<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall6-routestopped</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>routestopped</refname> <refpurpose>The Shorewall6 file that governs what traffic flows through the firewall while it is in 'stopped' state.</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>/etc/shorewall6/routestopped</command> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>This file is used to define the hosts that are accessible when the firewall is stopped or is being stopped. When shorewall6-shell is being used, the file also determines those hosts that are accessible when the firewall is in the process of being [re]started.</para> <para>The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).</para> <variablelist> <varlistentry> <term><emphasis role="bold">INTERFACE</emphasis> - <emphasis>interface</emphasis></term> <listitem> <para>Interface through which host(s) communicate with the firewall</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">HOST(S)</emphasis> - [<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term> <listitem> <para>Optional comma-separated list of IP/subnet addresses. If your kernel and ip6tables include iprange match support, IP address ranges are also allowed.</para> <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis role="bold">,</emphasis><emphasis>option</emphasis>]...]</term> <listitem> <para>An optional comma-separated list of options. The order of the options is not important but the list can contain no embedded whitespace. The currently-supported options are:</para> <variablelist> <varlistentry> <term><emphasis role="bold">routeback</emphasis></term> <listitem> <para>Set up a rule to ACCEPT traffic from these hosts back to themselves. Beginning with Shorewall 4.4.9, this option is automatically set if <emphasis role="bold">routeback</emphasis> is specified in <ulink url="shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5) or if the rules compiler detects that the interface is a bridge.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">source</emphasis></term> <listitem> <para>Allow traffic from these hosts to ANY destination. Without this option or the <emphasis role="bold">dest</emphasis> option, only traffic from this host to other listed hosts (and the firewall) is allowed. If <emphasis role="bold">source</emphasis> is specified then <emphasis role="bold">routeback</emphasis> is redundant.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">dest</emphasis></term> <listitem> <para>Allow traffic to these hosts from ANY source. Without this option or the <emphasis role="bold">source</emphasis> option, only traffic from this host to other listed hosts (and the firewall) is allowed. If <emphasis role="bold">dest</emphasis> is specified then <emphasis role="bold">routeback</emphasis> is redundant.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">critical</emphasis></term> <listitem> <para>Allow traffic between the firewall and these hosts throughout '[re]start', 'stop' and 'clear'. Specifying <emphasis role="bold">critical</emphasis> on one or more entries will cause your firewall to be "totally open" for a brief window during each of those operations. Examples of where you might want to use this are:</para> <itemizedlist> <listitem> <para>'Ping' nodes with heartbeat.</para> </listitem> <listitem> <para>LDAP server(s) if you use LDAP Authentication</para> </listitem> <listitem> <para>NFS Server if you have an NFS-mounted root filesystem.</para> </listitem> </itemizedlist> </listitem> </varlistentry> </variablelist> </listitem> </varlistentry> </variablelist> <note> <para>The <emphasis role="bold">source</emphasis> and <emphasis role="bold">dest</emphasis> options work best when used in conjunction with ADMINISABSENTMINDED=Yes in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> </note> </refsect1> <refsect1> <title>Example</title> <variablelist> <varlistentry> <term>Example 1:</term> <listitem> <programlisting> #INTERFACE HOST(S) OPTIONS eth2 2002:ce7c:92b4::/64 eth0 2002:ce7c:92b4:1::/64 br0 - routeback eth3 - source</programlisting> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall6/routestopped</para> </refsect1> <refsect1> <title>See ALSO</title> <para><ulink url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para> <para><ulink url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para> <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para> </refsect1> </refentry>