shorewall-rules(5)                                          shorewall-rules(5)

NAME
       rules - Shorewall rules file

SYNOPSIS
       /etc/shorewall/rules

DESCRIPTION
       Entries in this file govern connection establishment by defining
       exceptions to the policies laid out in shorewall-policy
       ⟨shorewall-policy.html⟩ (5). By default, subsequent requests and
       responses are automatically allowed using connection tracking. For any
       particular (source,dest) pair of zones, the rules are evaluated in the
       order in which they appear in this file and the first terminating match
       is the one that determines the disposition of the request. All rules
       are terminating except LOG and QUEUE rules.

       Warning

              If you masquerade or use SNAT from a local system to the
              internet, you cannot use an ACCEPT rule to allow traffic from
              the internet to that system. You must use a DNAT rule instead.

       The rules file is divided into sections. Each section is introduced by
       a "Section Header", which is a line beginning with SECTION followed by
       the section name.

       Sections are as follows and must appear in the order listed:

       ESTABLISHED
              Packets in the ESTABLISHED state are processed by rules in this
              section.

              The only ACTIONs allowed in this section are ACCEPT, DROP,
              REJECT, LOG and QUEUE.

              There is an implicit ACCEPT rule inserted at the end of this
              section.

       RELATED
              Packets in the RELATED state are processed by rules in this
              section.

              The only ACTIONs allowed in this section are ACCEPT, DROP,
              REJECT, LOG and QUEUE.

              There is an implicit ACCEPT rule inserted at the end of this
              section.

       NEW    Packets in the NEW and INVALID states are processed by rules in
              this section.

       Note

              If you are not familiar with Netfilter to the point where you
              are comfortable with the differences between the various
              connection tracking states, then it is suggested that you omit
              the ESTABLISHED and RELATED sections and place all of your rules
              in the NEW section (that is, after the line that reads SECTION
              NEW).

       Warning

              If you specify FASTACCEPT=Yes in shorewall.conf
              ⟨shorewall.conf.html⟩ (5) then the ESTABLISHED and RELATED
              sections must be empty.

       You may omit any section that you don't need. If no Section Headers
       appear in the file then all rules are assumed to be in the NEW section.
69
70 When defining rules that rewrite the destination IP address and/or port
71 number (namely DNAT and REDIRECT rules), it is important to keep
72 straight which columns in the file specify the packet before rewriting
73 and which specify how the packet will look after rewriting.
74
75 · The DEST column specifies the final destination for the packet after
76 rewriting and can include the final IP address and/or port number.
77
78 · The remaining columns specify characteristics of the packet before
79 rewriting. In particular, the ORIGINAL DEST column gives the original
80 destination IP address of the packet and the DEST PORT(S) column give
81 the original destination port(s).
82
       The columns in the file are as follows.

       ACTION — {ACCEPT[+|!]|NONAT|DROP[!]|REJECT[!]|DNAT[-]|SAME[-]|REDIRECT[-]|CONTINUE[!]|LOG|QUEUE[!]|NFQUEUE[/queuenumber]|COMMENT|action|macro[/target]}[:{log-level|none}[!][:tag]]
              Specifies the action to be taken if the connection request
              matches the rule. Must be one of the following.

              ACCEPT Allow the connection request.

              ACCEPT+
                     Like ACCEPT but also excludes the connection from any
                     subsequent matching DNAT[-] or REDIRECT[-] rules.

              ACCEPT!
                     Like ACCEPT but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              NONAT  Excludes the connection from any subsequent DNAT[-] or
                     REDIRECT[-] rules but doesn't generate a rule to accept
                     the traffic.

              DROP   Ignore the request.

              DROP!  Like DROP but exempts the rule from being suppressed by
                     OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩ (5).

              REJECT Disallow the request and return an icmp-unreachable or
                     an RST packet.

              REJECT!
                     Like REJECT but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              DNAT   Forward the request to another system (and optionally
                     another port).

              DNAT-  Advanced users only.

                     Like DNAT but only generates the DNAT iptables rule and
                     not the companion ACCEPT rule.

              SAME   Similar to DNAT except that the port may not be remapped
                     and, when multiple server addresses are listed, all
                     requests from a given remote system go to the same
                     server.

                     Warning

                            Support for SAME is scheduled for removal from
                            the Linux kernel in 2008.

              SAME-  Advanced users only.

                     Like SAME but only generates the nat iptables rule and
                     not the companion ACCEPT rule.

              REDIRECT
                     Redirect the request to a server running on the
                     firewall.

              REDIRECT-
                     Advanced users only.

                     Like REDIRECT but only generates the REDIRECT iptables
                     rule and not the companion ACCEPT rule.

              CONTINUE
                     For experts only.

                     Do not process any of the following rules for this
                     (source zone,destination zone). If the source and/or
                     destination IP address falls into a zone defined later
                     in shorewall-zones ⟨shorewall-zones.html⟩ (5) or in a
                     parent zone of the source or destination zones, then
                     this connection request will be passed to the rules
                     defined for that (those) zone(s). See shorewall-nesting
                     ⟨shorewall-nesting.html⟩ (5) for additional
                     information.

              CONTINUE!
                     Like CONTINUE but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              LOG    Simply log the packet and continue with the next rule.

              QUEUE  Queue the packet to a user-space application such as
                     ftwall (http://p2pwall.sf.net). The application may
                     reinsert the packet for further processing.

              QUEUE! Like QUEUE but exempts the rule from being suppressed by
                     OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩ (5).

              NFQUEUE
                     Only supported by Shorewall-perl >= 4.0.3.

                     Queues the packet to a user-space application using the
                     nfnetlink_queue mechanism. If a queuenumber is not
                     specified, queue zero (0) is assumed.

              NFQUEUE!
                     Like NFQUEUE but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              COMMENT
                     The rest of the line will be attached as a comment to
                     the Netfilter rule(s) generated by the following
                     entries. The comment will appear delimited by "/* ...
                     */" in the output of "shorewall show <chain>". To stop
                     the comment from being attached to further rules, simply
                     include COMMENT on a line by itself.

              action The name of an action declared in shorewall-actions
                     ⟨shorewall-actions.html⟩ (5) or in
                     /usr/share/shorewall/actions.std.

              macro  The name of a macro defined in a file named
                     macro.macro. If the macro accepts an action parameter
                     (look at the macro source to see if it has PARAM in the
                     TARGET column) then the macro name is followed by "/"
                     and the target (ACCEPT, DROP, REJECT, ...) to be
                     substituted for the parameter.

                     Example: FTP/ACCEPT.

              The ACTION may optionally be followed by ":" and a syslog log
              level (e.g., REJECT:info or DNAT:debug). This causes the packet
              to be logged at the specified level. Note that if the ACTION
              involves destination network address translation (DNAT,
              REDIRECT, SAME, etc.) then the packet is logged before the
              destination address is rewritten.

              If the ACTION names an action declared in shorewall-actions
              ⟨shorewall-actions.html⟩ (5) or in
              /usr/share/shorewall/actions.std then:

              ·   If the log level is followed by "!" then all rules in the
                  action are logged at the log level.

              ·   If the log level is not followed by "!" then only those
                  rules in the action that do not specify logging are logged
                  at the specified level.

              ·   The special log level none! suppresses logging by the
                  action.

              You may also specify ULOG (must be in upper case) as a log
              level. This will log to the ULOG target for routing to a
              separate log through use of ulogd
              (⟨http://www.netfilter.org/projects/ulogd/index.html⟩).

              Actions specifying logging may be followed by a log tag (a
              string of alphanumeric characters) which is appended to the
              string generated by the LOGPREFIX (in shorewall.conf
              ⟨shorewall.conf.html⟩ (5)).

              Example: ACCEPT:info:ftp would include 'ftp ' at the end of the
              log prefix generated by the LOGPREFIX setting.
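
              The following rules, added here as an illustration of the
              log-level and log-tag syntax and not taken from the man page,
              assume the zone names net and loc, a web server at
              192.168.1.3, and the standard Drop action shipped in
              /usr/share/shorewall/actions.std:

```text
# Added example of the log-level and log-tag syntax; not from the man page.
# Zone names and the server address are assumptions. "Drop" is the standard
# action shipped in /usr/share/shorewall/actions.std.
#ACTION              SOURCE  DEST               PROTO  DEST PORT(S)
# Log at level info with the tag "telnet", so the log prefix produced by
# LOGPREFIX ends in "telnet ":
REJECT:info:telnet   net     $FW                tcp    23
# A DNAT rule logs the packet *before* rewriting, so the destination in the
# log entry is the public address, not 192.168.1.3:
DNAT:info:web        net     loc:192.168.1.3    tcp    80
# Send noisy drops to ulogd instead of syslog; ULOG must be upper case:
DROP:ULOG            net     $FW                udp    137:139
# Invoke an action but suppress every log entry it would generate:
Drop:none!           net     all
```

              The tag is what lets log-processing tools pick a particular
              rule's entries out of everything else Shorewall writes under
              the same LOGPREFIX.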
245
246 SOURCE — {zone|all[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}
247 Source hosts to which the rule applies. May be a zone declared
248 in /etc/shorewall/zones, $FW to
249 indicate the firewall itself, all,
250 all+, all-, all+-
251 or none.
252
253 When none is used either in
254 the SOURCE or DEST column, the rule is ignored.
255
256 all means "All Zones",
257 including the firewall itself. all-
258 means "All Zones, except the firewall itself". When all[-] is
259 used either in the SOURCE or
260 DEST column intra-zone traffic is
261 not affected. When all+[-] is "used, intra-zone traffic is
262 affected.
263
264 Except when all[+][-] is
265 specified, clients may be further restricted to a list of networks
266 and/or hosts by appending ":" and a comma-separated list of network
267 and/or host addresses. Hosts may be specified by IP or MAC address;
268 mac addresses must begin with "~" and must use "-" as a
269 separator.
270
271 Hosts may also be specified as an IP address range using the
272 syntax
273 lowaddress-highaddress.
274 This requires that your kernel and iptables contain iprange match
275 support. If your kernel and iptables have ipset match support then
276 you may give the name of an ipset prefaced by "+". The ipset name
277 may be optionally followed by a number from 1 to 6 enclosed in
278 square brackets ([]) to indicate the number of levels of source
279 bindings to be matched.
280
281 You may exclude certain hosts from the set already defined
282 through use of an exclusion (see
283 shorewall-exclusion
284 ⟨shorewall-exclusion.html⟩
285 (5)).
286
287 Examples:
288
289 dmz:192.168.2.2
290 Host 192.168.2.2 in the DMZ
291
292 net:155.186.235.0/24
293 Subnet 155.186.235.0/24 on the Internet
294
295 loc:192.168.1.1,192.168.1.2
296 Hosts 192.168.1.1 and 192.168.1.2 in the local
297 zone.
298
299 loc:~00-A0-C9-15-39-78
300 Host in the local zone with MAC address
301 00:A0:C9:15:39:78.
302
303 net:192.0.2.11-192.0.2.17
304 Hosts 192.0.2.11-192.0.2.17 in the net zone.
305
306 net:!192.0.2.11-192.0.2.17
307 All hosts in the net zone except for
308 192.0.2.11-192.0.2.17.
309
310 net:155.186.235.0/24!155.186.235.16/28
311 Subnet 155.186.235.0/24 on the Internet except for
312 155.186.235.16/28
313 Alternatively, clients may be specified by interface by
314 appending ":" to the zone name followed by the interface name. For
315 example, loc:eth1 specifies a
316 client that communicates with the firewall system through eth1.
317 This may be optionally followed by another colon (":") and an
318 IP/MAC/subnet address as described above (e.g., loc:eth1:192.168.1.5).
319
320 It is important to note that when using
321 Shorewall-shell and specifying an address list that will
322 be split (i.e., a comma separated list), there is a subtle behavior
323 which has the potential to cause confusion. Consider the two
324 examples below:
325
326 Examples:
327
328 loc:eth1:192.168.1.3,192.168.1.5
329 Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
330 with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
331 from any interface in the zone.
332
333 loc:eth1:192.168.1.3,eth1:192.168.1.5
334 Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
335 with both originating from
336 eth1.
337 That is, the interface name must be explicitly stated for
338 each member of the comma separated list. Again, this distinction
339 in behavior only occurs when using
340 Shorewall-shell.
341
342 DEST — {zone|all[+][-]}[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}][:port[:random]]
343 Location of Server. May be a zone declared in
344 shorewall-zones
345 ⟨shorewall-zones.html⟩
346 (5), $FW to indicate the firewall itself, all. all+ or
347 none.
348
349 When none is used either in
350 the SOURCE or DEST column, the rule is ignored.
351
352 When all is used either in
353 the SOURCE or DEST column intra-zone traffic is not
354 affected. When all+ is used,
355 intra-zone traffic is affected.
356
357 If the DEST zone is a bport zone,
358 then either:
359
360 1. the SOURCE must be all[+][-], or
361
362 2. the SOURCE zone must be
363 another bport zone associated with the same bridge, or
364
365 3. the SOURCE zone must be an
366 ipv4 zone that is associated with only the same bridge.
367
368 Except when all[+]|[-] is specified, the server may be
369 further restricted to a particular network, host or interface by
370 appending ":" and the network, host or interface. See SOURCE above.
371
372 You may exclude certain hosts from the set already defined
373 through use of an exclusion (see
374 shorewall-exclusion
375 ⟨shorewall-exclusion.html⟩
376 (5)).
377
378 Restrictions:
379
380 1. MAC addresses are not allowed (this is a Netfilter
381 restriction).
382
383 2. In DNAT rules, only IP
384 addresses are allowed; no FQDNs or subnet addresses are
385 permitted.
386
387 3. You may not specify both an interface and an
388 address.
389
390 Like in the SOURCE column,
391 you may specify a range of IP addresses using the syntax
392 lowaddress-highaddress.
393 When the ACTION is DNAT or DNAT-, the connections will be assigned to
394 addresses in the range in a round-robin fashion.
395
396 If you kernel and iptables have ipset match support then you
397 may give the name of an ipset prefaced by "+". The ipset name may
398 be optionally followed by a number from 1 to 6 enclosed in square
399 brackets ([]) to indicate the number of levels of destination
400 bindings to be matched. Only one of the SOURCE and DEST columns may specify an ipset
401 name.
402
403 The port that the server is
404 listening on may be included and separated from the server's IP
405 address by ":". If omitted, the firewall will not modifiy the
406 destination port. A destination port may only be included if the
407 ACTION is DNAT or REDIRECT.
408
409 Example:
410 loc:192.168.1.3:3128
411 specifies a local server at IP address 192.168.1.3 and
412 listening on port 3128.
413
414 If you are using Shorewall-shell or Shorewall-perl before
415 version 4.0.5, then the port number MUST be specified as an
416 integer and not as a name from services(5). Shorewall-perl 4.0.5
417 and later permit the port to be specified as
418 a service name. Additionally, Shorewall-perl 4.0.5 and later
419 permit specifying a port range in the form
420 lowport-highport to cause connections to be
421 assigned to ports in the range in round-robin fashion. When a port
422 range is specified, lowport and
423 highport must be given as integers; service
424 names are not permitted. Beginning with Shorewall 4.0.6, the port
425 range may be optionally followed by :random which causes assignment to ports in
426 the list to be random.
427
428 If the ACTION is REDIRECT or REDIRECT-, this column needs only to
429 contain the port number on the firewall that the request should be
430 redirected to. That is equivalent to specifying
431 $FW::port.
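
              The following rules are an added illustration of the SOURCE and
              DEST restrictions described above; they are not from the man
              page. The interface, addresses, MAC address and the ipset name
              "scanners" are assumptions:

```text
# Added example of SOURCE and DEST restrictions; not from the man page.
# Interface, address, MAC and ipset names are assumptions.
#ACTION  SOURCE                             DEST   PROTO  DEST PORT(S)
# Admin workstation, pinned to the interface it sits behind. An address-only
# match (loc:192.168.1.10) would also accept that address arriving on any
# other interface in the zone:
ACCEPT   loc:eth1:192.168.1.10              $FW    tcp    22
# The same host by MAC address ("~" prefix, "-" separators). A MAC is only
# visible on a directly attached segment, and MAC addresses are not allowed
# in the DEST column at all:
ACCEPT   loc:~00-16-3E-4A-11-0F             $FW    tcp    22
# Exclusion: the whole DMZ subnet except the bastion may not initiate
# connections into loc:
DROP     dmz:192.168.2.0/24!192.168.2.5     loc
# Range match (needs iprange support in kernel and iptables):
DROP     net:192.0.2.11-192.0.2.17          all
# Known scanners kept in an ipset (needs ipset match support); only one of
# SOURCE and DEST may name an ipset:
DROP     net:+scanners                      all
```

              Whether a given match type is available on the system can be
              confirmed with "shorewall show capabilities" before relying on
              it.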
432
433 PROTO (Optional) — {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
434 Protocol - ipp2p* requires
435 ipp2p match support in your kernel and iptables. tcp:syn implies tcp plus the SYN flag must be set and the
436 RST,ACK and FIN flags must be reset.
437
438 DEST PORT(S) (Optional) — {-|port-name-number-or-range[,port-name-number-or-range]...}
439 Destination Ports. A comma-separated list of Port names (from
440 services(5)), port numbers or port ranges; if the protocol is
441 icmp, this column is interpreted as
442 the destination icmp-type(s).
443
444 If the protocol is ipp2p,
445 this column is interpreted as an ipp2p option without the leading
446 "--" (example bit for bit-torrent).
447 If no port is given, ipp2p is
448 assumed.
449
450 A port range is expressed as
451 lowport:highport.
452
453 This column is ignored if PROTO = all
454 but must be entered if any of the following columns are supplied. In
455 that case, it is suggested that this field contain a dash (-).
456
457 If your kernel contains multi-port match support, then only a
458 single Netfilter rule will be generated if in this list and the
459 CLIENT PORT(S) list below:
460
461 1. There are 15 or less ports listed.
462
463 2. No port ranges are included or your kernel and iptables
464 contain extended multiport match support.
465
466 Otherwise, unless you are using
467 Shorewall-perl
468 ⟨../Shorewall-perl.html⟩
469 , a separate rule
470 will be generated for each port. Shorewall-perl does not
471 automatically break up lists into individual rules.
472
473 SOURCE PORT(S) (Optional) — {-|port-name-number-or-range[,port-name-number-or-range]...}
474 Port(s) used by the client. If omitted, any source port is
475 acceptable. Specified as a comma- separated list of port names, port
476 numbers or port ranges.
477 Warning
478
479 Unless you really understand IP, you should leave this
480 column empty or place a dash (-)
481 in the column. Most people who try to use this column get it
482 wrong.
483 If you don't want to restrict client ports but need to
484 specify an ORIGINAL DEST in the
485 next column, then place "-" in this column.
486
487 If your kernel contains multi-port match support, then only
488 a single Netfilter rule will be generated if in this list and the
489 DEST PORT(S) list above:
490
491 1. There are 15 or less ports listed.
492
493 2. No port ranges are included or your kernel and iptables
494 contain extended multiport match support.
495
496 Otherwise, unless you are using
497 Shorewall-perl
498 ⟨../Shorewall-perl.html⟩
499 , a separate
500 rule will be generated for each port. Shorewall-perl does not
501 automatically break up lists into individual rules.
502
       ORIGINAL DEST (Optional) — [-|address[,address]...[exclusion]|exclusion]
              If ACTION is DNAT[-] or REDIRECT[-] and this column is included
              and is different from the IP address given in the DEST column,
              then connections destined for that address will be forwarded to
              the IP and port specified in the DEST column.

              A comma-separated list of addresses may also be used. This is
              most useful with the REDIRECT target where you want to redirect
              traffic destined for a particular set of hosts. Finally, if the
              list of addresses begins with "!" (exclusion) then the rule
              will be followed only if the original destination address in
              the connection request does not match any of the addresses
              listed.

              For other actions, this column may be included and may contain
              one or more addresses (host or network) separated by commas.
              Address ranges are not allowed. When this column is supplied,
              rules are generated that require that the original destination
              address matches one of the listed addresses. This feature is
              most useful when you want to generate a filter rule that
              corresponds to a DNAT- or REDIRECT- rule. In this usage, the
              list of addresses should not begin with "!".

              It is also possible to specify a set of addresses and then
              exclude part of those addresses. For example,
              192.168.1.0/24!192.168.1.16/28 specifies the addresses
              192.168.1.0-192.168.1.15 and 192.168.1.32-192.168.1.255. See
              shorewall-exclusion ⟨shorewall-exclusion.html⟩ (5).

              See http://shorewall.net/PortKnocking.html
              ⟨../PortKnocking.html⟩ for an example of using an entry in this
              column with a user-defined action rule.
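
              The following rules are an added illustration, not from the man
              page, of two points made above: which DNAT columns describe the
              packet before rewriting and which after, and how a DNAT- rule
              is paired with its own ACCEPT using this column. The addresses
              are assumptions: 203.0.113.5 is the firewall's public address
              and 192.168.2.5 a DMZ web server listening on 8080.

```text
# Added example, not from the man page. 203.0.113.5 (public address) and
# 192.168.2.5:8080 (DMZ web server) are assumptions.
#ACTION  SOURCE  DEST                  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# Before rewriting: dst 203.0.113.5:80  (ORIGINAL DEST and DEST PORT(S)).
# After rewriting:  dst 192.168.2.5:8080 (DEST). DNAT also generates the
# companion ACCEPT, so this one line is complete:
DNAT     net     dmz:192.168.2.5:8080  tcp    80            -               203.0.113.5

# DNAT- only rewrites; nothing is accepted until you add the filter rule
# yourself:
DNAT-    net     dmz:192.168.2.5:8080  tcp    80            -               203.0.113.5
# The filter table sees the packet after nat/PREROUTING, so the ACCEPT names
# the rewritten address and port (DEST 192.168.2.5, DEST PORT(S) 8080) and
# uses ORIGINAL DEST to confine it to connections that arrived for
# 203.0.113.5. Without ORIGINAL DEST it would also admit direct net->dmz
# traffic to 192.168.2.5:8080:
ACCEPT   net     dmz:192.168.2.5       tcp    8080          -               203.0.113.5
```

              The pre-rewrite port (80) is therefore only ever written in the
              DNAT- line; getting it into the ACCEPT's DEST PORT(S) is the
              usual mistake when splitting the two rules.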
540
541 RATE LIMIT (Optional) — [-|rate/{sec|min}[:burst]
542 You may rate-limit the rule by placing a value in this
543 column:
544
545 rate is the number of connections per
546 interval (sec or min) and burst is the
547 largest burst permitted. If no burst is given,
548 a value of 5 is assumed. There may be no no whitespace embedded in
549 the specification.
550
551 Example: 10/sec:20
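
              The following pair of rules is an added illustration of RATE
              LIMIT, not from the man page; the zone name net is an
              assumption:

```text
# Added example of RATE LIMIT, not from the man page; zone names assumed.
# SOURCE PORT(S) and ORIGINAL DEST are given as "-" so that the RATE LIMIT
# column can be reached.
#ACTION      SOURCE  DEST   PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT
# At most 3 new SSH connections per minute, with a burst of 5. Beyond that
# the rule simply stops matching, so the request falls through to the next
# rule...
ACCEPT       net     $FW    tcp    22            -               -              3/min:5
# ...which logs and drops the excess rather than leaving it to the net->fw
# policy:
DROP:info    net     $FW    tcp    22
```

              The limit is applied to the rule as a whole, not per source
              address: a single abusive client can use up the allowance and
              lock out every other client of that rule for the duration. Keep
              the rate generous enough for legitimate use, or reserve a
              separate unlimited ACCEPT for known management addresses
              placed above the limited rule.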
552
553 USER/GROUP (Optional) — [!][user-name-or-number][:group-name-or-number][+program-name]
554 This column may only be non-empty if the SOURCE is the
555 firewall itself.
556
557 When this column is non-empty, the rule applies only if the
558 program generating the output is running under the effective
559 user and/or group
560 specified (or is NOT running under that id if "!" is given).
561
562 Examples:
563
564 joe program must be run by joe
565
566 :kids program must be run by a member of the 'kids'
567 group
568
569 !:kids program must not be run by a member of the 'kids'
570 group
571
572 +upnpd #program named upnpd
573 Important
574
575 The ability to specify a program name was removed from
576 Netfilter in kernel version 2.6.14.
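
              The following rules are an added illustration of USER/GROUP
              restrictions on traffic the firewall itself originates; they are
              not from the man page. The user names backup and mail, the group
              ops and the backup host 192.168.1.20 are assumptions:

```text
# Added example of USER/GROUP on firewall-originated traffic; not from the
# man page. Users 'backup' and 'mail', group 'ops' and the backup host are
# assumptions. RATE LIMIT and the columns before it are "-" placeholders so
# that the USER/GROUP column is reached.
#ACTION      SOURCE  DEST               PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT  USER/GROUP
# Only the backup user on the firewall may open SSH to the backup host;
# any other local process is refused (REJECT, so it fails fast):
ACCEPT       $FW     loc:192.168.1.20   tcp    22            -               -              -           backup
REJECT       $FW     loc:192.168.1.20   tcp    22
# Outbound SMTP from the firewall is confined to the mail system account;
# attempts from anything else are rejected and logged:
ACCEPT       $FW     net                tcp    25            -               -              -           mail
REJECT:info  $FW     net                tcp    25
# Members of group ops may resolve names directly; all other local
# processes have their DNS queries dropped ("!" negates the group test):
DROP         $FW     net                udp    53            -               -              -           !:ops
```

              Because the test is on the effective user or group of the
              process that generated the packet, it restricts what a
              compromised or misconfigured service running on the firewall
              host can reach, but it says nothing about traffic merely
              forwarded by the firewall.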
577
578 MARK — [!]value[/mask][:C]
579 Defines a test on the existing packet or connection mark. The
580 rule will match only if the test returns true.
581
582 If you don't want to define a test but need to specify
583 anything in the following columns, place a "-" in this field.
584
585 ! Inverts the test (not equal)
586
587 value Value of the packet or connection mark.
588
589 mask A mask to be applied to the mark before testing.
590
591 :C Designates a connection mark. If omitted, the packet
592 mark's value is tested. This option is only supported by
593 Shorewall-perl.
594
596 Unless you are using Shorewall-perl ⟨../Shorewall-perl.html⟩ and your
597 iptables/kernel have Repeat Match support (see the output of shorewall
598 show capabilities), if you specify a list of DEST PORT(S), then you may
599 not specify SOURCE PORT(S) and vice versa.

EXAMPLES
       Example 1:
              Accept SMTP requests from the DMZ to the internet

              #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
              #                                 PORT(S)   PORT(S)   DEST
              ACCEPT    dmz      net    tcp     smtp

       Example 2:
              Forward all ssh and http connection requests from the internet
              to local system 192.168.1.3

              #ACTION   SOURCE   DEST              PROTO   DEST       SOURCE    ORIGINAL
              #                                            PORT(S)    PORT(S)   DEST
              DNAT      net      loc:192.168.1.3   tcp     ssh,http

       Example 3:
              Forward all http connection requests from the internet to local
              system 192.168.1.3 with a limit of 3 per second and a maximum
              burst of 10

              #ACTION   SOURCE   DEST              PROTO   DEST      SOURCE    ORIGINAL   RATE
              #                                            PORT(S)   PORT(S)   DEST       LIMIT
              DNAT      net      loc:192.168.1.3   tcp     http      -         -          3/sec:10

       Example 4:
              Redirect all locally-originating www connection requests to port
              3128 on the firewall (Squid running on the firewall system)
              except when the destination address is 192.168.2.2

              #ACTION    SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
              #                                  PORT(S)   PORT(S)   DEST
              REDIRECT   loc      3128   tcp     www       -         !192.168.2.2

       Example 5:
              All http requests from the internet to address 130.252.100.69
              are to be forwarded to 192.168.1.3

              #ACTION   SOURCE   DEST              PROTO   DEST      SOURCE    ORIGINAL
              #                                            PORT(S)   PORT(S)   DEST
              DNAT      net      loc:192.168.1.3   tcp     80        -         130.252.100.69

       Example 6:
              You want to accept SSH connections to your firewall only from
              internet IP addresses 130.252.100.69 and 130.252.100.70

              #ACTION   SOURCE                              DEST   PROTO   DEST      SOURCE    ORIGINAL
              #                                                    PORT(S)   PORT(S)   DEST
              ACCEPT    net:130.252.100.69,130.252.100.70   $FW    \
                        tcp     22

       Example 7:
              You wish to accept connections from the internet to your
              firewall on port 2222 and you want to forward them to local
              system 192.168.1.3, port 22

              #ACTION   SOURCE   DEST                 PROTO   DEST      SOURCE    ORIGINAL
              #                                               PORT(S)   PORT(S)   DEST
              DNAT      net      loc:192.168.1.3:22   tcp     2222

       Example 8:
              You want to redirect connection requests to port 80 randomly to
              the port range 81-90.

              #ACTION    SOURCE   DEST                PROTO   DEST      SOURCE    ORIGINAL
              #                                               PORT(S)   PORT(S)   DEST
              REDIRECT   net      $FW::81-90:random   tcp     www

       Example 9:
              Shorewall does not impose as much structure on the Netfilter
              rules in the 'nat' table as it does on those in the filter
              table. As a consequence, care must be exercised when using DNAT
              and REDIRECT rules with zones defined with wildcard interfaces
              (those ending with '+'). Here is an example:

              shorewall-zones ⟨shorewall-zones.html⟩ (5):

              #ZONE   TYPE       OPTIONS
              fw      firewall
              net     ipv4
              dmz     ipv4
              loc     ipv4

              shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5):

              #ZONE   INTERFACE   BROADCAST   OPTIONS
              net     ppp0
              loc     eth1        detect
              dmz     eth2        detect
              -       ppp+                    # Addresses are assigned from 192.168.3.0/24

              shorewall-hosts ⟨shorewall-hosts.html⟩ (5):

              #ZONE   HOST(S)                 OPTIONS
              loc     ppp+:192.168.3.0/24

              rules:

              #ACTION    SOURCE   DEST   PROTO   DEST
              #                                  PORT(S)
              REDIRECT   loc      3128   tcp     80

              Note that it would have been tempting to simply define the loc
              zone entirely in shorewall-interfaces(5):

              #******************* INCORRECT *****************
              #ZONE   INTERFACE   BROADCAST   OPTIONS
              net     ppp0
              loc     eth1        detect
              loc     ppp+
              dmz     eth2

              This would have made it impossible to run an internet-accessible
              web server in the DMZ because all traffic entering ppp+
              interfaces would have been redirected to port 3128 on the
              firewall and there would have been no net->fw ACCEPT rule for
              that traffic.

FILES
       /etc/shorewall/rules

SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)

                                 19 May 2008              shorewall-rules(5)