.1.3 and
                  listening on port 3128.</para>
                </listitem>
              </varlistentry>
            </variablelist>

            <para>The <emphasis>port</emphasis> may be specified as a service
            name. You may specify a port range in the form
            <emphasis>lowport-highport</emphasis> to cause connections to be
            assigned to ports in the range in round-robin fashion. When a port
            range is specified, <emphasis>lowport</emphasis> and
            <emphasis>highport</emphasis> must be given as integers; service
            names are not permitted. Additionally, the port range may be
            optionally followed by <emphasis role="bold">:random</emphasis>
            which causes assignment to ports in the list to be random.</para>

            <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
            role="bold">REDIRECT</emphasis> or <emphasis
            role="bold">REDIRECT-</emphasis>, this column needs only to
            contain the port number on the firewall that the request should be
            redirected to. That is equivalent to specifying
            <option>$FW</option>::<replaceable>port</replaceable>.</para>
          </blockquote>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis>- {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">tcp:syn</emphasis>|<emphasis
        role="bold">ipp2p</emphasis>|<emphasis
        role="bold">ipp2p:udp</emphasis>|<emphasis
        role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
        role="bold">all}</emphasis></term>

        <listitem>
          <para>Optional Protocol - <emphasis role="bold">ipp2p</emphasis>*
          requires ipp2p match support in your kernel and iptables. <emphasis
          role="bold">tcp:syn</emphasis> implies <emphasis
          role="bold">tcp</emphasis> plus the SYN flag must be set and the
          RST,ACK and FIN flags must be reset.</para>

          <para>Beginning with Shorewall 4.4.19, this column can contain a
          comma-separated list of protocol-numbers and/or protocol
          names.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
        {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>

        <listitem>
          <para>Optional destination Ports. A comma-separated list of Port
          names (from services(5)), port numbers or port ranges; if the
          protocol is <emphasis role="bold">icmp</emphasis>, this column is
          interpreted as the destination icmp-type(s). ICMP types may be
          specified as a numeric type, a numberic type and code separated by a
          slash (e.g., 3/4), or a typename. See <ulink
          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
          Note that prior to Shorewall 4.4.19, only a single ICMP type may be
          listsed.</para>

          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
          this column is interpreted as an ipp2p option without the leading
          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
          If no port is given, <emphasis role="bold">ipp2p</emphasis> is
          assumed.</para>

          <para>A port range is expressed as
          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>

          <para>This column is ignored if <emphasis
          role="bold">PROTO</emphasis> = <emphasis role="bold">all</emphasis>
          but must be entered if any of the following columns are supplied. In
          that case, it is suggested that this field contain a dash (<emphasis
          role="bold">-</emphasis>).</para>

          <para>If your kernel contains multi-port match support, then only a
          single Netfilter rule will be generated if in this list and the
          <emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>

          <para>1. There are 15 or less ports listed.</para>

          <para>2. No port ranges are included or your kernel and iptables
          contain extended multiport match support.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
        {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>

        <listitem>
          <para>Optional port(s) used by the client. If omitted, any source
          port is acceptable. Specified as a comma- separated list of port
          names, port numbers or port ranges.</para>

          <warning>
            <para>Unless you really understand IP, you should leave this
            column empty or place a dash (<emphasis role="bold">-</emphasis>)
            in the column. Most people who try to use this column get it
            wrong.</para>
          </warning>

          <blockquote>
            <para>If you don't want to restrict client ports but need to
            specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the
            next column, then place "-" in this column.</para>

            <para>If your kernel contains multi-port match support, then only
            a single Netfilter rule will be generated if in this list and the
            <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>

            <para>1. There are 15 or less ports listed.</para>

            <para>2. No port ranges are included or your kernel and iptables
            contain extended multiport match support.</para>
          </blockquote>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>

        <listitem>
          <para>Optional. If ACTION is <emphasis
          role="bold">DNAT</emphasis>[<emphasis role="bold">-</emphasis>] or
          <emphasis role="bold">REDIRECT</emphasis>[<emphasis
          role="bold">-</emphasis>] then if this column is included and is
          different from the IP address given in the <emphasis
          role="bold">DEST</emphasis> column, then connections destined for
          that address will be forwarded to the IP and port specified in the
          <emphasis role="bold">DEST</emphasis> column.</para>

          <para>A comma-separated list of addresses may also be used. This is
          most useful with the <emphasis role="bold">REDIRECT</emphasis>
          target where you want to redirect traffic destined for particular
          set of hosts. Finally, if the list of addresses begins with "!"
          (<emphasis>exclusion</emphasis>) then the rule will be followed only
          if the original destination address in the connection request does
          not match any of the addresses listed.</para>

          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
          firewall interface can be specified by an apersand ('&amp;')
          followed by the logical name of the interface as found in the
          INTERFACE column of <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
          (5).</para>

