<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall6-routestopped</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>routestopped</refname>

    <refpurpose>The Shorewall6 file that governs what traffic flows through
    the firewall while it is in 'stopped' state.</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/routestopped</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>This file is used to define the hosts that are accessible when the
    firewall is stopped or is being stopped. When shorewall6-shell is being
    used, the file also determines those hosts that are accessible when the
    firewall is in the process of being [re]started.</para>

    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">INTERFACE</emphasis> -
        <emphasis>interface</emphasis></term>

        <listitem>
          <para>Interface through which host(s) communicate with the
          firewall</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">HOST(S)</emphasis> - [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>

        <listitem>
          <para>Optional comma-separated list of IP/subnet addresses. If your
          kernel and ip6tables include iprange match support, IP address
          ranges are also allowed.</para>

          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis
        role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>

        <listitem>
          <para>An optional comma-separated list of options. The order of the
          options is not important but the list can contain no embedded
          whitespace. The currently-supported options are:</para>

          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>

              <listitem>
                <para>Set up a rule to ACCEPT traffic from these hosts back to
                themselves. Beginning with Shorewall 4.4.9, this option is
                automatically set if <emphasis
                role="bold">routeback</emphasis> is specified in <ulink
                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
                (5) or if the rules compiler detects that the interface is a
                bridge.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">source</emphasis></term>

              <listitem>
                <para>Allow traffic from these hosts to ANY destination.
                Without this option or the <emphasis
                role="bold">dest</emphasis> option, only traffic from this
                host to other listed hosts (and the firewall) is allowed. If
                <emphasis role="bold">source</emphasis> is specified then
                <emphasis role="bold">routeback</emphasis> is
                redundant.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">dest</emphasis></term>

              <listitem>
                <para>Allow traffic to these hosts from ANY source. Without
                this option or the <emphasis role="bold">source</emphasis>
                option, only traffic from this host to other listed hosts (and
                the firewall) is allowed. If <emphasis
                role="bold">dest</emphasis> is specified then <emphasis
                role="bold">routeback</emphasis> is redundant.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">critical</emphasis></term>

              <listitem>
                <para>Allow traffic between the firewall and these hosts
                throughout '[re]start', 'stop' and 'clear'. Specifying
                <emphasis role="bold">critical</emphasis> on one or more
                entries will cause your firewall to be "totally open" for a
                brief window during each of those operations. Examples of
                where you might want to use this are:</para>

                <itemizedlist>
                  <listitem>
                    <para>'Ping' nodes with heartbeat.</para>
                  </listitem>

                  <listitem>
                    <para>LDAP server(s) if you use LDAP Authentication</para>
                  </listitem>

                  <listitem>
                    <para>NFS Server if you have an NFS-mounted root
                    filesystem.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>

    <note>
      <para>The <emphasis role="bold">source</emphasis> and <emphasis
      role="bold">dest</emphasis> options work best when used in conjunction
      with ADMINISABSENTMINDED=Yes in <ulink
      url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
    </note>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <variablelist>
      <varlistentry>
        <term>Example 1:</term>

        <listitem>
          <programlisting>        #INTERFACE      HOST(S)                 OPTIONS
        eth2            2002:ce7c:92b4::/64
        eth0            2002:ce7c:92b4:1::/64
        br0             -                       routeback
        eth3            -                       source</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall6/routestopped</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para><ulink
    url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
    shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
</refentry>