Provided by: shorewall-lite_4.0.12-1_all
shorewall-lite.conf - Shorewall Lite global configuration file
This file sets options that apply to Shorewall Lite as a whole.
The file consists of Shell comments (lines beginning with ’#’), blank
lines and assignment statements (variable=value). Each variable’s
setting is preceded by comments that describe the variable and its
Any option not specified in this file gets its value from the
shorewall.conf file used during compilation of
/var/lib/shorewall-lite/firewall. Those settings may be found in the file
The following options may be set in shorewall.conf.
This parameter names the iptables executable to be used by
Shorewall. If not specified or if specified as a null value,
then the iptables executable located using the PATH option is
This parameter tells the /sbin/shorewall program where to look
for Shorewall messages when processing the dump, logwatch, show
log, and hits commands. If not assigned or if assigned an empty
value, /var/log/messages is assumed.
The value of this variable generates the --log-prefix setting for
Shorewall logging rules. It contains a “printf” formatting
template which accepts three arguments (the chain name, logging
rule number (optional) and the disposition). To use LOGFORMAT
with fireparse, set it as:
LOGFORMAT="fp=%s:%d a=%s "
If the LOGFORMAT value contains the substring “%d” then the
logging rule number is calculated and formatted in that
position; if that substring is not included then the rule number
is not included. If not supplied or supplied as empty
(LOGFORMAT="") then “Shorewall:%s:%s:” is assumed.
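The template expansion described above, as an added example (not Shorewall's own code): it renders the prefix with and without the “%d” rule number and checks the result against the 29-character limit that the iptables LOG target places on --log-prefix. The helper names render_log_prefix and prefix_fits, the chain names and the rule number are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: expands a LOGFORMAT template as the text above describes.
# render_log_prefix and prefix_fits are hypothetical helper names.

DEFAULT_LOGFORMAT='Shorewall:%s:%s:'   # default stated in the man page
MAX_PREFIX_LEN=29                      # iptables LOG --log-prefix limit

# render_log_prefix FORMAT CHAIN RULENUM DISPOSITION
# Prints the expanded prefix. An empty FORMAT selects the default.
render_log_prefix() {
    fmt=${1:-$DEFAULT_LOGFORMAT}
    case $fmt in
        *%d*) printf "$fmt" "$2" "$3" "$4" ;;   # rule number included
        *)    printf "$fmt" "$2" "$4" ;;        # rule number omitted
    esac
}

# prefix_fits PREFIX
# Exit status 0 if the prefix fits within the iptables limit.
prefix_fits() {
    [ "${#1}" -le "$MAX_PREFIX_LEN" ]
}

# Constructed sample inputs (chain names and rule number are illustrative).
for chain in net2fw a_very_long_custom_chain_name; do
    p=$(render_log_prefix 'fp=%s:%d a=%s ' "$chain" 3 DROP)
    if prefix_fits "$p"; then status=ok; else status=too-long; fi
    printf '%-9s [%s]\n' "$status" "$p"
done
```

A prefix that exceeds the limit loses the fields at its end, so a log parser keyed on the disposition would miss those entries.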
Determines the order in which Shorewall searches directories for
Specifies the simple name of a file in /var/lib/shorewall to be
used as the default restore script in the shorewall save,
shorewall restore, shorewall forget and shorewall -f start
This option is used to specify the shell program to be used to
run the Shorewall compiler and to interpret the compiled script.
If not specified or specified as a null value, /bin/sh is
assumed. Using a light-weight shell such as ash or dash can
significantly improve performance.
This parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when
it stops. Creating and removing this file allows Shorewall to
work with your distribution’s initscripts. For RedHat, this
should be set to /var/lock/subsys/shorewall. For Debian, the
value is /var/state/shorewall and in LEAF it is
Shorewall has traditionally been very noisy (produced lots of
output). You may set the default level of verbosity using the
0 — Silent. You may make it more verbose using the -v option
1 — Major progress messages displayed
2 — All progress messages displayed (old default behavior)
If not specified, then 2 is assumed.
shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
24 June 2008 shorewall-lite.conf(5)