1SHOREWALL6-CONNTRAC(5) Configuration Files SHOREWALL6-CONNTRAC(5)
2
3
4
6 conntrack - shorewall conntrack file
7
9 /etc/shorewall[6]/conntrack
10
12 The original intent of the notrack file was to exempt certain traffic
13 from Netfilter connection tracking. Traffic matching entries in the
14 file were not to be tracked.
15
16 The role of the file was expanded in Shorewall 4.4.27 to include all
17 rules that can be added in the Netfilter raw table. In 4.5.7, the
18 file's name was changed to conntrack.
19
20 The file supports three different column layouts: FORMAT 1, FORMAT 2,
21 and FORMAT 3 with FORMAT 1 being the default. The three differ as
22 follows:
23
24 · in FORMAT 2 and 3, there is an additional leading ACTION column.
25
26 · in FORMAT 3, the SOURCE column accepts no zone name; rather the
27 ACTION column allows a SUFFIX that determines the chain(s) that the
28 generated rule will be added to.
29
30 When an entry in the following form is encountered, the format of the
31 following entries are assumed to be of the specified format.
32 ?FORMAT
33 format
34
35 where format is either 1,2 or 3.
36
37 Format 3 was introduced in Shorewall 4.5.10.
38
39 Comments may be attached to Netfilter rules generated from entries in
40 this file through the use of ?COMMENT lines. These lines begin with
41 ?COMMENT; the remainder of the line is treated as a comment which is
42 attached to subsequent rules until another ?COMMENT line is found or
43 until the end of the file is reached. To stop adding comments to rules,
44 use a line containing only ?COMMENT.
45
46 The columns in the file are as follows (where the column name is
47 followed by a different name in parentheses, the different name is used
48 in the alternate specification syntax).
49
50 ACTION -
51 {NOTRACK|CT:helper:name[(arg=val[,...])|CT:ctevents:event[,...]|CT:expevents:new|CT:notrack|DROP|LOG|ULOG(ulog-parameters):NFLOG(nflog-parameters)|IP[6]TABLES(target)}[log-level[:log-tag]][:chain-designator]
52 This column is only present when FORMAT >= 2. Values other than
53 NOTRACK or DROP require CT Targetsupport in your iptables and
54 kernel.
55
56 · NOTRACK or CT:notrack
57
58 Disables connection tracking for this packet. If a log-level is
59 specified, the packet will also be logged at that level.
60
61 · CT:helper:name
62
63 Attach the helper identified by the name to this connection.
64 This is more flexible than loading the conntrack helper with
65 preset ports. If a log-level is specified, the packet will also
66 be logged at that level. Beginning with Shorewall 4.6.10, the
67 helper name is optional
68
69 At this writing, the available helpers are:
70
71 amanda
72 Requires that the amanda netfilter helper is present.
73
74 ftp
75 Requires that the FTP netfilter helper is present.
76
77 irc
78 Requires that the IRC netfilter helper is present.
79
80 netbios-ns
81 Requires that the netbios_ns (sic) helper is present.
82
83 RAS and Q.931
84 These require that the H323 netfilter helper is present.
85
86 pptp
87 Requires that the pptp netfilter helper is present.
88
89 sane
90 Requires that the SANE netfilter helper is present.
91
92 sip
93 Requires that the SIP netfilter helper is present.
94
95 snmp
96 Requires that the SNMP netfilter helper is present.
97
98 tftp
99 Requires that the TFTP netfilter helper is present.
100
101 May be followed by an option list of arg=val pairs in
102 parentheses:
103
104 · ctevents=event[,...]
105
106 Only generate the specified conntrack events for this
107 connection. Possible event types are: new, related,
108 destroy, reply, assured, protoinfo, helper, mark (this is
109 connection mark, not packet mark), natseqinfo, and secmark.
110 If more than one event is listed, the event list must be
111 enclosed in parentheses (e.g., ctevents=(new,related)).
112
113 · expevents=new
114
115 Only generate a new expectation events for this connection.
116
117 · ctevents:event[,...]
118
119 Added in Shorewall 4.6.10. Only generate the specified
120 conntrack events for this connection. Possible event types are:
121 new, related, destroy, reply, assured, protoinfo, helper, mark
122 (this is connection mark, not packet mark), natseqinfo, and
123 secmark.
124
125 · expevents=new
126
127 Added in Shorewall 4.6.10. Only generate new expectation events
128 for this connection.
129
130 · DROP
131
132 Added in Shorewall 4.5.10. Silently discard the packet. If a
133 log-level is specified, the packet will also be logged at that
134 level.
135
136 · IP6TABLES(target)
137
138 IPv6 only.
139
140 Added in Shorewall 4.6.0. Allows you to specify any iptables
141 target with target options (e.g., "IP6TABLES(AUDIT --type
142 drop)"). If the target is not one recognized by Shorewall, the
143 following error message will be issued:
144 ERROR: Unknown target
145 (target)
146 This error message may be eliminated by adding target as a
147 builtin action in shorewall-actions[1](5).
