Provided by: shorewall-common_4.0.12-1_all

NAME

       routestopped  -  The  Shorewall  file  that  governs what traffic flows
       through the firewall while it is in ’stopped’ state.

SYNOPSIS

       /etc/shorewall/routestopped

DESCRIPTION

       This file is used to define the hosts  that  are  accessible  when  the
       firewall  is stopped or is being stopped. When shorewall-shell is being
       used, the file also determines those hosts that are accessible when the
       firewall is in the process of being [re]started.

       The columns in the file are as follows.

       INTERFACE - interface
              Interface through which host(s) communicate with the firewall

       HOST(S) (Optional) — [-|address[,address]...]
              Comma-separated  list of IP/subnet addresses. If your kernel and
              iptables include iprange match support, IP  address  ranges  are
              also allowed.

              If left empty or supplied as "-", 0.0.0.0/0 is assumed.

       OPTIONS (Optional) — [-|option[,option]...]
              A  comma-separated  list of options. The order of the options is
              not important but the list can contain no  embedded  whitespace.
              The currently-supported options are:

              routeback
                     Set  up a rule to ACCEPT traffic from these hosts back to
                     themselves.

              source Allow  traffic  from  these  hosts  to  ANY  destination.
                     Without this option or the dest option, only traffic from
                     this host to other listed hosts  (and  the  firewall)  is
                     allowed.   If  source  is  specified  then  routeback  is
                     redundant.

              dest   Allow traffic to these hosts  from  ANY  source.  Without
                     this  option or the source option, only traffic from this
                     host to other listed hosts (and the firewall) is allowed.
                     If dest is specified then routeback is redundant.

              critical
                     Allow  traffic  between  the  firewall  and  these  hosts
                     throughout ’[re]start’, ’stop’  and  ’clear’.  Specifying
                     critical  on one or more entries will cause your firewall
                     to be "totally open" for a brief window  during  each  of
                     those operations. Examples of where you might want to use
                     this are:

                     · ’Ping’ nodes with heartbeat.

                     · LDAP server(s) if you use LDAP Authentication

                     · NFS Server if you have an NFS-mounted root  filesystem.

              Note

              The  source  and dest options work best when used in conjunction
              with ADMINISABSENTMINDED=Yes in shorewall.conf(5).

EXAMPLE

       Example 1:
                      #INTERFACE      HOST(S)                 OPTIONS
                      eth2            192.168.1.0/24
                      eth0            192.0.2.44
                      br0             -                       routeback
                      eth3            -                       source
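
       The following audit script is an added example, not part of Shorewall
       or of the original manual page. It checks a routestopped file against
       the rules stated above; the function names, severity labels and the
       sample entries for eth1 and eth4 are constructed for illustration.

```python
import ipaddress

KNOWN = {"routeback", "source", "dest", "critical"}  # options listed on this page

def _is_any(hosts):
    """True when HOST(S) is '-' or contains a /0 network (i.e. 0.0.0.0/0)."""
    if hosts == "-":
        return True
    for h in hosts.split(","):
        # iprange entries (low-high) are skipped, not expanded or validated
        if "-" not in h and ipaddress.ip_network(h, strict=False).prefixlen == 0:
            return True
    return False

def audit_routestopped(text):
    """Return (line_no, severity, message) findings for a routestopped file."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()      # drop comments, split columns
        if not cols:
            continue
        if len(cols) > 3:
            out.append((no, "error", "extra column: OPTIONS must not contain whitespace"))
            continue
        iface, hosts, opts = (cols + ["-", "-"])[:3]   # empty columns default to '-'
        options = set() if opts == "-" else set(opts.split(","))
        try:
            any_host = _is_any(hosts)
        except ValueError:
            out.append((no, "error", f"bad address in HOST(S): {hosts}"))
            continue
        for o in sorted(options - KNOWN):
            out.append((no, "error", f"unknown option: {o}"))
        if "routeback" in options and options & {"source", "dest"}:
            out.append((no, "info", "routeback is redundant with source/dest"))
        if "critical" in options:
            out.append((no, "warn", f"{iface}: firewall totally open briefly on [re]start/stop/clear"))
        if any_host and options & {"source", "dest"}:
            out.append((no, "warn", f"{iface}: source/dest applies to 0.0.0.0/0 while stopped"))
    return out

# Constructed sample: lines from Example 1 plus two entries that trip the checks.
SAMPLE = """\
#INTERFACE      HOST(S)                 OPTIONS
eth2            192.168.1.0/24
br0             -                       routeback
eth3            -                       source
eth1            10.0.0.5                critical,routeback,dest
eth4            10.0.0.9                source, dest
"""
```

       Calling audit_routestopped(SAMPLE) reports the open-ended source entry
       on eth3, the redundant routeback and the critical window on eth1, and
       the whitespace inside the OPTIONS list on eth4.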

FILES

       /etc/shorewall/routestopped

SEE ALSO

       http://shorewall.net/starting_and_stopping_shorewall.htm

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

                                 24 June 2008        shorewall-routestopped(5)