Configuration Files

Warning: If you copy or edit your configuration files on a system running Microsoft Windows, you must run them through dos2unix before you use them with Shorewall.

Files

Shorewall's configuration files are in the directory /etc/shorewall.

* /etc/shorewall/shorewall.conf - used to set several firewall parameters.
* /etc/shorewall/params - use this file to set shell variables that you will expand in other files.
* /etc/shorewall/zones - partition the firewall's view of the world into zones.
* /etc/shorewall/policy - establishes firewall high-level policy.
* /etc/shorewall/interfaces - describes the interfaces on the firewall system.
* /etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks.
* /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT).
* /etc/shorewall/modules - directs the firewall to load kernel modules.
* /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.
* /etc/shorewall/nat - defines static NAT rules.
* /etc/shorewall/proxyarp - defines use of Proxy ARP.
* /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is stopped.
* /etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping or policy routing.
* /etc/shorewall/tos - defines rules for setting the TOS field in packet headers.
* /etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on the firewall system.
* /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.

Comments

You may place comments in configuration files by making the first non-whitespace character a pound sign ("#"). You may also place comments at the end of any line, again by delimiting the comment from the rest of the line with a pound sign.

Examples:

# This is a comment
ACCEPT	net	fw	tcp	www	#This is an end-of-line comment

Line Continuation

You may continue lines in the configuration files using the usual backslash ("\") followed immediately by a newline character.

Example:

ACCEPT	net	fw	tcp \
smtp,www,pop3,imap  #Services running on the firewall

Complementing an Address or Subnet

When specifying an IP address, a subnet or an interface, you can precede the item with "!" to specify the complement of the item. For example, !192.168.1.4 means "any host but 192.168.1.4".

Comma-separated Lists

Comma-separated lists are allowed in a number of contexts within the configuration files. A comma-separated list:

* Must not have any embedded white space.
    Valid: routestopped,dhcp,norfc1918
    Invalid: routestopped,     dhcp,     norfc1918
* If you use line continuation to break a comma-separated list, the continuation line(s) must begin in column 1 (otherwise there would be embedded white space).
* Entries in a comma-separated list may appear in any order.

Port Numbers/Service Names

Unless otherwise specified, when giving a port number you can use either an integer or a service name from /etc/services.

Port Ranges

If you need to specify a range of ports, the proper syntax is <low port number>:<high port number>.

Using Shell Variables

You may use the file /etc/shorewall/params to set shell variables that you can then use in some of the other configuration files.

It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall programs.

Example:

NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918


Example (/etc/shorewall/interfaces record):

net $NET_IF $NET_BCAST $NET_OPTIONS

The result will be the same as if the record had been written:

net eth0 130.252.100.255 noping,norfc1918

Variables may be used anywhere in the other configuration files.
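The comment, line-continuation, comma-separated-list and variable-expansion conventions described above, exercised by a small Python reader. This is an added example, not Shorewall's own code; the sample file contents are constructed from the examples on this page, and the broken_lists check (a field that starts or ends with a comma after continuation lines are joined) is an assumption about how embedded white space shows up, not Shorewall's own diagnostic.

```python
import re
# Constructed sample files modelled on this page's examples (not real Shorewall files).
PARAMS = "NET_IF=eth0\nNET_BCAST=130.252.100.255\nNET_OPTIONS=noping,norfc1918\n"
INTERFACES = "net $NET_IF $NET_BCAST $NET_OPTIONS\n"
RULES = """\
# This is a comment
ACCEPT\tnet\tfw\ttcp\twww\t#This is an end-of-line comment
ACCEPT\tnet\tfw\ttcp \\
smtp,www,pop3,imap  #Services running on the firewall
ACCEPT\tnet\tfw\ttcp \\
    smtp, www  # continuation line does not begin in column 1: broken list
"""

def load_params(text):
    """Parse NAME=value lines of a params file into a dict ('#' comments ignored)."""
    pairs = (l.split("#", 1)[0].partition("=") for l in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def logical_lines(text):
    """Strip '#' comments and join backslash-continued lines into logical lines."""
    out, buf = [], ""
    for phys in text.splitlines():
        code = phys.split("#", 1)[0].rstrip()
        if code.endswith("\\"):           # continuation: keep the text before '\'
            buf += code[:-1]
            continue
        buf += code
        if buf.strip():
            out.append(buf)
        buf = ""
    if buf.strip():                       # file ended inside a continuation
        out.append(buf)
    return out

def expand_vars(line, params):
    """Expand $NAME references from params; unknown names expand to empty text."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), line)

def parse_file(text, params):
    """Return each record as its whitespace-separated fields, variables expanded."""
    return [expand_vars(line, params).split() for line in logical_lines(text)]

def broken_lists(fields):
    """Fields that start or end with ',' betray embedded white space in a list."""
    return [f for f in fields if f.startswith(",") or f.endswith(",")]

if __name__ == "__main__":
    params = load_params(PARAMS)
    print(parse_file(INTERFACES, params))
    for fields in parse_file(RULES, params):
        print(fields, "<- embedded white space" if broken_lists(fields) else "")
```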

Using MAC Addresses

Media Access Control (MAC) addresses can be used to specify packet source in several of the configuration files. To use this feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included.

MAC addresses are 48 bits wide and each Ethernet Controller has a unique MAC address.

In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers separated by colons. Example:

     [root@gateway root]# ifconfig eth0
     eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
     collisions:30394 txqueuelen:100
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
     Interrupt:11 Base address:0x1800

Because Shorewall uses colons as a separator for address fields, Shorewall requires MAC addresses to be written in another way. In Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in the example above would be written "~02-00-08-E3-FA-55".
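An added example (not Shorewall's own code) that converts the colon-separated address printed by ifconfig into Shorewall's tilde-and-hyphen form, extracts it from the ifconfig output shown above, and checks an address field for the "!" complement described earlier and for the required MAC form. The parse_address and valid_address helpers are illustrative assumptions, and the sample ifconfig text is taken from this page.

```python
import re

HEX2 = r"[0-9A-Fa-f]{2}"
COLON_MAC = re.compile(rf"^{HEX2}(?::{HEX2}){{5}}$")       # 02:00:08:E3:FA:55 (ifconfig style)
SHOREWALL_MAC = re.compile(rf"^~{HEX2}(?:-{HEX2}){{5}}$")  # ~02-00-08-E3-FA-55 (Shorewall style)

def to_shorewall_mac(mac):
    """Rewrite a colon-separated 48-bit MAC as Shorewall's ~hh-hh-hh-hh-hh-hh form."""
    mac = mac.strip()
    if SHOREWALL_MAC.match(mac):          # already in Shorewall form
        return mac
    if not COLON_MAC.match(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "~" + mac.replace(":", "-")

def mac_from_ifconfig(output):
    """Pull the HWaddr field out of ifconfig output and convert it."""
    m = re.search(r"HWaddr\s+(\S+)", output)
    return to_shorewall_mac(m.group(1)) if m else None

def parse_address(spec):
    """Classify one address field (hypothetical helper): handles a leading '!'
    complement and tells a Shorewall MAC from an IP/subnet. Returns (negated, kind, value)."""
    negated = spec.startswith("!")
    value = spec[1:] if negated else spec
    if value.startswith("~"):
        if not SHOREWALL_MAC.match(value):
            raise ValueError(f"bad Shorewall MAC (want ~hh-hh-hh-hh-hh-hh): {value!r}")
        return negated, "mac", value
    if ":" in value:   # a colon here would be taken as a field separator
        raise ValueError(f"colons separate address fields; write MACs with '~' and '-': {value!r}")
    return negated, "ip", value

def valid_address(spec):
    """True when parse_address accepts the field, False otherwise."""
    try:
        parse_address(spec)
        return True
    except ValueError:
        return False

# Constructed from the ifconfig output shown on this page.
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
"""
```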

Shorewall Configurations

Shorewall allows you to have configuration directories other than /etc/shorewall. The shorewall start and restart commands allow you to specify an alternate configuration directory and Shorewall will use the files in the alternate directory rather than the corresponding files in /etc/shorewall. The alternate directory need not contain a complete configuration; those files not in the alternate directory will be read from /etc/shorewall.

This facility permits you to easily create a test or temporary configuration by:

  1. copying the files that need modification from /etc/shorewall to a separate directory;
  2. modifying those files in the separate directory; and
  3. specifying the separate directory in a shorewall start or shorewall restart command (e.g., shorewall -c /etc/testconfig restart).

Updated 8/6/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.