Provided by: shorewall_5.2.3.4-1_all 
NAME
files - Shorewall Configuration Files
SYNOPSIS
/etc/shorewall[6]/*
DESCRIPTION
The following are the Shorewall[6] configuration files:
• /etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf[1] - used to set
global firewall parameters.
• /etc/shorewall[6]/params[2] - use this file to set shell variables that you will
expand in other files. It is always processed by /bin/sh or by the shell specified
through SHOREWALL_SHELL in /etc/shorewall/shorewall.conf.
• /etc/shorewall[6]/zones[3] - partition the firewall's view of the world into zones.
• /etc/shorewall[6]/policy[4] - establishes firewall high-level policy.
• /etc/shorewall[6]/initdone - An optional Perl script that will be invoked by the
Shorewall rules compiler when the compiler has finished it's initialization.
• /etc/shorewall[6]/interfaces[5] - describes the interfaces on the firewall system.
• /etc/shorewall[6]/hosts[6] - allows defining zones in terms of individual hosts and
subnetworks.
• /etc/shorewall[6]/masq[7] - directs the firewall where to use many-to-one (dynamic)
Network Address Translation (a.k.a. Masquerading) and Source Network Address
Translation (SNAT). Superseded by /etc/shorewall[6]/snat in Shorewall 5.0.14 and not
supported in Shorewall 5.1.0 and later versions.
• /etc/shorewall[6]/mangle[8] - supersedes /etc/shorewall/tcrules in Shorewall 4.6.0.
Contains rules for packet marking, TTL, TPROXY, etc.
• /etc/shorewall[6]/rules[9] - defines rules that are exceptions to the overall policies
established in /etc/shorewall/policy.
• /etc/shorewall[6]/nat[10] - defines one-to-one NAT rules.
• /etc/shorewall6/proxyarp[11] - defines use of Proxy ARP.
• /etc/shorewall6/proxyndp[12] - defines use of Proxy NDP.
• /etc/shorewall[6]/routestopped - defines hosts accessible when Shorewall is stopped.
Superseded in Shorewall 4.6.8 by /etc/shorewall/stoppedrules. Not supported in
Shorewall 5.0.0 and later versions.
• /etc/shorewall[6]/tcrules[13]- The file has a rather unfortunate name because it is
used to define marking of packets for later use by both traffic control/shaping and
policy routing. This file is superseded by /etc/shorewall/mangle in Shorewall 4.6.0.
Not supported in Shorewall 5.0.0 and later releases.
• /etc/shorewall[6]/tos[14] - defines rules for setting the TOS field in packet headers.
Superseded in Shorewall 4.5.1 by the TOS target in /etc/shorewall/tcrules (which file
has since been superseded by /etc/shorewall/mangle). Not supported in Shorewall 5.0.0
and later versions.
• /etc/shorewall[6]/tunnels[15] - defines tunnels (VPN) with end-points on the firewall
system.
• /etc/shorewall[6]/blacklist[16] - Deprecated in favor of /etc/shorewall/blrules. Lists
blacklisted IP/subnet/MAC addresses. Not supported in Shorewall 5.0.0 and later
releases.
• /etc/shorewall[6]/blrules — Added in Shorewall 4.5.0. Define blacklisting and
whitelisting. Supersedes /etc/shorewall/blacklist.
• /etc/shorewall[6]/init - shell commands that you wish to execute at the beginning of a
“shorewall start”, "shorewall reload" or “shorewall restart”.
• /etc/shorewall[6]/start - shell commands that you wish to execute near the completion
of a “shorewall start”, "shorewall reload" or “shorewall restart”
• /etc/shorewall[6]/started - shell commands that you wish to execute after the
completion of a “shorewall start”, "shorewall reload" or “shorewall restart”
• /etc/shorewall[6]/stop- commands that you wish to execute at the beginning of a
“shorewall stop”.
• /etc/shorewall[6]/stopped - shell commands that you wish to execute at the completion
of a “shorewall stop”.
• /etc/shorewall/ecn[17] - disable Explicit Congestion Notification (ECN - RFC 3168) to
remote hosts or networks. Superseded by ECN entries in /etc/shorewall/mangle in
Shorewall 5.0.6.
• /etc/shorewall/accounting[18] - define IP traffic accounting rules
• /etc/shorewall[6]/actions[19] and /usr/share/shorewall[6]/action.template allow
user-defined actions.
• /etc/shorewall[6]/providers[20] - defines alternate routing tables.
