Shorewall and Ipsets

Tom Eastep

2005, 2008, 2010 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5, please see the documentation for that release.
What are Ipsets?

Ipsets are an extension to Netfilter/iptables that are currently available in xtables-addons. Instructions for installing xtables-addons may be found in the Dynamic Zones article.

Ipset allows you to create one or more named sets of addresses, then use those sets to define Netfilter/iptables rules. Possible uses of ipsets include:

- Blacklists. Ipsets provide an efficient way to represent large sets of addresses, and you can maintain the lists without the need to restart or even refresh your Shorewall configuration.
- Zone definition. Using the /etc/shorewall/hosts file, you can define a zone based on the (dynamic) contents of an ipset. Again, you can then add or delete addresses in the ipset without restarting Shorewall.
- In most configuration files, wherever an address list is accepted, the list may include ipsets using the syntax described below.

See the ipsets site (URL above) for additional information about ipsets.
Shorewall Support for Ipsets

Support for ipsets was introduced in Shorewall version 2.3.0.

In most places where a host or network address may be used, you may also use the name of an ipset prefaced by "+". Example: "+Mirrors"

When using Shorewall, the names of ipsets are restricted as follows:

- They must begin with a letter (after the '+').
- They must be composed of letters, digits or underscores ("_").

To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".

When an ipset name appears in the SOURCE column of a file, Shorewall generates a 'src' match ("-m set --match-set set-name src"), and when the name appears in the DEST column, a 'dst' match is generated ("-m set --match-set set-name dst").

Some set types allow matching on more than one address and require a comma-separated list of 'src' and/or 'dst' flags. This list may be enclosed in square brackets ("[...]") following the set name. Example: +setlist[src,dst]

If the flags are homogeneous, you may use an integer to represent the number of entries. In other words, [2] is equivalent to [src,src] in the SOURCE column and to [dst,dst] in the DEST column.

Example 1: Blacklist all hosts in an ipset named "blacklist"

    /etc/shorewall/blacklist
    #ADDRESS/SUBNET  PROTOCOL  PORT
    +blacklist

Example 2: Allow SSH from all hosts in an ipset named "sshok"

    /etc/shorewall/rules
    #ACTION  SOURCE      DEST  PROTO  DEST PORT(S)
    ACCEPT   net:+sshok  $FW   tcp    22
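The rules above (the "+" prefix, the "!" negation, the name restrictions, the column-dependent src/dst flag and the "[N]" shorthand) are easy to get subtly wrong, and the mistake only surfaces as a compile error or, worse, a rule that matches the wrong direction. The following POSIX shell function is an added example, not Shorewall code: it applies exactly those rules to a reference as it would appear in the SOURCE or DEST column and prints the iptables set match it should expand to, so you can check a planned entry before editing the configuration. The negated form is written with the iptables set-match syntax "-m set ! --match-set"; this page does not show Shorewall's exact output for "!+name", so treat that line as an assumption. Explicit flag lists such as "[src,dst]" are passed through as written, since which combinations are valid depends on the set type, which the page does not cover.

```shell
#!/bin/sh
# Added example, not Shorewall code: expand a Shorewall ipset reference
# (+name, !+name, +name[src,dst], +name[N]) into the iptables set match
# described on this page.
#
# Usage: ipset_match <SOURCE|DEST> <reference>
ipset_match() {
    col=$1
    ref=$2
    neg=""

    # Leading "!" requests a negative match; the "+" is mandatory.
    case $ref in
        '!+'*) neg="! "; ref=${ref#!+} ;;
        '+'*)  ref=${ref#+} ;;
        *) echo "ipset_match: not an ipset reference: $2" >&2; return 1 ;;
    esac

    # Split "name[flags]" into the set name and an optional flag list.
    name=${ref%%\[*}
    flags=""
    case $ref in
        *\[*\]) flags=${ref#*\[}; flags=${flags%\]} ;;
    esac

    # Name rules from this page: a leading letter, then only letters,
    # digits or underscores.
    case $name in
        [A-Za-z]*) ;;
        *) echo "ipset_match: name must begin with a letter: '$name'" >&2; return 1 ;;
    esac
    case $name in
        *[!A-Za-z0-9_]*) echo "ipset_match: bad character in name: '$name'" >&2; return 1 ;;
    esac

    # The column decides the default direction flag.
    case $col in
        SOURCE) dir=src ;;
        DEST)   dir=dst ;;
        *) echo "ipset_match: column must be SOURCE or DEST" >&2; return 1 ;;
    esac

    if [ -z "$flags" ]; then
        flags=$dir                      # plain +name -> one src or dst flag
    else
        case $flags in
            *[!0-9]*) ;;                # explicit list such as src,dst: keep as written
            *)                          # [N]: N copies of the column's flag
                n=$flags
                [ "$n" -ge 1 ] || { echo "ipset_match: flag count must be >= 1" >&2; return 1; }
                flags=""; i=0
                while [ "$i" -lt "$n" ]; do
                    flags="${flags:+$flags,}$dir"
                    i=$((i + 1))
                done ;;
        esac
    fi

    # Negation uses the iptables set-match syntax "-m set ! --match-set"
    # (assumption: this page does not show Shorewall's exact negated output).
    printf '%s\n' "-m set ${neg}--match-set $name $flags"
}

# Demo: the two examples from this page plus the bracket forms.
show() { printf '%-6s %-20s -> ' "$1" "$2"; ipset_match "$1" "$2"; }
show DEST   '+blacklist'
show SOURCE '+sshok'
show DEST   '!+Mirrors'
show SOURCE '+setlist[src,dst]'
show SOURCE '+setlist[2]'
show DEST   '+setlist[2]'
```

Once a rule is in place, confirm both halves on the running firewall: "ipset list <name>" shows the set type and current members, and "iptables -S | grep match-set" shows the generated matches, which should agree with what the function prints for the corresponding column.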
Saving/Restoring Ipsets

The SAVE_IPSETS option in shorewall.conf(5) allows you to have Shorewall automatically save your ipset contents during shorewall stop and restore them during shorewall start. SAVE_IPSETS is implicitly set to Yes when the configuration includes one or more dynamic zones. When SAVE_IPSETS=Yes, Shorewall disallows ipsets to be specified in shorewall-routestopped(5).

SAVE_IPSETS support was added in Shorewall 4.4.6.