148
149 · IPTABLES(target)
150
151 IPv4 only.
152
153 Added in Shorewall 4.6.0. Allows you to specify any iptables
154 target with target options (e.g., "IPTABLES(AUDIT --type
155 drop)"). If the target is not one recognized by Shorewall, the
156 following error message will be issued:
157 ERROR: Unknown target
158 (target)
159 This error message may be eliminated by adding target as a
160 builtin action in shorewall-actions[1](5).
161
162 · LOG
163
164 Added in Shoreawll 4.6.0. Logs the packet using the specified
165 log-level and log-tag (if any). If no log-level is specified,
166 then 'info' is assumed.
167
168 · NFLOG
169
170 Added in Shoreawll 4.6.0. Queues the packet to a backend
171 logging daemon using the NFLOG netfilter target with the
172 specified nflog-parameters.
173
174 · ULOG
175
176 IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to a
177 backend logging daemon using the ULOG netfilter target with the
178 specified ulog-parameters.
179
180 When FORMAT = 1, this column is not present and the rule is
181 processed as if NOTRACK had been entered in this column.
182
183 Beginning with Shorewall 4.5.10, when FORMAT = 3, this column can
184 end with a colon followed by a chain-designator. The
185 chain-designator can be one of the following:
186
187 P
188 The rule is added to the raw table PREROUTING chain. This is
189 the default if no chain-designator is present.
190
191 O
192 The rule is added to the raw table OUTPUT chain.
193
194 PO or OP
195 The rule is added to the raw table PREROUTING and OUTPUT
196 chains.
197
198 SOURCE (formats 1 and 2) – {zone[:interface][:address-list]}
199 where zone is the name of a zone, interface is an interface to that
200 zone, and address-list is a comma-separated list of addresses (may
201 contain exclusion - see shorewall-exclusion[2] (5)).
202
203 Beginning with Shorewall 4.5.7, all can be used as the zone name to
204 mean all zones.
205
206 Beginning with Shorewall 4.5.10, all- can be used as the zone name
207 to mean all off-firewall zones.
208
209 SOURCE (format 3 prior to Shorewall 5.1.0) –
210 {-|interface[:address-list]|address-list}
211 Where interface is an interface to that zone, and address-list is a
212 comma-separated list of addresses (may contain exclusion - see
213 shorewall-exclusion[2] (5)).
214
215 SOURCE (format 3 on Shorewall 5.1.0 and later) -
216 {-|[source-spec[,...]]}
217 where source-spec is one of the following:
218
219 interface
220 Where interface is the logical name of an interface defined in
221 shorewall-interface[3](5).
222
223 address[,...][exclusion]
224 where address may be:
225
226 · A host or network IP address.
227
228 · A MAC address in Shorewall format (preceded by a tilde
229 ("~") and using dash ("-") as a separator.
230
231 · The name of an ipset preceded by a plus sign ("+"). See
232 shorewall-ipsets[4](5).
233
234 exclusion is described in shorewall-exclusion[2](5).
235
236 interface:address[,...][exclusion]
237 This form combines the preceding two and requires that both the
238 incoming interface and source address match.
239
240 exclusion
241 See shorewall-exclusion[2] (5)
242
243 Beginning with Shorewall 5.1.0, multiple source-specs separated by
244 commas may be specified provided that the following alternative
245 forms are used: (address[,...][exclusion])
246
247 interface:(address[,...][exclusion])
248
249 (exclusion)
250
251 DEST (Prior to Shorewall 5.1.0) –
252 {-|interface[:address-list]|address-list}
253 where address-list is a comma-separated list of addresses (may
254 contain exclusion - see shorewall-exclusion[2] (5)).
255
256 DEST (Shorewall 5.1.0 and later) - {-|dest-spec[,...]}
257 where dest-spec is one of the following:
258
259 interface
260 Where interface is the logical name of an interface defined in
261 shorewall-interface[3](5).
262
263 address[,...][exclusion]
264 where address may be:
265
266 · A host or network IP address.
267
268 · A MAC address in Shorewall format (preceded by a tilde
269 ("~") and using dash ("-") as a separator.
270
271 · The name of an ipset preceded by a plus sign ("+"). See
272 shorewall-ipsets[4](5).
273
274 exclusion is described in shorewall-exclusion[2](5).
275
276 interface:address[,...][exclusion]
277 This form combines the preceding two and requires that both the
278 outgoing interface and destination address match.
279
280 exclusion
281 See shorewall-exclusion[2] (5)
282
283 Beginning with Shorewall 5.1.0, multiple source-specs separated by
284 commas may be specified provided that the following alternative
285 forms are used: (address[,...][exclusion])
286
287 interface:(address[,...][exclusion])
288
289 (exclusion)
290
291 PROTO – protocol-name-or-number[,...]
292 A protocol name from /etc/protocols or a protocol number. tcp and 6
293 may be optionally followed by :syn to match only the SYN packet
294 (first packet in the three-way handshake).
