1SHOREWALL-EXCLUSION(5)          [FIXME: manual]         SHOREWALL-EXCLUSION(5)
2
3
4

NAME

6       exclusion - Exclude a set of hosts from a definition in a shorewall
7       configuration file.
8

SYNOPSIS

10       !address-or-range[,address-or-range]...
11
12       !zone-name[,zone-name]...
13

DESCRIPTION

15       The first form of exclusion is used when you wish to exclude one or
16       more addresses from a definition. An exclaimation point is followed by
17       a comma-separated list of addresses. The addresses may be single host
18       addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
19       format (e.g., 192.168.1.0/24). If your kernel and iptables include
20       iprange support, you may also specify ranges of ip addresses of the
21       form lowaddress-highaddress
22
23       No embedded whitespace is allowed.
24
25       Exclusion can appear after a list of addresses and/or address ranges.
26       In that case, the final list of address is formed by taking the first
27       list and then removing the addresses defined in the exclusion.
28
29       Beginning in Shorewall 4.4.13, the second form of exclusion is allowed
30       after all and any in the SOURCE and DEST columns of
31       /etc/shorewall/rules. It allows you to omit arbitrary zones from the
32       list generated by those key words.
33
34           Warning
35           If you omit a sub-zone and there is an explicit or explicit
36           CONTINUE policy, a connection to/from that zone can still be
37           matched by the rule generated for a parent zone.
38
39           For example:
40
41           /etc/shorewall/zones:
42
43               #ZONE          TYPE
44               z1             ip
45               z2:z1          ip
46               ...
47
48           /etc/shorewall/policy:
49
50               #SOURCE         DEST          POLICY
51               z1              net           CONTINUE
52               z2              net           REJECT
53
54           /etc/shorewall/rules:
55
56               #ACTION         SOURCE        DEST        PROTO         DEST
57               #                                                       PORT(S)
58               ACCEPT          all!z2        net         tcp           22
59
60           In this case, SSH connections from z2 to net will be accepted by
61           the generated z1 to net ACCEPT rule.
62
63       In most contexts, ipset names can be used as an address-or-range.
64       Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may
65       also be included (see shorewall-ipsets[1] (5)). The semantics of these
66       lists when used in an exclusion are as follows:
67
68       ·   !+[set1,set2,...setN] produces a packet match if the packet does
69           not match at least one of the sets. In other words, it is like NOT
70           match set1 OR NOT match set2 ... OR NOT match setN.
71
72       ·   +[!set1,!set2,...!setN] produces a packet match if the packet does
73           not match any of the sets. In other words, it is like NOT match
74           set1 AND NOT match set2 ... AND NOT match setN.
75

EXAMPLES

77       Example 1 - All IPv4 addresses except 192.168.3.4
78           !192.168.3.4
79
80       Example 2 - All IPv4 addresses except the network 192.168.1.0/24 and
81       the host 10.2.3.4
82           !192.168.1.0/24,10.1.3.4
83
84       Example 3 - All IPv4 addresses except the range
85       192.168.1.3-192.168.1.12 and the network 10.0.0.0/8
86           !192.168.1.3-192.168.1.12,10.0.0.0/8
87
88       Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3 and
89       192.168.1.9
90           192.168.1.0/24!192.168.1.3,192.168.1.9
91
92       Example 5 - All parent zones except loc
93           any!loc
94

FILES

96       /etc/shorewall/hosts
97
98       /etc/shorewall/masq
99
100       /etc/shorewall/rules
101
102       /etc/shorewall/tcrules
103

SEE ALSO

105       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
106       shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
107       shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
108       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
109       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
110       shorewall-route_rules(5), shorewall-routestopped(5),
111       shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
112       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
113       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
114

NOTES

116        1. shorewall-ipsets
117           http://www.shorewall.net/manpages/shorewall-ipsets.html
118
119
120
121[FIXME: source]                   09/16/2011            SHOREWALL-EXCLUSION(5)
Impressum