SHOREWALL6-CONNTRAC(5)        Configuration Files       SHOREWALL6-CONNTRAC(5)


NAME

       conntrack - shorewall conntrack file


SYNOPSIS

       /etc/shorewall[6]/conntrack


DESCRIPTION

       The original intent of the notrack file was to exempt certain traffic
       from Netfilter connection tracking. Traffic matching entries in the
       file were not to be tracked.

       The role of the file was expanded in Shorewall 4.4.27 to include all
       rules that can be added in the Netfilter raw table. In 4.5.7, the
       file's name was changed to conntrack.

       The file supports three different column layouts: FORMAT 1, FORMAT 2,
       and FORMAT 3, with FORMAT 1 being the default. The three differ as
       follows:

       •   in FORMAT 2 and 3, there is an additional leading ACTION column.

       •   in FORMAT 3, the SOURCE column accepts no zone name; rather the
           ACTION column allows a SUFFIX that determines the chain(s) that the
           generated rule will be added to.

       When an entry of the following form is encountered, the following
       entries are assumed to be of the specified format:

           ?FORMAT format

       where format is either 1, 2 or 3.

       Format 3 was introduced in Shorewall 4.5.10.

       Comments may be attached to Netfilter rules generated from entries in
       this file through the use of ?COMMENT lines. These lines begin with
       ?COMMENT; the remainder of the line is treated as a comment which is
       attached to subsequent rules until another ?COMMENT line is found or
       until the end of the file is reached. To stop adding comments to rules,
       use a line containing only ?COMMENT.

       The columns in the file are as follows (where the column name is
       followed by a different name in parentheses, the different name is used
       in the alternate specification syntax).

       ACTION -
       {NOTRACK|CT:helper:name[(arg=val[,...])]|CT:ctevents:event[,...]|CT:expevents:new|CT:notrack|DROP|LOG|ULOG(ulog-parameters)|NFLOG(nflog-parameters)|IP[6]TABLES(target)}[log-level[:log-tag]][:chain-designator]
           This column is only present when FORMAT >= 2. Values other than
           NOTRACK or DROP require CT Target support in your iptables and
           kernel.

           NOTRACK or CT:notrack
               Disables connection tracking for this packet. If a log-level is
               specified, the packet will also be logged at that level.

           CT:helper:name
               Attach the helper identified by name to this connection. This
               is more flexible than loading the conntrack helper with preset
               ports. If a log-level is specified, the packet will also be
               logged at that level. Beginning with Shorewall 4.6.10, the
               helper name is optional.

               At this writing, the available helpers are:

               amanda
                   Requires that the amanda netfilter helper is present.

               ftp
                   Requires that the FTP netfilter helper is present.

               irc
                   Requires that the IRC netfilter helper is present.

               netbios-ns
                   Requires that the netbios_ns (sic) helper is present.

               RAS and Q.931
                   These require that the H323 netfilter helper is present.

               pptp
                   Requires that the pptp netfilter helper is present.

               sane
                   Requires that the SANE netfilter helper is present.

               sip
                   Requires that the SIP netfilter helper is present.

               snmp
                   Requires that the SNMP netfilter helper is present.

               tftp
                   Requires that the TFTP netfilter helper is present.

               The helper name may be followed by an option list of arg=val
               pairs in parentheses:

               ctevents=event[,...]
                   Only generate the specified conntrack events for this
                   connection. Possible event types are: new, related,
                   destroy, reply, assured, protoinfo, helper, mark (this is
                   connection mark, not packet mark), natseqinfo, and secmark.
                   If more than one event is listed, the event list must be
                   enclosed in parentheses (e.g., ctevents=(new,related)).

               expevents=new
                   Only generate new expectation events for this connection.

           CT:ctevents:event[,...]
               Added in Shorewall 4.6.10. Only generate the specified
               conntrack events for this connection. Possible event types are:
               new, related, destroy, reply, assured, protoinfo, helper, mark
               (this is connection mark, not packet mark), natseqinfo, and
               secmark.

           CT:expevents:new
               Added in Shorewall 4.6.10. Only generate new expectation events
               for this connection.

           DROP
               Added in Shorewall 4.5.10. Silently discard the packet. If a
               log-level is specified, the packet will also be logged at that
               level.

           IP6TABLES(target)
               IPv6 only.

               Added in Shorewall 4.6.0. Allows you to specify any iptables
               target with target options (e.g., "IP6TABLES(AUDIT --type
               drop)"). If the target is not one recognized by Shorewall, the
               following error message will be issued:

                   ERROR: Unknown target (target)

               This error message may be eliminated by adding target as a
               builtin action in shorewall-actions[1](5).

           IPTABLES(target)
               IPv4 only.

               Added in Shorewall 4.6.0. Allows you to specify any iptables
               target with target options (e.g., "IPTABLES(AUDIT --type
               drop)"). If the target is not one recognized by Shorewall, the
               following error message will be issued:

                   ERROR: Unknown target (target)

               This error message may be eliminated by adding target as a
               builtin action in shorewall-actions[1](5).

           LOG
               Added in Shorewall 4.6.0. Logs the packet using the specified
               log-level and log-tag (if any). If no log-level is specified,
               then 'info' is assumed.

           NFLOG
               Added in Shorewall 4.6.0. Queues the packet to a backend
               logging daemon using the NFLOG netfilter target with the
               specified nflog-parameters.

           ULOG
               IPv4 only. Added in Shorewall 4.6.0. Queues the packet to a
               backend logging daemon using the ULOG netfilter target with the
               specified ulog-parameters.

           When FORMAT = 1, this column is not present and the rule is
           processed as if NOTRACK had been entered in this column.

           Beginning with Shorewall 4.5.10, when FORMAT = 3, this column can
           end with a colon followed by a chain-designator. The
           chain-designator can be one of the following:

           P
               The rule is added to the raw table PREROUTING chain. This is
               the default if no chain-designator is present.

           O
               The rule is added to the raw table OUTPUT chain.

           PO or OP
               The rule is added to the raw table PREROUTING and OUTPUT
               chains.

       SOURCE (formats 1 and 2) – {zone[:interface][:address-list]}
           where zone is the name of a zone, interface is an interface to that
           zone, and address-list is a comma-separated list of addresses (may
           contain exclusion - see shorewall-exclusion[2](5)).

           Beginning with Shorewall 4.5.7, all can be used as the zone name to
           mean all zones.

           Beginning with Shorewall 4.5.10, all- can be used as the zone name
           to mean all off-firewall zones.

       SOURCE (format 3 prior to Shorewall 5.1.0) –
       {-|interface[:address-list]|address-list}
           where interface is the name of an interface, and address-list is a
           comma-separated list of addresses (may contain exclusion - see
           shorewall-exclusion[2](5)).

       SOURCE (format 3 on Shorewall 5.1.0 and later) -
       {-|[source-spec[,...]]}
           where source-spec is one of the following:

           interface
               where interface is the logical name of an interface defined in
               shorewall-interface[3](5).

           address[,...][exclusion]
               where address may be:

               •   A host or network IP address.

               •   A MAC address in Shorewall format (preceded by a tilde
                   ("~") and using dash ("-") as a separator).

               •   The name of an ipset preceded by a plus sign ("+"). See
                   shorewall-ipsets[4](5).

               exclusion is described in shorewall-exclusion[2](5).

           interface:address[,...][exclusion]
               This form combines the preceding two and requires that both the
               incoming interface and source address match.

           exclusion
               See shorewall-exclusion[2](5).

           Beginning with Shorewall 5.1.0, multiple source-specs separated by
           commas may be specified provided that the following alternative
           forms are used:

               (address[,...][exclusion])

               interface:(address[,...][exclusion])

               (exclusion)

       DEST (Prior to Shorewall 5.1.0) –
       {-|interface[:address-list]|address-list}
           where address-list is a comma-separated list of addresses (may
           contain exclusion - see shorewall-exclusion[2](5)).

       DEST (Shorewall 5.1.0 and later) - {-|dest-spec[,...]}
           where dest-spec is one of the following:

           interface
               where interface is the logical name of an interface defined in
               shorewall-interface[3](5).

           address[,...][exclusion]
               where address may be:

               •   A host or network IP address.

               •   A MAC address in Shorewall format (preceded by a tilde
                   ("~") and using dash ("-") as a separator).

               •   The name of an ipset preceded by a plus sign ("+"). See
                   shorewall-ipsets[4](5).

               exclusion is described in shorewall-exclusion[2](5).

           interface:address[,...][exclusion]
               This form combines the preceding two and requires that both the
               outgoing interface and destination address match.

           exclusion
               See shorewall-exclusion[2](5).

           Beginning with Shorewall 5.1.0, multiple dest-specs separated by
           commas may be specified provided that the following alternative
           forms are used:

               (address[,...][exclusion])

               interface:(address[,...][exclusion])

               (exclusion)

       PROTO – protocol-name-or-number[,...]
           A protocol name from /etc/protocols or a protocol number. tcp and 6
           may be optionally followed by :syn to match only the SYN packet
           (first packet in the three-way handshake).

           Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols, and either proto or protos is
           accepted in the alternate input format.

           Beginning with Shorewall 5.1.11, when tcp or 6 is specified and the
           ACTION is CT, the compiler will default to :syn. If you wish the
           rule to match packets with any valid combination of TCP flags, you
           may specify tcp:all or 6:all.

       DPORT - port-number/service-name-list
           A comma-separated list of port numbers and/or service names from
           /etc/services. May also include port ranges of the form
           low-port:high-port if your kernel and iptables include port range
           support.

           This column was formerly labelled DEST PORT(S).

       SPORT - port-number/service-name-list
           A comma-separated list of port numbers and/or service names from
           /etc/services. May also include port ranges of the form
           low-port:high-port if your kernel and iptables include port range
           support.

           Beginning with Shorewall 4.5.15, you may place '=' in this column,
           provided that the DPORT column is non-empty. This causes the rule
           to match when either the source port or the destination port in a
           packet matches one of the ports specified in DPORT. Use of '='
           requires multi-port match in your iptables and kernel.

           This column was formerly labelled SOURCE PORT(S).

       USER – [user][:group]
           This column was formerly named USER/GROUP and may only be specified
           if the SOURCE zone is $FW. Specifies the effective user id and/or
           group id of the process sending the traffic.

       SWITCH - [!]switch-name[={0|1}]
           Added in Shorewall 4.5.10. Allows enabling and disabling the rule
           without requiring a shorewall restart.

           The rule is enabled if the value stored in
           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
           that file contains 0 (the default). If '!' is supplied, the test is
           inverted such that the rule is enabled if the file contains 0.

           Within the switch-name, '@0' and '@{0}' are replaced by the name of
           the chain to which the rule is added. The switch-name (after
           '...' expansion) must begin with a letter and be composed of
           letters, decimal digits, underscores or hyphens. Switch names must
           be 30 characters or less in length.

           Switches are normally off. To turn a switch on:

               echo 1 > /proc/net/nf_condition/switch-name

           To turn it off again:

               echo 0 > /proc/net/nf_condition/switch-name

           Switch settings are retained over shorewall restart.

           When the switch-name is followed by =0 or =1, then the switch is
           initialized to off or on respectively by the start command. Other
           commands do not affect the switch setting.

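       The SWITCH semantics just described (the '!' inversion, the 0 default,
       '@0'/'@{0}' expansion, the name rules and =0/=1 initialisation by the
       start command) modelled in Python. This is an added example, not
       Shorewall code: the /proc/net/nf_condition directory is replaced by a
       dict so the logic runs offline, and the chain name passed in is assumed
       to be the one the compiler would substitute.

```python
"""Model of the SWITCH column, [!]switch-name[={0|1}], as the page describes it.
Added example, not Shorewall code: /proc/net/nf_condition is a dict here."""
import re

# must start with a letter; letters, digits, '_' and '-' only; at most 30 chars
SWITCH_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,29}$")


def parse_switch(spec, chain):
    """Return (name, inverted, initial) for a SWITCH column value.

    chain is the chain the rule is added to; it replaces '@0' and '@{0}'.
    initial is 0, 1 or None (no '=' suffix given)."""
    inverted = spec.startswith("!")
    name, sep, init = spec.lstrip("!").partition("=")
    if sep and init not in ("0", "1"):
        raise ValueError(f"bad initialiser in switch {spec!r}")
    name = name.replace("@{0}", chain).replace("@0", chain)
    if not SWITCH_NAME.match(name):          # checked after '@0' expansion
        raise ValueError(f"invalid switch name {name!r}")
    return name, inverted, (int(init) if sep else None)


def rule_enabled(spec, chain, nf_condition):
    """Enabled iff the switch file holds 1; with '!' it is 0 that enables it."""
    name, inverted, _ = parse_switch(spec, chain)
    value = nf_condition.get(name, 0)        # an untouched switch reads as 0
    return value == (0 if inverted else 1)


def simulate_start(specs, chain, nf_condition):
    """'shorewall start': switches with =0/=1 are (re)initialised; the others
    keep whatever value they had, since settings survive a restart."""
    for spec in specs:
        name, _, initial = parse_switch(spec, chain)
        if initial is not None:
            nf_condition[name] = initial
        else:
            nf_condition.setdefault(name, 0)
    return nf_condition
```

       Passing the dict in rather than reading the real /proc files keeps the
       example portable; on a live system the same checks apply to the value
       read back from /proc/net/nf_condition/switch-name.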

EXAMPLE

       IPv4 Example 1:

           ?FORMAT 2
           #ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
           CT:helper:ftp(expevents=new)  fw                -                  tcp              21

       IPv4 Example 2 (Shorewall 4.5.10 or later):

       Drop traffic to/from all zones to IP address 1.2.3.4

           ?FORMAT 2
           #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
           DROP                          all-:1.2.3.4       -
           DROP                          all                1.2.3.4

       or

           ?FORMAT 3
           #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
           DROP:P                        1.2.3.4            -
           DROP:PO                       -                  1.2.3.4

       IPv6 Example 1:

       Use the FTP helper for TCP port 21 connections from the firewall
       itself.

           ?FORMAT 2
           #ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
           CT:helper:ftp(expevents=new)  fw                -                  tcp              21

       IPv6 Example 2 (Shorewall 4.5.10 or later):

       Drop traffic to/from all zones to IP address 2001:1.2.3::4

           ?FORMAT 2
           #ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
           DROP                          all-:2001:1.2.3::4 -
           DROP                          all                2001:1.2.3::4

       or

           ?FORMAT 3
           #ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
           DROP:P                        2001:1.2.3::4      -
           DROP:PO                       -                  2001:1.2.3::4

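       The directives and column layouts documented above, implemented as a
       small parser/linter that reads the examples in this section. This is
       an added example, not Shorewall's compiler or any code from the
       project; it assumes the firewall zone is named fw, does not validate
       log levels, and its sample input is constructed from the IPv4 examples
       above. It handles ?FORMAT and ?COMMENT, the implied NOTRACK of FORMAT
       1, the FORMAT 3 chain designator, and the constraints the page states
       (SPORT '=' needs DPORT, USER needs a $FW source, CT with tcp defaults
       to :syn, helper names from the list above).

```python
"""Parser/linter for the conntrack file layout described on this page.
Added example, not Shorewall's compiler: ?FORMAT/?COMMENT directives, the
FORMAT 1/2/3 layouts, the FORMAT 3 chain designator and the page's stated
constraints.  Assumption: the firewall zone is named "fw"."""
import re

COLUMNS = ["SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "USER", "SWITCH"]
CHAINS = {"P": ("PREROUTING",), "O": ("OUTPUT",),         # FORMAT 3 suffixes
          "PO": ("PREROUTING", "OUTPUT"), "OP": ("PREROUTING", "OUTPUT")}
BASE_ACTIONS = {"NOTRACK", "CT", "DROP", "LOG", "ULOG", "NFLOG",
                "IPTABLES", "IP6TABLES"}
HELPERS = {"", "amanda", "ftp", "irc", "netbios-ns", "RAS", "Q.931",
           "pptp", "sane", "sip", "snmp", "tftp"}   # "" since name is optional
FW_ZONE = {"$FW", "fw"}        # assumption: the firewall zone is called fw

class ConntrackError(ValueError):
    """A line violates the layout or one of the page's constraints."""

def split_outside_parens(text, seps):
    """Split on any character in seps that is not inside parentheses."""
    parts, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch in seps and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def parse_action(field, fmt):
    """Parse ACTION[:log-level[:log-tag]][:chain-designator] into
    (action, log_level, chains).  Log levels are not validated."""
    parts = split_outside_parens(field, ":")
    chains = CHAINS["P"]                   # PREROUTING unless a suffix says otherwise
    if fmt == 3 and len(parts) > 1 and parts[-1] in CHAINS:
        chains = CHAINS[parts.pop()]       # the suffix is honoured only in FORMAT 3
    base = re.match(r"[A-Z0-9]+", parts[0])
    if not base or base.group() not in BASE_ACTIONS:
        raise ConntrackError(f"unknown action {field!r}")
    width = 1                              # tokens that form the action itself
    if parts[0] == "CT":
        kind = parts[1] if len(parts) > 1 else ""
        if kind == "notrack":
            width = 2
        elif kind in ("helper", "ctevents", "expevents") and len(parts) > 2:
            width = 3
        else:
            raise ConntrackError(f"malformed CT action {field!r}")
        if kind == "helper" and parts[2].split("(")[0] not in HELPERS:
            raise ConntrackError(f"unknown helper in {field!r}")
    action, rest = ":".join(parts[:width]), parts[width:]
    return action, (rest[0] if rest else None), chains

def parse_conntrack(text):
    """Return one dict per entry; ?FORMAT and ?COMMENT change parser state."""
    fmt, comment, rules = 1, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("?FORMAT"):
            value = line[len("?FORMAT"):].strip()
            if value not in ("1", "2", "3"):
                raise ConntrackError(f"line {lineno}: bad ?FORMAT {value!r}")
            fmt = int(value)
            continue
        if line.startswith("?COMMENT"):    # a bare ?COMMENT stops commenting
            comment = line[len("?COMMENT"):].strip() or None
            continue
        fields = [f for f in split_outside_parens(line.split("#")[0], " \t") if f]
        if not fields:
            continue
        action_field, rest = ("NOTRACK", fields) if fmt == 1 else (fields[0], fields[1:])
        action, log_level, chains = parse_action(action_field, fmt)
        padded = rest + ["-"] * len(COLUMNS)            # "-" means column empty
        cols = {c: (None if v == "-" else v) for c, v in zip(COLUMNS, padded)}
        if cols["SPORT"] == "=" and not cols["DPORT"]:
            raise ConntrackError(f"line {lineno}: SPORT '=' requires DPORT")
        if fmt < 3 and cols["USER"] and (cols["SOURCE"] or "").split(":")[0] not in FW_ZONE:
            raise ConntrackError(f"line {lineno}: USER requires SOURCE zone $FW")
        proto = cols["PROTO"]
        if action.startswith("CT") and proto in ("tcp", "6"):
            cols["PROTO"] = proto + ":syn"  # 5.1.11+: CT rules match the SYN only
        elif proto in ("tcp:all", "6:all"):
            cols["PROTO"] = proto.split(":")[0]
        rules.append({"lineno": lineno, "fmt": fmt, "action": action, "chains": chains,
                      "log_level": log_level, "cols": cols, "comment": comment})
    return rules

SAMPLE = """\
?FORMAT 2
?COMMENT FTP helper for firewall-originated connections
CT:helper:ftp(expevents=new)  fw            -         tcp    21
?COMMENT
DROP                          all-:1.2.3.4  -
?FORMAT 3
DROP:PO                       -             1.2.3.4
"""   # constructed sample, assembled from the page's IPv4 examples
```

       parse_conntrack(SAMPLE) yields three entries: the CT rule comes back
       with PROTO normalised to tcp:syn and the ?COMMENT text attached, the
       FORMAT 2 DROP lands in PREROUTING only, and DROP:PO under FORMAT 3 is
       destined for both PREROUTING and OUTPUT with an empty SOURCE.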

FILES

       /etc/shorewall/conntrack

       /etc/shorewall6/conntrack


SEE ALSO

       https://shorewall.org/configuration_file_basics.htm#Pairs[5]

       shorewall(8)


NOTES

        1. shorewall-actions
           https://shorewall.org/manpages/shorewall-actions.html

        2. shorewall-exclusion
           https://shorewall.org/manpages/shorewall-exclusion.html

        3. shorewall-interface
           https://shorewall.org/manpages/shorewall-interfaces.html

        4. shorewall-ipsets
           https://shorewall.org/manpages/shorewall-ipsets.html

        5. https://shorewall.org/configuration_file_basics.htm#Pairs
           https://shorewall.org/configuration_file_basics.htm#Pairs



Configuration Files               09/24/2020            SHOREWALL6-CONNTRAC(5)