295
296 Beginning with Shorewall 4.5.12, this column can accept a
297 comma-separated list of protocols and either proto or protos is
298 accepted in the alternate input format.
299
300 Beginning with Shorewall 5.1.11, when tcp or 6 is specified and the
301 ACTION is CT, the compiler will default to :syn. If you wish the
302 rule to match packets with any valid combination of TCP flags, you
303 may specify tcp:all or 6:all.
304
305 DPORT - port-number/service-name-list
306 A comma-separated list of port numbers and/or service names from
307 /etc/services. May also include port ranges of the form
308 low-port:high-port if your kernel and iptables include port range
309 support.
310
311 This column was formerly labelled DEST PORT(S).
312
313 SPORT - port-number/service-name-list
314 A comma-separated list of port numbers and/or service names from
315 /etc/services. May also include port ranges of the form
316 low-port:high-port if your kernel and iptables include port range
317 support.
318
319 Beginning with Shorewall 4.5.15, you may place '=' in this column,
320 provided that the DPORT column is non-empty. This causes the rule
321 to match when either the source port or the destination port in a
322 packet matches one of the ports specified in DPORT. Use of '='
323 requires multi-port match in your iptables and kernel.
324
325 This column was formerly labelled SOURCE PORT(S).
326
327 USER – [user][:group]
328 This column was formerly named USER/GROUP and may only be specified
329 if the SOURCE zone is $FW. Specifies the effective user id and or
330 group id of the process sending the traffic.
331
332 SWITCH - [!]switch-name[={0|1}]
333 Added in Shorewall 4.5.10 and allows enabling and disabling the
334 rule without requiring shorewall restart.
335
336 The rule is enabled if the value stored in
337 /proc/net/nf_condition/switch-name is 1. The rule is disabled if
338 that file contains 0 (the default). If '!' is supplied, the test is
339 inverted such that the rule is enabled if the file contains 0.
340
341 Within the switch-name, '@0' and '@{0}' are replaced by the name of
342 the chain to which the rule is a added. The switch-name (after
343 '...' expansion) must begin with a letter and be composed of
344 letters, decimal digits, underscores or hyphens. Switch names must
345 be 30 characters or less in length.
346
347 Switches are normally off. To turn a switch on:
348 echo 1 >
349 /proc/net/nf_condition/switch-name
350 To turn it off again:
351 echo 0 >
352 /proc/net/nf_condition/switch-name
353 Switch settings are retained over shorewall restart.
354
355 When the switch-name is followed by =0 or =1, then the switch is
356 initialized to off or on respectively by the start command. Other
357 commands do not affect the switch setting.
358
360 IPv4 Example 1:
361
362 #ACTION SOURCE DEST PROTO DPORT SPORT USER
363 CT:helper:ftp(expevents=new) fw - tcp 21
364
365 IPv4 Example 2 (Shorewall 4.5.10 or later):
366
367 Drop traffic to/from all zones to IP address 1.2.3.4
368
369 ?FORMAT 2
370 #ACTION SOURCE DEST PROTO DPORT SPORT USER
371 DROP all-:1.2.3.4 -
372 DROP all 1.2.3.4
373
374 or
375
376 ?FORMAT 3
377 #ACTION SOURCE DEST PROTO DPORT SPORT USER
378 DROP:P 1.2.3.4 -
379 DROP:PO - 1.2.3.4
380
381 IPv6 Example 1:
382
383 Use the FTP helper for TCP port 21 connections from the firewall
384 itself.
385
386 FORMAT 2
387 #ACTION SOURCE DEST PROTO DPORT SPORT USER
388 CT:helper:ftp(expevents=new) fw - tcp 21
389
390 IPv6 Example 2 (Shorewall 4.5.10 or later):
391
392 Drop traffic to/from all zones to IP address 2001:1.2.3::4
393
394 FORMAT 2
395 #ACTION SOURCE DEST PROTO DPORT SPORT USER
396 DROP all-:2001:1.2.3::4 -
397 DROP all 2001:1.2.3::4
398
399 or
400
401 FORMAT 3
402 #ACTION SOURCE DEST PROTO DPORT SPORT USER
403 DROP:P 2001:1.2.3::4 -
404 DROP:PO - 2001:1.2.3::4
405
407 /etc/shorewall/conntrack
408
409 /etc/shorewall6/conntrack
410
412 http://www.shorewall.net/configuration_file_basics.htm#Pairs[5]
413
414 shorewall(8)
415
417 1. shorewall-actions
418 https://shorewall.org/manpages/shorewall-actions.html
419
420 2. shorewall-exclusion
421 https://shorewall.org/manpages/shorewall-exclusion.html
422
423 3. shorewall-interface
424 https://shorewall.orgshorewall-interfaces.html
425
426 4. shorewall-ipsets
427 https://shorewall.orgshorewall-ipsets.html
428
429 5. http://www.shorewall.net/configuration_file_basics.htm#Pairs
430 https://shorewall.org/configuration_file_basics.htm#Pairs
431
432
433
434Configuration Files 01/15/2020 SHOREWALL6-CONNTRAC(5)