SHOREWALL-EXCLUSION(5)          [FIXME: manual]          SHOREWALL-EXCLUSION(5)

NAME
exclusion - Exclude a set of hosts from a definition in a shorewall
configuration file.

SYNOPSIS
!address-or-range[,address-or-range]...

!zone-name[,zone-name]...

DESCRIPTION
The first form of exclusion is used when you wish to exclude one or
more addresses from a definition. An exclamation point is followed by
a comma-separated list of addresses. The addresses may be single host
addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
format (e.g., 192.168.1.0/24). If your kernel and iptables include
iprange support, you may also specify ranges of IP addresses of the
form lowaddress-highaddress.

No embedded whitespace is allowed.

Exclusion can appear after a list of addresses and/or address ranges.
In that case, the final list of addresses is formed by taking the first
list and then removing the addresses defined in the exclusion.

Beginning in Shorewall 4.4.13, the second form of exclusion is allowed
after all and any in the SOURCE and DEST columns of
/etc/shorewall/rules. It allows you to omit arbitrary zones from the
list generated by those key words.

Warning
If you omit a sub-zone and there is an explicit or implicit
CONTINUE policy, a connection to/from that zone can still be
matched by the rule generated for a parent zone.

For example:

/etc/shorewall/zones:

#ZONE     TYPE
z1        ip
z2:z1     ip
...

/etc/shorewall/policy:

#SOURCE   DEST      POLICY
z1        net       CONTINUE
z2        net       REJECT

/etc/shorewall/rules:

#ACTION   SOURCE    DEST      PROTO     DEST
#                                       PORT(S)
ACCEPT    all!z2    net       tcp       22

In this case, SSH connections from z2 to net will be accepted by
the generated z1 to net ACCEPT rule.

In most contexts, ipset names can be used as an address-or-range.
Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may
also be included (see shorewall-ipsets[1] (5)). The semantics of these
lists when used in an exclusion are as follows:

· !+[set1,set2,...setN] produces a packet match if the packet does
not match at least one of the sets. In other words, it is like NOT
match set1 OR NOT match set2 ... OR NOT match setN.

· +[!set1,!set2,...!setN] produces a packet match if the packet does
not match any of the sets. In other words, it is like NOT match
set1 AND NOT match set2 ... AND NOT match setN.

EXAMPLES
Example 1 - All IPv4 addresses except 192.168.3.4
!192.168.3.4

Example 2 - All IPv4 addresses except the network 192.168.1.0/24 and
the host 10.2.3.4
!192.168.1.0/24,10.2.3.4

Example 3 - All IPv4 addresses except the range
192.168.1.3-192.168.1.12 and the network 10.0.0.0/8
!192.168.1.3-192.168.1.12,10.0.0.0/8

Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3 and
192.168.1.9
192.168.1.0/24!192.168.1.3,192.168.1.9

Example 5 - All parent zones except loc
any!loc
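The address-list forms shown in Examples 1 to 4 and the ipset-list semantics from the DESCRIPTION section, evaluated by a small Python checker. This is an added illustration, not code from Shorewall or from this manual page; Shorewall compiles exclusions into iptables/ipset matches rather than evaluating them like this, and the memberships dictionary is a constructed stand-in for real ipset lookups.

```python
import ipaddress

ALL_IPV4 = (0, 2**32 - 1)

def _parse_item(item):
    # One comma-separated element: a host, a CIDR network, or a low-high range.
    if "-" in item:
        low, high = item.split("-", 1)
        return int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
    net = ipaddress.ip_network(item, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_exclusion(spec):
    """Split 'list!exclusion' into (included ranges, excluded ranges).

    A spec that starts with '!' means "all IPv4 addresses except ...".
    """
    if any(c.isspace() for c in spec):
        raise ValueError("no embedded whitespace is allowed in an exclusion")
    base, _, excluded = spec.partition("!")
    include = [_parse_item(i) for i in base.split(",")] if base else [ALL_IPV4]
    exclude = [_parse_item(i) for i in excluded.split(",")] if excluded else []
    return include, exclude

def address_matches(spec, addr):
    # True if addr is in the base list and is not removed by the exclusion.
    a = int(ipaddress.ip_address(addr))
    include, exclude = parse_exclusion(spec)
    in_list = any(lo <= a <= hi for lo, hi in include)
    removed = any(lo <= a <= hi for lo, hi in exclude)
    return in_list and not removed

def ipset_exclusion_matches(spec, memberships):
    """Evaluate the two ipset-list exclusion forms described on this page.

    memberships maps each set name to whether the packet matches that set
    (constructed stand-in for real ipset lookups).
      '!+[s1,s2]'  -> NOT s1 OR NOT s2   (fails only if every set matches)
      '+[!s1,!s2]' -> NOT s1 AND NOT s2  (fails if any set matches)
    """
    if spec.startswith("!+[") and spec.endswith("]"):
        return any(not memberships[n] for n in spec[3:-1].split(","))
    if spec.startswith("+[") and spec.endswith("]"):
        items = spec[2:-1].split(",")
        if not all(i.startswith("!") for i in items):
            raise ValueError("only the all-negated form +[!s1,...] is handled here")
        return all(not memberships[i[1:]] for i in items)
    raise ValueError("not an ipset-list exclusion: " + spec)
```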

FILES
/etc/shorewall/hosts

/etc/shorewall/masq

/etc/shorewall/rules

/etc/shorewall/tcrules

SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES
1. shorewall-ipsets
http://www.shorewall.net/manpages/shorewall-ipsets.html

[FIXME: source]                    09/16/2011              SHOREWALL-EXCLUSION(5)