<?xml version="1.0" encoding="UTF-8"?>
<refentry>
  <refmeta>
    <refentrytitle>shorewall-routestopped</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>routestopped</refname>

    <refpurpose>The Shorewall file that governs what traffic flows through the
    firewall while it is in 'stopped' state.</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/routestopped</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>This file is used to define the hosts that are accessible when the
    firewall is stopped or when it is in the process of being
    [re]started.</para>

    <para>The columns in the file are as follows.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">INTERFACE</emphasis></term>

        <listitem>
          <para>Interface through which host(s) communicate with the
          firewall</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">HOST(S)</emphasis> (Optional)</term>

        <listitem>
          <para>Comma-separated list of IP/subnet addresses. If your kernel
          and iptables include iprange match support, IP address ranges are
          also allowed.</para>

          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> (Optional)</term>

        <listitem>
          <para>A comma-separated list of options. The order of the options is
          not important but the list can contain no embedded whitespace. The
          currently-supported options are:</para>

          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>

              <listitem>
                <para>Set up a rule to ACCEPT traffic from these hosts back to
                themselves.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">source</emphasis></term>

              <listitem>
                <para>Allow traffic from these hosts to ANY destination.
                Without this option or the <emphasis
                role="bold">dest</emphasis> option, only traffic from this
                host to other listed hosts (and the firewall) is allowed. If
                <emphasis role="bold">source</emphasis> is specified then
                <emphasis role="bold">routeback</emphasis> is
                redundant.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">dest</emphasis></term>

              <listitem>
                <para>Allow traffic to these hosts from ANY source. Without
                this option or the <emphasis role="bold">source</emphasis>
                option, only traffic from this host to other listed hosts (and
                the firewall) is allowed. If <emphasis
                role="bold">dest</emphasis> is specified then <emphasis
                role="bold">routeback</emphasis> is redundant.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">critical</emphasis></term>

              <listitem>
                <para>Allow traffic between the firewall and these hosts
                throughout '[re]start', 'stop' and 'clear'. Specifying
                <emphasis role="bold">critical</emphasis> on one or more
                entries will cause your firewall to be "totally open" for a
                brief window during each of those operations.</para>
              </listitem>
            </varlistentry>
          </variablelist>

          <note>
            <para>The <emphasis role="bold">source</emphasis> and <emphasis
            role="bold">dest</emphasis> options work best when used in
            conjunction with ADMINISABSENTMINDED=Yes in
            shorewall.conf(5).</para>
          </note>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <variablelist>
      <varlistentry>
        <term>Example 1:</term>

        <listitem>
          <programlisting>        #INTERFACE      HOST(S)                 OPTIONS
        eth2            192.168.1.0/24
        eth0            192.0.2.44
        br0             -                       routeback
        eth3            -                       source</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/routestopped</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
</refentry>