• /etc/shorewall[6]/rtrules[21] - Defines routing rules to be used in conjunction with
the routing tables defined in /etc/shorewall/providers.
• /etc/shorewall[6]/tcdevices[22], /etc/shorewall[6]/tcclasses[23],
/etc/shorewall[6]/tcfilters[24] - Define complex traffic shaping.
• /etc/shorewall[6]/tcrules[13] - Mark or classify traffic for traffic shaping or
multiple providers. Deprecated in Shorewall 4.6.0 in favor of /etc/shorewall/mangle.
Not supported in Shorewall 5.0.0 and later releases.
• /etc/shorewall[6]/tcinterfaces[25] and /etc/shorewall[6]/tcpri[26] - Define simple
traffic shaping.
• /etc/shorewall[6]/secmarks[27] - Added in Shorewall 4.4.13. Attach an SELinux context
to selected packets.
• /etc/shorewall[6]/vardir[28] - Determines the directory where Shorewall maintains its
state.
• /etc/shorewall/arprules[29] — Added in Shorewall 4.5.12. Allows specification of
arptables rules.
• /etc/shorewall/mangle[8] -- Added in Shorewall 4.6.0.
Supersedes/etc/shorewall/tcrules.
• /etc/shorewall[6]/snat[30] - directs the firewall where to use many-to-one (dynamic)
Network Address Translation (a.k.a. Masquerading) and Source Network Address
Translation (SNAT). Superseded /etc/shorewall[6]/masq in Shorewall 5.0.14
• /usr/share/shorewall[6]/actions.std - Actions defined by Shorewall.
• /usr/share/shorewall[6]/action.* - Details of actions defined by Shorewall.
• /usr/share/shorewall[6]/macro.* - Details of macros defined by Shorewall.
• /usr/share/shorewall[6]/modules — Specifies the kernel modules to be loaded during
shorewall start/restart.
• /usr/share/shorewall[6]/helpers — Added in Shorewall 4.4.7. Specifies the kernel
modules to be loaded during shorewall start/restart when LOAD_HELPERS_ONLY=Yes in
shorewall.conf.
CONFIG_PATH
The CONFIG_PATH option in shorewall[6].conf(5)[20] determines where the compiler searches
for configuration files. The default setting is
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the compiler first looks
in /etc/shorewall and if it doesn't find the file, it then looks in /usr/share/shorewall.
You can change this setting to have the compiler look in different places. For example, if
you want to put your own versions of standard macros in /etc/shorewall/Macros, then you
could set CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and the
compiler will use your versions rather than the standard ones.
COMMENTS
You may place comments in configuration files by making the first non-whitespace character
a pound sign (“#”). You may also place comments at the end of any line, again by
delimiting the comment from the rest of the line with a pound sign.
Example 1. Comments in a Configuration File
# This is a comment
ACCEPT net $FW tcp www #This is an end-of-line comment
Important
Except in shorewall.conf(5)[1] and params(5)[2], if a comment ends with a backslash
("\"), the next line will also be treated as a comment. See Line Continuation below.
BLANK LINES
Most of the configuration files are organized into space-separated columns. If you don't
want to supply a value in a column but want to supply a value in a following column,
simply enter '-' to make the column appear empty.
Example:
#INTERFACE BROADCAST OPTIONS
br0 - routeback
LINE CONTINUATION
Lines may be continued using the usual backslash (“\”) followed immediately by a new line
character (Enter key).
ACCEPT net $FW tcp \↵
smtp,www,pop3,imap #Services running on the firewall
Important
What follows does NOT apply to shorewall-params(5)[31] and shorewall.conf(5)[1].
In certain cases, leading white space is ignored in continuation lines:
1. The continued line ends with a colon (":")
2. The continued line ends with a comma (",")
Example (/etc/shorewall/rules):
#ACTION SOURCE DEST PROTO DPORT
ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
206.124.146.180\
dmz tcp 873
The leading white space on the first through third continuation lines is ignored so the
SOURCE column effectively contains "net:206.124.146.177,206.124.147.178,206.124.146.180".
Because the third continuation line does not end with a comma or colon, the leading white
space in the last line is not ignored.
Important
A trailing backslash is not ignored in a comment. So the continued rule above can be
commented out with a single '#' as follows:
#ACTION SOURCE DEST PROTO DPORT
#ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
206.124.146.180\
dmz tcp 873
ALTERNATIVE SPECIFICATION OF COLUMN VALUES
Some of the configuration files now have a large number of columns. That makes it awkward
to specify a value for one of the right-most columns as you must have the correct number
of intervening '-' columns.