          <para>For other actions, this column may be included and may contain
          one or more addresses (host or network) separated by commas. Address
          ranges are not allowed. When this column is supplied, rules are
          generated that require that the original destination address matches
          one of the listed addresses. This feature is most useful when you
          want to generate a filter rule that corresponds to a <emphasis
          role="bold">DNAT-</emphasis> or <emphasis
          role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
          addresses should not begin with "!".</para>

          <para>It is also possible to specify a set of addresses then exclude
          part of those addresses. For example, <emphasis
          role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
          addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
          See <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

          <para>See <ulink
          url="../PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
          for an example of using an entry in this column with a user-defined
          action rule.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
        role="bold">min</emphasis>|<emphasis
        role="bold">hour</emphasis>|<emphasis
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>

        <listitem>
          <para>You may optionally rate-limit the rule by placing a value in
          this column:</para>

          <para><emphasis>rate</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
          a value of 5 is assumed. There may be no no whitespace embedded in
          the specification.</para>

          <para>Example: <emphasis role="bold">10/sec:20</emphasis></para>

          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable> may be chosen by
          the user and specifies a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule specifies the same name, the
          connections counts for the rules are aggregated and the individual
          rates apply to the aggregated count.</para>

          <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>

        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
          the firewall itself.</para>

          <para>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>

          <para>Examples:</para>

          <variablelist>
            <varlistentry>
              <term>joe</term>

              <listitem>
                <para>program must be run by joe</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>:kids</term>

              <listitem>
                <para>program must be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>!:kids</term>

              <listitem>
                <para>program must not be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>+upnpd</term>

              <listitem>
                <para>program named upnpd</para>

                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
        role="bold">:C</emphasis>]</term>

        <listitem>
          <para>Defines a test on the existing packet or connection mark. The
          rule will match only if the test returns true.</para>

          <para>If you don't want to define a test but need to specify
          anything in the following columns, place a "-" in this field.</para>

          <variablelist>
            <varlistentry>
              <term>!</term>

              <listitem>
                <para>Inverts the test (not equal)</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis>value</emphasis></term>

              <listitem>
                <para>Value of the packet or connection mark.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis>mask</emphasis></term>

              <listitem>
                <para>A mask to be applied to the mark before testing.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">:C</emphasis></term>

              <listitem>
                <para>Designates a connection mark. If omitted, the packet
                mark's value is tested.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
        role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>

        <listitem>
          <para>May be used to limit the number of simultaneous connections
          from each individual host to <replaceable>limit</replaceable>
          connections. Requires connlimit match in your kernel and iptables.
          While the limit is only checked on rules specifying CONNLIMIT, the
          number of current connections is calculated over all current
          connections from the SOURCE host. By default, the limit is applied
          to each host but can be made to apply to networks of hosts by
          specifying a <replaceable>mask</replaceable>. The
          <replaceable>mask</replaceable> specifies the width of a VLSM mask
          to be applied to the source address; the number of current
          connections is then taken over all hosts in the subnet
          <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
          When<option> !</option> is specified, the rule matches when the
          number of connection exceeds the
          <replaceable>limit</replaceable>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>

        <listitem>
          <para>May be used to limit the rule to a particular time period each
          day, to particular days of the week or month, or to a range defined
          by dates and times. Requires time match support in your kernel and
          iptables.</para>

          <para><replaceable>timeelement</replaceable> may be:</para>

          <variablelist>
            <varlistentry>
              <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>

              <listitem>
                <para>Defines the starting time of day.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>

              <listitem>
                <para>Defines the ending time of day.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>utc</term>

              <listitem>
                <para>Times are expressed in Greenwich Mean Time.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>localtz</term>

              <listitem>
                <para>Times are expressed in Local Civil Time
                (default).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>weekdays=ddd[,ddd]...</term>

              <listitem>
                <para>where <replaceable>ddd</replaceable> is one of
                <option>Mon</option>, <option>Tue</option>,
                <option>Wed</option>, <option>Thu</option>,
                <option>Fri</option>, <option>Sat</option> or
                <option>Sun</option></para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>monthdays=dd[,dd],...</term>

              <listitem>
                <para>where <replaceable>dd</replaceable> is an ordinal day of
                the month</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>

              <listitem>
                <para>Defines the starting date and time.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>

              <listitem>
                <para>Defines the ending date and time.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">HEADERS</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
          you with to supply a value for one of the later columns, enter '-'
          in this column.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable></emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.24 and allows enabling and disabling
          the rule without requiring <command>shorewall
          restart</command>.</para>

          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0. <replaceable>switch-name</replaceable> must
          begin with a letter and be composed of letters, decimal digits,
          underscores or hyphens. Switch names must be 30 characters or less
          in length.</para>

          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>

          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>

          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>

          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>

          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Examples</title>

    <variablelist>
      <varlistentry>
        <term>Example 1:</term>

        <listitem>
          <para>Accept SMTP requests from the DMZ to the internet</para>

