SHOREWALL-EXCLUSION(5)        Configuration Files        SHOREWALL-EXCLUSION(5)

NAME
       exclusion - Exclude a set of hosts from a definition in a shorewall
       configuration file.

SYNOPSIS
       !address-or-range[,address-or-range]...

       !zone-name[,zone-name]...

DESCRIPTION
       The first form of exclusion is used when you wish to exclude one or
       more addresses from a definition. An exclamation point is followed by a
       comma-separated list of addresses. The addresses may be single host
       addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
       format (e.g., 192.168.1.0/24). If your kernel and iptables include
       iprange support, you may also specify ranges of IP addresses of the
       form lowaddress-highaddress.

       No embedded white-space is allowed.

       An exclusion can appear after a list of addresses and/or address
       ranges. In that case, the final list of addresses is formed by taking
       the first list and then removing the addresses defined in the
       exclusion.

       Beginning in Shorewall 4.4.13, the second form of exclusion is allowed
       after all and any in the SOURCE and DEST columns of
       shorewall-rules[1](5). It allows you to omit arbitrary zones from the
       list generated by those key words.

       Warning
              If you omit a sub-zone and there is an explicit or implicit
              CONTINUE policy, a connection to/from that zone can still be
              matched by the rule generated for a parent zone.

              For example:

              /etc/shorewall/zones:

                  #ZONE    TYPE
                  z1       ip
                  z2:z1    ip
                  ...

              /etc/shorewall/policy:

                  #SOURCE  DEST     POLICY
                  z1       net      CONTINUE
                  z2       net      REJECT

              /etc/shorewall/rules:

                  #ACTION  SOURCE   DEST     PROTO    DPORT
                  ACCEPT   all!z2   net      tcp      22

              In this case, SSH connections from z2 to net will be accepted by
              the generated z1 to net ACCEPT rule.

       In most contexts, ipset names can be used as an address-or-range.
       Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may
       also be included (see shorewall-ipsets[2](5)). The semantics of these
       lists when used in an exclusion are as follows:

       ·   !+[set1,set2,...setN] produces a packet match if the packet does
           not match at least one of the sets. In other words, it is like NOT
           match set1 OR NOT match set2 ... OR NOT match setN.

       ·   +[!set1,!set2,...!setN] produces a packet match if the packet does
           not match any of the sets. In other words, it is like NOT match
           set1 AND NOT match set2 ... AND NOT match setN.
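
       The OR-versus-AND difference between the two list forms is easy to get
       backwards when writing a rule, because the two spellings look almost
       identical. The following Python is an added illustration, not part of
       this man page and not Shorewall's own code: the two ipsets `set1` and
       `set2` and their contents are constructed stand-ins for kernel ipsets
       of type hash:net, and the function names are this example's own. It
       evaluates both exclusion forms for addresses that fall in both sets, in
       one set only, and in neither.

```python
import ipaddress

# Constructed stand-ins for two ipsets of type hash:net. These are example
# data for this illustration, not sets from any real Shorewall configuration.
IPSETS = {
    "set1": ["10.0.0.0/8", "192.168.1.0/24"],
    "set2": ["192.168.0.0/16"],
}


def in_set(set_name, addr):
    """True if addr falls inside any network held by the named ipset stand-in."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in IPSETS[set_name])


def match_negated_list(set_names, addr):
    """Semantics of !+[set1,set2,...]: the packet matches when it is outside
    at least one of the sets, i.e. NOT set1 OR NOT set2 OR ..."""
    return any(not in_set(s, addr) for s in set_names)


def match_list_of_negated(set_names, addr):
    """Semantics of +[!set1,!set2,...]: the packet matches only when it is
    outside every set, i.e. NOT set1 AND NOT set2 AND ..."""
    return all(not in_set(s, addr) for s in set_names)


def compare(addr, set_names=("set1", "set2")):
    """Return (result for !+[...], result for +[!...]) for a single address."""
    return (match_negated_list(set_names, addr),
            match_list_of_negated(set_names, addr))


if __name__ == "__main__":
    # Addresses in both sets, in set1 only, and in neither set.
    for a in ("192.168.1.7", "10.1.2.3", "172.16.0.1"):
        print(a, compare(a))
```

       Only an address outside every set is matched by both spellings; an
       address that sits in exactly one set is matched by the !+[...] form
       and not by the +[!...] form, which is the case that catches people out.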

EXAMPLES
       IPv4 Example 1 - All IPv4 addresses except 192.168.3.4

              !192.168.3.4

       IPv4 Example 2 - All IPv4 addresses except the network 192.168.1.0/24
       and the host 10.2.3.4

              !192.168.1.0/24,10.1.3.4

       IPv4 Example 3 - All IPv4 addresses except the range
       192.168.1.3-192.168.1.12 and the network 10.0.0.0/8

              !192.168.1.3-192.168.1.12,10.0.0.0/8

       IPv4 Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
       and 192.168.1.9

              192.168.1.0/24!192.168.1.3,192.168.1.9

       Example 5 - All parent zones except loc

              any!loc
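
       The address form of exclusion described in DESCRIPTION, and used in
       IPv4 Examples 1 through 4 above, can be checked against concrete
       addresses with the following Python. It is an added example, not part
       of this man page and not Shorewall's own code (Shorewall compiles these
       specifications into iptables matches in Perl); the function names
       `parse_exclusion`, `matches` and `is_valid` are this example's own. It
       accepts single hosts, CIDR networks and lowaddress-highaddress ranges,
       rejects embedded white-space, and applies an exclusion either to all
       addresses or to a preceding list.

```python
import ipaddress


def _parse_item(item):
    """Turn one address-or-range token into a (low, high) address pair.

    Accepts a single host (192.168.1.4), a CIDR network (192.168.1.0/24) or a
    low-high range (192.168.1.3-192.168.1.12). Embedded white-space is an
    error, as the man page requires.
    """
    if item != item.strip() or " " in item:
        raise ValueError(f"embedded white-space in {item!r}")
    if "-" in item:
        low, high = item.split("-", 1)
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo > hi:
            raise ValueError(f"range {item!r} has low > high")
        return lo, hi
    net = ipaddress.ip_network(item)        # a bare host becomes a /32
    return net[0], net[-1]


def _parse_list(part):
    """Parse a comma-separated list of items; an empty string yields []."""
    if part == "":
        return []
    items = part.split(",")
    if "" in items:
        raise ValueError(f"empty item in {part!r}")
    return [_parse_item(t) for t in items]


def parse_exclusion(spec):
    """Split a spec into (include, exclude) lists of (low, high) ranges.

    '!a,b,...'        excludes from all addresses (include list is empty)
    'x,y,...!a,b,...' excludes from the listed addresses
    """
    if spec.count("!") > 1:
        raise ValueError("only one exclusion is allowed in a spec")
    include_part, _, exclude_part = spec.partition("!")
    return _parse_list(include_part), _parse_list(exclude_part)


def _in_ranges(ip, ranges):
    return any(lo <= ip <= hi for lo, hi in ranges)


def matches(spec, addr):
    """True if addr is covered by spec once the exclusion has been removed.

    An empty include list means 'all addresses', as in the '!a,b' form.
    """
    include, exclude = parse_exclusion(spec)
    ip = ipaddress.ip_address(addr)
    covered = _in_ranges(ip, include) if include else True
    return covered and not _in_ranges(ip, exclude)


def is_valid(spec):
    """True if spec parses; False on white-space, empty items or bad addresses."""
    try:
        parse_exclusion(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The four IPv4 examples from this man page, each probed with a few hosts.
    checks = [
        ("!192.168.3.4", ["192.168.3.4", "192.168.3.5"]),
        ("!192.168.1.0/24,10.1.3.4", ["192.168.1.77", "10.1.3.4", "10.1.3.5"]),
        ("!192.168.1.3-192.168.1.12,10.0.0.0/8", ["192.168.1.10", "192.168.1.13"]),
        ("192.168.1.0/24!192.168.1.3,192.168.1.9", ["192.168.1.3", "192.168.1.4", "192.168.2.4"]),
    ]
    for spec, hosts in checks:
        for h in hosts:
            print(f"{spec:45} {h:15} -> {matches(spec, h)}")
```

       Note that with the first three specs every address not named in the
       exclusion is covered, whereas in Example 4 an address outside
       192.168.1.0/24 is not covered at all, since the exclusion only narrows
       the preceding list.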

FILES
       /etc/shorewall/hosts

       /etc/shorewall/masq

       /etc/shorewall/rules

       /etc/shorewall/tcrules

SEE ALSO
       shorewall(8)

NOTES
        1. shorewall-rules
           https://shorewall.org/manpages/shorewall-rules.html

        2. shorewall-ipsets
           https://shorewall.org/manpages/shorewall-ipsets.html

Configuration Files               01/15/2020            SHOREWALL-EXCLUSION(5)