SHOREWALL6.CONF(5)                                          SHOREWALL6.CONF(5)

NAME
shorewall6.conf - Shorewall6 global configuration file

SYNOPSIS
/etc/shorewall6/shorewall6.conf

DESCRIPTION
This file sets options that apply to Shorewall6 as a whole.

The file consists of Shell comments (lines beginning with '#'), blank
lines and assignment statements (variable=value). If the value contains
shell metacharacters or white-space, then it must be enclosed in
quotes. Example: LOG_LEVEL="NFLOG(1,0,1)".

Many options have as their value a log-level. Log levels are a method
of describing to syslog (8) the importance of a message and a number of
parameters in this file have log levels as their value.

These levels are defined by syslog and are used to determine the
destination of the messages through entries in /etc/syslog.conf (5).
The syslog documentation refers to these as "priorities"; Netfilter
calls them "levels" and Shorewall6 also uses that term.

Valid levels are:

7 debug
6 info
5 notice
4 warning
3 err
2 crit
1 alert
0 emerg

For most Shorewall6 logging, a level of 6 (info) is appropriate.
Shorewall6 log messages are generated by NetFilter and are logged using
facility 'kern' and the level that you specify. If you are unsure of
the level to choose, 6 (info) is a safe bet. You may specify levels by
name or by number.

If you have built your kernel with NFLOG target support, you may also
specify a log level of NFLOG (must be all caps). Rather than log its
messages to syslogd, Shorewall6 will direct netfilter to log the
messages via the NFLOG target which will send them to a process called
'ulogd'. ulogd is available with most Linux distributions (although it
probably isn't installed by default). Ulogd is also available from
http://www.netfilter.org/projects/ulogd/index.html and can be
configured to log all Shorewall6 messages to their own log file.

The following options may be set in shorewall6.conf.

ACCEPT_DEFAULT={action|none}

DROP_DEFAULT={action|none}

NFQUEUE_DEFAULT={action|none}

QUEUE_DEFAULT={action|none}

REJECT_DEFAULT={action|none}
To allow for default rules to be applied when USE_ACTIONS=No, the
DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and
NFQUEUE_DEFAULT options have been added.

DROP_DEFAULT describes the rules to be applied before a connection
request is dropped by a DROP policy; REJECT_DEFAULT describes the
rules to be applied if a connection request is rejected by a REJECT
policy. The other three are similar for ACCEPT, QUEUE and NFQUEUE
policies.

The value applied to these may be:

a) The name of an action.
b) The name of a macro (Shorewall6-shell only)
c) None or none

The default values are:

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="None"

If USE_ACTIONS=Yes, then these values refer to action.Drop and
action.Reject respectively. If USE_ACTIONS=No, then these values
refer to macro.Drop and macro.Reject.

If you set the value of either option to "None" then no default
action will be used and the default action or macro must be
specified in shorewall6-policy[1](5).

ACCOUNTING=[Yes|No]
Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting is
enabled (see shorewall6-accounting[2](5)). If not specified or set
to the empty value, ACCOUNTING=Yes is assumed.

ACCOUNTING_TABLE=[filter|mangle]
Added in Shorewall 4.4.20. This setting determines which Netfilter
table the accounting rules are added in. By default,
ACCOUNTING_TABLE=filter is assumed. See also
shorewall-accounting[3](5).

ADMINISABSENTMINDED=[Yes|No]
The value of this variable affects Shorewall6's stopped state. When
ADMINISABSENTMINDED=No, only traffic to/from those addresses listed
in shorewall6-routestopped[4](5) is accepted when Shorewall6 is
stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic
to/from addresses in shorewall6-routestopped[4](5), connections
that were active when Shorewall6 stopped continue to work and all
new connections from the firewall system itself are allowed. If
this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.

AUTO_COMMENT=[Yes|No]
If set, and there is no current comment when a macro is invoked,
the behavior is as if the first line of the macro file was "COMMENT
<macro name>". The AUTO_COMMENT option has a default value of
'Yes'.

AUTOMAKE=[Yes|No]
If set, the behavior of the start and restart commands is changed:
if no files in /etc/shorewall have been changed since the last
successful start or restart command, then the compilation step is
skipped and the compiled script that executed the last start or
restart command is used. The default is AUTOMAKE=No.

The setting of the AUTOMAKE option is ignored if the start or
restart command includes a directory name (e.g., shorewall6 restart
/etc/shorewall.new).

BLACKLIST_DISPOSITION=[DROP|A_DROP|REJECT|A_REJECT]
This parameter determines the disposition of packets from
blacklisted hosts. It may have the value DROP if the packets are to
be dropped or REJECT if the packets are to be replied to with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not
assign a value or if you assign an empty value then DROP is
assumed.

BLACKLIST_LOGLEVEL=[log-level]
This parameter determines if packets from blacklisted hosts are
logged and it determines the syslog level that they are to be
logged at. Its value is a syslog level (Example:
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not
logged.

BLACKLISTNEWONLY={Yes|No}
When set to Yes or yes, blacklists are only consulted for new
connections. When set to No or no, blacklists are consulted for
every packet (this will slow down your firewall noticeably if you
have large blacklists). If the BLACKLISTNEWONLY option is not set
or is set to the empty value then BLACKLISTNEWONLY=No is assumed.

Note
BLACKLISTNEWONLY=No is incompatible with FASTACCEPT=Yes.

CLAMPMSS=[Yes|No|value]
This parameter enables the TCP Clamp MSS to PMTU feature of
Netfilter and is usually required when your internet connection is
through PPPoE or PPTP. If set to Yes or yes, the feature is
enabled. If left blank or set to No or no, the feature is not
enabled.

Important: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
kernel.

You may also set CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400).
This will set the MSS field in TCP SYN packets going through the
firewall to the value that you specify.

CLEAR_TC=[Yes|No]
If this option is set to No then Shorewall6 won't clear the current
traffic control rules during [re]start. This setting is intended
for use by people that prefer to configure traffic shaping when the
network interfaces come up rather than when the firewall is
started. If that is what you want to do, set TC_ENABLED=Yes and
CLEAR_TC=No and do not supply an /etc/shorewall6/tcstart file. That
way, your traffic shaping rules can still use the "fwmark"
classifier based on packet marking defined in
shorewall6-tcrules[5](5). If not specified, CLEAR_TC=No is assumed.

Warning
If you also run Shorewall and if you have TC_ENABLED=Internal
in your shorewall-conf[6](5), then you will want CLEAR_TC=No in
this file.

COMPLETE=[Yes|No]
Added in Shorewall6 4.4.12. When you set this option to Yes, you
are asserting that the configuration is complete so that your set
of zones encompasses any hosts that can send or receive traffic
to/from/through the firewall. This causes Shorewall6 to omit the
rules that catch packets in which the source or destination IP
address is outside of any of your zones. Default is No. It is
recommended that this option only be set to Yes if:

· You have defined an interface whose effective physical setting
is '+'.

· That interface is assigned to a zone.

· You have no CONTINUE policies or rules.

CONFIG_PATH=[directory[:directory]...]
Specifies where configuration files other than shorewall6.conf may
be found. CONFIG_PATH is specified as a list of directory names
separated by colons (":"). When looking for a configuration file
other than shorewall6.conf:

· If the command is "try" or a "<configuration directory>" was
specified in the command (e.g., shorewall6 check ./gateway)
then the directory given in the command is searched first.

· Next, each directory in the CONFIG_PATH setting is searched in
sequence.

If CONFIG_PATH is not given or if it is set to the empty value then
the contents of /usr/share/shorewall6/configpath are used. As
released from shorewall.net, that file sets the CONFIG_PATH to
/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall but your
particular distribution may set it differently. See the output of
shorewall6 show config for the default on your system.

Note that the setting in /usr/share/shorewall6/configpath is always
used to locate shorewall6.conf.

DELETE_THEN_ADD={Yes|No}
If set to Yes (the default value), entries in the
/etc/shorewall6/route_stopped files cause an 'ip rule del' command
to be generated in addition to an 'ip rule add' command. Setting
this option to No causes the 'ip rule del' command to be omitted.

DONT_LOAD=[module[,module]...]
Causes Shorewall6 to not load the listed kernel modules.

DYNAMIC_BLACKLIST={Yes|No}
Added in Shorewall 4.4.7. When set to No or no, dynamic
blacklisting using the shorewall6 drop, shorewall6 reject,
shorewall6 logdrop and shorewall6 logreject commands is disabled.
Default is Yes.

EXPAND_POLICIES={Yes|No}
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
enforced in that chain. For example, if the policy entry is

#SOURCE  DEST  POLICY  LOG
#                      LEVEL
net      all   DROP    info

then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall will create a separate chain
for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone.

EXPORTMODULES=[Yes|No]
Added in Shorewall 4.4.17. When set to Yes when compiling for use
by Shorewall6 Lite (shorewall6 load, shorewall6 reload or
shorewall6 export commands), the compiler will copy the modules or
helpers file from the administrative system into the script. When
set to No or not specified, the compiler will not copy the modules
or helpers file from /usr/share/shorewall6 but will copy the one
found in another location on the CONFIG_PATH.

When compiling for direct use by Shorewall6, Yes causes the contents
of the local module or helpers file to be copied into the compiled
script. When set to No or not set, the compiled script reads the
file itself.

EXPORTPARAMS={Yes|No}
Deprecated beginning with Shorewall 4.4.17.

Beginning with Shorewall 4.4.17, the variables set in the 'params'
file at compile time are available at run time with
EXPORTPARAMS=No. As a consequence, beginning with that version the
recommended setting is EXPORTPARAMS=No.

It is quite difficult to code a 'params' file that assigns other
than constant values such that it works correctly with Shorewall6
Lite. The EXPORTPARAMS option works around this problem. When
EXPORTPARAMS=No, the 'params' file is not copied to the compiler
output.

With EXPORTPARAMS=No, if you need to set environment variables on
the firewall system for use by your extension scripts, then do so
in the init extension script.

The default is EXPORTPARAMS=Yes which is the recommended setting
unless you are running Shorewall6 Lite.

FASTACCEPT={Yes|No}
Normally, Shorewall6 defers accepting ESTABLISHED/RELATED packets
until these packets reach the chain in which the original
connection was accepted. So for packets going from the 'loc' zone
to the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
'loc2net' chain.

If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or
RELATED sections of shorewall6-rules[7](5).

Note
FASTACCEPT=Yes is incompatible with BLACKLISTNEWONLY=No.

FORWARD_CLEAR_MARK={Yes|No}
Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
cleared the packet mark in the first rule in the mangle FORWARD
chain. This behavior is maintained with the default setting of this
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
'No', packet marks set in the mangle PREROUTING chain are retained
in the FORWARD chains.

HIGH_ROUTE_MARKS={Yes|No}
You may set HIGH_ROUTE_MARKS=Yes to effectively divide the
packet mark and connection mark into two mark fields.

The width of the fields is determined by the setting of the
WIDE_TC_MARKS option.

When WIDE_TC_MARKS=No (the default):

1. The MARK field in the providers file must have a value that is
less than 65536 and that is a multiple of 256 (using hex
representation, the values are 0x0100-0xFF00 with the low-order
8 bits being zero).

2. You may only set those mark values in the PREROUTING chain.

3. Marks used for traffic shaping must still be in the range of
1-255 and may still not be set in the PREROUTING chain.

When WIDE_TC_MARKS=Yes:

1. The MARK field in the providers file must have a value that is
a multiple of 65536 (using hex representation, the values are
0x010000-0xFF0000 with the low-order 16 bits being zero).

2. You may only set those mark values in the PREROUTING chain.

3. Marks used for traffic shaping must be in the range of 1-16383
and may still not be set in the PREROUTING chain.

Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
RESTORE in tcrules, only the TC mark value is saved or restored.
Shorewall handles saving and restoring the routing (provider)
marks.
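As an added example (not from this man page or the Shorewall project), the following Python checker applies the HIGH_ROUTE_MARKS rules listed above for both WIDE_TC_MARKS settings. The bit masks are derived from the ranges stated above (1-255 and 0x0100-0xFF00, or 1-16383 and 0x010000-0xFF0000); the function names and sample values are this example's own.

```python
from typing import Dict, Optional, Tuple

# Added example: validate providers MARK values and traffic-shaping marks
# against the HIGH_ROUTE_MARKS / WIDE_TC_MARKS rules, and split a combined
# packet mark into its two fields. Masks are derived from the documented
# ranges; names here are this example's own.


def mark_layout(wide_tc_marks: bool) -> Dict[str, int]:
    """Field layout implied by the WIDE_TC_MARKS setting.

    tc_mask    - bits available to traffic-shaping marks
    route_unit - smallest legal provider mark (low-order bits are zero)
    route_mask - bits available to provider (routing) marks
    """
    if wide_tc_marks:
        # TC marks 1-16383 (14 bits); provider marks 0x010000-0xFF0000
        return {"tc_mask": 0x3FFF, "route_unit": 0x10000, "route_mask": 0xFF0000}
    # TC marks 1-255 (8 bits); provider marks 0x0100-0xFF00
    return {"tc_mask": 0xFF, "route_unit": 0x100, "route_mask": 0xFF00}


def check_provider_mark(value: int, wide_tc_marks: bool) -> Optional[str]:
    """Return None if value is a legal providers-file MARK, else the reason."""
    lay = mark_layout(wide_tc_marks)
    unit, high = lay["route_unit"], lay["route_mask"]
    if value % unit:
        return f"0x{value:X}: low-order bits must be zero (multiple of 0x{unit:X})"
    if not unit <= value <= high:
        return f"0x{value:X}: must lie in 0x{unit:X}-0x{high:X}"
    return None


def check_tc_mark(value: int, wide_tc_marks: bool) -> Optional[str]:
    """Return None if value is a legal traffic-shaping mark, else the reason."""
    high = mark_layout(wide_tc_marks)["tc_mask"]
    if not 1 <= value <= high:
        return f"0x{value:X}: traffic-shaping marks must lie in 1-{high}"
    return None


def split_mark(mark: int, wide_tc_marks: bool) -> Tuple[int, int]:
    """Split a combined packet/connection mark into (tc_mark, provider_mark)."""
    lay = mark_layout(wide_tc_marks)
    return mark & lay["tc_mask"], mark & lay["route_mask"]


def chain_allowed(kind: str, chain: str) -> bool:
    """Where a mark of the given kind may be set, per the rules above:
    provider marks only in PREROUTING, TC marks anywhere but PREROUTING."""
    if kind == "provider":
        return chain == "PREROUTING"
    if kind == "tc":
        return chain != "PREROUTING"
    raise ValueError(f"unknown mark kind {kind!r}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real providers file.
    for wide in (False, True):
        print(f"WIDE_TC_MARKS={'Yes' if wide else 'No'}")
        for v in (0x100, 0x150, 0x10000):
            print(f"  provider 0x{v:X}: {check_provider_mark(v, wide) or 'ok'}")
        for v in (255, 256, 16383, 16384):
            print(f"  tc {v}: {check_tc_mark(v, wide) or 'ok'}")
    print("0x23F02 with WIDE_TC_MARKS=Yes splits into", split_mark(0x23F02, True))
```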

IMPLICIT_CONTINUE={Yes|No}
When this option is set to Yes, it causes subzones to be treated
differently with respect to policies.

Subzones are defined by following their name with ":" and a list of
parent zones (in shorewall6-zones[8](5)). Normally, you want to
have a set of special rules for the subzone and if a connection
doesn't match any of those subzone-specific rules then you want the
parent zone rules and policies to be applied; see
shorewall6-nesting[9](5). With IMPLICIT_CONTINUE=Yes, that happens
automatically.

If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
subzones are not subject to this special treatment. With
IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be
overridden by including an explicit policy (one that does not
specify "all" in either the SOURCE or the DEST columns).

IP=[pathname]
If specified, gives the pathname of the 'ip' executable. If not
specified, 'ip' is assumed and the utility will be located using
the current PATH setting.

IP_FORWARDING=[On|Off|Keep]
This rather useless parameter determines whether Shorewall6 enables
or disables IPv6 Packet Forwarding on all interfaces
(/proc/sys/net/ipv6/config/all/forwarding). Possible values are:

On or on
packet forwarding will be enabled.

Off or off
packet forwarding will be disabled.

Keep or keep
Shorewall6 will neither enable nor disable packet forwarding.

If this variable is not set or is given an empty value
(IP_FORWARDING="") then IP_FORWARDING=On is assumed.

IP6TABLES=[pathname]
This parameter names the ip6tables executable to be used by
Shorewall6. If not specified or if specified as a null value, then
the ip6tables executable located using the PATH option is used.

Regardless of how the ip6tables utility is located (specified via
IP6TABLES= or located via PATH), Shorewall6 uses the
ip6tables-restore and ip6tables-save utilities from that same
directory.

IPSET=[pathname]
If specified, gives the pathname of the 'ipset' executable. If not
specified, 'ipset' is assumed and the utility will be located using
the current PATH setting.

KEEP_RT_TABLES={Yes|No}
When set to Yes, this option prevents scripts generated by
Shorewall6 from altering the /etc/iproute2/rt_tables database when
there are entries in /etc/shorewall6/providers. If you set this
option to Yes while Shorewall6 (Shorewall6-lite) is running, you
should remove the file /var/lib/shorewall6/rt_tables
(/var/lib/shorewall6-lite/rt_tables) before your next stop,
refresh, restore or restart command.

The default is KEEP_RT_TABLES=No.

LEGACY_FASTSTART={Yes|No}
Added in Shorewall6 4.4.20. If not specified, the default is Yes
which preserves the legacy behavior of start -f (the modification
times of the files in /etc/shorewall6 are compared with that of
/var/lib/shorewall6/restore). If set to No, then the times are
compared with that of /var/lib/shorewall6/firewall, which is
consistent with the way that restart -f works.

LOAD_HELPERS_ONLY={Yes|No}
Added in Shorewall 4.4.7. When set to Yes, restricts the set of
modules loaded by shorewall to those listed in
/var/lib/shorewall6/helpers and those that are actually used. When
not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
assumed.

LOG_VERBOSITY=[number]
This option controls the amount of information logged to the file
specified in the STARTUP_LOG option.

Values are:

-1 - Logging is disabled
0 - Silent. Only error messages are logged.
1 - Major progress messages logged.
2 - All progress messages logged.

If not specified, then -1 is assumed.

LOGALLNEW=[log-level]
This option is intended for use as a debugging aid. When set to a
log level, this option causes Shorewall6 to generate a logging rule
as the first rule in each builtin chain.

· The table name is used as the chain name in the log prefix.

· The chain name is used as the target in the log prefix.

For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:

Shorewall:nat:PREROUTING

Important
To help ensure that all packets in the NEW state are logged,
rate limiting (LOGBURST and LOGRATE) should be disabled when
using LOGALLNEW. Use LOGALLNEW at your own risk; it may cause
high CPU and disk utilization and you may not be able to
control your firewall after you enable this option.

Caution
Do not use this option if the resulting log messages will be
sent to another system.

LOGFILE=[pathname]
This parameter tells the /sbin/shorewall6 program where to look for
Shorewall6 messages when processing the dump, logwatch, show log,
and hits commands. If not assigned or if assigned an empty value,
/var/log/messages is assumed.

LOGFORMAT=["formattemplate"]
The value of this variable generates the --log-prefix setting for
Shorewall6 logging rules. It contains a "printf" formatting
template which accepts three arguments (the chain name, logging
rule number (optional) and the disposition). To use LOGFORMAT with
fireparse, set it as:

LOGFORMAT="fp=%s:%d a=%s "

If the LOGFORMAT value contains the substring "%d" then the logging
rule number is calculated and formatted in that position; if that
substring is not included then the rule number is not included. If
not supplied or supplied as empty (LOGFORMAT="") then
"Shorewall6:%s:%s:" is assumed.

Note
The setting of LOGFORMAT has an effect on the permitted length
of zone names. See shorewall6-zones[8] (5).

LOGLIMIT=[[{s|d}:]rate/{sec|min|hour|day}[:burst]]
Added in Shorewall 4.4.12. Limits the logging rate, either overall,
or by source or destination IP address.

If the value starts with 's:' then logging is limited per source
IP. If the value starts with 'd:', then logging is limited per
destination IP. Otherwise, the overall logging rate is limited.

If burst is not specified, then a value of 5 is assumed.

LOGBURST=[burst]
Deprecated in Shorewall 4.4.12.

LOGRATE=[rate/{minute|second}]
As of Shorewall 4.4.12, these parameters are deprecated.

These parameters set the match rate and initial burst size for
logged packets. Please see ip6tables(8) for a description of the
behavior of these parameters (the ip6tables option --limit is set
by LOGRATE and --limit-burst is set by LOGBURST). If both
parameters are set empty, no rate-limiting will occur. If you
supply one of these, then you should also supply the other.

Example:

LOGRATE=10/minute
LOGBURST=5

For each logging rule, the first time the rule is reached, the
packet will be logged; in fact, since the burst is 5, the first
five packets will be logged. After this, it will be 6 seconds (1
minute divided by the rate of 10) before a message will be logged
from the rule, regardless of how many packets reach it. Also, every
6 seconds, one of the bursts will be regained; if no packets hit
the rule for 30 seconds, the burst will be fully recharged; back
where we started.
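As an added example (not from this man page or from Shorewall), the following Python code parses a LOGLIMIT value in the syntax documented above and reproduces the LOGRATE=10/minute, LOGBURST=5 walk-through. It assumes the ip6tables limit match behaves as a token bucket (burst tokens, refilled at the configured rate); the function names and packet times are constructed for this example.

```python
import re
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# Added example: parse LOGLIMIT / LOGRATE-style values and simulate the
# resulting logging rate limit as a token bucket. Assumption: the limit
# match starts with `burst` tokens and regains one token every 1/rate
# seconds, never holding more than `burst`. Names are this example's own.

_UNIT_SECONDS = {"second": 1, "sec": 1, "minute": 60, "min": 60,
                 "hour": 3600, "day": 86400}

_LOGLIMIT_RE = re.compile(
    r"^(?:(?P<scope>[sd]):)?(?P<n>\d+)/(?P<unit>second|sec|minute|min|hour|day)"
    r"(?::(?P<burst>\d+))?$")


def parse_loglimit(value: str) -> Tuple[Optional[str], Fraction, int]:
    """Return (scope, rate in log entries per second, burst).

    scope is 's' (per source IP), 'd' (per destination IP) or None (overall).
    burst defaults to 5, as documented above. Fractions keep 10/minute exact.
    """
    m = _LOGLIMIT_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad LOGLIMIT value: {value!r}")
    rate = Fraction(int(m["n"]), _UNIT_SECONDS[m["unit"]])
    burst = int(m["burst"]) if m["burst"] else 5
    return m["scope"], rate, burst


class _Bucket:
    """One token bucket; packet times must be non-decreasing."""

    def __init__(self, rate: Fraction, burst: int) -> None:
        self.rate, self.burst = rate, Fraction(burst)
        self.tokens, self.last = self.burst, Fraction(0)

    def admit(self, t) -> bool:
        t = Fraction(t)
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True          # this packet is logged
        return False             # suppressed by the limit


def simulate_limit(rate: Fraction, burst: int, packet_times: List[float]) -> List[bool]:
    """Overall limit: one bucket shared by every packet reaching the rule."""
    bucket = _Bucket(rate, burst)
    return [bucket.admit(t) for t in packet_times]


def simulate_scoped(value: str, packets: List[Tuple[float, str, str]]) -> List[bool]:
    """Apply a LOGLIMIT value to (time, src, dst) packets, keeping a separate
    bucket per source ('s:') or destination ('d:') address when scoped."""
    scope, rate, burst = parse_loglimit(value)
    buckets: Dict[Optional[str], _Bucket] = {}
    out = []
    for t, src, dst in packets:
        key = src if scope == "s" else dst if scope == "d" else None
        out.append(buckets.setdefault(key, _Bucket(rate, burst)).admit(t))
    return out


def lograte_example() -> List[bool]:
    """The LOGRATE=10/minute, LOGBURST=5 walk-through from the text, with
    constructed arrival times in seconds."""
    _, rate, burst = parse_loglimit("10/minute:5")
    times = [0, 0, 0, 0, 0, 0,            # six at once: 5 logged, 6th suppressed
             6, 12,                       # one token regained every 6 s
             42, 42, 42, 42, 42, 42]      # 30 s idle: burst fully recharged
    return simulate_limit(rate, burst, times)


if __name__ == "__main__":
    print(lograte_example())
```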

LOGTAGONLY=[Yes|No]
Using the default LOGFORMAT, chain names may not exceed 11
characters or truncation of the log prefix may occur. Longer chain
names may be used with log tags if you set LOGTAGONLY=Yes. With
LOGTAGONLY=Yes, if a log tag is specified then the tag is included
in the log prefix in place of the chain name.

MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT|A_DROP|A_REJECT]
Determines the disposition of connection requests that fail MAC
Verification and must have the value ACCEPT (accept the connection
request anyway), REJECT (reject the connection request) or DROP
(ignore the connection request). If not set or if set to the empty
value (e.g., MACLIST_DISPOSITION="") then
MACLIST_DISPOSITION=REJECT is assumed.

A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and ip6tables.

MACLIST_LOG_LEVEL=[log-level]
Determines the syslog level for logging connection requests that
fail MAC Verification. The value must be a valid syslogd log level.
If you don't want to log these connection requests, set to the
empty value (e.g., MACLIST_LOG_LEVEL="").

MACLIST_TABLE=[filter|mangle]
Normally, MAC verification occurs in the filter table (INPUT and
FORWARD) chains. When forwarding a packet from an interface with
MAC verification to a bridge interface, that doesn't work.

This problem can be worked around by setting MACLIST_TABLE=mangle
which will cause MAC verification to occur out of the PREROUTING
chain. Because REJECT isn't available in that environment, you may
not specify MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle.

MACLIST_TTL=[number]
The performance of configurations with a large number of entries
in shorewall-maclist[10](5) can be improved by setting the
MACLIST_TTL variable in shorewall.conf[11](5).

If your iptables and kernel support the "Recent Match" (see the
output of "shorewall check" near the top), you can cache the
results of a 'maclist' file lookup and thus reduce the overhead
associated with MAC Verification.

When a new connection arrives from a 'maclist' interface, the
packet passes through the list of entries for that interface in
shorewall-maclist[10](5). If there is a match then the source IP
address is added to the 'Recent' set for that interface. Subsequent
connection attempts from that IP address occurring within
$MACLIST_TTL seconds will be accepted without having to scan all of
the entries. After $MACLIST_TTL seconds from the first accepted
connection request from an IP address, the next connection request
from that IP address will be checked against the entire list.

If MACLIST_TTL is not specified, is specified as empty (e.g.,
MACLIST_TTL="") or is specified as zero, then 'maclist' lookups
will not be cached.

MANGLE_ENABLED=[Yes|No]
Determines whether Shorewall will generate rules in the Netfilter
mangle table. Setting MANGLE_ENABLED=No disables all Shorewall
features that require the mangle table. The default is
MANGLE_ENABLED=Yes.

MARK_IN_FORWARD_CHAIN=[Yes|No]
If your kernel has a FORWARD chain in the mangle table, you may set
MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the
tcrules file to occur in that chain rather than in the PREROUTING
chain. This permits you to mark inbound traffic based on its
destination address when DNAT is in use. To determine if your
kernel has a FORWARD chain in the mangle table, use the
/sbin/shorewall6 show mangle command; if a FORWARD chain is
displayed then your kernel will support this option. If this option
is not specified or if it is given the empty value (e.g.,
MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.

MODULE_SUFFIX=["extension ..."]
The value of this option determines the possible file extensions of
kernel modules. The default value is "ko ko.gz o o.gz gz".

MODULESDIR=[pathname[:pathname]...]
This parameter specifies the directory/directories where your
kernel netfilter modules may be found. If you leave the variable
empty, Shorewall6 will supply
"/lib/modules/`uname -r`/kernel/net/ipv4/netfilter:/lib/modules/`uname -r`/kernel/net/ipv4/netfilter".

MUTEX_TIMEOUT=[seconds]
The value of this variable determines the number of seconds that
programs will wait for exclusive access to the Shorewall6 lock
file. After the number of seconds corresponding to the value of
this variable, programs will assume that the last program to hold
the lock died without releasing the lock.

If not set or set to the empty value, a value of 60 (60 seconds) is
assumed.

An appropriate value for this parameter would be twice the length
of time that it takes your firewall system to process a shorewall6
restart command.

OPTIMIZE=[value]
The specified value enables certain optimizations. Each
optimization category is associated with a power of two. To enable
multiple optimization categories, simply add their corresponding
numbers together.

· Optimization category 1 - Traditionally, Shorewall has created
rules for the complete matrix of host groups defined by the
zones, interfaces and hosts files[12]. Any traffic that didn't
correspond to an element of that matrix was rejected in one of
the built-in chains. When the matrix is sparse, this results in
lots of largely useless rules.

These extra rules can be eliminated by setting the 1 bit in
OPTIMIZE.

The 1 bit setting also controls the suppression of redundant
wildcard rules (those specifying "all" in the SOURCE or DEST
column). A wildcard rule is considered to be redundant when it
has the same ACTION and Log Level as the applicable policy.

· Optimization category 2 - Added in Shorewall 4.4.7. When set,
suppresses superfluous ACCEPT rules in a policy chain that
implements an ACCEPT policy. Any ACCEPT rules that immediately
precede the final blanket ACCEPT rule in the chain are now
omitted.

· Optimization category 4 - Added in Shorewall 4.4.7. When set,
causes short chains (those with less than 2 rules) to be
optimized away. The following chains are excluded from
optimization:

    · accounting chains (unless OPTIMIZE_ACCOUNTING=Yes)

    · action chains (user-defined)

    · 'blacklst' chain

    · dynamic

Additionally:

    · If a built-in chain has a single rule that branches to a
    second chain, then the rules from the second chain are
    moved to the built-in chain and the target chain is
    omitted.

    · Chains with no references are deleted.

    · Accounting chains are subject to optimization if the
    OPTIMIZE_ACCOUNTING option is set to 'Yes'.

    · If a chain ends with an unconditional branch to a second
    chain (other than to 'reject'), then the branch is deleted
    from the first chain and the rules from the second chain
    are appended to it.

· Optimization category 8 - Added in Shorewall 4.4.9. When set,
causes chains with duplicate rules to be collapsed into a
single chain.

The default value is zero which disables all optimizations.

OPTIMIZE_ACCOUNTING=[Yes|No]
Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
chains are subject to optimization (OPTIMIZE=4,5,6 or 7). If not
specified or set to the empty value, OPTIMIZE_ACCOUNTING=No is
assumed.
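As an added example (not part of this man page or of Shorewall), the following Python code parses the shorewall6.conf format described at the top of this page (shell comments, blank lines, variable=value with quoting) and lints the parsed settings against constraints the page states: the BLACKLISTNEWONLY/FASTACCEPT note, the MACLIST_DISPOSITION=REJECT restriction with MACLIST_TABLE=mangle, and the OPTIMIZE bits that OPTIMIZE_ACCOUNTING depends on. It assumes FASTACCEPT defaults to No when unset (the page does not state its default); the function names and the sample file are constructed for this example.

```python
import re
import shlex
from typing import Dict, List

# Added example: parse shorewall6.conf assignments and check the documented
# constraints. Defaults used: BLACKLISTNEWONLY=No, MACLIST_DISPOSITION=REJECT,
# OPTIMIZE_ACCOUNTING=No (all from the page); FASTACCEPT=No is assumed.

_ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse shorewall6.conf text into a name -> value mapping."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comment or blank line
        m = _ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an assignment: {raw!r}")
        name, value = m.group(1), m.group(2).strip()
        # shlex applies shell quoting rules, so "NFLOG(1,0,1)" survives intact
        # and a trailing '# comment' is dropped.
        parts = shlex.split(value, comments=True)
        if len(parts) > 1:
            raise ValueError(f"line {lineno}: unquoted white-space in value of {name}")
        settings[name] = parts[0] if parts else ""
    return settings


def _bool(settings: Dict[str, str], name: str, default: bool) -> bool:
    """Yes/No options: an unset or empty value takes the documented default."""
    v = settings.get(name, "")
    if v == "":
        return default
    if v.lower() == "yes":
        return True
    if v.lower() == "no":
        return False
    raise ValueError(f"{name}: expected Yes or No, got {v!r}")


def optimize_categories(value: int) -> List[int]:
    """Decode an OPTIMIZE value into the categories (1, 2, 4, 8) it enables."""
    return [bit for bit in (1, 2, 4, 8) if value & bit]


def lint_conf(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems found in the parsed settings."""
    problems: List[str] = []
    # BLACKLISTNEWONLY defaults to No, so FASTACCEPT=Yes alone already conflicts.
    if _bool(settings, "FASTACCEPT", False) and not _bool(settings, "BLACKLISTNEWONLY", False):
        problems.append("FASTACCEPT=Yes is incompatible with BLACKLISTNEWONLY=No (the default)")
    # REJECT is not available from PREROUTING; MACLIST_DISPOSITION defaults to REJECT.
    disposition = settings.get("MACLIST_DISPOSITION", "") or "REJECT"
    if settings.get("MACLIST_TABLE", "") == "mangle" and disposition == "REJECT":
        problems.append("MACLIST_DISPOSITION=REJECT cannot be used with MACLIST_TABLE=mangle")
    # OPTIMIZE_ACCOUNTING only matters when category 4 is enabled (OPTIMIZE=4,5,6,7).
    optimize = int(settings.get("OPTIMIZE", "") or 0)
    if _bool(settings, "OPTIMIZE_ACCOUNTING", False) and 4 not in optimize_categories(optimize):
        problems.append(f"OPTIMIZE_ACCOUNTING=Yes has no effect with OPTIMIZE={optimize}")
    return problems


def lint_text(text: str) -> List[str]:
    return lint_conf(parse_conf(text))


# Constructed sample, not a real shorewall6.conf: every setting below is
# individually valid, yet the documented defaults make three combinations wrong.
SAMPLE_CONF = """\
# constructed sample
LOG_LEVEL="NFLOG(1,0,1)"
FASTACCEPT=Yes          # BLACKLISTNEWONLY left unset, so it defaults to No
MACLIST_TABLE=mangle
MACLIST_DISPOSITION=""
OPTIMIZE=3
OPTIMIZE_ACCOUNTING=Yes
"""

if __name__ == "__main__":
    for problem in lint_text(SAMPLE_CONF):
        print("problem:", problem)
```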

PATH=pathname[:pathname]...
Determines the order in which Shorewall6 searches directories for
executable files.

PERL=pathname
Added in Shorewall 4.4.11 RC1. Specifies the path name of the Perl
executable. Default is /usr/bin/perl. If the pathname specified by
this option does not exist or the named file is not executable,
then Shorewall6 falls back to /usr/bin/perl.

RCP_COMMAND="command"

RSH_COMMAND="command"
Earlier generations of Shorewall6 Lite required that remote root
login via ssh be enabled in order to use the load and reload
commands. Beginning with release 3.9.5, you may define an
alternative means for accessing the remote firewall system. In that
release, two new options were added to shorewall6.conf:

RSH_COMMAND
RCP_COMMAND

The default values for these are as follows:

RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

Shell variables that will be set when the commands are invoked are as
follows:

root - root user. Normally root but may be overridden using the
'-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the
firewall system.
files - For RCP_COMMAND, a space-separated list of files to be
copied to the remote firewall system.
destination - The directory on the remote system that the files are
to be copied into.

747 REQUIRE_INTERFACE=[Yes|No]
748 Added in Shorewall 4.4.10. The default is No. If set to Yes, at
749 least one optional interface must be up in order for the firewall
750 to be in the started state. Intended to be used with the Shorewall
751 Init Package[13].
752
753 RESTOREFILE=filename
754 Specifies the simple name of a file in /var/lib/shorewall6 to be
755 used as the default restore script in the shorewall6 save,
756 shorewall6 restore, shorewall6 forget and shorewall6 -f start
757 commands.
758
759 SHOREWALL_SHELL=[pathname]
760 This option is used to specify the shell program to be used to
761 interpret the compiled script. If not specified or specified as a
762 null value, /bin/sh is assumed. Using a light-weight shell such as
763 ash or dash can significantly improve performance.
764
765 SMURF_DISPOSITION=[DROP|A_DROP]
766 Added in Shorewall 4.4.20. The default setting is DROP which causes
767 smurf packets (see the nosmurfs option in
768 shorewall-interfaces[14](5)) to be dropped. A_DROP causes the
769 packets to be audited prior to being dropped and requires
770 AUDIT_TARGET support in the kernel and ip6tables.
771
772 SMURF_LOG_LEVEL=[log-level]
773 Specifies the logging level for smurf packets (see the nosmurfs
774 option in shorewall6-interfaces[15](5)). If set to the empty value
775 ( SMURF_LOG_LEVEL="" ) then smurfs are not logged.
776
777 SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
778 Added in Shorewall 4.4.20. Determines the disposition of packets
779 matching the filter option (see shorewall6-interfaces[15](5)) and
780 of hairpin packets[16] on interfaces without the routeback
781 option.
782
783 SFILTER_LOG_LEVEL=log-level
784 Added in Shorewall 4.4.20. Determines the logging of packets
785 matching the filter option (see shorewall6-interfaces[15](5)) and
786 of hairpin packets[17] on interfaces without the routeback
787 option. The default is info. If you don't wish for these
788 packets to be logged, use SFILTER_LOG_LEVEL=none.
790
791 STARTUP_ENABLED={Yes|No}
792 Determines if Shorewall6 is allowed to start. As released from
793 shorewall.net, this option is set to No. When set to Yes or yes,
794 Shorewall6 may be started. Used as a guard against Shorewall6 being
795 accidentally started before it has been configured.
796
797 STARTUP_LOG=[pathname]
798 If specified, determines where Shorewall6 will log the details of
799 each start, restart and refresh command. Logging verbosity is
800 determined by the setting of LOG_VERBOSITY above.
801
802 SUBSYSLOCK=[pathname]
803 This parameter should be set to the name of a file that the
804 firewall should create if it starts successfully and remove when it
805 stops. Creating and removing this file allows Shorewall6 to work
806 with your distribution's initscripts. For RedHat, this should be
807 set to /var/lock/subsys/shorewall6. For Debian, the value is
808 /var/lock/shorewall6 and in LEAF it is /var/run/shorwall.
809
810 TC=[pathname]
811 If specified, gives the pathname of the 'tc' executable. If not
812 specified, 'tc' is assumed and the utility will be located using
813 the current PATH setting.
814
815 TC_ENABLED=[Yes|No|Internal|Shared]
816 If you say Yes or yes here, Shorewall6 will use a script that you
817 supply to configure traffic shaping. The script must be named
818 'tcstart' and must be placed in a directory on your CONFIG_PATH.
819
820 If you say No or no then traffic shaping is not enabled.
821
822 If you set TC_ENABLED=Internal or internal or leave the option
823 empty then Shorewall6 will use its builtin traffic shaper
824 (tc4shorewall6, written by Arne Bernin).
825
826 Beginning with Shorewall 4.4.15, if you set TC_ENABLED=Shared or
827 shared, then you should create symbolic links from your Shorewall6
828 configuration directory (normally /etc/shorewall6/) to your
829 Shorewall tcdevices and tcclasses files. This allows the compiler
830 to have access to your Shorewall traffic shaping configuration so
831 that it can validate CLASSIFY rules in shorewall6-tcrules[18] (5).
832
833 Warning
834 If you also run Shorewall and if you have TC_ENABLED=Internal
835 in your shorewall-conf[6](5), then you will want TC_ENABLED=No
836 or TC_ENABLED=Shared in this file.
837
838 TC_EXPERT={Yes|No}
839 Normally, Shorewall6 tries to protect users from themselves by
840 preventing PREROUTING and OUTPUT tcrules from being applied to
841 packets that have been marked by the 'track' option in
842 shorewall6-providers[19](5).
843
844 If you know what you are doing, you can set TC_EXPERT=Yes and
845 Shorewall6 will not include these cautionary checks.
846
847 TC_PRIOMAP=map
848 Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS
849 field to priority bands. See shorewall6-tcpri[20](5). The map
850 consists of 16 space-separated digits with values 1, 2 or 3. A
851 value of 1 corresponds to Linux priority 0, 2 to Linux priority 1,
852 and 3 to Linux Priority 2. The first entry gives the priority of
853 TOS value 0, the second of TOS value 1, and so on. See tc-prio(8)
854 for additional information.
855
856 The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2
857 2".
858
859 TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT]
860 Determines the disposition of TCP packets that fail the checks
861 enabled by the tcpflags interface option (see
862 shorewall6-interfaces[15](5)) and must have a value of ACCEPT
863 (accept the packet), REJECT (send an RST response) or DROP (ignore
864 the packet). If not set or if set to the empty value (e.g.,
865 TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is
866 assumed.
867
868 TCP_FLAGS_LOG_LEVEL=[log-level]
869 Determines the syslog level for logging packets that fail the
870 checks enabled by the tcpflags interface option. The value must be
871 a valid syslogd log level. If you don't want to log these packets,
872 set to the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").
873
874 TRACK_PROVIDERS={Yes|No}
875 Added in Shorewall 4.4.3. When set to Yes, causes the track option
876 to be assumed on all providers defined in
877 shorewall6-providers[19](5). May be overridden on an individual
878 provider through use of the notrack option. The default value is
879 'No'.
880
881 Beginning in Shorewall 4.4.6, setting this option to 'Yes' also
882 simplifies PREROUTING rules in shorewall6-tcrules[5](5).
883 Previously, when TC_EXPERT=No, packets arriving through 'tracked'
884 provider interfaces were unconditionally passed to the PREROUTING
885 tcrules. This was done so that tcrules could reset the packet mark
886 to zero, thus allowing the packet to be routed using the 'main'
887 routing table. Using the main table allowed dynamic routes (such as
888 those added for VPNs) to be effective. The
889 shorewall6-route_rules[21](5) file was created to provide a better
890 alternative to clearing the packet mark. As a consequence, passing
891 these packets to PREROUTING complicates things without providing
892 any real benefit. Beginning with Shorewall 4.4.6, when
893 TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
894 'tracked' interfaces will not be passed to the PREROUTING rules.
895 Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
896 should be transparent to most, if not all, users.
897
898 VERBOSITY=[number]
899 Shorewall6 has traditionally been very noisy (produced lots of
900 output). You may set the default level of verbosity using the
901 VERBOSITY option.
902
903 Values are:
904 0 - Silent. You may make it more verbose using the -v
905 option
906 1 - Major progress messages displayed
907 2 - All progress messages displayed (pre Shorewall6-3.2.0
908 behavior)
909 If not specified, then 2 is assumed.
910
911 WIDE_TC_MARKS={Yes|No}
912 When set to No (the default), traffic shaping marks are 8 bits
913 wide (possible values are 1-255). When WIDE_TC_MARKS=Yes, traffic
914 shaping marks are 14 bits wide (values 1-16383). The setting of
915 WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS option
916 (see above).
917
918 ZONE2ZONE={2|-}
919 Added in Shorewall 4.4.4. This option determines how Shorewall
920 constructs chain names involving zone names and/or 'all'. The
921 default is '2' (e.g., fw2net).
922
924 /etc/shorewall6/shorewall6.conf
925
927 shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
928 shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
929 shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
930 shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
931 shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
932 shorewall6-route_rules(5), shorewall6-routestopped(5),
933 shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
934 shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
935 shorewall6-zones(5)
936
938 1. shorewall6-policy
939 http://www.shorewall.net/manpages6/shorewall6-policy.html
940
941 2. shorewall6-accounting
942 http://www.shorewall.net/manpages6/shorewall6-accounting.html
943
944 3. shorewall-accounting
945 http://www.shorewall.net/manpages6/shorewall-accounting.html
946
947 4. shorewall6-routestopped
948 http://www.shorewall.net/manpages6/shorewall6-routestopped.html
949
950 5. shorewall6-tcrules
951 http://www.shorewall.net/manpages6/shorewall6-tcrules.html
952
953 6. shorewall-conf
954 http://www.shorewall.net/manpages6/../manpages/shorewall.conf.html
955
956 7. shorewall6-rules
957 http://www.shorewall.net/manpages6/shorewall6-rules.html
958
959 8. shorewall6-zones
960 http://www.shorewall.net/manpages6/shorewall6-zones.html
961
962 9. shorewall6-nesting
963 http://www.shorewall.net/manpages6/shorewall6-nesting.html
964
965 10. shorewall-maclist
966 http://www.shorewall.net/manpages6/shorewall-maclist.html
967
968 11. shorewall.conf
969 http://www.shorewall.net/manpages6/shorewall.conf.html
970
971 12. the complete matrix of host groups defined by the zones, interfaces
972 and hosts files
973 http://www.shorewall.net/manpages6/../ScalabilityAndPerformance.html
974
975 13. Shorewall Init Package
976 http://www.shorewall.net/manpages6/../Manpages/shorewall-init.html
977
978 14. shorewall-interfaces
979 http://www.shorewall.net/manpages6/shorewall-interfaces.html
980
981 15. shorewall6-interfaces
982 http://www.shorewall.net/manpages6/shorewall6-interfaces.html
983
984 16. Hairpin packets are packets that are routed out of the same
985 interface that they arrived on.
986
987 17. Hairpin packets are packets that are routed out of the same
988 interface that they arrived on.
989
990 18. shorewall6-tcrules
991 http://www.shorewall.net/manpages6/shorewall-tcrules.html
992
993 19. shorewall6-providers
994 http://www.shorewall.net/manpages6/shorewall6-providers.html
995
996 20. shorewall6-tcpri
997 http://www.shorewall.net/manpages6/shorewall6-tcpri.html
998
999 21. shorewall6-route_rules
1000 http://www.shorewall.net/manpages6/shorewall6-route_rules.html
1001
1002
1003
1004[FIXME: source] 09/16/2011 SHOREWALL6.CONF(5)