          <programlisting>         #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
         #                               PORT    PORT(S) DEST
         ACCEPT  dmz     net       tcp   smtp</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 2:</term>

        <listitem>
          <para>Forward all ssh and http connection requests from the internet
          to local system 192.168.1.3</para>

          <programlisting>        #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        DNAT    net     loc:192.168.1.3 tcp     ssh,http</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 3:</term>

        <listitem>
          <para>Forward all http connection requests from the internet to
          local system 192.168.1.3 with a limit of 3 per second and a maximum
          burst of 10<programlisting>        #ACTION SOURCE DEST            PROTO  DEST  SOURCE  ORIGINAL RATE
        #                                     PORT  PORT(S) DEST     LIMIT
        DNAT    net    loc:192.168.1.3 tcp    http  -       -        3/sec:10</programlisting></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 4:</term>

        <listitem>
          <para>Redirect all locally-originating www connection requests to
          port 3128 on the firewall (Squid running on the firewall system)
          except when the destination address is 192.168.2.2</para>

          <programlisting>        #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
        #                               PORT    PORT(S) DEST
        REDIRECT loc    3128      tcp   www      -      !192.168.2.2</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 5:</term>

        <listitem>
          <para>All http requests from the internet to address 130.252.100.69
          are to be forwarded to 192.168.1.3</para>

          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 6:</term>

        <listitem>
          <para>You want to accept SSH connections to your firewall only from
          internet IP addresses 130.252.100.69 and 130.252.100.70</para>

          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        ACCEPT   net:130.252.100.69,130.252.100.70 $FW \
                                        tcp     22</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 7:</term>

        <listitem>
          <para>You wish to accept connections from the internet to your
          firewall on port 2222 and you want to forward them to local system
          192.168.1.3, port 22</para>

          <programlisting>        #ACTION  SOURCE DEST                PROTO   DEST    SOURCE  ORIGINAL
        #                                           PORT    PORT(S) DEST
        DNAT     net    loc:192.168.1.3:22  tcp     2222</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 8:</term>

        <listitem>
          <para>You want to redirect connection requests to port 80 randomly
          to the port range 81-90.</para>

          <programlisting>        #ACTION  SOURCE DEST                PROTO DEST    SOURCE  ORIGINAL
        #                                         PORT    PORT(S) DEST
        REDIRECT net    $FW::81-90:random   tcp   www</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 9:</term>

        <listitem>
          <para>Shorewall does not impose as much structure on the Netfilter
          rules in the 'nat' table as it does on those in the filter table. As
          a consequence, when using Shorewall versions before 4.1.4, care must
          be exercised when using DNAT and REDIRECT rules with zones defined
          with wildcard interfaces (those ending with '+'. Here is an
          example:</para>

          <para><ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(8):<programlisting>        #ZONE       TYPE    OPTIONS
        fw          firewall
        net         ipv4
        dmz         ipv4
        loc         ipv4</programlisting></para>

          <para><ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8):<programlisting>        #ZONE       INTERFACE       BROADCAST      OPTIONS
        net         ppp0
        loc         eth1            detect
        dmz         eth2            detect
        -           ppp+                           # Addresses are assigned from 192.168.3.0/24</programlisting></para>

          <para><ulink
          url="shorewall-hosts.html">shorewall-host</ulink>(8):<programlisting>        #ZONE       HOST(S)              OPTIONS
        loc         ppp+:192.168.3.0/24</programlisting></para>

          <para>rules:</para>

          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST
        #                                                  PORT(S)
        REDIRECT    loc             3128       tcp         80                                                   </programlisting>

          <simpara>Note that it would have been tempting to simply define the
          loc zone entirely in shorewall-interfaces(8):</simpara>

          <para><programlisting>        #******************* INCORRECT *****************
        #ZONE       INTERFACE       BROADCAST      OPTIONS
        net         ppp0
        loc         eth1            detect
        loc         ppp+
        dmz         eth2</programlisting></para>

          <para>This would have made it impossible to run a
          internet-accessible web server in the DMZ because all traffic
          entering ppp+ interfaces would have been redirected to port 3128 on
          the firewall and there would have been no net-&gt;fw ACCEPT rule for
          that traffic.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 10:</term>

        <listitem>
          <para>Add the tupple (source IP, dest port, dest IP) of an incoming
          SSH connection to the ipset S:</para>

          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                             PORT(S)        
        ADD(+S:dst,src,dst)           net              fw             tcp         22</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 11:</term>

        <listitem>
          <para>You wish to limit SSH connections from remote systems to 1/min
          with a burst of three (to allow for limited retry):</para>

          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST         SOURCE    ORIGINAL         RATE
        #                                                  PORT(S)      PORT(S)   DEST             LIMIT
        SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 12:</term>

        <listitem>
          <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
          is on.</para>

          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
        #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/rules</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para><ulink
    url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>

    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
</refentry>