SHOREWALL-FILES(5) Configuration Files SHOREWALL-FILES(5)

files - Shorewall Configuration Files

/etc/shorewall[6]/*

The following are the Shorewall[6] configuration files:

· /etc/shorewall/shorewall.conf and
  /etc/shorewall6/shorewall6.conf[1] - used to set global firewall
  parameters.

· /etc/shorewall[6]/params[2] - use this file to set shell variables
  that you will expand in other files. It is always processed by
  /bin/sh or by the shell specified through SHOREWALL_SHELL in
  /etc/shorewall/shorewall.conf.

· /etc/shorewall[6]/zones[3] - partition the firewall's view of the
  world into zones.

· /etc/shorewall[6]/policy[4] - establishes firewall high-level
  policy.

· /etc/shorewall[6]/initdone - An optional Perl script that will be
  invoked by the Shorewall rules compiler when the compiler has
  finished its initialization.

· /etc/shorewall[6]/interfaces[5] - describes the interfaces on the
  firewall system.

· /etc/shorewall[6]/hosts[6] - allows defining zones in terms of
  individual hosts and subnetworks.

· /etc/shorewall[6]/masq[7] - directs the firewall where to use
  many-to-one (dynamic) Network Address Translation (a.k.a.
  Masquerading) and Source Network Address Translation (SNAT).
  Superseded by /etc/shorewall[6]/snat in Shorewall 5.0.14 and not
  supported in Shorewall 5.1.0 and later versions.

· /etc/shorewall[6]/mangle[8] - supersedes /etc/shorewall/tcrules in
  Shorewall 4.6.0. Contains rules for packet marking, TTL, TPROXY,
  etc.

· /etc/shorewall[6]/rules[9] - defines rules that are exceptions to
  the overall policies established in /etc/shorewall/policy.

· /etc/shorewall[6]/nat[10] - defines one-to-one NAT rules.

· /etc/shorewall6/proxyarp[11] - defines use of Proxy ARP.

· /etc/shorewall6/proxyndp[12] - defines use of Proxy NDP.

· /etc/shorewall[6]/routestopped - defines hosts accessible when
  Shorewall is stopped. Superseded in Shorewall 4.6.8 by
  /etc/shorewall/stoppedrules. Not supported in Shorewall 5.0.0 and
  later versions.

· /etc/shorewall[6]/tcrules[13] - The file has a rather unfortunate
  name because it is used to define marking of packets for later use
  by both traffic control/shaping and policy routing. This file is
  superseded by /etc/shorewall/mangle in Shorewall 4.6.0. Not
  supported in Shorewall 5.0.0 and later releases.

· /etc/shorewall[6]/tos[14] - defines rules for setting the TOS field
  in packet headers. Superseded in Shorewall 4.5.1 by the TOS target
  in /etc/shorewall/tcrules (which file has since been superseded by
  /etc/shorewall/mangle). Not supported in Shorewall 5.0.0 and later
  versions.

· /etc/shorewall[6]/tunnels[15] - defines tunnels (VPN) with
  end-points on the firewall system.

· /etc/shorewall[6]/blacklist[16] - Deprecated in favor of
  /etc/shorewall/blrules. Lists blacklisted IP/subnet/MAC addresses.
  Not supported in Shorewall 5.0.0 and later releases.

· /etc/shorewall[6]/blrules - Added in Shorewall 4.5.0. Define
  blacklisting and whitelisting. Supersedes /etc/shorewall/blacklist.

· /etc/shorewall[6]/init - shell commands that you wish to execute at
  the beginning of a "shorewall start", "shorewall reload" or
  "shorewall restart".

· /etc/shorewall[6]/start - shell commands that you wish to execute
  near the completion of a "shorewall start", "shorewall reload" or
  "shorewall restart".

· /etc/shorewall[6]/started - shell commands that you wish to execute
  after the completion of a "shorewall start", "shorewall reload" or
  "shorewall restart".

· /etc/shorewall[6]/stop - commands that you wish to execute at the
  beginning of a "shorewall stop".

· /etc/shorewall[6]/stopped - shell commands that you wish to execute
  at the completion of a "shorewall stop".

· /etc/shorewall/ecn[17] - disable Explicit Congestion Notification
  (ECN - RFC 3168) to remote hosts or networks. Superseded by ECN
  entries in /etc/shorewall/mangle in Shorewall 5.0.6.

· /etc/shorewall/accounting[18] - define IP traffic accounting rules.

· /etc/shorewall[6]/actions[19] and
  /usr/share/shorewall[6]/action.template allow user-defined actions.

· /etc/shorewall[6]/providers[20] - defines alternate routing tables.

· /etc/shorewall[6]/rtrules[21] - Defines routing rules to be used in
  conjunction with the routing tables defined in
  /etc/shorewall/providers.

· /etc/shorewall[6]/tcdevices[22], /etc/shorewall[6]/tcclasses[23],
  /etc/shorewall[6]/tcfilters[24] - Define complex traffic shaping.

· /etc/shorewall[6]/tcrules[13] - Mark or classify traffic for
  traffic shaping or multiple providers. Deprecated in Shorewall
  4.6.0 in favor of /etc/shorewall/mangle. Not supported in Shorewall
  5.0.0 and later releases.

· /etc/shorewall[6]/tcinterfaces[25] and /etc/shorewall[6]/tcpri[26]
  - Define simple traffic shaping.

· /etc/shorewall[6]/secmarks[27] - Added in Shorewall 4.4.13. Attach
  an SELinux context to selected packets.

· /etc/shorewall[6]/vardir[28] - Determines the directory where
  Shorewall maintains its state.

· /etc/shorewall/arprules[29] - Added in Shorewall 4.5.12. Allows
  specification of arptables rules.

· /etc/shorewall/mangle[8] - Added in Shorewall 4.6.0.
  Supersedes /etc/shorewall/tcrules.

· /etc/shorewall[6]/snat[30] - directs the firewall where to use
  many-to-one (dynamic) Network Address Translation (a.k.a.
  Masquerading) and Source Network Address Translation (SNAT).
  Superseded /etc/shorewall[6]/masq in Shorewall 5.0.14.

· /usr/share/shorewall[6]/actions.std - Actions defined by Shorewall.

· /usr/share/shorewall[6]/action.* - Details of actions defined by
  Shorewall.

· /usr/share/shorewall[6]/macro.* - Details of macros defined by
  Shorewall.

· /usr/share/shorewall[6]/modules - Specifies the kernel modules to
  be loaded during shorewall start/restart.

· /usr/share/shorewall[6]/helpers - Added in Shorewall 4.4.7.
  Specifies the kernel modules to be loaded during shorewall
  start/restart when LOAD_HELPERS_ONLY=Yes in shorewall.conf.

The CONFIG_PATH option in shorewall[6].conf(5)[20] determines where the
compiler searches for configuration files. The default setting is
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
compiler first looks in /etc/shorewall and if it doesn't find the file,
it then looks in /usr/share/shorewall.

You can change this setting to have the compiler look in different
places. For example, if you want to put your own versions of standard
macros in /etc/shorewall/Macros, then you could set
CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall
and the compiler will use your versions rather than the standard ones.

You may place comments in configuration files by making the first
non-whitespace character a pound sign ("#"). You may also place
comments at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.

Example 1. Comments in a Configuration File

    # This is a comment
    ACCEPT net $FW tcp www #This is an end-of-line comment

Important
    Except in shorewall.conf(5)[1] and params(5)[2], if a comment ends
    with a backslash ("\"), the next line will also be treated as a
    comment. See Line Continuation below.

Most of the configuration files are organized into space-separated
columns. If you don't want to supply a value in a column but want to
supply a value in a following column, simply enter '-' to make the
column appear empty.

Example:

    #INTERFACE BROADCAST OPTIONS
    br0        -         routeback

Lines may be continued using the usual backslash ("\") followed
immediately by a new line character (Enter key).

    ACCEPT net $FW tcp \↵
    smtp,www,pop3,imap #Services running on the firewall

Important
    What follows does NOT apply to shorewall-params(5)[31] and
    shorewall.conf(5)[1].

In certain cases, leading white space is ignored in continuation lines:

1. The continued line ends with a colon (":")

2. The continued line ends with a comma (",")

Example (/etc/shorewall/rules):

    #ACTION SOURCE DEST PROTO DPORT
    ACCEPT net:\
           206.124.146.177,\
           206.124.146.178,\
           206.124.146.180\
           dmz tcp 873

The leading white space on the first through third continuation lines
is ignored so the SOURCE column effectively contains
"net:206.124.146.177,206.124.146.178,206.124.146.180". Because the
third continuation line does not end with a comma or colon, the leading
white space in the last line is not ignored.

Important
    A trailing backslash is not ignored in a comment. So the continued
    rule above can be commented out with a single '#' as follows:

    #ACTION SOURCE DEST PROTO DPORT
    #ACCEPT net:\
           206.124.146.177,\
           206.124.146.178,\
           206.124.146.180\
           dmz tcp 873

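The comment and continuation rules above, modelled as a small line joiner. This is an added example, not Shorewall's own code; the function name logical_lines and the SWALLOWED sample are constructed for illustration, and a "#" inside a quoted value is not handled.

```python
def logical_lines(text):
    """Join physical lines into logical lines for a column-oriented file.

    Models only the rules stated in this page for files other than
    shorewall.conf and params.
    """
    lines, buf = [], ""
    in_comment = False   # the previous comment ended with a backslash
    strip_ws = False     # the previous continued line ended with ':' or ','
    for raw in text.splitlines():
        continued = raw.endswith("\\")
        body = raw[:-1] if continued else raw
        if in_comment:
            # A comment ending in a backslash swallows this physical line too.
            in_comment = continued
            continue
        if strip_ws:
            body = body.lstrip()
        code, hash_mark, _ = body.partition("#")
        buf += code
        if hash_mark:
            # The logical line ends where the comment starts.
            in_comment = continued
            continued = False
        if continued:
            strip_ws = code.endswith((":", ","))
        else:
            if buf.strip():
                lines.append(" ".join(buf.split()))
            buf, strip_ws = "", False
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


# The continued rule from the page, and the same rule commented out with one '#'.
CONTINUED = r"""#ACTION SOURCE DEST PROTO DPORT
ACCEPT net:\
       206.124.146.177,\
       206.124.146.178,\
       206.124.146.180\
       dmz tcp 873
"""
COMMENTED_OUT = CONTINUED.replace("ACCEPT", "#ACCEPT")

# Constructed sample: a stray backslash at the end of a comment silently
# removes the DROP rule that follows it.
SWALLOWED = r"""# Block rsync from the internet \
DROP net dmz tcp 873
ACCEPT net dmz tcp 22
"""

if __name__ == "__main__":
    for sample in (CONTINUED, COMMENTED_OUT, SWALLOWED):
        print(logical_lines(sample))
```

Running a joiner like this over a rules file before review shows the rules as the stated parsing rules yield them, which is where a rule disabled by an accidental trailing backslash becomes visible.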
Some of the configuration files now have a large number of columns.
That makes it awkward to specify a value for one of the right-most
columns as you must have the correct number of intervening '-' columns.

This problem is addressed by allowing column values to be specified as
column-name/value pairs.

There is considerable flexibility in how you specify the pairs:

· At any point, you can enter a left curly bracket ('{') followed by
  one or more specifications of the following forms:

      column-name=value
      column-name=>value
      column-name:value

  The pairs must be followed by a right curly bracket ("}").

  The value may optionally be enclosed in double quotes.

  The pairs must be separated by white space, but you can add a comma
  adjacent to the values for readability as in:

      { proto=>udp, port=1024 }

· You can also separate the pairs from columns by using a semicolon:

      ; proto:udp, port:1024

In Shorewall 5.0.3, the sample configuration files and the man pages
were updated to use the same column names in both the column headings
and in the alternate specification format. The following table shows
the column names for each of the table-oriented configuration files.

Note
    Column names are case-insensitive.

File                   Column names
---------------------  ---------------------------------------------
accounting             action,chain,source,dest,proto,dport,sport,user,mark,ipsec,headers
conntrack              action,source,dest,proto,dport,sport,user,switch
blacklist              networks,proto,port,options
blrules                action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper
ecn                    interface,hosts. Beginning with Shorewall 4.5.4, 'host' is
                       a synonym for 'hosts'.
hosts                  zone,hosts,options. Beginning with Shorewall 4.5.4, 'host'
                       is a synonym for 'hosts'.
interfaces             zone,interface,broadcast,options
maclist                disposition,interface,mac,addresses
mangle                 action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers
masq                   interface,source,address,proto,port,ipsec,mark,user,switch
nat                    external,interface,internal,allints,local
netmap                 type,net1,interface,net2,net3,proto,dport,sport
notrack                source,dest,proto,dport,sport,user
policy                 source,dest,policy,loglevel,limit,connlimit
providers              table,number,mark,duplicate,interface,gateway,options,copy
proxyarp and proxyndp  address,interface,external,haveroute,persistent
rtrules                source,dest,provider,priority
routes                 provider,dest,gateway,device
routestopped           interface,hosts,options,proto,dport,sport
rules                  action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper
secmarks               secmark,chain,source,dest,proto,dport,sport,user,mark
tcclasses              interface,mark,rate,ceil,prio,options
tcdevices              interface,in_bandwidth,out_bandwidth,options,redirect
tcfilters              class,source,dest,proto,dport,sport,tos,length
tcinterfaces           interface,type,in_bandwidth,out_bandwidth
tcpri                  band,proto,port,address,interface,helper
tcrules                mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers.
                       Beginning with Shorewall 4.5.3, 'action' is a synonym for
                       'mark'.
tos                    source,dest,proto,dport,sport,tos,mark
tunnels                type,zone,gateway,gateway_zone. Beginning with Shorewall
                       4.5.3, 'gateways' is a synonym for 'gateway'. Beginning with
                       Shorewall 4.5.4, 'gateway_zones' is a synonym for
                       'gateway_zone'.
zones                  zone,type,options,in_options,out_options

Example (rules file):

    #ACTION SOURCE DEST PROTO DPORT
    DNAT net loc:10.0.0.1 tcp 80 ; mark="88"

Here's the same line in several equivalent formats:

    { action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
    ; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
    DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }

Beginning with Shorewall 5.0.11, ip[6]table comments can be attached to
individual rules using the comment keyword.

Example from the rules file:

    ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }

As shown in that example, when the comment contains whitespace, it must
be enclosed in double quotes and any embedded double quotes must be
escaped using a backslash ("\").

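A normalizer for the alternative column formats described above, which maps each of the equivalent spellings to the same column dictionary. This is an added example, not Shorewall's parser; parse_columns and RULES_COLUMNS are names chosen here, and rejecting unknown or duplicated column names is this sketch's own choice rather than documented Shorewall behaviour.

```python
import re
import shlex

# Column order for the rules file, taken from the table above.
RULES_COLUMNS = ("action source dest proto dport sport origdest rate user "
                 "mark connlimit time headers switch helper").split()

# column-name=value, column-name=>value or column-name:value
PAIR = re.compile(r"^([A-Za-z_]\w*)(?:=>|=|:)(.*)$")


def parse_columns(line, columns=RULES_COLUMNS):
    """Return {column: value} for one logical line (comments already removed)."""
    marker = re.search(r"[{;]", line)
    head, tail = line, ""
    if marker:
        head, tail = line[:marker.start()], line[marker.end():]
        if marker.group() == "{":
            tail = tail.rstrip()
            if not tail.endswith("}"):
                raise ValueError("pairs opened with '{' must end with '}'")
            tail = tail[:-1]

    positional = head.split()
    if len(positional) > len(columns):
        raise ValueError("more positional values than columns")
    # '-' makes a positional column appear empty.
    row = {name: value for name, value in zip(columns, positional) if value != "-"}

    allowed = set(columns) | {"comment"}
    # shlex handles the optional double quotes and backslash-escaped quotes.
    for token in shlex.split(tail):
        pair = PAIR.match(token.rstrip(","))
        if not pair:
            raise ValueError(f"not a column-name/value pair: {token!r}")
        name, value = pair.group(1).lower(), pair.group(2)  # names are case-insensitive
        if name not in allowed:
            raise ValueError(f"unknown column name: {name!r}")
        if name in row:
            raise ValueError(f"column given twice: {name!r}")
        row[name] = value
    return row


# The four equivalent spellings shown on this page.
EQUIVALENT = [
    'DNAT net loc:10.0.0.1 tcp 80 ; mark="88"',
    '{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }',
    '; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"',
    'DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }',
]
WITH_COMMENT = r'ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }'

if __name__ == "__main__":
    for rule in EQUIVALENT + [WITH_COMMENT]:
        print(parse_columns(rule))
```

Normalizing rules to one dictionary form before diffing or reviewing them means a rule rewritten from positional to pair syntax shows up as unchanged, and a misspelled column name is reported instead of passing unnoticed.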
Several of the files include a TIME column that allows you to specify
times when the rule is to be applied. The content of this column is a
list of timeelements separated by ampersands (&).

Each timeelement is one of the following:

timestart=hh:mm[:ss]
    Defines the starting time of day.

timestop=hh:mm[:ss]
    Defines the ending time of day.

contiguous
    Added in Shorewall 5.0.12. When timestop is smaller than timestart
    value, match this as a single time period instead of distinct
    intervals. See the Examples below.

utc
    Times are expressed in Greenwich Mean Time.

localtz
    Deprecated by the Netfilter team in favor of kerneltz. Times are
    expressed in Local Civil Time (default).

kerneltz
    Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time
    (requires iptables 1.4.12 or later).

weekdays=ddd[,ddd]...
    where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun

monthdays=dd[,dd],...
    where dd is an ordinal day of the month

datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
    Defines the starting date and time.

datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
    Defines the ending date and time.

Examples:

To match on weekends, use:

    weekdays=Sat,Sun

Or, to match (once) on a national holiday block:

    datestart=2016-12-24&datestop=2016-12-27

Since the stop time is actually inclusive, you would need the following
stop time to not match the first second of the new day:

    datestart=2016-12-24T17:00&datestop=2016-12-27T23:59:59

During Lunch Hour

The fourth Friday in the month:

    weekdays=Fri&monthdays=22,23,24,25,26,27,28

Matching across days might not do what is expected. For instance,

    weekdays=Mon&timestart=23:00&timestop=01:00

Will match Monday, for one hour from midnight to 1 a.m., and then
again for another hour from 23:00 onwards. If this is unwanted,
e.g. if you would like 'match for two hours from Monday 23:00
onwards', you need to also specify the contiguous option in the
example above.

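The cross-midnight behaviour described above, worked through in code. This is an added example that models the matching as this page describes it, not Shorewall or Netfilter code; it covers only timestart, timestop, weekdays, monthdays and contiguous (time zones and datestart/datestop are not modelled), and the function names are this example's own.

```python
from datetime import datetime, time, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_time_column(spec):
    """Split a TIME column into its elements (subset covered by this sketch)."""
    parsed = {"flags": set(), "weekdays": set(), "monthdays": set()}
    for element in spec.split("&"):
        key, sep, value = element.partition("=")
        if not sep:
            parsed["flags"].add(key)                 # e.g. contiguous
        elif key in ("timestart", "timestop"):
            parsed[key] = time.fromisoformat(value)  # hh:mm[:ss]
        elif key == "weekdays":
            parsed[key] = {DAYS.index(d) for d in value.split(",")}
        elif key == "monthdays":
            parsed[key] = {int(d) for d in value.split(",")}
        else:
            raise ValueError(f"element not covered by this sketch: {element!r}")
    return parsed


def rule_active(spec, when):
    """Would a rule with this TIME column apply at datetime `when`?"""
    p = parse_time_column(spec)
    start = p.get("timestart", time(0, 0, 0))
    stop = p.get("timestop", time(23, 59, 59))
    now = when.time().replace(microsecond=0)
    day = when.date()
    if start <= stop:
        if not start <= now <= stop:          # the stop time is inclusive
            return False
    else:
        # timestop smaller than timestart: the window wraps past midnight.
        if stop < now < start:
            return False
        if "contiguous" in p["flags"] and now <= stop:
            # The after-midnight part belongs to the day the window started on.
            day -= timedelta(days=1)
    if p["weekdays"] and day.weekday() not in p["weekdays"]:
        return False
    if p["monthdays"] and day.day not in p["monthdays"]:
        return False
    return True


MONDAY_NIGHT = "weekdays=Mon&timestart=23:00&timestop=01:00"
FOURTH_FRIDAY = "weekdays=Fri&monthdays=22,23,24,25,26,27,28"

if __name__ == "__main__":
    # 2020-07-27 is a Monday, 2020-07-28 a Tuesday.
    for stamp in (datetime(2020, 7, 27, 0, 30), datetime(2020, 7, 27, 23, 30),
                  datetime(2020, 7, 28, 0, 30)):
        print(stamp, rule_active(MONDAY_NIGHT, stamp),
              rule_active(MONDAY_NIGHT + "&contiguous", stamp))
```

Without contiguous the rule is active early on Monday morning and inactive early on Tuesday morning; with contiguous it is the other way round, which is the difference to check for when a time-limited ACCEPT or DROP rule spans midnight.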
There are times when you would like to enable or disable one or more
rules in the configuration without having to do a shorewall reload or
shorewall restart. This may be accomplished using the SWITCH column in
shorewall-rules(5)[32] or shorewall6-rules(5)[32]. Using this column
requires that your kernel and iptables include Condition Match Support
and you must be running Shorewall 4.4.24 or later. See the output of
shorewall show capabilities and shorewall version to determine if you
can use this feature.

The SWITCH column contains the name of a switch. Each switch is
initially in the off position. You can turn on the switch named switch1
by:

    echo 1 > /proc/net/nf_condition/switch1

You can turn it off again by:

    echo 0 > /proc/net/nf_condition/switch1

If you simply include the switch name in the SWITCH column, then the
rule is enabled only when the switch is on. If you precede the switch
name with ! (e.g., !switch1), then the rule is enabled only when the
switch is off. Switch settings are retained over shorewall reload.

Shorewall requires that switch names:

· begin with a letter and be composed of letters, digits, underscore
  ('_') or hyphen ('-'); and

· be 30 characters or less in length.

Multiple rules can be controlled by the same switch.

Example:

Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.

    #ACTION SOURCE DEST        PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
    DNAT    net    dmz:$BACKUP tcp   80    -     -        -    -    -    -         -    -       primary_down

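An audit helper that reports which switch-gated rules are currently enabled, following the naming rules and the on/off and "!" semantics described above. This is an added example, not part of Shorewall; switch_states, SAMPLE_RULES and $PRIMARY are constructed here, only positional (column-style) rules are read, and it assumes that a switch file reads back as "1" when the switch is on.

```python
import re
import tempfile
from pathlib import Path

# Begins with a letter; letters, digits, '_' or '-'; 30 characters or less.
SWITCH_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,29}")
SWITCH_COLUMN = 13   # zero-based position of SWITCH in the rules column order


def switch_states(rules_text, cond_dir="/proc/net/nf_condition"):
    """Return [(rule, switch_column, enabled)] for every switch-gated rule."""
    result = []
    for line in rules_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) <= SWITCH_COLUMN or fields[SWITCH_COLUMN] == "-":
            continue
        spec = fields[SWITCH_COLUMN]
        negated = spec.startswith("!")
        name = spec[1:] if negated else spec
        if not SWITCH_NAME.fullmatch(name):
            raise ValueError(f"invalid switch name: {name!r}")
        path = Path(cond_dir) / name
        # Each switch is initially off; assumption: the file reads "1" when on.
        is_on = path.exists() and path.read_text().strip() == "1"
        result.append((" ".join(fields[:5]), spec, is_on != negated))
    return result


# Constructed sample: the page's failover rule plus its negated counterpart.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
DNAT net dmz:$PRIMARY tcp 80 - - - - - - - - !primary_down
ACCEPT net $FW tcp 22
"""


def demo():
    """Evaluate SAMPLE_RULES against a scratch directory standing in for /proc."""
    with tempfile.TemporaryDirectory() as scratch:
        before = switch_states(SAMPLE_RULES, scratch)
        Path(scratch, "primary_down").write_text("1\n")
        after = switch_states(SAMPLE_RULES, scratch)
    return before, after


if __name__ == "__main__":
    for label, states in zip(("switch off", "switch on"), demo()):
        print(label, states)
```

Because switch settings change rule behaviour without a reload, a snapshot like this is the way to record which of the gated rules were actually in force at a given moment.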
/etc/shorewall[6]/*

1. /etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf
   https://shorewall.org/manpages/shorewall.conf.html

2. /etc/shorewall[6]/params
   https://shorewall.org/manpages/shorewall-params.html

3. /etc/shorewall[6]/zones
   https://shorewall.org/manpages/shorewall-zones.html

4. /etc/shorewall[6]/policy
   https://shorewall.org/manpages/shorewall-policy.html

5. /etc/shorewall[6]/interfaces
   https://shorewall.org/manpages/shorewall-interfaces.html

6. /etc/shorewall[6]/hosts
   https://shorewall.org/manpages/shorewall-hosts.html

7. /etc/shorewall[6]/masq
   https://shorewall.org/manpages/shorewall-masq.html

8. /etc/shorewall[6]/mangle
   https://shorewall.org/manpages/shorewall-mangle.html

9. /etc/shorewall[6]/rules
   https://shorewall.org/manpages/shorewall-rules.html

10. /etc/shorewall[6]/nat
    https://shorewall.org/manpages/shorewall-nat.html

11. /etc/shorewall6/proxyarp
    https://shorewall.org/manpages/shorewall-proxyarp.html

12. /etc/shorewall6/proxyndp
    https://shorewall.org/manpages/shorewall-proxyndp.html

13. /etc/shorewall[6]/tcrules
    https://shorewall.org/manpages/shorewall-tcrules.html

14. /etc/shorewall[6]/tos
    https://shorewall.org/manpages/shorewall-tos.html

15. /etc/shorewall[6]/tunnels
    https://shorewall.org/manpages/shorewall-tunnels.html

16. /etc/shorewall[6]/blacklist
    https://shorewall.org/manpages/shorewall-blacklist.html

17. /etc/shorewall/ecn
    https://shorewall.org/manpages/shorewall-ecn.html

18. /etc/shorewall/accounting
    https://shorewall.org/manpages/shorewall-accounting.html

19. /etc/shorewall[6]/actions
    https://shorewall.org/manpages/shorewall-actions.html

20. /etc/shorewall[6]/providers
    https://shorewall.org/manpages/???

21. /etc/shorewall[6]/rtrules
    https://shorewall.org/manpages/shorewall-rtrules.html

22. /etc/shorewall[6]/tcdevices
    https://shorewall.org/manpages/shorewall-tcdevices.html

23. /etc/shorewall[6]/tcclasses
    https://shorewall.org/manpages/shorewall-tcclasses.html

24. /etc/shorewall[6]/tcfilters
    https://shorewall.org/manpages/shorewall-tcfilters.html

25. /etc/shorewall[6]/tcinterfaces
    https://shorewall.org/manpages/shorewall-tcinterfaces.html

26. /etc/shorewall[6]/tcpri
    https://shorewall.org/manpages/shorewall-tcpri.html

27. /etc/shorewall[6]/secmarks
    https://shorewall.org/manpages/shorewall-secmarks.html

28. /etc/shorewall[6]/vardir
    https://shorewall.org/manpages/shorewall-vardir.html

29. /etc/shorewall/arprules
    https://shorewall.org/manpages/shorewall-arprules.html

30. /etc/shorewall[6]/snat
    https://shorewall.org/manpages/shorewall-snat.html

31. shorewall-params(5)
    https://shorewall.org/manpages/shorewall-params.html

32. shorewall-rules
    https://shorewall.org/manpages/shorewall-rules.html

Configuration Files 07/29/2020 SHOREWALL-FILES(5)