Provided by: sanewall-doc_1.0.2+ds-2_all

NAME

       sanewall-rule-params, sanewall-src, sanewall-dst, sanewall-srctype, sanewall-dsttype,
       sanewall-inface, sanewall-outface, sanewall-physin, sanewall-physout, sanewall-custom,
       sanewall-log, sanewall-loglimit, sanewall-proto, sanewall-uid, sanewall-gid,
       sanewall-mac-param, sanewall-mark-param, sanewall-tos-param, sanewall-dscp-param -
       optional rule parameters

SYNOPSIS

       Common

       src [not] host

       dst [not] host

       srctype [not] type

       dsttype [not] type

       proto [not] protocol

       mac [not] macaddr

       dscp [not] {value | class classid}

       mark [not] id

       tos [not] id

       custom "iptables-options..."

       Router Only

       inface [not] interface

       outface [not] interface

       physin [not] interface

       physout [not] interface

       Interface Only

       uid [not] user

       gid [not] group

       Logging

       log "log text" [level loglevel]

       loglimit "log text" [level loglevel]

DESCRIPTION

       Optional rule parameters are accepted by many commands to narrow the match they make. Not
       all parameters are accepted by all commands so you should check the individual commands
       for exclusions.

       All matches are made against the REQUEST.  Sanewall automatically sets up the necessary
       stateful rules to deal with replies in the reverse direction.

       Use the option not to match any value other than the one(s) specified.

       The logging parameters are unusual in that they do not affect the match, they just cause a
       log message to be emitted. Therefore, the logging parameters don't support the not option.

       Sanewall is designed so that if you specify a parameter that is also used internally by
       the command then a warning will be issued (and the internal version will be used).

COMMON

       Use src and dst to define the source and destination IP addresses of the request
       respectively.  host defines the IP or IPs to be matched. Examples:

           server smtp accept src not 192.0.2.1
           server smtp accept dst 198.51.100.1
           server smtp accept src not 192.0.2.1 dst 198.51.100.1

       Use srctype or dsttype to define the source or destination IP address type of the request.
       type is the address type category as used in the kernel's network stack. It can be one of:

       UNSPEC
           an unspecified address (i.e. 0.0.0.0)

       UNICAST
           a unicast address

       LOCAL
           a local address

       BROADCAST
           a broadcast address

       ANYCAST
           an anycast address

       MULTICAST
           a multicast address

       BLACKHOLE
           a blackhole address

       UNREACHABLE
           an unreachable address

       PROHIBIT
           a prohibited address

       THROW, NAT, XRESOLVE
           undocumented

       See iptables(8) or run iptables -m addrtype --help for more information. Examples:

           server smtp accept srctype not "UNREACHABLE PROHIBIT"

       Use proto to match by protocol. The protocol can be any accepted by iptables(8).

       Use mac to match by MAC address. The macaddr is matched against the "remote" host. In an
       interface, "remote" always means the non-local host. In a router, "remote" refers to the
       source of requests for servers and to the destination of requests for clients. Examples:

           # Only allow pop3 requests to the e6 host
           client pop3 accept mac 00:01:01:00:00:e6

           # Only allow hosts other than e7/e8 to access smtp
           server smtp accept mac not "00:01:01:00:00:e7 00:01:01:00:00:e8"

       Use dscp to match the DSCP field on packets. For details on DSCP values and classids, see
       dscp config helper: sanewall-dscp(5).

           server smtp accept dscp not "0x20 0x30"
           server smtp accept dscp not class "BE EF"

       Use mark to match marks set on packets. For details on mark ids, see mark config helper:
       sanewall-mark(5).

           server smtp accept mark not "20 55"

       Use tos to match the TOS field on packets. For details on TOS ids, see tos config helper:
       sanewall-tos(5).

           server smtp accept tos not "Maximize-Throughput 0x10"

       Use custom to pass arguments directly to iptables(8). All of the parameters must be in a
       single quoted string. To pass an option to iptables(8) that itself contains a space you
       need to quote strings in the usual bash(1) manner. For example:

           server smtp accept custom "--some-option some-value"
           server smtp accept custom "--some-option 'some-value second-value'"

ROUTER ONLY

       Use inface and outface to define the interface via which a request is received and
       forwarded respectively. Use the same format as interface definition:
       sanewall-interface(5). Examples:

           server smtp accept inface not eth0
           server smtp accept inface not "eth0 eth1"
           server smtp accept inface eth0 outface eth1

       Use physin and physout to define the physical interface via which a request is received or
       sent in cases where the inface or outface is known to be a virtual interface, e.g. a
       bridge. Use the same format as interface definition: sanewall-interface(5). Examples:

           server smtp accept physin not eth0

INTERFACE ONLY

       These parameters match on information gathered from the local host about the process that
       generated the traffic. They are silently ignored for incoming requests or requests that
       will be forwarded.

       Use uid to match the operating system user sending the traffic. The user is a username,
       uid number or a quoted list of the two.

       For example, to limit which users can access POP3 and IMAP:

           client "pop3 imap" accept user not "user1 user2 user3"

       This will allow all requests to reach the server but prevent replies unless the web server
       is running as apache:

           server http accept user apache

       Use gid to match the operating system group sending the traffic. The group is a group
       name, gid number or a quoted list of the two.

           Note
           The Linux kernel infrastructure to match PID/SID and executable names with pid, sid
           and cmd has been removed so these options can no longer be used.

LOGGING

       Use log or loglimit to log matching packets to syslog. Unlike iptables(8) logging, this is
       not an action: Sanewall will produce multiple iptables commands to accomplish both the
       action for the rule and the logging.

       Logging is controlled using the SANEWALL_LOG_OPTIONS and SANEWALL_LOG_LEVEL environment
       variables (see control variables: sanewall-variables(5)).  loglimit additionally honours
       the SANEWALL_LOG_FREQUENCY and SANEWALL_LOG_BURST variables.

       Specifying level (which takes the same values as SANEWALL_LOG_LEVEL) allows you to
       override the log level for a single rule.
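       The following complete configuration uses the common, router-only, interface-only and
       logging parameters described above together, so that it is clear in which context each one
       applies. It is an added example, not part of the Sanewall manual or the project's own files.
       It assumes a host whose LAN is on eth0 (192.0.2.0/24), whose uplink is eth1, and which also
       bridges eth2 and eth3 as br0; the users www-data and guest, the group mail, the mark value
       10, the MAC addresses and all IP addresses are constructed values, and the leading version
       line follows the Sanewall 1.0 configuration format.

```sanewall
version 5

# Added example configuration (not from the Sanewall manual). Assumed layout:
#   eth0 = LAN (192.0.2.0/24), eth1 = uplink, br0 = bridge over eth2 and eth3.
# Users www-data/guest, group mail, mark 10 and all addresses are illustrative.

interface eth0 lan src 192.0.2.0/24
    policy drop

    # Requests whose source is a local broadcast or multicast address are
    # dropped first (addrtype match); a rate-limited sample is logged at the
    # level given by SANEWALL_LOG_LEVEL.
    server all drop srctype "BROADCAST MULTICAST" loglimit "bad source type"

    # ssh only from the two admin workstations. Other attempts are logged with
    # a per-rule level that overrides SANEWALL_LOG_LEVEL, then dropped.
    server ssh accept src "192.0.2.10 192.0.2.11"
    server ssh drop loglimit "ssh from non-admin host" level warning

    # All requests reach the web server, but replies are only allowed when the
    # server process runs as www-data (uid is matched on the outgoing reply).
    # custom appends iptables options verbatim; the inner single quotes keep
    # the comment text as one iptables argument.
    server http accept uid www-data custom "-m comment --comment 'public web'"

    # Outgoing mail submission only from processes in the mail group.
    client smtp accept gid mail

    # Any other outgoing request, unless it comes from the guest user.
    client all accept uid not guest

router lan2wan inface eth0 outface eth1
    # Forward only packets carrying mark 10 (see sanewall-mark(5)) that do not
    # originate from the MAC addresses of two quarantined LAN hosts.
    route all accept mark 10 mac not "00:01:01:00:00:e7 00:01:01:00:00:e8"

    # Everything else crossing the router is logged (rate-limited) and dropped.
    server all drop loglimit "lan2wan denied"

router bridged inface br0 outface br0
    # On the bridge, match the physical ports rather than the virtual br0.
    server all accept physin eth2 physout eth3
    server all drop loglimit "bridge denied" level info
```

       Note that uid and gid appear only inside the interface block: in the two routers they would
       be silently ignored, because forwarded packets carry no local owner information.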

INTERNAL USE

       In addition to the parameters in the synopsis, Sanewall provides limit, sport and dport
       which are used internally. These should not normally be used in configuration files unless
       you really understand what you are doing.

       limit requires the arguments frequency and burst and will limit the matching of traffic in
       both directions.

       sport requires an argument port which can be a name, number, range (FROM:TO) or a quoted
       list of ports. It specifies the source port of a request.

       dport requires an argument port which can be a name, number, range (FROM:TO) or a quoted
       list of ports. It specifies the destination port of a request.

SEE ALSO

           Sanewall program: sanewall(1)
           Sanewall configuration: sanewall.conf(5)
           client command: sanewall-client(5)
           server, route commands: sanewall-server(5)
           interface definition: sanewall-interface(5)
           router definition: sanewall-router(5)
           mark config helper: sanewall-mark(5)
           tos config helper: sanewall-tos(5)
           dscp config helper: sanewall-dscp(5)
           control variables: sanewall-variables(5)
           administration tool for IPv4 firewalls: iptables(8)

AUTHOR

       Sanewall Team

COPYRIGHT

       Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>