1SHOREWALL-EXCLUSION(5)        Configuration Files       SHOREWALL-EXCLUSION(5)
2
3
4

NAME

6       exclusion - Exclude a set of hosts from a definition in a shorewall
7       configuration file.
8

SYNOPSIS

10       !address-or-range[,address-or-range]...
11
12       !zone-name[,zone-name]...
13

DESCRIPTION

15       The first form of exclusion is used when you wish to exclude one or
16       more addresses from a definition. An exclamation point is followed by a
17       comma-separated list of addresses. The addresses may be single host
18       addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
19       format (e.g., 192.168.1.0/24). If your kernel and iptables include
20       iprange support, you may also specify ranges of ip addresses of the
21       form lowaddress-highaddress
22
23       No embedded white-space is allowed.
24
25       Exclusion can appear after a list of addresses and/or address ranges.
26       In that case, the final list of address is formed by taking the first
27       list and then removing the addresses defined in the exclusion.
28
29       Beginning in Shorewall 4.4.13, the second form of exclusion is allowed
30       after all and any in the SOURCE and DEST columns of
31       shorewall-rules[1](5). It allows you to omit arbitrary zones from the
32       list generated by those key words.
33
34           Warning
35           If you omit a sub-zone and there is an explicit or explicit
36           CONTINUE policy, a connection to/from that zone can still be
37           matched by the rule generated for a parent zone.
38
39           For example:
40
41           /etc/shorewall/zones:
42
43               #ZONE          TYPE
44               z1             ip
45               z2:z1          ip
46               ...
47
48           /etc/shorewall/policy:
49
50               #SOURCE         DEST          POLICY
51               z1              net           CONTINUE
52               z2              net           REJECT
53
54           /etc/shorewall/rules:
55
56               #ACTION         SOURCE        DEST        PROTO         DPORT
57               ACCEPT          all!z2        net         tcp           22
58
59           In this case, SSH connections from z2 to net will be accepted by
60           the generated z1 to net ACCEPT rule.
61
62       In most contexts, ipset names can be used as an address-or-range.
63       Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may
64       also be included (see shorewall-ipsets[2] (5)). The semantics of these
65       lists when used in an exclusion are as follows:
66
67       ·   !+[set1,set2,...setN] produces a packet match if the packet does
68           not match at least one of the sets. In other words, it is like NOT
69           match set1 OR NOT match set2 ... OR NOT match setN.
70
71       ·   +[!set1,!set2,...!setN] produces a packet match if the packet does
72           not match any of the sets. In other words, it is like NOT match
73           set1 AND NOT match set2 ... AND NOT match setN.
74

EXAMPLES

76       IPv4 Example 1 - All IPv4 addresses except 192.168.3.4
77           !192.168.3.4
78
79       IPv4 Example 2 - All IPv4 addresses except the network 192.168.1.0/24
80       and the host 10.2.3.4
81           !192.168.1.0/24,10.1.3.4
82
83       IPv4 Example 3 - All IPv4 addresses except the range
84       192.168.1.3-192.168.1.12 and the network 10.0.0.0/8
85           !192.168.1.3-192.168.1.12,10.0.0.0/8
86
87       IPv4 Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
88       and 192.168.1.9
89           192.168.1.0/24!192.168.1.3,192.168.1.9
90
91       Example 5 - All parent zones except loc
92           any!loc
93

FILES

95       /etc/shorewall/hosts
96
97       /etc/shorewall/masq
98
99       /etc/shorewall/rules
100
101       /etc/shorewall/tcrules
102

SEE ALSO

104       shorewall(8)
105

NOTES

107        1. shorewall-rules
108           https://shorewall.org/manpages/shorewall-rules.html
109
110        2. shorewall-ipsets
111           https://shorewall.org/manpages/shorewall-ipsets.html
112
113
114
115Configuration Files               01/15/2020            SHOREWALL-EXCLUSION(5)
Impressum