SHOREWALL-RULES(5)            Configuration Files           SHOREWALL-RULES(5)


NAME

       rules - Shorewall rules file

SYNOPSIS

       /etc/shorewall[6]/rules

DESCRIPTION

       Entries in this file govern connection establishment by defining
       exceptions to the policies laid out in shorewall-policy[1](5). By
       default, subsequent requests and responses are automatically allowed
       using connection tracking. For any particular (source,dest) pair of
       zones, the rules are evaluated in the order in which they appear in
       this file and the first terminating match is the one that determines
       the disposition of the request. All rules are terminating except LOG
       and COUNT rules.

           Warning
           If you masquerade or use SNAT from a local system to the internet,
           you cannot use an ACCEPT rule to allow traffic from the internet to
           that system. You must use a DNAT rule instead.

       The rules file is divided into sections. Each section is introduced by
       a "Section Header" which is a line beginning with ?SECTION and followed
       by the section name.

       Sections are as follows and must appear in the order listed:

       ALL
           This section was added in Shorewall 4.4.23. Rules in this section
           are applied regardless of the connection tracking state of the
           packet, and are applied before rules in the other sections.

       ESTABLISHED
           Packets in the ESTABLISHED state are processed by rules in this
           section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit ACCEPT rule inserted at the end of this
           section.

       RELATED
           Packets in the RELATED state are processed by rules in this
           section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit rule added at the end of this section that
           invokes the RELATED_DISPOSITION (shorewall.conf[2](5)).

       INVALID
           Added in Shorewall 4.5.13. Packets in the INVALID state are
           processed by rules in this section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit rule added at the end of this section that
           invokes the INVALID_DISPOSITION (shorewall.conf[2](5)).

       UNTRACKED
           Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
           processed by rules in this section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit rule added at the end of this section that
           invokes the UNTRACKED_DISPOSITION (shorewall.conf[2](5)).

       NEW
           Packets in the NEW state are processed by rules in this section. If
           the INVALID and/or UNTRACKED sections are empty or not included,
           then the packets in the corresponding state(s) are also processed
           in this section.

           Note
           If you are not familiar with Netfilter to the point where you are
           comfortable with the differences between the various connection
           tracking states, then it is suggested that you place all of your
           rules in the NEW section (that is, after the line that reads
           "?SECTION NEW").

           Warning
           If you specify FASTACCEPT=Yes in shorewall.conf[2](5) then the ALL,
           ESTABLISHED and RELATED sections must be empty.

           An exception is made if you are running Shorewall 4.4.27 or later
           and you have specified a non-default value for RELATED_DISPOSITION
           or RELATED_LOG_LEVEL. In that case, you may have rules in the
           RELATED section of this file.

       You may omit any section that you don't need. If no Section Headers
       appear in the file then all rules are assumed to be in the NEW section.
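       The following script is an added example and is not part of Shorewall
       or of this manual page. It checks a rules file against the section
       rules stated above: ?SECTION headers must appear in the listed order,
       the ESTABLISHED, RELATED, INVALID and UNTRACKED sections accept only
       the seven listed ACTIONs, rules before any header (or in a file with no
       headers) belong to NEW, and with FASTACCEPT=Yes the ALL, ESTABLISHED and
       RELATED sections must be empty. The sample rules text is constructed
       for the example, and only the ACTION column is examined.

```python
"""Structural checks for a Shorewall rules file (added example, not
Shorewall's own compiler code)."""

import re

SECTION_ORDER = ["ALL", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED", "NEW"]

# Sections whose ACTION column is restricted to this set.
STATE_SECTION_ACTIONS = {"ACCEPT", "DROP", "REJECT", "LOG", "NFLOG", "NFQUEUE", "QUEUE"}
RESTRICTED_SECTIONS = {"ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}


def base_target(action_column):
    """Reduce 'REJECT(tcp-reset):info:tag' or 'NFQUEUE(2)' to its bare target."""
    target = re.sub(r"\(.*\)", "", action_column)   # drop a parenthesised parameter
    return target.split(":", 1)[0]                   # drop :level[!][:tag]


def check_rules(text, fastaccept=False):
    """Return a list of (line_number, message) problems; an empty list means clean."""
    problems = []
    section = None      # None until the first ?SECTION header is seen
    seen = []           # section names in the order encountered
    populated = set()   # sections that contain at least one rule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        m = re.match(r"\?SECTION\s+(\S+)$", line, re.IGNORECASE)
        if m:
            name = m.group(1).upper()
            if name not in SECTION_ORDER:
                problems.append((lineno, f"unknown section {name}"))
                continue
            if seen and SECTION_ORDER.index(name) <= SECTION_ORDER.index(seen[-1]):
                problems.append((lineno, f"section {name} out of order after {seen[-1]}"))
            seen.append(name)
            section = name
            continue
        if line.startswith("?"):
            continue    # other compiler directives (?COMMENT, ?FORMAT, ...)
        current = section or "NEW"                   # no header: rule belongs to NEW
        populated.add(current)
        target = base_target(line.split()[0])
        if current in RESTRICTED_SECTIONS and target not in STATE_SECTION_ACTIONS:
            problems.append((lineno, f"{target} not allowed in section {current}"))
    if fastaccept:
        for name in ("ALL", "ESTABLISHED", "RELATED"):
            if name in populated:
                problems.append((0, f"FASTACCEPT=Yes but section {name} is not empty"))
    return problems


# Constructed sample rules file with one deliberate mistake in the RELATED section.
SAMPLE = """\
?SECTION ALL
DROP            net:+blacklist  all
?SECTION ESTABLISHED
LOG:info        net             $FW
?SECTION RELATED
DNAT            net             loc:192.168.1.10  tcp  21
?SECTION NEW
ACCEPT          loc             net
Web(ACCEPT)     net             dmz
REJECT(tcp-reset):info  net     $FW  tcp  22
"""

if __name__ == "__main__":
    for lineno, msg in check_rules(SAMPLE):
        print(f"line {lineno}: {msg}")
```

       Run against SAMPLE the script reports the DNAT rule on line 6, which is
       not among the ACTIONs permitted in the RELATED section; with
       fastaccept=True it additionally reports the populated ALL, ESTABLISHED
       and RELATED sections.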
101
       When defining rules that rewrite the destination IP address and/or port
       number (namely DNAT and REDIRECT rules), it is important to keep
       straight which columns in the file specify the packet before rewriting
       and which specify how the packet will look after rewriting.

       ·   The DEST column specifies the final destination for the packet
           after rewriting and can include the final IP address and/or port
           number.

       ·   The remaining columns specify characteristics of the packet before
           rewriting. In particular, the ORIGDEST column gives the original
           destination IP address of the packet and the DPORT column gives the
           original destination port(s).

       The columns in the file are as follows (where the column name is
       followed by a different name in parentheses, the different name is used
       in the alternate specification syntax).
119
       ACTION - target[:{log-level|none}[!][:tag]]
           Specifies the action to be taken if the connection request matches
           the rule. target must be one of the following.

           ACCEPT
               Allow the connection request.

           ACCEPT+
               like ACCEPT but also excludes the connection from any
               subsequent matching DNAT[-] or REDIRECT[-] rules. Use with IPv6
               requires Shorewall 4.5.14 or later.

           ACCEPT!
               like ACCEPT but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           action
               The name of an action declared in shorewall-actions[3](5) or in
               /usr/share/shorewall[6]/actions.std.

           ADD(ipset:flags[:timeout])
               Added in Shorewall 4.4.12. Causes addresses and/or port numbers
               to be added to the named ipset. The flags specify the address
               or tuple to be added to the set and must match the type of
               ipset involved. For example, for an iphash ipset, either the
               SOURCE or DESTINATION address can be added using flags src or
               dst respectively (see the -A command in ipset (8)).

               Beginning with Shorewall 5.0.3, an optional timeout can be
               specified. This is the number of seconds that the new entry in
               the ipset is to remain valid and overrides any timeout
               specified when the ipset was created.

               ADD is non-terminating. Even if a packet matches the rule, it
               is passed on to the next rule.

           AUDIT[(accept|drop|reject)]
               Added in Shorewall 4.5.10. Audits the packet with the specified
               type; if the type is omitted, then drop is assumed. Requires
               AUDIT_TARGET support in the kernel and iptables.

           A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
               Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+
               and ACCEPT! respectively. Require AUDIT_TARGET support in the
               kernel and iptables. A_ACCEPT+ with IPv6 requires Shorewall
               4.5.14 or later.

           A_DROP and A_DROP!
               Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
               respectively. Require AUDIT_TARGET support in the kernel and
               iptables.

           A_REJECT and A_REJECT!
               Added in Shorewall 4.4.20. Audited versions of REJECT and
               REJECT! respectively. Require AUDIT_TARGET support in the
               kernel and iptables.

           ?COMMENT
               the rest of the line will be attached as a comment to the
               Netfilter rule(s) generated by the following entries. The
               comment will appear delimited by "/* ... */" in the output of
               "shorewall show <chain>". To stop the comment from being
               attached to further rules, simply include ?COMMENT on a line by
               itself.

           CONNMARK({mark})
               Added in Shorewall 5.0.7. CONNMARK is identical to MARK except
               that the mark is assigned to the connection to which the
               packet belongs rather than to the packet itself.

           CONTINUE
               For experts only.

               Do not process any of the following rules for this (source
               zone,destination zone). If the source and/or destination IP
               address falls into a zone defined later in
               shorewall-zones[4](5) or in a parent zone of the source or
               destination zones, then this connection request will be passed
               to the rules defined for that (those) zone(s). See
               shorewall-nesting[5](5) for additional information.

           CONTINUE!
               like CONTINUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           COUNT
               Simply increment the rule's packet and byte count and pass the
               packet to the next rule.

           DEL(ipset:flags)
               Added in Shorewall 4.4.12. Causes an entry to be deleted from
               the named ipset. The flags specify the address or tuple to be
               deleted from the set and must match the type of ipset involved.
               For example, for an iphash ipset, either the SOURCE or
               DESTINATION address can be deleted using flags src or dst
               respectively (see the -D command in ipset (8)).

               DEL is non-terminating. Even if a packet matches the rule, it
               is passed on to the next rule.

           DNAT
               Forward the request to another system (and optionally another
               port). Use with IPv6 requires Shorewall 4.5.14 or later.

           DNAT-
               Advanced users only.

               Like DNAT but only generates the DNAT iptables rule and not the
               companion ACCEPT rule. Use with IPv6 requires Shorewall 4.5.14
               or later.

           DROP
               Ignore the request.

           DROP!
               like DROP but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           HELPER
               Added in Shorewall 4.5.7. This action requires that the HELPER
               column contains the name of the Netfilter helper to be
               associated with connections matching this rule. May only be
               specified in the NEW section and is useful for being able to
               specify a helper when the applicable policy is ACCEPT. No
               destination zone should be specified in HELPER rules.

           INLINE[(action)]
               Added in Shorewall 4.5.16. This action allows you to construct
               most of the rule yourself using iptables syntax. The part that
               you specify must follow two semicolons (';;') and is completely
               free-form. If the target of the rule (the part following '-j')
               is something that Shorewall supports in the ACTION column, then
               you may enclose it in parentheses (e.g., INLINE(ACCEPT)).
               Otherwise, you can include it after the semicolon(s). In this
               case, you must declare the target as a builtin action in
               shorewall-actions[3](5).
256
               Some considerations when using INLINE:

               ·   The p, s, d, i, o, policy and state (state or conntrack
                   --ctstate) matches will always appear at the front of the
                   rule, in that order.

               ·   When multiple matches are specified, the compiler will keep
                   them in the order in which they appear (excluding the above
                   listed ones), but they will not necessarily be at the end
                   of the generated rule. For example, if addresses are
                   specified in the SOURCE and/or DEST columns, their
                   generated matches will appear after those specified using
                   ';;' or ';'.

           IPTABLES(iptables-target [option ...])
               IPv4 only. This action allows you to specify an iptables target
               with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'). If
               the iptables-target is not one recognized by Shorewall, the
               following error message will be issued:

                       ERROR: Unknown target (iptables-target)

               This error message may be eliminated by adding the
               iptables-target as a builtin action in shorewall-actions[3](5).

                   Important
                   If you specify REJECT as the iptables-target, the target of
                   the rule will be the iptables REJECT target and not
                   Shorewall's builtin 'reject' chain which is used when
                   REJECT (see below) is specified as the target in the ACTION
                   column.

           IP6TABLES(ip6tables-target [option ...])
               IPv6 only. This action allows you to specify an ip6tables
               target with options (e.g., 'IP6TABLES(MARK --set-xmark
               0x01/0xff)'). If the ip6tables-target is not one recognized by
               Shorewall, the following error message will be issued:

                       ERROR: Unknown target (ip6tables-target)

               This error message may be eliminated by adding the
               ip6tables-target as a builtin action in
               shorewall-actions[6](5).

                   Important
                   If you specify REJECT as the ip6tables-target, the target
                   of the rule will be the ip6tables REJECT target and not
                   Shorewall's builtin 'reject' chain which is used when
                   REJECT (see below) is specified as the target in the ACTION
                   column.
307
           LOG:level
               Simply log the packet and continue with the next rule.

           macro[(macrotarget)]
               The name of a macro defined in a file named macro.macro. If the
               macro accepts an action parameter (look at the macro source to
               see if it has PARAM in the TARGET column) then the macro name
               is followed by the parenthesized macrotarget (ACCEPT, DROP,
               REJECT, ...) to be substituted for the parameter.

               Example: FTP(ACCEPT).

               The older syntax where the macro name and the target are
               separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
               deprecated.

           MARK({mark})
               where mark is a packet mark value.

               Added in Shorewall 5.0.7, MARK requires "Mark in filter table"
               support in your kernel and iptables.

               Normally, MARK sets the mark value of the current packet. If
               the mark value is preceded by a vertical bar ("|"), it will be
               logically ORed with the current mark value to produce a new
               mark value. If preceded by an ampersand ("&"), it will be
               logically ANDed with the current mark value to produce a new
               mark value.

               Both "|" and "&" require Extended MARK Target support in your
               kernel and iptables.

               The mark value may be optionally followed by "/" and a mask
               value (used to determine those bits of the connection mark to
               actually be set). When a mask is specified, the result of
               logically ANDing the mark value with the mask must be the same
               as the mark value.

           NFLOG[(nflog-parameters)]
               Added in Shorewall 4.5.9.3. Queues matching packets to a back
               end logging daemon via a netlink socket then continues to the
               next rule. See
               http://www.shorewall.net/shorewall_logging.html[7].

               The nflog-parameters are a comma-separated list of up to 3
               numbers:

               ·   The first number specifies the netlink group (0-65535). If
                   omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

               ·   The second number specifies the maximum number of bytes to
                   copy. If omitted, 0 (no limit) is assumed.

               ·   The third number specifies the number of log messages that
                   should be buffered in the kernel before they are sent to
                   user space. The default is 1.

               NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
               the log level is not changed when this ACTION is used in an
               action or macro body and the invocation of that action or macro
               specifies a log level.

           NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
               Queues the packet to a user-space application using the
               nfnetlink_queue mechanism. If a queuenumber1 is not specified,
               queue zero (0) is assumed. Beginning with Shorewall 4.6.10, the
               keyword bypass can be given. By default, if no userspace
               program is listening on an NFQUEUE, then all packets that are
               to be queued are dropped. When this option is used, the NFQUEUE
               rule is silently bypassed instead. The packet will move on to
               the next rule. Also beginning in Shorewall 4.6.10, a second
               queue number (queuenumber2) may be specified. This specifies a
               range of queues to use. Packets are then balanced across the
               given queues. This is useful for multicore systems: start
               multiple instances of the userspace program on queues x, x+1,
               .. x+n and use "x:x+n". Packets belonging to the same
               connection are put into the same nfqueue.

               Beginning with Shorewall 5.1.0, queuenumber2 may be followed by
               the letter 'c' to indicate that the CPU ID will be used as an
               index to map packets to the queues. The idea is that you can
               improve performance if there's a queue per CPU. Requires the
               NFQUEUE CPU Fanout capability in your kernel and iptables.

           NFQUEUE![([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
               like NFQUEUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).
395
           NONAT
               Excludes the connection from any subsequent DNAT[-] or
               REDIRECT[-] rules but doesn't generate a rule to accept the
               traffic. Use with IPv6 requires Shorewall 4.5.14 or later.

           QUEUE
               Queue the packet to a user-space application such as ftwall
               (http://p2pwall.sf.net). The application may reinsert the
               packet for further processing.

           QUEUE!
               like QUEUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           REJECT[(option)]
               disallow the request and return an icmp-unreachable or an RST
               packet. If no option is passed, Shorewall selects the
               appropriate option based on the protocol of the packet.

               Beginning with Shorewall 5.0.8, the type of reject may be
               specified in the option parameter. Valid IPv4 option values
               are:

                   icmp-net-unreachable
                   icmp-host-unreachable
                   icmp-port-unreachable
                   icmp-proto-unreachable
                   icmp-net-prohibited
                   icmp-host-prohibited
                   icmp-admin-prohibited
                   icmp-tcp-reset (the PROTO column must specify TCP).
                       Beginning with Shorewall 5.1.3, this option may also
                       be specified as tcp-reset.

               Valid IPv6 option values are:

                   icmp6-no-route
                   no-route
                   icmp6-adm-prohibited
                   adm-prohibited
                   icmp6-addr-unreachable
                   addr-unreach
                   icmp6-port-unreachable
                   tcp-reset (the PROTO column must specify TCP)

           REJECT!
               like REJECT but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           REDIRECT
               Redirect the request to a server running on the firewall. Use
               with IPv6 requires Shorewall 4.5.14 or later.

           REDIRECT-
               Advanced users only.

               Like REDIRECT but only generates the REDIRECT iptables rule and
               not the companion ACCEPT rule. Use with IPv6 requires Shorewall
               4.5.14 or later.

           TARPIT [(tarpit | honeypot | reset)]
               Added in Shorewall 4.6.6.

               TARPIT captures and holds incoming TCP connections using no
               local per-connection resources.

               TARPIT only works with the PROTO column set to tcp (6), and is
               totally application agnostic. This module will answer a TCP
               request and play along like a listening server, but aside from
               sending an ACK or RST, no data is sent. Incoming packets are
               ignored and dropped. The attacker will terminate the session
               eventually. This module allows the initial packets of an attack
               to be captured by other software for inspection. In most cases
               this is sufficient to determine the nature of the attack.

               This offers similar functionality to LaBrea
               <http://www.hackbusters.net/LaBrea/> but does not require
               dedicated hardware or IPs. Any TCP port that you would normally
               DROP or REJECT can instead become a tarpit.

               The target accepts a single optional parameter:

               tarpit
                   This mode is the default and completes a connection with
                   the attacker but limits the window size to 0, thus keeping
                   the attacker waiting long periods of time. While the remote
                   side is maintaining state of the connection and trying to
                   continue every 60-240 seconds, we keep none, so it is very
                   lightweight. Attempts to close the connection are ignored,
                   forcing the remote side to time out the connection in 12-24
                   minutes.

               honeypot
                   This mode completes a connection with the attacker, but
                   signals a normal window size, so that the remote side will
                   attempt to send data, often with some very nasty exploit
                   attempts. We can capture these packets for decoding and
                   further analysis. The module does not send any data, so if
                   the remote expects an application level response, the game
                   is up.

               reset
                   This mode is handy because we can send an inline RST
                   (reset). It has no other function.

           ULOG[(ulog-parameters)]
               IPv4 only. Added in Shorewall 4.5.10. Queues matching packets
               to a back end logging daemon via a netlink socket then
               continues to the next rule. See shorewall-logging(5)[8].

               Similar to LOG:ULOG[(ulog-parameters)], except that the log
               level is not changed when this ACTION is used in an action or
               macro body and the invocation of that action or macro specifies
               a log level.

           The target may optionally be followed by ":" and a syslog log level
           (e.g., REJECT:info or Web(ACCEPT):debug). This causes the packet to
           be logged at the specified level. Note that if the ACTION involves
           destination network address translation (DNAT, REDIRECT, etc.) then
           the packet is logged before the destination address is rewritten.

           If the ACTION names an action declared in shorewall-actions[3](5)
           or in /usr/share/shorewall/actions.std then:

           ·   If the log level is followed by "!" then all rules in the
               action are logged at the log level.

           ·   If the log level is not followed by "!" then only those rules
               in the action that do not specify logging are logged at the
               specified level.

           ·   The special log level none! suppresses logging by the action.

           You may also specify ULOG (IPv4 only) or NFLOG (must be in upper
           case) as a log level. This will log to the ULOG or NFLOG target for
           routing to a separate log through use of ulogd
           (shorewall-logging(5)[8]).

           Actions specifying logging may be followed by a log tag (a string
           of alphanumeric characters) which is appended to the string
           generated by the LOGPREFIX (in shorewall.conf[2](5)).

           Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
           prefix generated by the LOGPREFIX setting.
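           The following is an added example, not code from Shorewall or from
           this manual page. It parses the ACTION column syntax described
           above, target[:{log-level|none}[!][:tag]], keeping a parenthesised
           parameter such as ADD(ipset:src:300) or a level such as
           NFLOG(1,0,10) intact even though they contain colons, and then
           applies the three logging bullets to decide at which level a rule
           inside an invoked action body is logged. The action and macro names
           in the checks (Web, ADD, ...) are illustrative.

```python
"""Parser for the ACTION column of a Shorewall rules entry (added example,
not Shorewall's own code)."""

import re
from dataclasses import dataclass
from typing import Optional

ACTION_RE = re.compile(r"""
    ^(?P<target>[A-Za-z_$][\w$]*[!+-]?)                   # ACCEPT, ACCEPT!, DNAT-, Web
    (?:\((?P<param>[^)]*)\))?                             # (tcp-reset), (ipset:src:300)
    (?::(?P<level>[^:()!]+(?:\([^)]*\))?)(?P<bang>!)?)?   # :info, :none!, :NFLOG(1,0,10)
    (?::(?P<tag>\w+))?                                    # :ftp
    $""", re.VERBOSE)


@dataclass
class Action:
    target: str
    param: Optional[str]
    log_level: Optional[str]   # syslog level, ULOG, NFLOG[(...)] or "none"
    log_all: bool              # True when the level was followed by "!"
    tag: Optional[str]


def parse_action(column):
    """Split one ACTION column value into its parts; raise on malformed input."""
    m = ACTION_RE.match(column)
    if not m:
        raise ValueError(f"malformed ACTION column {column!r}")
    return Action(m["target"], m["param"], m["level"], m["bang"] is not None, m["tag"])


def effective_log_level(invocation, body_rule_level):
    """Level at which one rule of the invoked action body is logged.

    invocation: the parsed ACTION column that invokes the action or macro.
    body_rule_level: the level that body rule specifies itself, or None.
    Returns None when the rule is not logged at all.
    """
    level, forced = invocation.log_level, invocation.log_all
    if level is None:                  # no logging requested by the invocation
        return body_rule_level
    if forced:                         # "level!" overrides every body rule
        return None if level == "none" else level
    if body_rule_level is not None:    # body rule keeps its own logging
        return body_rule_level
    return None if level == "none" else level


if __name__ == "__main__":
    for column in ("ACCEPT:info:ftp", "ADD(ipset:src:300)", "Web(ACCEPT):none!"):
        print(column, "->", parse_action(column))
```

           The parser treats none! as the level "none" with the "!" flag set,
           so effective_log_level() returns None (no logging) for every rule
           of the action, matching the third bullet above.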
540
       SOURCE - source-spec[,...]
           Source hosts to which the rule applies.

           source-spec is one of the following:

           zone[,...[+]]
               The name of a zone defined in shorewall-zones[4](5). When only
               the zone name is specified, the packet source may be any host
               in that zone.

               zone may also be one of the following:

               all[+][-]
                   all, without the "-" means "All Zones, including the
                   firewall zone". If the "-" is included, the firewall zone
                   is omitted. Normally all omits intra-zone traffic, but
                   intra-zone traffic can be included by specifying "+".

               any[+][-]
                   any is equivalent to all when there are no nested zones.
                   When there are nested zones, any only refers to top-level
                   zones (those with no parent zones). Note that any excludes
                   all vserver zones, since those zones are nested within the
                   firewall zone.

               none
                   When none is used either in the SOURCE or DEST column, the
                   rule is ignored.

               As with all and any, intra-zone traffic is normally excluded
               when multiple zones are listed. Intra-zone traffic may be
               included by following the list with a plus sign ("+").

               all and any may be followed by an exclamation point ("!") and a
               comma-separated list of zone names to be omitted.

           zone:interface
               When this form is used, interface must be the name of an
               interface associated with the named zone in either
               shorewall-interfaces[9](5) or shorewall-hosts[10](5). Only
               packets from hosts in the zone that arrive through the named
               interface will match the rule.

           zone:address[,...]
               where address can be:

               ·   A host or network IP address. A network address may be
                   followed by exclusion (see shorewall-exclusion[11](5)).

               ·   An address range, specified using the syntax
                   lowaddress-highaddress.

               ·   +ipset where ipset is the name of an ipset and must be
                   preceded by a plus sign ("+").

               ·   A MAC address in Shorewall format (preceded by a tilde
                   ("~") and with the hex byte values separated by dashes
                   (e.g., "~00-0a-f6-04-9c-7d").

               ·   ^country-code where country-code is a two-character
                   ISO-3661 country code preceded by a caret ("^").

               ·   ^country-code-list where country-code-list is a
                   comma-separated list of up to 15 ISO-3661 country codes
                   enclosed in square brackets ("[...]").

               ·   The primary IP address of a firewall interface can be
                   specified by an ampersand ('&') followed by the logical
                   name of the interface as found in the INTERFACE column of
                   shorewall-interfaces[9](5).

           zone:interface:address[,...]
               This form combines the preceding two and requires that both the
               incoming interface and source address match.

           zone:exclusion
               This form matches if the host IP address does not match any of
               the entries in the exclusion (see shorewall-exclusion[11](5)).

           zone:interface:exclusion
               This form matches packets from the named zone entering through
               the specified interface where the source address does not match
               any entry in the exclusion.

           Beginning with Shorewall 5.1.0, multiple source-specs may be
           listed, provided that extended forms of the source-spec are used:

               zone:(interface)

               zone:(address[,...])

               zone:(interface:address[,...])

               zone:(exclusion)

               zone:(interface:exclusion)

           Examples:

           dmz:192.168.2.2
               Host 192.168.2.2 in the DMZ

           net:155.186.235.0/24
               Subnet 155.186.235.0/24 on the Internet

           loc:192.168.1.1,192.168.1.2
               Hosts 192.168.1.1 and 192.168.1.2 in the local zone.

           loc:~00-A0-C9-15-39-78
               Host in the local zone with MAC address 00:A0:C9:15:39:78.

           net:192.0.2.11-192.0.2.17
               Hosts 192.0.2.11-192.0.2.17 in the net zone.

           net:!192.0.2.11-192.0.2.17
               All hosts in the net zone except for 192.0.2.11-192.0.2.17.

           net:155.186.235.0/24!155.186.235.16/28
               Subnet 155.186.235.0/24 on the Internet except for
               155.186.235.16/28

           $FW:&eth0
               The primary IP address of eth0 in the firewall zone.

           loc,dmz
               Both the loc and dmz zones.

           all!dmz
               All but the dmz zone.

           net:^CN
               China.

           loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
               Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
               arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
               dmz zone when the packet arrives through eth2 plus all of the
               net zone.

           dmz:[2002:ce7c:2b4:1::2]
               Host 2002:ce7c:92b4:1::2 in the DMZ

           net:2001:4d48:ad51:24::/64
               Subnet 2001:4d48:ad51:24::/64 on the Internet

           loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]
               Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local
               zone.

           loc:~00-A0-C9-15-39-78
               Host in the local zone with MAC address 00:A0:C9:15:39:78.

           net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80
               Subnet 2001:4d48:ad51:24::/64 on the Internet except for
               2001:4d48:ad51:24:6::/80.
693
694       DEST - dest-spec[,...]
695           Destination hosts to which the rule applies.
696
697           dest-spec is one of the following:
698
699           zone[,...[+]]
700               The name of a zone defined in shorewall-zones[4](5). When only
701               the zone name is specified, the packet destination may be any
702               host in that zone.
703
704               zone may also be one of the following:
705
706               all[+][-]
707                   all, without the "-" means "All Zones, including the
708                   firewall zone". If the "-" is included, the firewall zone
709                   is omitted. Normally all omits intra-zone traffic, but
710                   intra-zone traffic can be included specifying "+".
711
712               any[+][-]
713                   any is equivalent to all when there are no nested zones.
714                   When there are nested zones, any only refers to top-level
715                   zones (those with no parent zones). Note that any excludes
716                   all vserver zones, since those zones are nested within the
717                   firewall zone.
718
719               none
720                   When none is used either in the SOURCE or DEST column, the
721                   rule is ignored.
722
723               Similar to with all and any, intra-zone traffic is normally
724               excluded when multiple zones are listed. Intra-zone traffic may
725               be included by following the list with a plus sign ("+").
726
727               all and any may be followed by an exclamation point ("!") and a
728               comma-separated list of zone names to be omitted.
729
730           zone:interface
731               When this form is used, interface must be the name of an
732               interface associated with the named zone in either
733               shorewall-interfaces[9](5) or shorewall-hosts[12](5). Only
734               packets to hosts in the zone that are sent through the named
735               interface will match the rule.
736
737           zone:address[,...]
738               where address can be:
739
740               ·   A host or network IP address. A network address may be
741                   followed by exclusion (see shorewall-exclusion[11](5)).
742
743               ·   An address range, specified using the syntax
744                   lowaddress-highaddress.
745
746               ·   +ipset where ipset is the name of an ipset and must be
747                   preceded by a plus sign ("+").
748
749               ·   ^country-code where country-code is a two-character
750                   ISO-3661 country code preceded by a caret ("^").
751
752               ·   ^country-code-list where country-code-list is a
753                   comma-separated list of up to 15 ISO-3661 country codes
754                   enclosed in square brackets ("[...]").
755
756               ·   The primary IP address of a firewall interface can be
757                   specified by an ampersand ('&') followed by the logical
758                   name of the interface as found in the INTERFACE column of
759                   shorewall-interfaces[9] (5).
760
          zone:interface:address[,...]
              This form combines the preceding two and requires that both the
              outgoing interface and destination address match.
764
765           zone:exclusion
766               This form matches if the host IP address does not match any of
767               the entries in the exclusion (see shorewall-exclusion[11](5)).
768
769           zone:interface:exclusion
770               This form matches packets to the named zone leaving through the
771               specified interface where the destination address does not
772               match any entry in the exclusion.
773
774           [zone]:[server-IP][:port-or-port-range[:random]]
775               This form applies when the ACTION is DNAT[-] or REDIRECT[-].
776               The zone may be omitted in REDIRECT rules ($FW is assumed) and
777               must be omitted in DNAT-, REDIRECT- and NONAT rules.
778
779               server-IP is not allowed in REDIRECT rules and may be omitted
780               in DNAT[-] rules provided that port-or-port-range is included.
781
782               ·   The IP address of the server to which the packet is to be
783                   sent.
784
              ·   A range of IP addresses with the low and high address
                  separated by a dash ("-"). Connections are distributed
                  among the IP addresses in the range.
788
789               If server-IP is omitted in a DNAT[-] rule, only the destination
790               port number is modified by the rule.
791
792               port-or-port-range may be:
793
794               ·   An integer port number in the range 1 - 65535.
795
796               ·   The name of a service from /etc/services.
797
798               ·   A port range with the low and high integer port numbers
799                   separated by a dash ("-"). Connections are distributed
800                   among the ports in the range.
801
802               If random is specified, port mapping will be randomized.
803
804           If the DEST zone is a bport zone, then either:
805
806            1. the SOURCE must be all[+][-], or
807
808            2. the SOURCE zone must be another bport zone associated with the
809               same bridge, or
810
811            3. the SOURCE zone must be an ipv4 zone that is associated with
812               only the same bridge.
813
          Beginning with Shorewall 5.1.0, multiple dest-specs may be listed,
          provided that extended forms of the dest-spec are used:

              zone:(interface)

              zone:(address[,...])

              zone:(interface:address[,...])

              zone:(exclusion)

              zone:(interface:exclusion)

          Multiple dest-specs are not permitted in DNAT[-] and REDIRECT[-]
          rules.
826
827           Examples:
828
829           dmz:192.168.2.2
830               Host 192.168.2.2 in the DMZ
831
832           net:155.186.235.0/24
833               Subnet 155.186.235.0/24 on the Internet
834
835           loc:192.168.1.1,192.168.1.2
836               Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
837
838           net:192.0.2.11-192.0.2.17
839               Hosts 192.0.2.11-192.0.2.17 in the net zone.
840
841           net:!192.0.2.11-192.0.2.17
842               All hosts in the net zone except for 192.0.2.11-192.0.2.17.
843
844           net:155.186.235.0/24!155.186.235.16/28
845               Subnet 155.186.235.0/24 on the Internet except for
846               155.186.235.16/28
847
848           $FW:&eth0
849               The primary IP address of eth0 in the firewall zone.
850
851           loc,dmz
852               Both the loc and dmz zones.
853
854           all!dmz
855               All but the dmz zone.
856
857           net:^CN
858               China.
859
860           dmz:192.168.10.4:25
861               Port 25 on server 192.168.10.4 in the dmz zone (DNAT rule).
862
          loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
              Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet is
              sent out through eth1, plus hosts 5.6.7.8 and 9.10.11.12 in the
              dmz zone when the packet is sent out through eth2, plus all of
              the net zone.
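As an added example (not Shorewall's own code), the following Python parser turns a SOURCE or DEST column value as described in the two sections above into structured matches, including the Shorewall 5.1.0 multi-spec form zone:(interface:address,...),zone:(...),zone. It assumes the caller supplies the set of interface names (Shorewall takes them from shorewall-interfaces(5)); the DNAT/REDIRECT server-IP:port form is left as an opaque address.

```python
# Added example, not Shorewall's own code: parse rules(5) SOURCE/DEST specs.
# Assumption: interface names are supplied by the caller as a set; Shorewall
# itself reads them from shorewall-interfaces(5).
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class HostSpec:
    """One zone match of a SOURCE/DEST column."""
    zones: List[str]
    excluded_zones: List[str] = field(default_factory=list)  # all!dmz,...
    interface: Optional[str] = None
    addresses: List[str] = field(default_factory=list)
    exclusions: List[str] = field(default_factory=list)      # after '!'
    intra_zone: bool = False      # zone list ended with '+'
    omit_firewall: bool = False   # all- / any-


def split_top(text: str, sep: str) -> List[str]:
    """Split on sep only outside (...) and [...], so that IPv6 literals such
    as [2001:db8::1] and country lists such as ^[CN,US] stay in one piece."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def _zone(token: str) -> HostSpec:
    """zone[+][-] or all!zone1,zone2 (no interface/addresses yet)."""
    name, _, excluded = token.partition("!")
    flags = ""
    while name and name[-1] in "+-":
        flags, name = flags + name[-1], name[:-1]
    return HostSpec(zones=[name],
                    excluded_zones=[z for z in excluded.split(",") if z],
                    intra_zone="+" in flags, omit_firewall="-" in flags)


def _hosts(spec: HostSpec, rest: str, interfaces: Set[str]) -> None:
    """Fill interface/addresses/exclusions from the text after 'zone:'."""
    head = split_top(rest, ":")[0]
    if head in interfaces:                 # zone:interface[:address,...]
        spec.interface, rest = head, rest[len(head) + 1:]
    if rest:
        included, _, excluded = rest.partition("!")   # addr!excl or !excl
        spec.addresses = [a for a in split_top(included, ",") if a]
        spec.exclusions = [a for a in split_top(excluded, ",") if a]


def parse_spec(column: str, interfaces: Set[str]) -> List[HostSpec]:
    """Parse a complete SOURCE or DEST column value."""
    specs: List[HostSpec] = []
    mode = "start"   # decides what a bare (colon-less) token continues
    for token in split_top(column, ","):
        zone, colon, rest = token.partition(":")
        if colon:
            spec = _zone(zone)
            extended = rest.startswith("(") and rest.endswith(")")
            _hosts(spec, rest[1:-1] if extended else rest, interfaces)
            specs.append(spec)
            mode = "extended" if extended else "plain"
        elif mode == "plain":              # zone:a,b,c continues the list
            spec = specs[-1]
            if token.startswith("!") or spec.exclusions:
                spec.exclusions.append(token.lstrip("!"))
            else:
                spec.addresses.append(token)
        elif mode == "zones" and specs[-1].excluded_zones:
            specs[-1].excluded_zones.append(token)     # all!dmz,loc
        elif mode == "zones":                           # loc,dmz[+]
            more = _zone(token)
            specs[-1].zones += more.zones
            specs[-1].intra_zone |= more.intra_zone
            specs[-1].omit_firewall |= more.omit_firewall
        else:                                           # new zone-only spec
            specs.append(_zone(token))
            mode = "zones"
    return specs
```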
868
869       PROTO-
870       {-|tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
871           Optional Protocol - ipp2p* requires ipp2p match support in your
872           kernel and iptables.  tcp:syn implies tcp plus the SYN flag must be
873           set and the RST, ACK and FIN flags must be reset. Beginning with
874           Shorewall 5.1.3, you may also specify tcp:!syn, which matches if
875           SYN is not set or if RST, ACK or FIN is set.
876
877           Beginning with Shorewall 4.4.19, this column can contain a
878           comma-separated list of protocol-numbers and/or protocol names.
879
880       DPORT -
881       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
882           Optional destination Ports. A comma-separated list of Port names
883           (from services(5)), port numbers or port ranges; if the protocol is
884           icmp, this column is interpreted as the destination icmp-type(s).
885           ICMP types may be specified as a numeric type, a numeric type and
886           code separated by a slash (e.g., 3/4), or a typename. See
887           http://www.shorewall.net/configuration_file_basics.htm#ICMP[13].
888           Note that prior to Shorewall 4.4.19, only a single ICMP type may be
889           listed.
890
891           If the protocol is ipp2p, this column is interpreted as an ipp2p
892           option without the leading "--" (example bit for bit-torrent). If
893           no port is given, ipp2p is assumed.
894
895           A port range is expressed as lowport:highport.
896
897           This column is ignored if PROTO = all but must be entered if any of
898           the following columns are supplied. In that case, it is suggested
899           that this field contain a dash (-).
900
          If your kernel contains multi-port match support, then only a
          single Netfilter rule will be generated if, in this list and the
          SPORT list below:

          1. There are 15 or fewer ports listed.

          2. No port ranges are included, or your kernel and iptables contain
          extended multi-port match support.
909
910           Beginning with Shorewall 4.6.0, an ipset name can be specified in
911           this column. This is intended to be used with bitmap:port ipsets.
912
913           This column was formerly labelled DEST PORT(S).
914
915       SPORT -
916       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
          Optional port(s) used by the client. If omitted, any source port is
          acceptable. Specified as a comma-separated list of port names,
          port numbers or port ranges.

          Beginning with Shorewall 4.5.15, you may place '=' in this column,
          provided that the DPORT column is non-empty. This causes the rule
          to match when either the source port or the destination port in a
          packet matches one of the ports specified in DPORT. Use of '='
          requires multi-port match in your iptables and kernel.

              Warning
              Unless you really understand IP, you should leave this column
              empty or place a dash (-) in the column. Most people who try to
              use this column get it wrong.

          If you don't want to restrict client ports but need to specify an
          ORIGDEST in the next column, then place "-" in this column.
933
          If your kernel contains multi-port match support, then only a
          single Netfilter rule will be generated if, in this list and the
          DPORT list above:

          1. There are 15 or fewer ports listed.

          2. No port ranges are included, or your kernel and iptables contain
          extended multi-port match support.
942
943           Beginning with Shorewall 4.6.0, an ipset name can be specified in
944           this column. This is intended to be used with bitmap:port ipsets.
945
946           This column was formerly labelled SOURCE PORT(S).
947
948       ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
949           Optional. If ACTION is DNAT[-] or REDIRECT[-] then if this column
950           is included and is different from the IP address given in the DEST
951           column, then connections destined for that address will be
952           forwarded to the IP and port specified in the DEST column.
953
          A comma-separated list of addresses may also be used. This is most
          useful with the REDIRECT target where you want to redirect traffic
          destined for a particular set of hosts. Finally, if the list of
          addresses begins with "!" (exclusion) then the rule will be
          followed only if the original destination address in the connection
          request does not match any of the addresses listed.
960
961           Beginning with Shorewall 4.4.17, the primary IP address of a
962           firewall interface can be specified by an ampersand ('&') followed
963           by the logical name of the interface as found in the INTERFACE
964           column of shorewall-interfaces[9] (5).
965
966           For other actions, this column may be included and may contain one
967           or more addresses (host or network) separated by commas. Address
968           ranges are not allowed. When this column is supplied, rules are
969           generated that require that the original destination address
970           matches one of the listed addresses. This feature is most useful
971           when you want to generate a filter rule that corresponds to a DNAT-
972           or REDIRECT- rule. In this usage, the list of addresses should not
973           begin with "!".
974
          It is also possible to specify a set of addresses then exclude part
          of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
          specifies the addresses 192.168.1.0-192.168.1.15 and
          192.168.1.32-192.168.1.255. See shorewall-exclusion[11](5).
979
980           See http://www.shorewall.net/PortKnocking.html[14] for an example
981           of using an entry in this column with a user-defined action rule.
982
983           This column was formerly labelled ORIGINAL DEST.
984
985       RATE - limit
986           where limit is one of:
987               [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst]
988               [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day}[:burst2]
          You may optionally rate-limit the rule by placing a value in this
          column:

          rate* is the number of connections per interval (sec, min, hour or
          day) and burst* is the largest burst permitted. If no burst is
          given, a value of 5 is assumed. There may be no white-space
          embedded in the specification.
996
997           Example: 10/sec:20
998
999           When s: or d: is specified, the rate applies per source IP address
1000           or per destination IP address respectively. The names may be chosen
1001           by the user and specify a hash table to be used to count matching
1002           connections. If not given, the name shorewallN (where N is a unique
1003           integer) is assumed. Where more than one rule or POLICY specifies
1004           the same name, the connections counts for the rules are aggregated
1005           and the individual rates apply to the aggregated count.
1006
1007           Beginning with Shorewall 4.6.5, two limits may be specified,
1008           separated by a comma. In this case, the first limit (name1, rate1,
1009           burst1) specifies the per-source IP limit and the second limit
1010           specifies the per-destination IP limit.
1011
1012           Example: client:10/sec:20,:60/sec:100
1013
1014           In this example, the 'client' hash table will be used to enforce
1015           the per-source limit and the compiler will pick a unique name for
1016           the hash table that tracks the per-destination limit.
1017
1018           This column was formerly labelled RATE LIMIT.
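As an added example (not Shorewall's own code), a Python parser for the RATE column grammar given above, covering the single-limit form with its optional s:/d: prefix and hash-table name, the two-limit form added in 4.6.5, the default burst of 5, and the no-white-space rule:

```python
# Added example, not Shorewall's own code: parse the rules(5) RATE column
#   [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst]
#   [name1]:rate1/{...}[:burst1],[name2]:rate2/{...}[:burst2]
import re
from dataclasses import dataclass
from typing import List, Optional

_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}
_LIMIT = re.compile(r"^(?P<rate>\d+)/(?P<unit>sec|min|hour|day)(?::(?P<burst>\d+))?$")


@dataclass
class RateLimit:
    scope: Optional[str]   # "s" = per source IP, "d" = per destination IP, None = global
    name: Optional[str]    # hash table name; None means the compiler picks shorewallN
    rate: int
    unit: str
    burst: int

    def per_second(self) -> float:
        """Sustained rate normalised to connections per second."""
        return self.rate / _UNIT_SECONDS[self.unit]


def _one(text: str, scope: Optional[str]) -> RateLimit:
    """[name:]rate/unit[:burst], after any s:/d: prefix has been removed."""
    name = None
    if not _LIMIT.match(text):
        name, _, text = text.partition(":")   # leading name (may be empty)
        name = name or None
    m = _LIMIT.match(text)
    if not m:
        raise ValueError(f"bad rate limit: {text!r}")
    burst = int(m["burst"]) if m["burst"] else 5   # documented default
    return RateLimit(scope, name, int(m["rate"]), m["unit"], burst)


def parse_rate(column: str) -> List[RateLimit]:
    """Return the limits a RATE column imposes (empty for '-' or blank)."""
    if column in ("", "-"):
        return []
    if any(c.isspace() for c in column):
        raise ValueError("RATE may not contain white-space")
    if "," in column:   # two-limit form: per-source limit, then per-destination
        src, dst = column.split(",", 1)
        return [_one(src, "s"), _one(dst, "d")]
    scope = None
    if column[:2] in ("s:", "d:"):
        scope, column = column[0], column[2:]
    return [_one(column, scope)]
```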
1019
1020       USER - [!][user-name-or-number][:group-name-or-number][,...]
1021           This optional column may only be non-empty if the SOURCE is the
1022           firewall itself.
1023
1024           When this column is non-empty, the rule applies only if the program
1025           generating the output is running under the effective user and/or
1026           group specified (or is NOT running under that id if "!" is given).
1027
1028           Beginning with Shorewall 4.5.8, multiple user or group names/ids
1029           separated by commas may be specified.
1030
1031           Examples:
1032
1033           joe
1034               program must be run by joe
1035
1036           :kids
1037               program must be run by a member of the 'kids' group
1038
1039           !:kids
1040               program must not be run by a member of the 'kids' group
1041
1042           2001-2099
1043               UIDs 2001 through 2099 (Shorewall 4.5.6 and later)
1044
1045           This column was formerly labelled USER/GROUP.
1046
1047       MARK - [!]value[/mask][:C]
1048           Defines a test on the existing packet or connection mark. The rule
1049           will match only if the test returns true.
1050
1051           If you don't want to define a test but need to specify anything in
1052           the following columns, place a "-" in this field.
1053
1054           !
1055               Inverts the test (not equal)
1056
1057           value
1058               Value of the packet or connection mark.
1059
1060           mask
1061               A mask to be applied to the mark before testing.
1062
1063           :C
1064               Designates a connection mark. If omitted, the packet mark's
1065               value is tested.
1066
      CONNLIMIT - [d:][!]limit[:mask]
          May be used to limit the number of simultaneous connections to/from
          each individual host or network. Requires connlimit match in your
          kernel and iptables. While the limit is only checked on rules
          specifying CONNLIMIT, the number of current connections is
          calculated over all current connections from the SOURCE or
          DESTINATION host. By default, limiting is done by SOURCE host or
          net, but if the specification begins with d:, then limiting will
          be done by destination host or net.

          By default, the limit is applied to each host but can be made to
          apply to networks of hosts by specifying a mask. The mask specifies
          the width of a VLSM mask to be applied to the source (or, with d:,
          destination) address; the number of current connections is then
          taken over all hosts in the subnet address/mask. When ! is
          specified, the rule matches when the number of connections exceeds
          the limit.
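As an added example (not Shorewall's own code), the following Python evaluates a CONNLIMIT specification against a constructed table of current connections, to show how the mask aggregates the count over a subnet and how ! inverts the test. It assumes, as the connlimit match does, that the connection being tested is itself included in the count.

```python
# Added example, not Shorewall's own code: evaluate the rules(5) CONNLIMIT
# test ([d:][!]limit[:mask]) against a table of current connections.
# Assumption: the new connection itself counts toward the total.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

Conn = Tuple[str, str]   # (source IP, destination IP)


@dataclass
class ConnLimit:
    by_dest: bool          # "d:" prefix: count per destination, not source
    inverted: bool         # "!" : match when the limit is exceeded
    limit: int
    mask: Optional[int]    # VLSM width; None = individual host


def parse_connlimit(column: str) -> ConnLimit:
    by_dest = column.startswith("d:")
    text = column[2:] if by_dest else column
    inverted = text.startswith("!")
    limit, _, mask = text.lstrip("!").partition(":")
    return ConnLimit(by_dest, inverted, int(limit), int(mask) if mask else None)


def connlimit_count(spec: ConnLimit, new_conn: Conn,
                    current: Iterable[Conn]) -> int:
    """Connections (new one included) whose source, or with d: destination,
    falls in the same address/mask subnet as the new connection."""
    idx = 1 if spec.by_dest else 0
    addr = ipaddress.ip_address(new_conn[idx])
    width = addr.max_prefixlen if spec.mask is None else spec.mask
    subnet = ipaddress.ip_network(f"{addr}/{width}", strict=False)
    return 1 + sum(1 for c in current if ipaddress.ip_address(c[idx]) in subnet)


def connlimit_matches(spec: ConnLimit, new_conn: Conn,
                      current: Iterable[Conn]) -> bool:
    """Would a rule carrying this CONNLIMIT match the new connection?"""
    exceeded = connlimit_count(spec, new_conn, current) > spec.limit
    return exceeded if spec.inverted else not exceeded


# Constructed sample: three established connections from one /24.
SAMPLE_CURRENT = [("10.1.1.5", "203.0.113.1"),
                  ("10.1.1.6", "203.0.113.1"),
                  ("10.1.1.7", "203.0.113.2")]
```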
1083
1084       TIME - timeelement[&timeelement...]
1085           May be used to limit the rule to a particular time period each day,
1086           to particular days of the week or month, or to a range defined by
1087           dates and times. Requires time match support in your kernel and
1088           iptables.
1089
1090           timeelement may be:
1091
1092           timestart=hh:mm[:ss]
1093               Defines the starting time of day.
1094
1095           timestop=hh:mm[:ss]
1096               Defines the ending time of day.
1097
          contiguous
              Added in Shorewall 5.0.12. When timestop is smaller than the
              timestart value, match this as a single time period instead of
              distinct intervals.
1102
1103           utc
1104               Times are expressed in Greenwich Mean Time.
1105
1106           localtz
1107               Deprecated by the Netfilter team in favor of kerneltz. Times
1108               are expressed in Local Civil Time (default).
1109
1110           kerneltz
1111               Added in Shorewall 4.5.2. Times are expressed in Local Kernel
1112               Time (requires iptables 1.4.12 or later).
1113
1114           weekdays=ddd[,ddd]...
1115               where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
1116
1117           monthdays=dd[,dd],...
1118               where dd is an ordinal day of the month
1121           datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1122               Defines the starting date and time.
1123
1124           datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1125               Defines the ending date and time.
1126
      HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
      4.4.15)
          This column is only used in IPv6. In IPv4, supply "-" in this
          column if you wish to place a value in one of the following
          columns.
1132
1133           The header-list consists of a comma-separated list of headers from
1134           the following list.
1135
1136           auth, ah, or 51
1137               Authentication Headers extension header.
1138
1139           esp, or 50
1140               Encrypted Security Payload extension header.
1141
1142           hop, hop-by-hop or 0
1143               Hop-by-hop options extension header.
1144
1145           route, ipv6-route or 43
1146               IPv6 Route extension header.
1147
1148           frag, ipv6-frag or 44
1149               IPv6 fragmentation extension header.
1150
1151           none, ipv6-nonxt or 59
1152               No next header
1153
1154           proto, protocol or 255
1155               Any protocol header.
1156
          If any: is specified, the rule will match if any of the listed
          headers are present. If exactly: is specified, the rule will match
          packets that exactly include all specified headers. If neither is
          given, any: is assumed.

          If ! is entered, the rule will match those packets which would not
          be matched when ! is omitted.
1164
1165       SWITCH - [!]switch-name[={0|1}]
1166           Added in Shorewall 4.4.24 and allows enabling and disabling the
1167           rule without requiring shorewall restart.
1168
1169           The rule is enabled if the value stored in
1170           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
1171           that file contains 0 (the default). If '!' is supplied, the test is
1172           inverted such that the rule is enabled if the file contains 0.
1173
          Within the switch-name, '@0' and '@{0}' are replaced by the name of
          the chain to which the rule is added. The switch-name (after
          '@...' expansion) must begin with a letter and be composed of
          letters, decimal digits, underscores or hyphens. Switch names must
          be 30 characters or less in length.

          Switches are normally off. To turn a switch on:

              echo 1 > /proc/net/nf_condition/switch-name

          To turn it off again:

              echo 0 > /proc/net/nf_condition/switch-name

          Switch settings are retained over shorewall restart.
1187
1188           Beginning with Shorewall 4.5.10, when the switch-name is followed
1189           by =0 or =1, then the switch is initialized to off or on
1190           respectively by the start command. Other commands do not affect the
1191           switch setting.
1192
1193       HELPER - [helper]
1194           Added in Shorewall 4.5.7.
1195
1196           In the NEW section, causes the named conntrack helper to be
1197           associated with this connection; the contents of this column are
1198           ignored unless ACTION is ACCEPT*, DNAT* or REDIRECT*.
1199
1200           In the RELATED section, will only match if the related connection
1201           has the named helper associated with it.
1202
1203           The helper may be one of:
1204               amanda
1205               ftp
1206               irc
1207               netbios-ns
1208               pptp
1209               Q.931
1210               RAS
1211               sane
1212               sip
1213               snmp
1214               tftp

          If the HELPERS option is specified in shorewall.conf[2](5), then
          any module specified in this column must be listed in the HELPERS
          setting.
1218

EXAMPLES

1220       Example 1:
1221           Accept SMTP requests from the DMZ to the internet
1222
1223                        #ACTION SOURCE  DEST      PROTO      DPORT   SPORT   ORIGDEST
1224                        ACCEPT  dmz     net       tcp        smtp
1225
1226       Example 2:
1227           Forward all ssh and http connection requests from the internet to
1228           local system 192.168.1.3
1229
1230                       #ACTION SOURCE  DEST            PROTO   DPORT   SPORT   ORIGDEST
1231                       DNAT    net     loc:192.168.1.3 tcp     ssh,http
1232
1233       Example 3:
1234           Forward all http connection requests from the internet to local
1235           system 192.168.1.3 with a limit of 3 per second and a maximum burst
1236           of 10
1237
1238                       #ACTION SOURCE DEST             PROTO  DPORT SPORT   ORIGDEST RATE
1239                       DNAT    net    loc:192.168.1.3  tcp    http  -       -        3/sec:10
1240
1241       Example 4:
1242           Redirect all locally-originating www connection requests to port
1243           3128 on the firewall (Squid running on the firewall system) except
1244           when the destination address is 192.168.2.2
1245
1246                       #ACTION  SOURCE DEST      PROTO DPORT   SPORT   ORIGDEST
1247                       REDIRECT loc    3128      tcp   www      -      !192.168.2.2
1248
1249       Example 5:
1250           All http requests from the internet to address 130.252.100.69 are
1251           to be forwarded to 192.168.1.3
1252
1253                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1254                       DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
1255
1256       Example 6:
1257           You want to accept SSH connections to your firewall only from
1258           internet IP addresses 130.252.100.69 and 130.252.100.70
1259
1260                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1261                       ACCEPT   net:130.252.100.69,130.252.100.70 \
1262                                       $FW             tcp     22
1263
1264       Example 7:
1265           You wish to accept connections from the internet to your firewall
1266           on port 2222 and you want to forward them to local system
1267           192.168.1.3, port 22
1268
1269                       #ACTION  SOURCE DEST                PROTO   DPORT   SPORT   ORIGDEST
1270                       DNAT     net    loc:192.168.1.3:22  tcp     2222
1271
1272       Example 8:
1273           You want to redirect connection requests to port 80 randomly to the
1274           port range 81-90.
1275
1276                       #ACTION  SOURCE DEST                PROTO DPORT   SPORT   ORIGDEST
1277                       REDIRECT net    $FW::81-90:random   tcp   www
1278
1279       Example 9:
          Shorewall does not impose as much structure on the Netfilter rules
          in the 'nat' table as it does on those in the filter table. As a
          consequence, when using Shorewall versions before 4.1.4, care must
          be exercised when using DNAT and REDIRECT rules with zones defined
          with wildcard interfaces (those ending with '+'). Here is an
          example:
1286
1287           shorewall-zones[4](5):
1288
1289                       #ZONE       TYPE    OPTIONS
1290                       fw          firewall
1291                       net         ipv4
1292                       dmz         ipv4
1293                       loc         ipv4
1294
1295           shorewall-interfaces[9](5):
1296
1297                       #ZONE       INTERFACE       BROADCAST      OPTIONS
1298                       net         ppp0
1299                       loc         eth1            detect
1300                       dmz         eth2            detect
1301                       -           ppp+                           # Addresses are assigned from 192.168.3.0/24
1302
          shorewall-hosts[12](5):
1304
1305                       #ZONE       HOST(S)              OPTIONS
1306                       loc         ppp+:192.168.3.0/24
1307
1308           rules:
1309
1310                       #ACTION     SOURCE          DEST       PROTO       DPORT
1311                       REDIRECT    loc             3128       tcp         80
1312
          Note that it would have been tempting to simply define the loc zone
          entirely in shorewall-interfaces[9](5):
1315
1316                       #******************* INCORRECT *****************
1317                       #ZONE       INTERFACE       BROADCAST      OPTIONS
1318                       net         ppp0
1319                       loc         eth1            detect
1320                       loc         ppp+
1321                       dmz         eth2
1322
          This would have made it impossible to run an internet-accessible web
          server in the DMZ because all traffic entering ppp+ interfaces
          would have been redirected to port 3128 on the firewall and there
          would have been no net->fw ACCEPT rule for that traffic.
1327
       Example 10:
           Add the tuple (source IP, dest port, dest IP) of an incoming SSH
           connection to the ipset S:

                       #ACTION                       SOURCE           DEST           PROTO       DPORT
                       ADD(+S:dst,src,dst)           net              fw             tcp         22

       Example 11:
           You wish to limit SSH connections from remote systems to 1/min with
           a burst of three (to allow for limited retry):

                       #ACTION     SOURCE          DEST       PROTO       DPORT        SPORT     ORIGDEST         RATE
                       SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3

       Example 12:
           Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.

                       #ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
                       DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down

       Example 13:
           Drop all email from the Anonymous Proxy and Satellite Provider
           address ranges:

                       #ACTION                       SOURCE           DEST           PROTO       DPORT
                       DROP                          net:^A1,A2       fw             tcp         25

       Example 14:
           You want to generate your own rule involving iptables targets and
           matches not supported by Shorewall.

                       #ACTION                       SOURCE           DEST           PROTO       DPORT
                       INLINE                        $FW              net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3

           The above will generate the following iptables-restore input:

                       -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3

           Note that SECCTX must be defined as a builtin action in
           shorewall-actions[3](5):

                       #ACTION            OPTIONS
                       SECCTX             builtin

       Example 15:
           You want to accept SSH connections to your firewall only from
           internet IP addresses 2002:ce7c::92b4:1::2 and
           2002:ce7c::92b4:1::22.

                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
                       ACCEPT   net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
                                       $FW              tcp     22

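       As an added illustration, not part of Shorewall or of this manual, the
       following Python parser handles the syntax features used in the examples
       above: '#' comments, backslash line continuation (Example 15), the ';'
       that introduces raw iptables arguments (Example 14), ACTION(parameters)
       (Examples 10 and 11) and '<...>' bracketed IPv6 address lists (Example
       15). The column names and the sample entries are taken from the examples
       above; the function names are this example's own.

```python
import re
import shlex

COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST",
           "RATE", "USER", "MARK", "CONNLIMIT", "TIME", "HEADERS", "SWITCH"]  # column order
def logical_lines(text):
    """Yield rule lines with '#' comments stripped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):              # continued on the next line
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def split_action(field):
    """'ADD(+S:dst,src,dst)' -> ('ADD', ['+S:dst', 'src', 'dst'])."""
    name, params = re.fullmatch(r"([^()\s]+)(?:\((.*)\))?", field).groups()
    return name, params.split(",") if params else []

def split_zone_spec(field):
    """'net:<a::1,a::2>' -> ('net', ['a::1', 'a::2']); 'fw' -> ('fw', [])."""
    zone, sep, rest = field.partition(":")
    if not sep:
        return zone, []
    if rest.startswith("<") and rest.endswith(">"):
        rest = rest[1:-1]        # IPv6 lists are bracketed because ':' is the separator
    return zone, rest.split(",")

def parse_rule(logical):
    """Parse one logical line into a dict keyed by COLUMNS, plus PARAMS and INLINE."""
    cols, _, inline = logical.partition(";")   # text after ';' is raw iptables arguments
    fields = cols.split()
    rule = dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))
    rule["ACTION"], rule["PARAMS"] = split_action(rule["ACTION"])
    rule["SOURCE"] = split_zone_spec(rule["SOURCE"])
    rule["DEST"] = split_zone_spec(rule["DEST"])
    rule["INLINE"] = shlex.split(inline)       # [] when there is no ';' section
    return rule

SAMPLE = "\n".join([                   # constructed sample, from Examples 10-15 above
    "ADD(+S:dst,src,dst)  net  fw  tcp  22          # Example 10",
    "DNAT  net  dmz:$BACKUP  tcp  80  -  -  -  -  -  -  -  -  primary_down",
    "INLINE  $FW  net ; -p 6 -m set --match-set set1 src -j SECCTX --name test3",
    "ACCEPT  net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \\",
    "        $FW  tcp  22",
])
RULES = [parse_rule(line) for line in logical_lines(SAMPLE)]
```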

FILES

       /etc/shorewall/rules

       /etc/shorewall6/rules


SEE ALSO

       shorewall-logging(5)[8]

       http://www.shorewall.net/ipsets.html[15]

       http://www.shorewall.net/configuration_file_basics.htm#Pairs[16]

       shorewall(8)


NOTES

        1. shorewall-policy
           http://www.shorewall.net/manpages/shorewall-policy.html

        2. shorewall.conf
           http://www.shorewall.net/manpages/shorewall.conf.html

        3. shorewall-actions
           http://www.shorewall.net/manpages/shorewall-actions.html

        4. shorewall-zones
           http://www.shorewall.net/manpages/shorewall-zones.html

        5. shorewall-nesting
           http://www.shorewall.net/manpages/shorewall-nesting.html

        6. shorewall-actions
           http://www.shorewall.net/manpages6/shorewall6-actions.html

        7. http://www.shorewall.net/shorewall_logging.html
           http://www.shorewall.net/shorewall_logging.html

        8. shorewall-logging(5)
           http://www.shorewall.net/shorewall-logging.html

        9. shorewall-interfaces
           http://www.shorewall.net/manpages/shorewall-interfaces.html

       10. shorewall-hosts
           http://www.shorewall.net/manpages/shorewall.hosts.html

       11. shorewall-exclusion
           http://www.shorewall.net/manpages/shorewall-exclusion.html

       12. shorewall-hosts
           http://www.shorewall.net/manpages/shorewall-hosts.html

       13. http://www.shorewall.net/configuration_file_basics.htm#ICMP
           http://www.shorewall.net/configuration_file_basics.htm#ICMP

       14. http://www.shorewall.net/PortKnocking.html
           http://www.shorewall.net/PortKnocking.html

       15. http://www.shorewall.net/ipsets.html
           http://www.shorewall.net/ipsets.html

       16. http://www.shorewall.net/configuration_file_basics.htm#Pairs
           http://www.shorewall.net/configuration_file_basics.htm#Pairs



Configuration Files               08/05/2018                SHOREWALL-RULES(5)