SHOREWALL6-RULES(5)                [FIXME: manual]               SHOREWALL6-RULES(5)

NAME
       rules - Shorewall6 rules file

SYNOPSIS
       /etc/shorewall6/rules

DESCRIPTION
       Entries in this file govern connection establishment by defining
       exceptions to the policies laid out in shorewall6-policy[1](5). By
       default, subsequent requests and responses are automatically allowed
       using connection tracking. For any particular (source,dest) pair of
       zones, the rules are evaluated in the order in which they appear in
       this file and the first terminating match is the one that determines
       the disposition of the request. All rules are terminating except LOG
       and QUEUE rules.

       The rules file is divided into sections. Each section is introduced by
       a "Section Header", which is a line beginning with SECTION and followed
       by the section name.

       Sections are as follows and must appear in the order listed:

       ALL
           This section was added in Shorewall 4.4.23. Rules in this section
           are applied regardless of the connection tracking state of the
           packet.

       ESTABLISHED
           Packets in the ESTABLISHED state are processed by rules in this
           section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG and QUEUE.

           There is an implicit ACCEPT rule inserted at the end of this
           section.

       RELATED
           Packets in the RELATED state are processed by rules in this
           section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG and QUEUE.

           There is an implicit ACCEPT rule inserted at the end of this
           section.

       NEW
           Packets in the NEW, INVALID and UNTRACKED states are processed by
           rules in this section.

       Note
           If you are not familiar with Netfilter to the point where you are
           comfortable with the differences between the various connection
           tracking states, then it is suggested that you omit the ESTABLISHED
           and RELATED sections and place all of your rules in the NEW section
           (that is, after the line that reads SECTION NEW).

       Warning
           If you specify FASTACCEPT=Yes in shorewall6.conf[2](5) then the
           ESTABLISHED and RELATED sections must be empty.

       You may omit any section that you don't need. If no Section Headers
       appear in the file then all rules are assumed to be in the NEW section.

       The columns in the file are as follows.

       ACTION -
       {ACCEPT[+|!]|DROP[!]|REJECT[!]|DNAT[-]|SAME[-]|CONTINUE[!]|LOG|QUEUE[!]|NFQUEUE[(queuenumber)]|COMMENT|action|macro[(target)]}[:{log-level|none}[!][:tag]]
           Specifies the action to be taken if the connection request matches
           the rule. Must be one of the following.

           ACCEPT
               Allow the connection request.

           ACCEPT!
               Like ACCEPT but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall6.conf[2](5).

           A_ACCEPT and A_ACCEPT!
               Added in Shorewall 4.4.20. Audited versions of ACCEPT and
               ACCEPT! respectively. Require AUDIT_TARGET support in the
               kernel and ip6tables.

           DROP
               Ignore the request.

           DROP!
               Like DROP but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall6.conf[2](5).

           A_DROP and A_DROP!
               Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
               respectively. Require AUDIT_TARGET support in the kernel and
               ip6tables.

           REJECT
               Disallow the request and return an icmp-unreachable or an RST
               packet.

           REJECT!
               Like REJECT but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall6.conf[2](5).

           A_REJECT and A_REJECT!
               Added in Shorewall 4.4.20. Audited versions of REJECT and
               REJECT! respectively. Require AUDIT_TARGET support in the
               kernel and ip6tables.

           CONTINUE
               For experts only.

               Do not process any of the following rules for this (source
               zone, destination zone) pair. If the source and/or destination
               IP address falls into a zone defined later in
               shorewall6-zones[3](5) or in a parent zone of the source or
               destination zones, then this connection request will be passed
               to the rules defined for that (those) zone(s). See
               shorewall6-nesting[4](5) for additional information.

           CONTINUE!
               Like CONTINUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall6.conf[2](5).

           LOG
               Simply log the packet and continue with the next rule.

           QUEUE
               Queue the packet to a user-space application such as ftwall
               (http://p2pwall.sf.net). The application may reinsert the
               packet for further processing.

           QUEUE!
               Like QUEUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall6.conf[2](5).

           NFLOG[(nflog-parameters)]
               Queues matching packets to a backend logging daemon via a
               netlink socket, then continues to the next rule. See
               http://www.shorewall.net/shorewall_logging.html[5].

           NFQUEUE
               Queues the packet to a user-space application using the
               nfnetlink_queue mechanism. If a queuenumber is not specified,
               queue zero (0) is assumed.

           NFQUEUE!
               Like NFQUEUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall6.conf[2](5).

           COMMENT
               The rest of the line will be attached as a comment to the
               Netfilter rule(s) generated by the following entries. The
               comment will appear delimited by "/* ... */" in the output of
               "shorewall6 show <chain>". To stop the comment from being
               attached to further rules, simply include COMMENT on a line by
               itself.

           action
               The name of an action declared in shorewall6-actions[6](5) or
               in /usr/share/shorewall6/actions.std.

           macro
               The name of a macro defined in a file named macro.macro. If the
               macro accepts an action parameter (look at the macro source to
               see if it has PARAM in the TARGET column) then the macro name
               is followed by the parenthesized target (ACCEPT, DROP, REJECT,
               ...) to be substituted for the parameter.

               Example: FTP(ACCEPT).

               The older syntax where the macro name and the target are
               separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
               deprecated.

           The ACTION may optionally be followed by ":" and a syslog log level
           (e.g., REJECT:info or Web(ACCEPT):debug). This causes the packet to
           be logged at the specified level.

           If the ACTION names an action declared in shorewall6-actions[6](5)
           or in /usr/share/shorewall6/actions.std then:

           · If the log level is followed by "!" then all rules in the
             action are logged at the log level.

           · If the log level is not followed by "!" then only those rules
             in the action that do not specify logging are logged at the
             specified level.

           · The special log level none! suppresses logging by the action.

           You may also specify NFLOG (must be in upper case) as a log
           level. This will log to the NFLOG target for routing to a separate
           log through use of ulogd
           (http://www.netfilter.org/projects/ulogd/index.html).

           Actions specifying logging may be followed by a log tag (a string
           of alphanumeric characters) which is appended to the string
           generated by the LOGPREFIX (in shorewall6.conf[2](5)).

           Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
           prefix generated by the LOGPREFIX setting.

       SOURCE -
       {zone|zone-list[+]|{all|any}[+][-]}[:interface][:<{address-or-range[,address-or-range]...[exclusion]>|exclusion|+ipset}
           Source hosts to which the rule applies. May be a zone declared in
           /etc/shorewall6/zones, $FW to indicate the firewall itself, all,
           all+, all-, all+- or none.

           Beginning with Shorewall 4.4.13, you may use a zone-list which
           consists of a comma-separated list of zones declared in
           shorewall-zones[7](5). This zone-list may be optionally followed by
           "+" to indicate that the rule is to apply to intra-zone traffic as
           well as inter-zone traffic.

           When none is used either in the SOURCE or DEST column, the rule is
           ignored.

           all means "All Zones", including the firewall itself. all- means
           "All Zones, except the firewall itself". When all[-] is used either
           in the SOURCE or DEST column, intra-zone traffic is not affected.
           When all+[-] is used, intra-zone traffic is affected. Beginning
           with Shorewall 4.4.13, exclusion is supported -- see
           shorewall6-exclusion[8](5).

           Except when all[+][-] or any[+][-] is specified, clients may be
           further restricted to a list of networks and/or hosts by appending
           ":" and a comma-separated list of network and/or host addresses.
           Hosts may be specified by IP or MAC address; MAC addresses must
           begin with "~" and must use "-" as a separator.

           any is equivalent to all when there are no nested zones. When there
           are nested zones, any only refers to top-level zones (those with no
           parent zones). Note that any excludes all vserver zones, since
           those zones are nested within the firewall zone.

           Hosts may also be specified as an IP address range using the syntax
           lowaddress-highaddress. This requires that your kernel and
           ip6tables contain iprange match support. If your kernel and
           ip6tables have ipset match support then you may give the name of an
           ipset prefaced by "+". The ipset name may be optionally followed by
           a number from 1 to 6 enclosed in square brackets ([]) to indicate
           the number of levels of source bindings to be matched.

           Beginning with Shorewall6 4.4.17, the primary IP address of a
           firewall interface can be specified by an ampersand ('&') followed
           by the logical name of the interface as found in the INTERFACE
           column of shorewall6-interfaces[9](5).

           When an interface is not specified, you may omit the angled
           brackets ('<' and '>') around the address(es) or you may supply
           them to improve readability.

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall6-exclusion[8](5)).

           Examples:

           dmz:2002:ce7c:92b4:1::2
               Host 2002:ce7c:92b4:1::2 in the DMZ

           net:2001:4d48:ad51:24::/64
               Subnet 2001:4d48:ad51:24::/64 on the Internet

           loc:<2002:ce7c:92b4:1::2,2002:ce7c:92b4:1::44>
               Hosts 2002:ce7c:92b4:1::2 and 2002:ce7c:92b4:1::44 in the local
               zone.

           loc:~00-A0-C9-15-39-78
               Host in the local zone with MAC address 00:A0:C9:15:39:78.

           net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6::/80
               Subnet 2001:4d48:ad51:24::/64 on the Internet except for
               2001:4d48:ad51:24:6::/80.

           $FW:&eth0
               The primary IP address of eth0 in the firewall zone (Shorewall6
               4.4.17 and later).

           Alternatively, clients may be specified by interface by appending
           ":" to the zone name followed by the interface name. For example,
           loc:eth1 specifies a client that communicates with the firewall
           system through eth1. This may be optionally followed by another
           colon (":") and an IP/MAC/subnet address as described above (e.g.,
           loc:eth1:<2002:ce7c:92b4:1::2>).

           Examples:

           loc:eth1:<2002:ce7c:92b4:1::2,2002:ce7c:92b4:1::44>
               Hosts 2002:ce7c:92b4:1::2 and 2002:ce7c:92b4:1::44 in the local
               zone, with both originating from eth1

       DEST -
       {zone|zone-list[+]|all[+][-]}[:interface][:<{address-or-range[,address-or-range]...[exclusion]>|exclusion|+ipset}
           Location of Server. May be a zone declared in
           shorewall6-zones[3](5), $FW to indicate the firewall itself, all,
           all+ or none.

           Beginning with Shorewall 4.4.13, you may use a zone-list which
           consists of a comma-separated list of zones declared in
           shorewall-zones[7](5). This zone-list may be optionally followed by
           "+" to indicate that the rule is to apply to intra-zone traffic as
           well as inter-zone traffic. Beginning with Shorewall 4.4.13,
           exclusion is supported -- see shorewall6-exclusion[8](5).

           Beginning with Shorewall6 4.4.17, the primary IP address of a
           firewall interface can be specified by an ampersand ('&') followed
           by the logical name of the interface as found in the INTERFACE
           column of shorewall6-interfaces[9](5).

           When none is used either in the SOURCE or DEST column, the rule is
           ignored.

           When all is used either in the SOURCE or DEST column, intra-zone
           traffic is not affected. When all+ is used, intra-zone traffic is
           affected.

           If the DEST zone is a bport zone, then either:

           1. the SOURCE must be all[+][-], or

           2. the SOURCE zone must be another bport zone associated with the
              same bridge, or

           3. the SOURCE zone must be an ipv4 zone that is associated with
              only the same bridge.

           Except when all[+][-] is specified, the server may be further
           restricted to a particular network, host or interface by appending
           ":" and the network, host or interface. See SOURCE above.

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall6-exclusion[8](5)).

           Restrictions:

           1. MAC addresses are not allowed (this is a Netfilter restriction).

           If your kernel and ip6tables have ipset match support then you may
           give the name of an ipset prefaced by "+". The ipset name may be
           optionally followed by a number from 1 to 6 enclosed in square
           brackets ([]) to indicate the number of levels of destination
           bindings to be matched. Only one of the SOURCE and DEST columns may
           specify an ipset name.
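           The SOURCE and DEST column grammar above (zones with "+" and "-"
           suffixes, an optional interface, bracketed address lists with "!"
           exclusions, the ~MAC and &interface forms, low-high ranges and
           +ipset names) is small enough to parse and check before the file is
           compiled. The parser below is an added example written for this
           page, not Shorewall's own code: it applies the restrictions stated
           in the two column descriptions (no host restriction after all/any,
           "-" only after all/any, no MAC addresses in DEST) and uses Python's
           ipaddress module to reject malformed IPv6 literals. The
           interface-detection heuristic (try the remainder as an address list
           first, then as interface[:addresses]), the ZONE_RE and IPSET_RE
           patterns, and the tuple tags "net", "range", "mac" and "ifaddr" are
           this example's own assumptions.

```python
"""Parser for the SOURCE/DEST column syntax of shorewall6-rules(5).

Added example, not Shorewall's parser. It follows the grammar the man page
describes for these columns and uses ipaddress so that a malformed IPv6
literal is reported before the rule reaches ip6tables.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ZONE_RE = re.compile(r"^(?:\$FW|[A-Za-z][A-Za-z0-9_]*)$")          # assumption
# Shorewall MAC syntax: leading "~", "-" as the separator (~00-A0-C9-15-39-78)
MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
IPSET_RE = re.compile(r"^\+([A-Za-z0-9_]+)(?:\[([1-6])\])?$")        # +name[levels]

Host = Tuple[str, object]  # ("net", IPv6Network) | ("range", (lo, hi)) | ("mac", str) | ("ifaddr", str)


@dataclass
class HostSpec:
    zones: List[str]
    intra_zone: bool = False          # trailing "+": intra-zone traffic is affected
    exclude_firewall: bool = False    # trailing "-" on all/any
    interface: Optional[str] = None
    hosts: List[Host] = field(default_factory=list)
    exclusions: List[Host] = field(default_factory=list)
    ipset: Optional[str] = None
    ipset_levels: int = 0


def parse_host(token: str, dest: bool = False) -> Host:
    """One address-or-range element: IPv6 network, low-high range, ~MAC or &interface."""
    if token.startswith("~"):
        if dest:
            raise ValueError("MAC addresses are not allowed in DEST (Netfilter restriction)")
        if not MAC_RE.match(token):
            raise ValueError(f"malformed MAC address {token!r}")
        return ("mac", token[1:].replace("-", ":"))
    if token.startswith("&"):        # primary address of a firewall interface (4.4.17+)
        return ("ifaddr", token[1:])
    if "-" in token:                 # iprange match: lowaddress-highaddress
        low, high = (ipaddress.IPv6Address(p) for p in token.split("-", 1))
        if low > high:
            raise ValueError(f"range {token!r} runs backwards")
        return ("range", (low, high))
    # AddressValueError (a ValueError) is exactly what a doubled "::" or a
    # trailing single ":" produces, e.g. "2002:ce7c::92b4:1::2"
    return ("net", ipaddress.IPv6Network(token, strict=False))


def parse_host_list(text: str, dest: bool = False) -> List[Host]:
    return [parse_host(t, dest) for t in text.split(",") if t]


def parse_column(column: str, dest: bool = False) -> HostSpec:
    """Parse one SOURCE (dest=False) or DEST (dest=True) column value."""
    zone_part, _, rest = column.partition(":")
    names = zone_part.rstrip("+-")
    flags = zone_part[len(names):]
    spec = HostSpec(zones=names.split(","), intra_zone="+" in flags,
                    exclude_firewall="-" in flags)
    for zone in spec.zones:
        if not ZONE_RE.match(zone):
            raise ValueError(f"bad zone name {zone!r}")
    if spec.exclude_firewall and names not in ("all", "any"):
        raise ValueError("'-' is only valid after all or any")
    if not rest:
        return spec
    if names in ("all", "any"):
        raise ValueError(f"{names} cannot be restricted to hosts or an interface")
    m = IPSET_RE.match(rest)
    if m:                            # "+setname[levels]" replaces the address list
        spec.ipset, spec.ipset_levels = m.group(1), int(m.group(2) or 0)
        return spec
    # Decide whether an interface precedes the addresses. Angle brackets are
    # required when it does; without brackets, try the remainder as addresses
    # first and fall back to "interface[:addresses]" (heuristic, not Shorewall's).
    iface, addr_text = None, rest
    if "<" in rest and not rest.startswith("<"):
        iface, _, addr_text = rest.partition(":")
    elif not rest.startswith(("<", "!", "~", "&")):
        try:
            parse_host_list(rest.split("!", 1)[0], dest)
        except ValueError:
            iface, _, addr_text = rest.partition(":")
    spec.interface = iface or None
    hosts, _, excl = addr_text.strip("<>").partition("!")
    spec.hosts = parse_host_list(hosts, dest)
    spec.exclusions = parse_host_list(excl, dest)
    return spec


def column_error(column: str, dest: bool = False) -> Optional[str]:
    """None when the column parses, otherwise the reason it would be rejected."""
    try:
        parse_column(column, dest)
    except ValueError as exc:
        return str(exc)
    return None
```

           column_error() returns None for a valid column; for shapes such as
           2002:ce7c::92b4:1::2 (two "::" groups) or 2001:4d48:ad51:24:6:/80
           (trailing single colon) it returns the ipaddress error text, which
           is cheaper than finding the typo during a shorewall6 compile.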

       PROTO (Optional) -
       {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
           Protocol - ipp2p* requires ipp2p match support in your kernel and
           ip6tables. tcp:syn implies tcp plus the SYN flag must be set and
           the RST, ACK and FIN flags must be reset.

           Beginning with Shorewall6 4.4.19, this column can contain a
           comma-separated list of protocol-numbers and/or protocol names
           (e.g., tcp,udp).

       DEST PORT(S) (Optional) -
       {-|port-name-number-or-range[,port-name-number-or-range]...}
           Destination Ports. A comma-separated list of Port names (from
           services(5)), port numbers or port ranges; if the protocol is icmp,
           this column is interpreted as the destination icmp-type(s). ICMP
           types may be specified as a numeric type, a numeric type and code
           separated by a slash (e.g., 3/4), or a typename. See
           http://www.shorewall.net/configuration_file_basics.htm#ICMP. Note
           that prior to Shorewall6 4.4.19, only a single ICMP type may be
           listed.

           If the protocol is ipp2p, this column is interpreted as an ipp2p
           option without the leading "--" (example: bit for bit-torrent). If
           no port is given, ipp2p is assumed.

           A port range is expressed as lowport:highport.

           This column is ignored if PROTO = all but must be entered if any of
           the following columns are supplied. In that case, it is suggested
           that this field contain a dash (-).

           If your kernel contains multi-port match support, then only a
           single Netfilter rule will be generated if in this list and the
           CLIENT PORT(S) list below:

           1. There are 15 or fewer ports listed.

           2. No port ranges are included or your kernel and ip6tables contain
              extended multiport match support.

       SOURCE PORT(S) (Optional) -
       {-|port-name-number-or-range[,port-name-number-or-range]...}
           Port(s) used by the client. If omitted, any source port is
           acceptable. Specified as a comma-separated list of port names,
           port numbers or port ranges.

           Warning
               Unless you really understand IP, you should leave this column
               empty or place a dash (-) in the column. Most people who try to
               use this column get it wrong.

           If you don't want to restrict client ports but need to specify a
           later column, then place "-" in this column.

           If your kernel contains multi-port match support, then only a
           single Netfilter rule will be generated if in this list and the
           DEST PORT(S) list above:

           1. There are 15 or fewer ports listed.

           2. No port ranges are included or your kernel and ip6tables contain
              extended multiport match support.

       ORIGINAL DEST (Optional) - [-]
           Included for compatibility with Shorewall. Enter '-' in this column
           if you need to specify one of the later columns.

       RATE LIMIT (Optional) -
       [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst]
           You may rate-limit the rule by placing a value in this column:

           rate is the number of connections per interval (sec, min, hour or
           day) and burst is the largest burst permitted. If no burst is
           given, a value of 5 is assumed. There may be no whitespace embedded
           in the specification.

           Example: 10/sec:20

           When s: or d: is specified, the rate applies per source IP address
           or per destination IP address respectively. The name may be chosen
           by the user and specifies a hash table to be used to count matching
           connections. If not given, the name shorewallN (where N is a unique
           integer) is assumed. Where more than one rule specifies the same
           name, the connection counts for the rules are aggregated and the
           individual rates apply to the aggregated count.

       USER/GROUP (Optional) - [!][user-name-or-number][:group-name-or-number]
           This column may only be non-empty if the SOURCE is the firewall
           itself.

           When this column is non-empty, the rule applies only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

       CONNLIMIT - [!]limit[:mask]
           May be used to limit the number of simultaneous connections from
           each individual host. Requires connlimit match in your kernel and
           ip6tables. While the limit is only checked on rules specifying
           CONNLIMIT, the number of current connections is calculated over all
           current connections from the SOURCE host. By default, the limit is
           applied to each host but can be made to apply to networks of hosts
           by specifying a mask. The mask specifies the width of a VLSM mask
           to be applied to the source address; the number of current
           connections is then taken over all hosts in the subnet
           source-address/mask. When ! is specified, the rule matches when the
           number of connections exceeds the limit.

       TIME - timeelement[&timeelement...]
           May be used to limit the rule to a particular time period each day,
           to particular days of the week or month, or to a range defined by
           dates and times. Requires time match support in your kernel and
           ip6tables.

           timeelement may be:

           timestart=hh:mm[:ss]
               Defines the starting time of day.

           timestop=hh:mm[:ss]
               Defines the ending time of day.

           utc
               Times are expressed in Greenwich Mean Time.

           localtz
               Times are expressed in Local Civil Time (default).

           weekdays=ddd[,ddd]...
               where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun

           monthdays=dd[,dd],...
               where dd is an ordinal day of the month

           datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
               Defines the starting date and time.

           datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
               Defines the ending date and time.

       HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
       4.4.15)
           The header-list consists of a comma-separated list of headers from
           the following list.

           auth, ah, or 51
               Authentication Headers extension header.

           esp, or 50
               Encrypted Security Payload extension header.

           hop, hop-by-hop or 0
               Hop-by-hop options extension header.

           route, ipv6-route or 41
               IPv6 Route extension header.

           frag, ipv6-frag or 44
               IPv6 fragmentation extension header.

           none, ipv6-nonxt or 59
               No next header

           proto, protocol or 255
               Any protocol header.

           If any: is specified, the rule will match if any of the listed
           headers are present. If exactly: is specified, the rule will match
           packets that exactly include all specified headers. If neither is
           given, any: is assumed.

           If ! is entered, the rule will match those packets which would not
           be matched when ! is omitted.

EXAMPLES
       Example 1:
           Accept SMTP requests from the DMZ to the internet

               #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
               #                                 PORT(S)   PORT(S)   DEST
               ACCEPT    dmz      net    tcp     smtp

       Example 4:
           You want to accept SSH connections to your firewall only from
           internet IP addresses 2002:ce7c:92b4:1::2 and 2002:ce7c:92b4:1::22

               #ACTION   SOURCE                                      DEST   PROTO   DEST      SOURCE    ORIGINAL
               #                                                                   PORT(S)   PORT(S)   DEST
               ACCEPT    net:<2002:ce7c:92b4:1::2,2002:ce7c:92b4:1::22> \
                         $FW                                         tcp     22

       Example 5:
           You wish to limit SSH connections from remote systems to 1/min with
           a burst of three (to allow for limited retry):

               #ACTION       SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE
               #                                    PORT(S)   PORT(S)   DEST       LIMIT
               SSH(ACCEPT)   net      all    -       -         -         -          s:1/min:3
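
       The structural rules stated in the DESCRIPTION (section order, which
       ACTIONs the ESTABLISHED and RELATED sections accept, the FASTACCEPT=Yes
       warning, the RATE LIMIT syntax and the USER/GROUP restriction to a
       SOURCE of $FW) can be checked mechanically before the file is compiled.
       The lint below is an added example, not Shorewall's compiler. It joins
       "\" continuation lines and strips "#" comments in the way the examples
       above are written; SAMPLE and BAD are constructed inputs (SAMPLE reuses
       the three examples). Treating ACCEPT!, DROP! and similar as their base
       action for the section check, the 13-column cap and the regular
       expression used for RATE LIMIT are this example's own assumptions.

```python
"""Structural lint for a shorewall6 rules file (added example, not Shorewall code)."""
import re
from typing import Iterator, List, Optional, Tuple

SECTION_ORDER = ["ALL", "ESTABLISHED", "RELATED", "NEW"]
STATE_SECTION_ACTIONS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE"}
MAX_COLUMNS = 13   # ACTION .. HEADERS, as listed in the man page (assumption)
# [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst]
RATE_RE = re.compile(r"^(?:[sd]:(?:[A-Za-z0-9_]*:)?)?\d+/(?:sec|min|hour|day)(?::\d+)?$")

Rule = Tuple[str, List[str]]   # (section, columns)

SAMPLE = """\
SECTION ESTABLISHED
LOG:info    net    $FW    tcp    22
SECTION NEW
#ACTION     SOURCE                                     DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE
ACCEPT      dmz                                        net   tcp    smtp
ACCEPT      net:<2002:ce7c:92b4:1::2,2002:ce7c:92b4:1::22> \\
            $FW                                        tcp   22
SSH(ACCEPT) net                                        all   -      -      -      -         s:1/min:3
COMMENT Outbound DNS from the firewall, only when sent as root
ACCEPT      $FW                                        net   udp    53     -      -         -     root
COMMENT
"""

BAD = """\
SECTION NEW
ACCEPT  loc  net  tcp  80
SECTION RELATED                                  # RELATED must precede NEW
Web(ACCEPT)  loc  net                            # macros are not allowed here
SECTION NEW                                      # repeated header
ACCEPT  net  $FW  tcp  22  -  -  1/minute:3      # interval must be sec|min|hour|day
ACCEPT  loc  net  tcp  80  -  -  -  joe          # USER/GROUP needs SOURCE $FW
"""


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, text) with comments removed and continuations joined."""
    parts, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start or n
        if line.endswith("\\"):
            parts.append(line[:-1])
            continue
        parts.append(line)
        joined, first = " ".join(parts).strip(), start
        parts, start = [], 0
        if joined:
            yield first, joined


def base_action(action: str) -> str:
    """ACCEPT!:info:tag -> ACCEPT, Web(ACCEPT):debug -> Web (the '!' and log level are dropped)."""
    return action.split(":", 1)[0].rstrip("!").split("(", 1)[0]


def lint(text: str, fastaccept: bool = False) -> Tuple[List[Rule], List[str]]:
    """Return (parsed rules, error messages); fastaccept mirrors FASTACCEPT=Yes."""
    rules: List[Rule] = []
    errors: List[str] = []
    seen: List[str] = []
    section: Optional[str] = None
    for n, line in logical_lines(text):
        cols = line.split()
        if cols[0] == "SECTION":
            name = cols[1] if len(cols) > 1 else ""
            if section is None and rules:
                errors.append(f"line {n}: rules appear before the first SECTION header")
            if name not in SECTION_ORDER:
                errors.append(f"line {n}: unknown section {name!r}")
            else:
                if any(SECTION_ORDER.index(name) <= SECTION_ORDER.index(s) for s in seen):
                    errors.append(f"line {n}: SECTION {name} is out of order or repeated")
                seen.append(name)
            section = name
            continue
        if cols[0] == "COMMENT":      # comment text for following rules, no columns to check
            continue
        sec = section or "NEW"        # no headers at all means everything is NEW
        act = base_action(cols[0])
        if len(cols) > MAX_COLUMNS:
            errors.append(f"line {n}: {len(cols)} columns, at most {MAX_COLUMNS} allowed")
        if sec in ("ESTABLISHED", "RELATED"):
            if fastaccept:
                errors.append(f"line {n}: SECTION {sec} must be empty with FASTACCEPT=Yes")
            if act not in STATE_SECTION_ACTIONS:
                errors.append(f"line {n}: {act} is not allowed in SECTION {sec}")
        if len(cols) > 7 and cols[7] != "-" and not RATE_RE.match(cols[7]):
            errors.append(f"line {n}: bad RATE LIMIT {cols[7]!r}")
        if len(cols) > 8 and cols[8] != "-" and cols[1].split(":")[0] != "$FW":
            errors.append(f"line {n}: USER/GROUP is only valid when SOURCE is $FW")
        rules.append((sec, cols))
    return rules, errors


if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("BAD", BAD)):
        found, problems = lint(text)
        print(f"{label}: {len(found)} rules, {len(problems)} problems")
        for problem in problems:
            print("  " + problem)
```

       lint(SAMPLE) returns five rules and no errors; lint(BAD) reports the
       five problems annotated in its comments by line number, and
       lint(SAMPLE, fastaccept=True) flags the one ESTABLISHED rule, which is
       the condition the Warning in the DESCRIPTION describes.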

FILES
       /etc/shorewall6/rules

SEE ALSO
       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
       shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
       shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
       shorewall6-providers(5), shorewall6-route_rules(5),
       shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5),
       shorewall6-tcclasses(5), shorewall6-tcdevices(5),
       shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
       shorewall6-zones(5)

NOTES
        1. shorewall6-policy
           http://www.shorewall.net/manpages6/shorewall6-policy.html

        2. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall6.conf.html

        3. shorewall6-zones
           http://www.shorewall.net/manpages6/shorewall6-zones.html

        4. shorewall6-nesting
           http://www.shorewall.net/manpages6/shorewall6-nesting.html

        5. http://www.shorewall.net/shorewall_logging.html

        6. shorewall6-actions
           http://www.shorewall.net/manpages6/shorewall6-actions.html

        7. shorewall-zones
           http://www.shorewall.net/manpages6/shorewall-zones.html

        8. shorewall6-exclusion
           http://www.shorewall.net/manpages6/shorewall6-exclusion.html

        9. shorewall6-interfaces
           http://www.shorewall.net/manpages6/shorewall-interfaces.html



[FIXME: source]                    09/16/2011                    SHOREWALL6-RULES(5)