SHOREWALL-NAMES(5)            Configuration Files            SHOREWALL-NAMES(5)

NAME
       names - Shorewall object names

DESCRIPTION
       When you define an object in Shorewall (Zone[1], Logical Interface,
       ipsets[2], Actions[3], etc.), you give it a name. Shorewall names start
       with a letter and consist of letters, digits or underscores ("_").
       Except for Zone names, Shorewall does not impose a limit on name
       length.

       When an ipset is referenced, the name must be preceded by a plus sign
       ("+").

       The last character of an interface name may also be a plus sign to
       indicate a wildcard name (for example, "tun+" matches tun0, tun1 and
       so on).

       Physical interface names match the names shown by 'ip link ls'; if
       the name includes an at sign ("@"), do not include that character or
       any character that follows. For example, "sit1@NONE" is referred to
       as simply "sit1".

   Zone and Chain Names
       For a pair of zones, Shorewall creates two Netfilter chains, one for
       connections in each direction. The names of these chains are formed by
       separating the names of the two zones with either "2" or "-".

       Example: Traffic from zone A to zone B would go through chain A2B
       (think "A to B") or "A-B"; traffic from B to A goes through B2A or
       "B-A".

       In Shorewall 4.6, the default separator is "-", but you can override
       that by setting ZONE2ZONE="2" in shorewall.conf[4] (5).

       Note
           Prior to Shorewall 4.6, the default separator was "2".

       Zones themselves have names that begin with a letter and are composed
       of letters, numerals, and "_". The maximum length of a zone name
       depends on the setting of LOGFORMAT in shorewall.conf[4] (5). See
       shorewall-zones[1] (5) for details.

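       The naming rules of the DESCRIPTION and of this section, as an added
       example (this is not Shorewall's own code, which is Perl; it is an
       illustration written for this page): a validator for object names,
       ipset references and wildcard interface names, a parser that turns
       'ip link ls' output into the physical names Shorewall expects, and the
       two zone-pair chain names for either ZONE2ZONE setting. The 'ip link'
       output is constructed, not captured from a real host.

```python
from __future__ import annotations

import re

# Shorewall object names: a letter followed by letters, digits or underscores.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

# One line of `ip link ls` output looks like "3: sit1@NONE: <NOARP> mtu 1480 ..."
IP_LINK_RE = re.compile(r"^\d+:\s+([^:\s]+):")


def is_valid_name(name: str) -> bool:
    """Legal Shorewall object name (zone, action, logical interface, ipset ...)."""
    return NAME_RE.fullmatch(name) is not None


def is_valid_ipset_ref(token: str) -> bool:
    """An ipset reference is a legal name preceded by a plus sign, e.g. '+blacklist'."""
    return token.startswith("+") and is_valid_name(token[1:])


def is_valid_interface_name(token: str) -> bool:
    """Name in the INTERFACE column: a legal name, optionally ending in '+' to make
    it a wildcard (e.g. 'tun+'). Physical names from `ip link` are handled by
    physical_name() instead, since they may contain '.' or '-'."""
    base = token[:-1] if token.endswith("+") else token
    return is_valid_name(base)


def physical_name(ip_link_name: str) -> str:
    """Physical names come from `ip link ls`: drop '@' and everything after it,
    so 'sit1@NONE' -> 'sit1' and 'eth0.100@eth0' -> 'eth0.100'."""
    return ip_link_name.split("@", 1)[0]


def interfaces_from_ip_link(output: str) -> list[str]:
    """Parse `ip link ls` output into the names Shorewall expects in physical= options."""
    return [physical_name(m.group(1)) for line in output.splitlines()
            if (m := IP_LINK_RE.match(line))]


def zone_pair_chains(src: str, dst: str, zone2zone: str = "-") -> tuple[str, str]:
    """The two Netfilter chains Shorewall creates for a zone pair (src->dst, dst->src).
    zone2zone is the ZONE2ZONE setting from shorewall.conf: '-' (default since 4.6) or '2'."""
    if zone2zone not in ("-", "2"):
        raise ValueError("ZONE2ZONE must be '-' or '2'")
    for zone in (src, dst):
        if not is_valid_name(zone):
            raise ValueError(f"invalid zone name: {zone!r}")
    return (f"{src}{zone2zone}{dst}", f"{dst}{zone2zone}{src}")


# Constructed sample of `ip link ls` output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: sit1@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
4: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
"""

if __name__ == "__main__":
    print(interfaces_from_ip_link(SAMPLE_IP_LINK))
    print(zone_pair_chains("loc", "net"), zone_pair_chains("loc", "net", "2"))
```

       The chain names matter when you read 'iptables -L' or 'shorewall
       dump' output on a host whose ZONE2ZONE differs from your own: the
       same policy appears as loc2net on an older installation and as
       loc-net on a 4.6 default one.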
   Using DNS Names
       Caution
           I personally recommend strongly against using DNS names in
           Shorewall configuration files. If you use DNS names and you are
           called out of bed at 2:00AM because Shorewall won't start as a
           result of DNS problems, then don't say that you were not
           forewarned.

       Host addresses in Shorewall configuration files may be specified as
       either IP addresses or DNS names.

       DNS names in iptables rules aren't nearly as useful as they first
       appear. When a DNS name appears in a rule, the iptables utility
       resolves the name to one or more IP addresses and inserts those
       addresses into the rule. So changes in the DNS->IP address
       relationship that occur after the firewall has started have
       absolutely no effect on the firewall's rule set.

       For some sites, using DNS names is very risky. Here's an example:

           teastep@ursa:~$ dig pop.gmail.com

           ; <<>> DiG 9.4.2-P1 <<>> pop.gmail.com
           ;; global options:  printcmd
           ;; Got answer:
           ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1774
           ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0

           ;; QUESTION SECTION:
           ;pop.gmail.com.                 IN      A

           ;; ANSWER SECTION:
           pop.gmail.com.          300     IN      CNAME   gmail-pop.l.google.com.
           gmail-pop.l.google.com. 300     IN      A       209.85.201.109
           gmail-pop.l.google.com. 300     IN      A       209.85.201.111

       Note that the TTL is 300 -- 300 seconds is only 5 minutes. So five
       minutes later, the answer may change!

       So this rule may work for five minutes, then suddenly stop working:

           #ACTION         SOURCE          DEST                    PROTO   DPORT
           POP(ACCEPT)     loc             net:pop.gmail.com

       There are two options in shorewall.conf(5)[4] that affect the use of
       DNS names in Shorewall config files:

       •   DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
           compile time; when set to Yes, DNS names are resolved at run time
           (each time the generated firewall script is run).

       •   AUTOMAKE - When set to Yes, start, restart and reload only result
           in compilation if one of the files on the CONFIG_PATH has changed
           since the last compilation.

       So with AUTOMAKE=Yes and DEFER_DNS_RESOLUTION=No, compilation takes
       place at boot time only if the configuration was changed but no
       restart or reload took place afterward. This is clearly spelled out
       in the shorewall.conf manpage. So with these settings, as long as a
       'reload' or 'restart' takes place after the Shorewall configuration
       is changed, there should be no DNS-related problems at boot time.

       Important
           When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes, a DNS change alone
           does not trigger recompilation, because AUTOMAKE only looks at
           the files on the CONFIG_PATH; the compiled script keeps the
           addresses resolved at the last compilation. When such a change
           makes it necessary to recompile an existing firewall script, the
           -c option must be used with the reload or restart command to
           force recompilation.

       If your firewall rules include DNS names then, even if
       DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:

       •   If your /etc/resolv.conf is wrong, then your firewall may not
           start.

       •   If your /etc/nsswitch.conf is wrong, then your firewall may not
           start.

       •   If your name server(s) is (are) down, then your firewall may not
           start.

       •   If your startup scripts try to start your firewall before
           starting your DNS server, then your firewall may not start.

       •   Factors totally outside your control (your ISP's router is down,
           for example) can prevent your firewall from starting.

       •   You must bring up your network interfaces prior to starting your
           firewall, or the firewall may not start.

       Each DNS name must be fully qualified and include a minimum of two
       periods (although one may be trailing). This restriction is imposed
       by Shorewall to ensure backward compatibility with existing
       configuration files.

       Example 1. Valid DNS Names

       •   mail.shorewall.net

       •   shorewall.net. (note the trailing period)

       Example 2. Invalid DNS Names

       •   mail (not fully qualified)

       •   shorewall.net (only one period)

       DNS names may not be used:

       •   As the server address in a DNAT rule (/etc/shorewall/rules file).

       •   In the ADDRESS column of an entry in /etc/shorewall/masq.

       •   In the /etc/shorewall/nat file.

       These restrictions are imposed by Netfilter and not by Shorewall.

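       The two points of this section, the snapshot that compilation takes
       of each DNS name and the two-period rule, as an added example. This
       is not part of this manpage or of Shorewall; it is a Python
       illustration written for this page. compile_rules() does to a rules
       file what a compile or start does: every DNS name in the SOURCE and
       DEST columns is replaced by the addresses it resolves to right now,
       and names that violate the two-period rule or that cannot be
       resolved are reported as the errors that would keep the firewall
       from starting. The resolver is a parameter: default_resolve() uses
       the system resolver (/etc/resolv.conf, /etc/nsswitch.conf), while
       fake_resolve() is a constructed stand-in frozen at the dig answer
       above so the block runs offline. The rules text is constructed and
       only IPv4 host lists of the form zone:host[,host...] are handled;
       IPv6, MAC and interface-qualified entries are outside its scope.

```python
from __future__ import annotations

import re
import socket
from collections.abc import Callable

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def is_valid_dns_name(token: str) -> bool:
    """Shorewall's rule: fully qualified, at least two periods, one of which may be
    trailing ('shorewall.net.' is fine; 'shorewall.net' and 'mail' are not)."""
    if IPV4_RE.match(token):
        return False
    labels = token.rstrip(".").split(".")
    return token.count(".") >= 2 and all(labels)


def default_resolve(name: str) -> list[str]:
    """System resolver, the same path iptables takes. Raises OSError on failure."""
    return socket.gethostbyname_ex(name.rstrip("."))[2]


def compile_rules(rules_text: str,
                  resolve: Callable[[str], list[str]] = default_resolve) -> tuple[list[str], list[str]]:
    """Snapshot a rules file the way a compile/start does: each DNS name in SOURCE
    and DEST becomes the addresses it resolves to *now*. Returns (expanded lines,
    problems); any problem would stop the firewall from starting, so offending
    lines are reported and left out. IPv4 host lists only (zone:host[,host...]).
    Limitation of this illustration: an interface name containing a period
    (a VLAN subinterface such as eth0.100) is indistinguishable from a hostname."""
    expanded, problems = [], []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        ok = True
        for i in (1, 2):                        # SOURCE and DEST columns
            if i >= len(cols) or ":" not in cols[i]:
                continue                        # bare zone or $FW: nothing to resolve
            zone, _, hosts = cols[i].partition(":")
            new_hosts = []
            for host in hosts.split(","):
                negate = "!" if host.startswith("!") else ""
                token = host.lstrip("!")
                if IPV4_RE.match(token) or "." not in token:
                    new_hosts.append(host)      # literal address, interface, ipset ...
                    continue
                if not is_valid_dns_name(token):
                    problems.append(f"line {lineno}: {token!r} is not a fully qualified DNS name")
                    ok = False
                    continue
                try:
                    addrs = resolve(token)
                except OSError:                 # socket.gaierror: resolver down / NXDOMAIN
                    addrs = []
                if not addrs:
                    problems.append(f"line {lineno}: cannot resolve {token!r}; firewall would not start")
                    ok = False
                    continue
                new_hosts.extend(negate + a for a in addrs)
            cols[i] = f"{zone}:{','.join(new_hosts)}"
        if ok:
            expanded.append("\t".join(cols))
    return expanded, problems


# Constructed sample rules (not from a real site); literal addresses use documentation ranges.
SAMPLE_RULES = """\
#ACTION         SOURCE                  DEST                    PROTO   DPORT
POP(ACCEPT)     loc                     net:pop.gmail.com
ACCEPT          loc                     net:shorewall.net       tcp     80
ACCEPT          net:203.0.113.0/24      $FW                     tcp     22
DNS(ACCEPT)     loc                     net:ns1.example.net.
"""

# Constructed resolver frozen at the dig answer above; ns1.example.net is made up.
FAKE_DNS = {
    "pop.gmail.com": ["209.85.201.109", "209.85.201.111"],
    "ns1.example.net": ["198.51.100.53"],
}


def fake_resolve(name: str) -> list[str]:
    return FAKE_DNS.get(name.rstrip("."), [])


if __name__ == "__main__":
    rules, problems = compile_rules(SAMPLE_RULES, fake_resolve)
    print("\n".join(rules))
    print("\n".join(problems))
```

       The expanded lines are what the kernel actually enforces; they stay
       fixed until the next compilation, which with AUTOMAKE=Yes means a
       config change or an explicit 'reload -c'. Run the function with
       default_resolve() as a pre-start check and treat a non-empty
       problems list as the 2:00AM failure caught before it happens.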
   Logical Interface Names
       When dealing with a complex configuration, it is often awkward to use
       physical interface names in the Shorewall configuration.

       •   You need to remember which interface is which.

       •   If you move the configuration to another firewall, the interface
           names might not be the same.

       Beginning with Shorewall 4.4.4, you can use logical interface names
       which are mapped to the actual interface using the physical option in
       shorewall-interfaces[5] (5).

       Here is an example:

           #ZONE   INTERFACE       OPTIONS
           net     COM_IF          dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
           net     EXT_IF          dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
           loc     INT_IF          dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
           dmz     VPS_IF          logmartians=1,routefilter=0,routeback,physical=venet0
           loc     TUN_IF          physical=tun+

       In this example, COM_IF is a logical interface name that refers to
       Ethernet interface eth0, EXT_IF is a logical interface name that
       refers to Ethernet interface eth2, and so on. TUN_IF refers to every
       interface whose name begins with "tun" (the trailing "+" is the
       wildcard described above).

       Here are a couple more files from the same configuration:

       shorewall-masq[6] (5):

           #INTERFACE      SOURCE                  ADDRESS

           COMMENT Masquerade Local Network
           COM_IF          0.0.0.0/0
           EXT_IF          !206.124.146.0/24       206.124.146.179:persistent

       shorewall-providers[7] (5):

           #NAME    NUMBER  MARK     DUPLICATE  INTERFACE  GATEWAY          OPTIONS         COPY
           Avvanta  1       0x10000  main       EXT_IF     206.124.146.254  loose,fallback  INT_IF,VPS_IF,TUN_IF
           Comcast  2       0x20000  main       COM_IF     detect           balance         INT_IF,VPS_IF,TUN_IF

       Note in particular that Shorewall translates TUN_IF to tun* in the
       COPY column.

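       The logical-to-physical mapping above, as an added example (a Python
       illustration written for this page, not Shorewall's own compiler):
       it reads the physical= option out of the interfaces file, falls back
       to the INTERFACE entry itself when no physical= option is given,
       rewrites the INTERFACE column of the masq file and the COPY column
       of the providers file, turning the "tun+" wildcard into "tun*" in the
       COPY column as the text describes, and checks which logical names
       have no matching device on a host, which is the situation you hit
       when the configuration is moved to another firewall. The interfaces
       and masq text are copies of the examples above; the device lists are
       constructed.

```python
from __future__ import annotations

# Copy of the interfaces example above (used here as constructed input).
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE       OPTIONS
net     COM_IF          dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
net     EXT_IF          dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
loc     INT_IF          dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
dmz     VPS_IF          logmartians=1,routefilter=0,routeback,physical=venet0
loc     TUN_IF          physical=tun+
"""

# Copy of the masq example above.
SAMPLE_MASQ = """\
#INTERFACE      SOURCE                  ADDRESS
COMMENT Masquerade Local Network
COM_IF          0.0.0.0/0
EXT_IF          !206.124.146.0/24       206.124.146.179:persistent
"""


def parse_interfaces(text: str) -> dict[str, str]:
    """Map each INTERFACE entry to its physical device. Without a physical= option
    the INTERFACE entry is itself the physical name (the pre-4.4.4 behaviour)."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        logical = cols[1]
        physical = logical
        for opt in (cols[2].split(",") if len(cols) > 2 else []):
            key, sep, value = opt.partition("=")
            if key == "physical" and sep:
                physical = value
        mapping[logical] = physical
    return mapping


def to_physical(mapping: dict[str, str], name: str, glob: bool = False) -> str:
    """Translate a logical name; names not in the mapping pass through unchanged
    (a physical name may be used directly). glob=True turns a trailing '+'
    wildcard into '*', as Shorewall does in the providers COPY column."""
    physical = mapping.get(name, name)
    if glob and physical.endswith("+"):
        physical = physical[:-1] + "*"
    return physical


def translate_copy_column(mapping: dict[str, str], copy: str) -> str:
    """COPY column of shorewall-providers: a comma-separated list of interfaces."""
    return ",".join(to_physical(mapping, n, glob=True) for n in copy.split(","))


def translate_masq(mapping: dict[str, str], text: str) -> list[str]:
    """Rewrite the INTERFACE column of a masq file; only the part before any ':'
    qualifier (eth0:192.0.2.0/24, eth0::192.0.2.1) is an interface name."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("COMMENT"):
            out.append(line)                    # Shorewall directive, not an entry
            continue
        cols = line.split()
        iface, sep, rest = cols[0].partition(":")
        cols[0] = to_physical(mapping, iface) + sep + rest
        out.append("\t".join(cols))
    return out


def matching_devices(physical: str, devices: list[str]) -> list[str]:
    """Devices matched by a physical spec; 'tun+' matches every name that begins
    with 'tun' (iptables wildcard semantics)."""
    if physical.endswith("+"):
        return [d for d in devices if d.startswith(physical[:-1])]
    return [d for d in devices if d == physical]


def missing_interfaces(mapping: dict[str, str], devices: list[str]) -> list[str]:
    """Logical names whose physical device is absent on this host; the usual reason
    to give such interfaces the 'optional' option in the interfaces file."""
    return sorted(logical for logical, physical in mapping.items()
                  if not matching_devices(physical, devices))


if __name__ == "__main__":
    m = parse_interfaces(SAMPLE_INTERFACES)
    print(m)
    print(translate_copy_column(m, "INT_IF,VPS_IF,TUN_IF"))
    print("\n".join(translate_masq(m, SAMPLE_MASQ)))
    print(missing_interfaces(m, ["eth0", "eth1", "eth2"]))   # constructed device list
```

       Feed matching_devices() the names from 'ip link ls' (with any "@"
       suffix removed, as described in the DESCRIPTION) to see which
       logical names a new host can satisfy before you start the firewall
       there.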
NOTES
        1. Zone
           https://shorewall.org/manpages/shorewall-zones.html

        2. ipsets
           https://shorewall.org/manpages/ipsets.html

        3. Actions
           https://shorewall.org/manpages/Actions.html

        4. shorewall.conf
           https://shorewall.org/manpages/shorewall.conf.html

        5. shorewall-interfaces
           https://shorewall.org/manpages/shorewall-interfaces.html

        6. shorewall-masq
           https://shorewall.org/manpages/shorewall-masq.html

        7. shorewall-providers
           https://shorewall.org/manpages/shorewall-providers.html



Configuration Files                09/24/2020                SHOREWALL-NAMES(5)