shorewall.conf(5)                                            shorewall.conf(5)

shorewall.conf - Shorewall global configuration file

/etc/shorewall/shorewall.conf

This file sets options that apply to Shorewall as a whole.

The file consists of Shell comments (lines beginning with '#'), blank lines and assignment statements (variable=value).

Many options have as their value a log-level. Log levels are a method of describing to syslog(8) the importance of a message, and a number of parameters in this file have log levels as their value.

These levels are defined by syslog and are used to determine the destination of the messages through entries in /etc/syslog.conf(5). The syslog documentation refers to these as "priorities"; Netfilter calls them "levels" and Shorewall also uses that term.

Valid levels are:

7 debug
6 info
5 notice
4 warning
3 err
2 crit
1 alert
0 emerg

For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall log messages are generated by NetFilter and are logged using facility 'kern' and the level that you specify. If you are unsure of the level to choose, 6 (info) is a safe bet. You may specify levels by name or by number.

If you have built your kernel with ULOG target support, you may also specify a log level of ULOG (must be all caps). Rather than log its messages to syslogd, Shorewall will direct netfilter to log the messages via the ULOG target, which will send them to a process called 'ulogd'. ulogd is available with most Linux distributions (although it probably isn't installed by default). ulogd is also available from ⟨http://www.netfilter.org/projects/ulogd/index.html⟩ and can be configured to log all Shorewall messages to their own log file.

The following options may be set in shorewall.conf.

ACCEPT_DEFAULT={action|macro|none}

DROP_DEFAULT={action|macro|none}

REJECT_DEFAULT={action|macro|none}

QUEUE_DEFAULT={action|macro|none}

NFQUEUE_DEFAULT={action|macro|none} (Shorewall-perl 4.0.3 and later)
In earlier Shorewall versions, a "default action" for DROP and REJECT policies was specified in the file /usr/share/shorewall/actions.std.

To allow for default rules to be applied when USE_ACTIONS=No, the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options have been added.

DROP_DEFAULT describes the rules to be applied before a connection request is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be applied if a connection request is rejected by a REJECT policy. The other three are similar for ACCEPT, QUEUE and NFQUEUE policies.

The value applied to these may be:

a) The name of an action.
b) The name of a macro (Shorewall-shell only)
c) None or none

The default values are:

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="None"

If USE_ACTIONS=Yes, then these values refer to action.Drop and action.Reject respectively. If USE_ACTIONS=No, then these values refer to macro.Drop and macro.Reject.

If you set the value of either option to "None" then no default action will be used and the default action or macro must be specified in shorewall-policy ⟨shorewall-policy.html⟩ (5).

ADD_IP_ALIASES=[Yes|No]
This parameter determines whether Shorewall automatically adds the external address(es) in shorewall-nat ⟨shorewall-nat.html⟩ (5). If the variable is set to Yes or yes then Shorewall automatically adds these aliases. If it is set to No or no, you must add these aliases yourself using your distribution's network configuration tools.

If this variable is not set or is given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.

Warning

Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added during shorewall restart. As a consequence, connections using those addresses may be severed.

ADD_SNAT_ALIASES=[Yes|No]
This parameter determines whether Shorewall automatically adds the SNAT ADDRESS in shorewall-masq ⟨shorewall-masq.html⟩ (5). If the variable is set to Yes or yes then Shorewall automatically adds these addresses. If it is set to No or no, you must add these addresses yourself using your distribution's network configuration tools.

If this variable is not set or is given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.

Warning

Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added during shorewall restart. As a consequence, connections using those addresses may be severed.

ADMINISABSENTMINDED=[Yes|No]
The value of this variable affects Shorewall's stopped state. When ADMINISABSENTMINDED=No, only traffic to/from those addresses listed in shorewall-routestopped ⟨shorewall-routestopped.html⟩ (5) is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in shorewall-routestopped ⟨shorewall-routestopped.html⟩ (5), connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed. If this variable is not set or is given the empty value then ADMINISABSENTMINDED=No is assumed.

BIGDPORTLISTS=[Yes|No]
Setting this option to 'Yes' allows you to include arbitrarily long destination port lists in all configuration files.

BLACKLIST_DISPOSITION=[DROP|REJECT]
This parameter determines the disposition of packets from blacklisted hosts. It may have the value DROP if the packets are to be dropped or REJECT if the packets are to be replied with an ICMP port unreachable reply or a TCP RST (tcp only). If you do not assign a value or if you assign an empty value then DROP is assumed.

BLACKLIST_LOGLEVEL=[log-level]
This parameter determines if packets from blacklisted hosts are logged and it determines the syslog level that they are to be logged at. Its value is a syslog level (Example: BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged.

BLACKLISTNEWONLY={Yes|No}
When set to Yes or yes, blacklists are only consulted for new connections. When set to No or no, blacklists are consulted for every packet (this will slow down your firewall noticeably if you have large blacklists). If the BLACKLISTNEWONLY option is not set or is set to the empty value then BLACKLISTNEWONLY=No is assumed.

Note

BLACKLISTNEWONLY=No is incompatible with FASTACCEPT=Yes.

BRIDGING={Yes|No}
When set to Yes or yes, enables Shorewall Bridging support.

Note

BRIDGING=Yes may not work properly with Linux kernel 2.6.20 or later and is not supported by Shorewall-perl.

CLAMPMSS=[Yes|No|value]
This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and is usually required when your internet connection is through PPPoE or PPTP. If set to Yes or yes, the feature is enabled. If left blank or set to No or no, the feature is not enabled.

Important: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.

You may also set CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This will set the MSS field in TCP SYN packets going through the firewall to the value that you specify.

CLEAR_TC=[Yes|No]
If this option is set to No then Shorewall won't clear the current traffic control rules during [re]start. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, your traffic shaping rules can still use the "fwmark" classifier based on packet marking defined in shorewall-tcrules ⟨shorewall-tcrules.html⟩ (5). If not specified, CLEAR_TC=Yes is assumed.

CONFIG_PATH=[directory[:directory]...]
Specifies where configuration files other than shorewall.conf may be found. CONFIG_PATH is specified as a list of directory names separated by colons (":"). When looking for a configuration file other than shorewall.conf:

· If the command is "try" or if a "<configuration directory>" was specified in the command (e.g., shorewall check ./gateway) then the directory given in the command is searched first.

· Next, each directory in the CONFIG_PATH setting is searched in sequence.

If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are used. As released from shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your particular distribution may set it differently. See the output of shorewall show config for the default on your system.

Note that the setting in /usr/share/shorewall/configpath is always used to locate shorewall.conf.
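The search order above decides which copy of a configuration file actually takes effect, which matters when a stray or stale copy sits earlier in the path than the one you are editing. The following is an added example, not code from Shorewall or this man page: a small POSIX shell function that reproduces the lookup order (the command's configuration directory first, then each CONFIG_PATH entry in turn) over a constructed scratch layout. It does not read /usr/share/shorewall/configpath; CONFIG_PATH is set explicitly here.

```shell
#!/bin/sh
# Added example (not part of Shorewall): reproduce the CONFIG_PATH search
# order so you can see which copy of a file wins. The directory layout and
# CONFIG_PATH value below are constructed for the demonstration.

# find_config FILE [TRYDIR]
# Prints the first directory that contains FILE: TRYDIR (the directory given
# on the command line, if any) first, then each CONFIG_PATH entry in order.
# Returns 1 if no directory contains FILE.
find_config() {
    file=$1; trydir=$2
    if [ -n "$trydir" ] && [ -f "$trydir/$file" ]; then
        printf '%s\n' "$trydir"; return 0
    fi
    # Walk the colon-separated list without bash arrays.
    rest=$CONFIG_PATH
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        if [ "$dir" = "$rest" ]; then rest=; else rest=${rest#*:}; fi
        if [ -n "$dir" ] && [ -f "$dir/$file" ]; then
            printf '%s\n' "$dir"; return 0
        fi
    done
    return 1
}

# make_layout: constructed scratch tree. A local admin copy of 'rules'
# shadows the distribution default; 'actions.std' exists only in the
# distribution directory; a 'gateway' directory plays the role of the
# "<configuration directory>" given on the command line.
make_layout() {
    SCRATCH=$(mktemp -d)
    mkdir -p "$SCRATCH/etc/shorewall" "$SCRATCH/usr/share/shorewall" "$SCRATCH/gateway"
    : > "$SCRATCH/usr/share/shorewall/rules"
    : > "$SCRATCH/etc/shorewall/rules"
    : > "$SCRATCH/gateway/rules"
    : > "$SCRATCH/usr/share/shorewall/actions.std"
    CONFIG_PATH="$SCRATCH/etc/shorewall:$SCRATCH/usr/share/shorewall"
}

demo() {
    make_layout
    echo "rules (shorewall check ./gateway): $(find_config rules "$SCRATCH/gateway")"
    echo "rules (plain command):             $(find_config rules)"
    echo "actions.std:                       $(find_config actions.std)"
    find_config nosuchfile || echo "nosuchfile: not found in any directory"
    rm -rf "$SCRATCH"
}
demo
```

Running it shows the gateway directory winning for 'rules' when it is named on the command line, /etc/shorewall winning otherwise, and /usr/share/shorewall being reached only for files that have no earlier copy. The same function can be pointed at your real CONFIG_PATH (from shorewall show config) to confirm which file an edit will actually affect.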

DELAYBLACKLISTLOAD={Yes|No}
Users with a large static black list (shorewall-blacklist ⟨shorewall-blacklist.html⟩ (5)) may want to set the DELAYBLACKLISTLOAD option to Yes. When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before loading the blacklist rules. While this may allow connections from blacklisted hosts to slip by during construction of the blacklist, it can substantially reduce the time that all new connections are disabled during shorewall [re]start.

Note

DELAYBLACKLISTLOAD=Yes is not supported by Shorewall-perl.

DELETE_THEN_ADD={Yes|No}
Added in Shorewall 4.0.4. If set to Yes (the default value), entries in the /etc/shorewall/route_stopped files cause an 'ip rule del' command to be generated in addition to an 'ip rule add' command. Setting this option to No causes the 'ip rule del' command to be omitted.

DETECT_DNAT_IPADDRS=[Yes|No]
If set to Yes or yes, Shorewall will detect the first IP address of the interface to the source zone and will include this address in DNAT rules as the original destination IP address. If set to No or no, Shorewall will not detect this address and any destination IP address will match the DNAT rule. If not specified or empty, "DETECT_DNAT_IPADDRS=Yes" is assumed.

DONT_LOAD=[module[,module]...]
Added in Shorewall-4.0.6. Causes Shorewall to not load the listed modules.

DYNAMIC_ZONES={Yes|No}
When set to Yes or yes, enables dynamic zones. DYNAMIC_ZONES=Yes is not allowed in configurations that will run under Shorewall Lite.

EXPAND_POLICIES={Yes|No}
Normally, when the SOURCE or DEST columns in shorewall-policy(5) contain 'all', a single policy chain is created and the policy is enforced in that chain. For example, if the policy entry is

#SOURCE  DEST  POLICY  LOG LEVEL
net      all   DROP    info

then the chain name is 'net2all', which is also the chain named in Shorewall log messages generated as a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate chain for each pair of zones covered by the policy. This makes the resulting log messages easier to interpret since the chain in the messages will have a name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST zone.

EXPORTPARAMS={Yes|No}
It is quite difficult to code a 'params' file that assigns other than constant values such that it works correctly with Shorewall Lite. The EXPORTPARAMS option works around this problem. When EXPORTPARAMS=No, the 'params' file is not copied to the compiler output.

With EXPORTPARAMS=No, if you need to set environmental variables on the firewall system for use by your extension scripts, then do so in the init extension script.

The default is EXPORTPARAMS=Yes.

FASTACCEPT={Yes|No}
Normally, Shorewall defers accepting ESTABLISHED/RELATED packets until these packets reach the chain in which the original connection was accepted. So for packets going from the 'loc' zone to the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net' chain.

If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of shorewall-rules ⟨shorewall-rules.html⟩ (5).

Note

FASTACCEPT=Yes is incompatible with BLACKLISTNEWONLY=No.

HIGH_ROUTE_MARKS={Yes|No}
Prior to version 3.2.0, it was not possible to use connection marking in shorewall-tcrules ⟨shorewall-tcrules.html⟩ (5) if you have a multi-ISP configuration that uses the track option.

Beginning with release 3.2.0, you may set HIGH_ROUTE_MARKS=Yes to effectively divide the packet mark and connection mark into two 8-byte mark fields.

When you do this:

1. The MARK field in the providers file must have a value that is less than 65536 and that is a multiple of 256 (using hex representation, the values are 0x0100-0xFF00 with the low-order 8 bits being zero).

2. You may only set those mark values in the PREROUTING chain.

3. Marks used for traffic shaping must still be in the range of 1-255 and may still not be set in the PREROUTING chain.

4. When you SAVE or RESTORE in tcrules, only the TC mark value is saved or restored. Shorewall handles saving and restoring the routing (provider) marks.
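A provider MARK that violates rule 1 (for example 0x150, which sets low-order bits reserved for traffic shaping) is easy to miss by eye. The following is an added example, not Shorewall code: two POSIX shell checks that apply the arithmetic constraints from rules 1 and 3 to mark values written in decimal or 0x hex, plus a loop that runs the provider check over a constructed NAME/NUMBER/MARK table in the style of the providers file (other columns omitted). The accepted range and the 1-255 traffic-shaping range come from the text above; the table contents are made up.

```shell
#!/bin/sh
# Added example (not part of Shorewall): sanity-check mark values against
# the HIGH_ROUTE_MARKS=Yes constraints before a restart.
#   provider MARK : multiple of 256, in 0x0100-0xFF00 (low 8 bits zero)
#   tcrules mark  : 1-255 (the low 8 bits belong to traffic shaping)
# Values may be written in decimal or as 0x... hex, as in the providers file.

# check_provider_mark VALUE -> prints "ok" or the reason; exit 0 if valid
check_provider_mark() {
    m=$(( $1 ))                       # shell arithmetic accepts 0x... constants
    if [ "$m" -lt 256 ] || [ "$m" -gt 65280 ]; then
        echo "$1: outside 0x0100-0xFF00"; return 1
    fi
    if [ $(( m % 256 )) -ne 0 ]; then
        echo "$1: low-order 8 bits must be zero"; return 1
    fi
    echo ok
}

# check_tc_mark VALUE -> the traffic-shaping mark must stay within 1-255
check_tc_mark() {
    m=$(( $1 ))
    if [ "$m" -lt 1 ] || [ "$m" -gt 255 ]; then
        echo "$1: TC marks must be 1-255 under HIGH_ROUTE_MARKS=Yes"; return 1
    fi
    echo ok
}

# Constructed providers-style table: NAME NUMBER MARK (two deliberately bad).
PROVIDERS='isp1 1 0x100
isp2 2 0x200
bad1 3 0x150
bad2 4 0x10000'

# check_providers -> one line per provider; return status = number of bad marks
check_providers() {
    bad=0
    while read -r name number mark; do
        if result=$(check_provider_mark "$mark"); then
            printf '%-5s %s\n' "$name" ok
        else
            printf '%-5s %s\n' "$name" "$result"
            bad=$(( bad + 1 ))
        fi
    done <<EOF
$PROVIDERS
EOF
    return "$bad"
}

check_providers || echo "$? provider mark(s) need attention"
check_tc_mark 5
check_tc_mark 300 || true
```

The here-document (rather than a pipe into the while loop) keeps the counter in the calling shell, so the function's return status can be used as a gate in a pre-restart check script.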

IMPLICIT_CONTINUE={Yes|No}
When this option is set to Yes, it causes subzones to be treated differently with respect to policies.

Subzones are defined by following their name with ":" and a list of parent zones (in shorewall-zones ⟨shorewall-zones.html⟩ (5)). Normally, you want to have a set of special rules for the subzone and if a connection doesn't match any of those subzone-specific rules then you want the parent zone rules and policies to be applied; see shorewall-nesting ⟨shorewall-nesting.html⟩ (5). With IMPLICIT_CONTINUE=Yes, that happens automatically.

If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones are not subject to this special treatment. With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden by including an explicit policy (one that does not specify "all" in either the SOURCE or the DEST columns).

IP_FORWARDING=[On|Off|Keep]
This parameter determines whether Shorewall enables or disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). Possible values are:

On or on
packet forwarding will be enabled.

Off or off
packet forwarding will be disabled.

Keep or keep
Shorewall will neither enable nor disable packet forwarding.

If this variable is not set or is given an empty value (IP_FORWARDING="") then IP_FORWARDING=On is assumed.

IPSECFILE={zones|ipsec}
This should be set to zones for all new Shorewall installations. IPSECFILE=ipsec is only used for compatibility with pre-Shorewall-3.0 configurations.

IPTABLES=[pathname]
This parameter names the iptables executable to be used by Shorewall. If not specified or if specified as a null value, then the iptables executable located using the PATH option is used.

Regardless of how the IPTABLES utility is located (specified via IPTABLES= or located via PATH), Shorewall uses the iptables-restore and iptables-save utilities from that same directory.

KEEP_RT_TABLES={Yes|No}
Added in Shorewall 4.0.3. When set to Yes, this option prevents scripts generated by Shorewall-perl from altering the /etc/iproute2/rt_tables database when there are entries in /etc/shorewall/providers. If you set this option to Yes while Shorewall (Shorewall-lite) is running, you should remove the file /var/lib/shorewall/rt_tables (/var/lib/shorewall-lite/rt_tables) before your next stop, refresh, restore or restart command.

The default is KEEP_RT_TABLES=No.

LOG_MARTIANS=[Yes|No|Keep]
If set to Yes or yes, sets /proc/sys/net/ipv4/conf/all/log_martians and /proc/sys/net/ipv4/conf/default/log_martians to 1. Default is No, which sets both of the above to zero. If you do not enable martian logging for all interfaces, you may still enable it for individual interfaces using the logmartians interface option in shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5).

The value Keep is only allowed under Shorewall-perl. It causes Shorewall to ignore the option. If the option is set to Yes, then martians are logged on all interfaces. If the option is set to No, then martian logging is disabled on all interfaces except those specified in shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5).

LOGALLNEW=[log-level]
This option is intended for use as a debugging aid. When set to a log level, this option causes Shorewall to generate a logging rule as the first rule in each builtin chain.

· The table name is used as the chain name in the log prefix.

· The chain name is used as the target in the log prefix.

For example, using the default LOGFORMAT, the log prefix for logging from the nat table's PREROUTING chain is:

Shorewall:nat:PREROUTING

Important

To help ensure that all packets in the NEW state are logged, rate limiting (LOGBURST and LOGLIMIT) should be disabled when using LOGALLNEW. Use LOGALLNEW at your own risk; it may cause high CPU and disk utilization and you may not be able to control your firewall after you enable this option.

Caution

Do not use this option if the resulting log messages will be sent to another system.

LOGFILE=[pathname]
This parameter tells the /sbin/shorewall program where to look for Shorewall messages when processing the dump, logwatch, show log, and hits commands. If not assigned or if assigned an empty value, /var/log/messages is assumed.

LOGFORMAT=["formattemplate"]
The value of this variable generates the --log-prefix setting for Shorewall logging rules. It contains a "printf" formatting template which accepts three arguments (the chain name, logging rule number (optional) and the disposition). To use LOGFORMAT with fireparse, set it as:

LOGFORMAT="fp=%s:%d a=%s "

If the LOGFORMAT value contains the substring "%d" then the logging rule number is calculated and formatted in that position; if that substring is not included then the rule number is not included. If not supplied or supplied as empty (LOGFORMAT="") then "Shorewall:%s:%s:" is assumed.

LOGBURST=[burst]

LOGRATE=[rate/{minute|second}]
These parameters set the match rate and initial burst size for logged packets. Please see iptables(8) for a description of the behavior of these parameters (the iptables option --limit is set by LOGRATE and --limit-burst is set by LOGBURST). If both parameters are set empty, no rate-limiting will occur.

Example:

LOGRATE=10/minute
LOGBURST=5

For each logging rule, the first time the rule is reached, the packet will be logged; in fact, since the burst is 5, the first five packets will be logged. After this, it will be 6 seconds (1 minute divided by the rate of 10) before a message will be logged from the rule, regardless of how many packets reach it. Also, for every 6 seconds which pass without matching a packet, one of the bursts will be regained; if no packets hit the rule for 30 seconds, the burst will be fully recharged, back where we started.
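The paragraph above describes a token bucket: LOGBURST credits, one regained every (period / LOGRATE) seconds. The following is an added example, not Shorewall code and not the kernel's limit match: a POSIX shell simulation of that idealized model with integer-second timestamps, so you can see which packets of a burst would produce log lines before you tune the values on a noisy rule. The kernel's implementation tracks credits at finer granularity, so treat this as an approximation; the packet timestamps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of Shorewall): idealized model of the iptables
# limit match that LOGRATE/LOGBURST configure. One credit is regained every
# INTERVAL seconds up to BURST credits; a packet is logged only when a
# credit is available. Times are integer seconds and must be non-decreasing.

# simulate_limit RATE_PER_MINUTE BURST "T1 T2 ..." -> times that get logged
simulate_limit() {
    rate=$1; burst=$2; times=$3
    interval=$(( 60 / rate ))           # LOGRATE=10/minute -> 6 seconds
    tokens=$burst; last=0; logged=""
    for t in $times; do
        # Regain one credit per full interval elapsed since the last credit.
        regained=$(( (t - last) / interval ))
        if [ "$regained" -gt 0 ]; then
            tokens=$(( tokens + regained ))
            if [ "$tokens" -ge "$burst" ]; then
                tokens=$burst; last=$t    # bucket full: refill clock restarts now
            else
                last=$(( last + regained * interval ))
            fi
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 ))
            logged="$logged $t"
        fi
    done
    echo "${logged# }"
}

# recharge_time RATE_PER_MINUTE BURST -> seconds until a drained bucket is full
recharge_time() {
    echo $(( (60 / $1) * $2 ))
}

# Constructed arrival times: a burst of 7 at t=0, stragglers, then a burst
# of 6 at t=36 (30 seconds after the last credit was spent at t=6).
ARRIVALS="0 0 0 0 0 0 0 6 7 11 12 36 36 36 36 36 36"

demo() {
    echo "LOGRATE=10/minute LOGBURST=5: full recharge after $(recharge_time 10 5)s"
    echo "arrivals: $ARRIVALS"
    echo "logged:   $(simulate_limit 10 5 "$ARRIVALS")"
}
demo
```

With the man page's values, 11 of the 17 arrivals are logged: the first five at t=0, one at t=6, one at t=12 (t=7 and t=11 arrive before the next credit), and only four of the six at t=36 because just 24 seconds of credit had accumulated since t=12. Dropped log lines are invisible in the log itself, which is why the LOGALLNEW text above asks for rate limiting to be disabled when you need every NEW packet recorded.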

LOGTAGONLY=[Yes|No]
Using the default LOGFORMAT, chain names may not exceed 11 characters or truncation of the log prefix may occur. Longer chain names may be used with log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is specified then the tag is included in the log prefix in place of the chain name.
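The 11-character limit follows from the 29-character maximum that iptables imposes on --log-prefix: "Shorewall:" plus an 11-character chain, a colon, "REJECT" and a trailing colon is exactly 29. The following is an added example, not Shorewall code, covering the LOGFORMAT and LOGTAGONLY text above: POSIX shell helpers that expand a LOGFORMAT template the way the three arguments are described (chain, optional rule number, disposition), flag prefixes that would be truncated, and split a kernel log line in the default format back into chain and disposition for log review. The sample log line is constructed; the chain and tag names are made up.

```shell
#!/bin/sh
# Added example (not part of Shorewall): expand and check LOGFORMAT prefixes,
# and parse the resulting log lines. 29 is iptables' --log-prefix limit.
PREFIX_MAX=29

# log_prefix FORMAT CHAIN DISPOSITION [RULENUM]
# When FORMAT contains %d the rule number is the middle argument, as the
# man page describes; otherwise only chain and disposition are substituted.
log_prefix() {
    fmt=$1; chain=$2; disp=$3; rulenum=${4:-1}
    case $fmt in
        *%d*) printf "$fmt" "$chain" "$rulenum" "$disp" ;;
        *)    printf "$fmt" "$chain" "$disp" ;;
    esac
}

# check_logformat FORMAT CHAIN-OR-TAG DISPOSITION -> "ok PREFIX" or "TRUNCATED PREFIX"
# With LOGTAGONLY=Yes the log tag takes the chain's place, so pass the tag.
check_logformat() {
    p=$(log_prefix "$1" "$2" "$3")
    if [ "${#p}" -le "$PREFIX_MAX" ]; then
        echo "ok $p"
    else
        echo "TRUNCATED $p"
    fi
}

# parse_log_line LINE -> "CHAIN DISPOSITION" for a default-LOGFORMAT message
parse_log_line() {
    rest=${1#*Shorewall:}                # drop syslog header and the literal tag
    chain=${rest%%:*}; rest=${rest#*:}
    disp=${rest%%:*}
    echo "$chain $disp"
}

# Constructed sample line (not captured from a real system).
SAMPLE_LINE='Jan  5 10:00:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=23'

demo() {
    check_logformat 'Shorewall:%s:%s:' net2all DROP
    check_logformat 'Shorewall:%s:%s:' abcdefghijk REJECT      # 11 chars: fits exactly
    check_logformat 'Shorewall:%s:%s:' loc2dmz_long REJECT     # 12 chars: truncated
    check_logformat 'Shorewall:%s:%s:' dmzweb REJECT           # a short log tag instead
    echo "fireparse: '$(log_prefix 'fp=%s:%d a=%s ' net2all DROP 7)'"
    echo "parsed:    $(parse_log_line "$SAMPLE_LINE")"
}
demo
```

Running check_logformat over every chain name your policy file will generate (with EXPAND_POLICIES=Yes, every 'a2b' pair) tells you before a restart which messages would lose their disposition field, and the parse function shows why a truncated prefix breaks downstream log tooling.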

MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT]
Determines the disposition of connection requests that fail MAC Verification and must have the value ACCEPT (accept the connection request anyway), REJECT (reject the connection request) or DROP (ignore the connection request). If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed.

MACLIST_LOG_LEVEL=[log-level]
Determines the syslog level for logging connection requests that fail MAC Verification. The value must be a valid syslogd log level. If you don't want to log these connection requests, set to the empty value (e.g., MACLIST_LOG_LEVEL="").

MACLIST_TABLE=[filter|mangle]
Normally, MAC verification occurs in the filter table (INPUT and FORWARD) chains. When forwarding a packet from an interface with MAC verification to a bridge interface, that doesn't work.

This problem can be worked around by setting MACLIST_TABLE=mangle, which will cause MAC verification to occur out of the PREROUTING chain. Because REJECT isn't available in that environment, you may not specify MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle.

MACLIST_TTL=[number]
The performance of configurations with a large number of entries in shorewall-maclist ⟨shorewall-maclist.html⟩ (5) can be improved by setting the MACLIST_TTL variable in shorewall.conf ⟨shorewall.conf.html⟩ (5).

If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" near the top), you can cache the results of a 'maclist' file lookup and thus reduce the overhead associated with MAC Verification.

When a new connection arrives from a 'maclist' interface, the packet passes through the list of entries for that interface in shorewall-maclist ⟨shorewall-maclist.html⟩ (5). If there is a match then the source IP address is added to the 'Recent' set for that interface. Subsequent connection attempts from that IP address occurring within $MACLIST_TTL seconds will be accepted without having to scan all of the entries. After $MACLIST_TTL seconds from the first accepted connection request from an IP address, the next connection request from that IP address will be checked against the entire list.

If MACLIST_TTL is not specified, is specified as empty (e.g., MACLIST_TTL="") or is specified as zero, then 'maclist' lookups will not be cached.

MAPOLDACTIONS=[Yes|No]
Previously, Shorewall included a large number of standard actions (AllowPing, AllowFTP, ...). These have been replaced with parameterized macros. For compatibility, Shorewall can map the old names into invocations of the new macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.

Note

MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With Shorewall-perl, if MAPOLDACTIONS is not set or is set to the empty value then MAPOLDACTIONS=No is assumed.

MARK_IN_FORWARD_CHAIN=[Yes|No]
If your kernel has a FORWARD chain in the mangle table, you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the tcrules file to occur in that chain rather than in the PREROUTING chain. This permits you to mark inbound traffic based on its destination address when DNAT is in use. To determine if your kernel has a FORWARD chain in the mangle table, use the /sbin/shorewall show mangle command; if a FORWARD chain is displayed then your kernel will support this option. If this option is not specified or if it is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.

MODULE_SUFFIX=["extension ..."]
The value of this option determines the possible file extensions of kernel modules. The default value is "o gz ko o.gz".

MODULESDIR=[pathname[:pathname]...]
This parameter specifies the directory/directories where your kernel netfilter modules may be found. If you leave the variable empty, Shorewall will supply the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to 3.2.4 and "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter:/lib/modules/`uname -r`/kernel/net/ipv4/netfilter" in later versions.

MULTICAST=[Yes|No]
This option will normally be set to 'No' (the default). It should be set to 'Yes' under the following circumstances:

1. You have an interface that has parallel zones defined via /etc/shorewall/hosts.

2. You want to forward multicast packets to two or more of those parallel zones.

In such cases, you will configure a destonly network on each zone receiving multicasts.

The MULTICAST option is only recognized by Shorewall-perl and is ignored by Shorewall-shell.

MUTEX_TIMEOUT=[seconds]
The value of this variable determines the number of seconds that programs will wait for exclusive access to the Shorewall lock file. After the number of seconds corresponding to the value of this variable, programs will assume that the last program to hold the lock died without releasing the lock.

If not set or set to the empty value, a value of 60 (60 seconds) is assumed.

An appropriate value for this parameter would be twice the length of time that it takes your firewall system to process a shorewall restart command.

OPTIMIZE=[0|1]
Traditionally, Shorewall has created rules for the complete matrix of host groups defined by the zones, interfaces and hosts files ⟨../ScalabilityAndPerformance.html⟩. Any traffic that didn't correspond to an element of that matrix was rejected in one of the built-in chains. When the matrix is sparse, this results in lots of largely useless rules.

These extra rules can be eliminated by setting OPTIMIZE=1.

The OPTIMIZE setting also controls the suppression of redundant wildcard rules (those specifying "all" in the SOURCE or DEST column). A wildcard rule is considered to be redundant when it has the same ACTION and Log Level as the applicable policy.

PATH=pathname[:pathname]...
Determines the order in which Shorewall searches directories for executable files.

PKTTYPE={Yes|No}
Normally Shorewall attempts to use the iptables packet type match extension to determine broadcast and multicast packets.

1. This can cause a message to appear during shorewall start (modprobe: cant locate module ipt_pkttype).

2. Some users have found problems with the packet match extension with the result that their firewall log is flooded with messages relating to broadcast packets.

If you are experiencing either of these problems, setting PKTTYPE=No will prevent Shorewall from trying to use the packet type match extension and will make it use IP address matching to determine which packets are broadcasts or multicasts.

RCP_COMMAND="command"

RSH_COMMAND="command"
Earlier generations of Shorewall Lite required that remote root login via ssh be enabled in order to use the load and reload commands. Beginning with release 3.9.5, you may define an alternative means for accessing the remote firewall system. In that release, two new options were added to shorewall.conf:

RSH_COMMAND
RCP_COMMAND

The default values for these are as follows:

RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

Shell variables that will be set when the commands are invoked are as follows:

root - root user. Normally root but may be overridden using the '-r' option.
system - The name/IP address of the remote firewall system.
command - For RSH_COMMAND, the command to be executed on the firewall system.
files - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
destination - The directory on the remote system that the files are to be copied into.

RESTOREFILE=filename
Specifies the simple name of a file in /var/lib/shorewall to be used as the default restore script in the shorewall save, shorewall restore, shorewall forget and shorewall -f start commands.

RETAIN_ALIASES={Yes|No}
During shorewall start, IP addresses to be added as a consequence of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat ⟨shorewall-nat.html⟩ (5) and shorewall-masq ⟨shorewall-masq.html⟩ (5) are processed and are then re-added later. This is done to help ensure that the addresses can be added with the specified labels, but it can have the undesirable side effect of causing routes to be quietly deleted. When RETAIN_ALIASES is set to Yes, existing addresses will not be deleted. Regardless of the setting of RETAIN_ALIASES, addresses added during shorewall start are still deleted at a subsequent shorewall stop or shorewall restart.

RFC1918_LOG_LEVEL=[log-level]
This parameter determines the level at which packets logged under the norfc1918 mechanism are logged. The value must be a valid syslog level and if no level is given, then info is assumed.

RFC1918_STRICT=[Yes|No]
Traditionally, the RETURN target in the 'rfc1918' file has caused norfc1918 processing to cease for a packet if the packet's source IP address matches the rule. Thus, if you have this entry in shorewall-rfc1918 ⟨shorewall-rfc1918.html⟩ (5):

#SUBNETS        TARGET
192.168.1.0/24  RETURN

then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you also have:

#SUBNETS        TARGET
10.0.0.0/8      logdrop

Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be logged and dropped since, while the packet's source matches the RETURN rule, the packet's destination matches the 'logdrop' rule.

If not specified or specified as empty (e.g., RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.

Warning

RFC1918_STRICT=Yes requires that your kernel and iptables support the 'Connection Tracking' match.
737
ROUTE_FILTER=[Yes|No|Keep]
       If this parameter is given the value Yes or yes then route
       filtering (anti-spoofing) is enabled on all network interfaces
       which are brought up while Shorewall is in the started state. The
       default value is No.

       The value Keep is only allowed under Shorewall-perl. It causes
       Shorewall to ignore the option. If the option is set to Yes, then
       route filtering occurs on all interfaces. If the option is set to
       No, then route filtering is disabled on all interfaces except
       those specified in shorewall-interfaces
       ⟨shorewall-interfaces.html⟩ (5).

SAVE_IPSETS={Yes|No}
       If SAVE_IPSETS=Yes, then the current contents of your ipsets will
       be saved by the shorewall save command. Regardless of the setting
       of SAVE_IPSETS, if saved ipset contents are available then they
       will be restored by shorewall restore.

SHOREWALL_COMPILER={perl|shell}
       Specifies the compiler to use to generate firewall scripts when
       both compilers are installed. The value of this option can be
       either perl or shell. If both compilers are installed and
       SHOREWALL_COMPILER is not set, then SHOREWALL_COMPILER=shell is
       assumed.

       If you add 'SHOREWALL_COMPILER=perl' to
       /etc/shorewall/shorewall.conf then by default, the Shorewall-perl
       compiler will be used on the system. If you add it to
       shorewall.conf in a separate directory (such as a Shorewall-lite
       export directory) then the Shorewall-perl compiler will only be
       used when you compile from that directory.

       If you only install one compiler, it is suggested that you do not
       set SHOREWALL_COMPILER.

       This setting may be overridden in those commands that invoke the
       compiler by using the -C command option (see shorewall
       ⟨shorewall.html⟩ (8)).

SHOREWALL_SHELL=[pathname]
       This option is used to specify the shell program to be used to
       run the Shorewall compiler and to interpret the compiled script.
       If not specified or specified as a null value, /bin/sh is
       assumed. Using a light-weight shell such as ash or dash can
       significantly improve performance.

SMURF_LOG_LEVEL=[log-level]
       Specifies the logging level for smurf packets (see the nosmurfs
       option in shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5)).
       If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are
       not logged.

STARTUP_ENABLED={Yes|No}
       Determines if Shorewall is allowed to start. As released from
       shorewall.net, this option is set to No. When set to Yes or yes,
       Shorewall may be started. Used as a guard against Shorewall being
       accidentally started before it has been configured.

SUBSYSLOCK=[pathname]
       This parameter should be set to the name of a file that the
       firewall should create if it starts successfully and remove when
       it stops. Creating and removing this file allows Shorewall to
       work with your distribution's initscripts. For RedHat, this
       should be set to /var/lock/subsys/shorewall. For Debian, the
       value is /var/state/shorewall and in LEAF it is
       /var/run/shorewall.

TC_ENABLED=[Yes|No|Internal]
       If you say Yes or yes here, Shorewall will use a script that you
       supply to configure traffic shaping. The script must be named
       'tcstart' and must be placed in a directory on your CONFIG_PATH.

       If you say No or no then traffic shaping is not enabled.

       If you set TC_ENABLED=Internal or internal or leave the option
       empty then Shorewall will use its builtin traffic shaper
       (tc4shorewall, written by Arne Bernin).

TC_EXPERT={Yes|No}
       Normally, Shorewall tries to protect users from themselves by
       preventing PREROUTING and OUTPUT tcrules from being applied to
       packets that have been marked by the 'track' option in
       shorewall-providers ⟨shorewall-providers.html⟩ (5).

       If you know what you are doing, you can set TC_EXPERT=Yes and
       Shorewall will not include these cautionary checks.

TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT]
       Determines the disposition of TCP packets that fail the checks
       enabled by the tcpflags interface option (see
       shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5)) and must
       have a value of ACCEPT (accept the packet), REJECT (send an RST
       response) or DROP (ignore the packet). If not set or if set to
       the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
       TCP_FLAGS_DISPOSITION=DROP is assumed.

TCP_FLAGS_LOG_LEVEL=[log-level]
       Determines the syslog level for logging packets that fail the
       checks enabled by the tcpflags interface option. The value must
       be a valid syslogd log level. If you don't want to log these
       packets, set to the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").

USE_ACTIONS={Yes|No}
       While Shorewall Actions can be very useful, they also require a
       sizable amount of code to implement. By setting USE_ACTIONS=No,
       embedded Shorewall installations can omit the large library
       /usr/share/shorewall/lib.actions.

       Note

       USE_ACTIONS=No is not supported by Shorewall-perl.

VERBOSITY=[number]
       Shorewall has traditionally been very noisy (produced lots of
       output). You may set the default level of verbosity using the
       VERBOSITY option.

       Values are:

       0 — Silent. You may make it more verbose using the -v option
       1 — Major progress messages displayed
       2 — All progress messages displayed (pre Shorewall-3.2.0
           behavior)

       If not specified, then 2 is assumed.

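       The following is an added example, not part of Shorewall: a small
       checker that parses the shell-style variable=value format of this
       file, applies the defaults stated above for TCP_FLAGS_DISPOSITION,
       RFC1918_STRICT, ROUTE_FILTER and the three log-level options, and
       flags values that are invalid or that weaken the tcpflags and
       anti-spoofing protections. The sample configuration is constructed;
       the option names, defaults and the syslog level table come from this
       page.

```python
import re
# Syslog level names from shorewall.conf(5); a level may also be given as 0-7 or ULOG.
LEVEL_NAMES = {"debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"}

# Constructed sample shorewall.conf fragment, not a real configuration.
SAMPLE_CONF = """\
# shell-style comment, ignored
TCP_FLAGS_DISPOSITION=""
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=
ROUTE_FILTER=yes
SMURF_LOG_LEVEL=ULOG
"""

def parse_conf(text):
    """Parse shell-style VAR=value lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_][A-Z0-9_]*)=(.*?)\s*$', line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]  # strip one layer of shell quoting
            conf[m.group(1)] = value
    return conf
def valid_log_level(value):
    # Empty (logging off), ULOG, a level name, or a number 0-7.
    return (value in ("", "ULOG") or value.lower() in LEVEL_NAMES
            or (value.isdigit() and int(value) <= 7))

def effective_settings(conf):
    """Apply the defaults shorewall.conf(5) states and collect warnings."""
    eff, warn = {}, []
    eff["TCP_FLAGS_DISPOSITION"] = conf.get("TCP_FLAGS_DISPOSITION", "").upper() or "DROP"
    if eff["TCP_FLAGS_DISPOSITION"] not in ("ACCEPT", "DROP", "REJECT"):
        warn.append("TCP_FLAGS_DISPOSITION must be ACCEPT, DROP or REJECT")
    elif eff["TCP_FLAGS_DISPOSITION"] == "ACCEPT":
        warn.append("TCP_FLAGS_DISPOSITION=ACCEPT passes packets that fail the tcpflags checks")
    for opt, allowed in (("RFC1918_STRICT", ("Yes", "No")), ("ROUTE_FILTER", ("Yes", "No", "Keep"))):
        eff[opt] = conf.get(opt, "").capitalize() or "No"  # Yes and yes both accepted
        if eff[opt] not in allowed:
            warn.append(f"{opt}={conf[opt]!r} is not one of {allowed}")
    if eff["ROUTE_FILTER"] == "No":
        warn.append("ROUTE_FILTER=No: anti-spoofing only on interfaces that request it")
    for opt in ("RFC1918_LOG_LEVEL", "SMURF_LOG_LEVEL", "TCP_FLAGS_LOG_LEVEL"):
        # RFC1918_LOG_LEVEL defaults to info; for the other two, empty means "do not log".
        eff[opt] = conf.get(opt, "") or ("info" if opt == "RFC1918_LOG_LEVEL" else "")
        if not valid_log_level(eff[opt]):
            warn.append(f"{opt}={eff[opt]!r} is not a syslog level or ULOG")
    return eff, warn
```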
FILES
       /etc/shorewall/shorewall.conf

SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)

19 May 2008                                             shorewall.conf(5)