This problem is addressed by allowing column values to be specified as column-name/value
pairs.
There is considerable flexibility in how you specify the pairs:
• At any point, you can enter a left curly bracket ('{') followed by one or more
specifications of the following forms:
column-name=value
column-name=>value
column-name:value
The pairs must be followed by a right curly bracket ("}").
The value may optionally be enclosed in double quotes.
The pairs must be separated by white space, but you can add a comma adjacent to the
values for readability as in:
{ proto=>udp, port=1024
}
• You can also separate the pairs from columns by using a semicolon:
; proto:udp,
port:1024
In Shorewall 5.0.3, the sample configuration files and the man pages were updated to use
the same column names in both the column headings and in the alternate specification
format. The following table shows the column names for each of the table-oriented
configuration files.
Note
Column names are case-insensitive.
┌──────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────┐
│File │ Column names │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│accounting │ action,chain, source, dest, │
│ │ proto, dport, sport, user, │
│ │ mark, ipsec, headers │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│conntrack │ action,source,dest,proto,dport,sport,user,switch │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│blacklist │ networks,proto,port,options │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│blrules │ action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ecn │ interface,hosts. Beginning with Shorewall 4.5.4, 'host' is │
│ │ a synonym for 'hosts'. │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│hosts │ zone,hosts,options. Beginning with Shorewall 4.5.4, 'host' │
│ │ is a synonym for 'hosts'. │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│interfaces │ zone,interface,broadcast,options │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│maclist │ disposition,interface,mac,addresses │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│mangle │ action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│masq │ interface,source,address,proto,port,ipsec,mark,user,switch │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│nat │ external,interface,internal,allints,local │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│netmap │ type,net1,interface,net2,net3,proto,dport,sport │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│notrack │ source,dest,proto,dport,sport,user │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│policy │ source,dest,policy,loglevel,limit,connlimit │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│providers │ table,number,mark,duplicate,interface,gateway,options,copy │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│proxyarp and proxyndp │ address,interface,external,haveroute,persistent │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│rtrules │ source,dest,provider,priority │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│routes │ provider,dest,gateway,device │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│routestopped │ interface,hosts,options,proto,dport,sport │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│rules │ action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│secmarks │ secmark,chain,source,dest,proto,dport,sport,user,mark │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tcclasses │ interface,mark,rate,ceil,prio,options │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tcdevices │ interface,in_bandwidth,out_bandwidth,options,redirect │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tcfilters │ class,source,dest,proto,dport,sport,tos,length │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tcinterfaces │ interface,type,in_bandwidth,out_bandwidth │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tcpri │ band,proto,port,address,interface,helper │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tcrules │ mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers. │
│ │ Beginning with Shorewall 4.5.3, 'action' is a synonym for │
│ │ 'mark'. │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tos │ source,dest,proto,dport,sport,tos,mark │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│tunnels │ type,zone,gateway,gateway_zone. Beginning with Shorewall │
│ │ 4.5.3, 'gateways' is a synonym for 'gateway'. Beginning with │
│ │ Shorewall 4.5.4, 'gateway_zones' is a synonym for │
│ │ 'gateway_zone'. │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│zones │ zone,type,options,in_options,out_options │
└──────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────┘
Example (rules file):
#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"
Here's the same line in several equivalent formats:
{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }
Beginning with Shorewall 5.0.11, ip[6]table comments can be attached to individual rules
using the comment keyword.
Example from the rules file:
ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }
As shown in that example, when the comment contains whitespace, it must be enclosed in
double quotes and any embedded double quotes must be escaped using a backslash ("\").
TIME COLUMNS
Several of the files include a TIME column that allows you to specify times when the rule
is to be applied. Contents of this column is a list of timeelements separated by apersands
(&).
Each timeelement is one of the following:
timestart=hh:mm[:ss]
Defines the starting time of day.
timestop=hh:mm[:ss]
Defines the ending time of day.
contiguous
Added in Shoreawll 5.0.12. When timestop is smaller than timestart value, match this
as a single time period instead of distinct intervals. See the Examples below.
utc
Times are expressed in Greenwich Mean Time.
localtz
Deprecated by the Netfilter team in favor of kerneltz. Times are expressed in Local
Civil Time (default).
kerneltz
Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time (requires iptables
1.4.12 or later).
weekdays=ddd[,ddd]...
where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
monthdays=dd[,dd],...
where dd is an ordinal day of the month
datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the starting date and time.
datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the ending date and time.
Examples:
To match on weekends, use:
weekdays=Sat,Sun
Or, to match (once) on a national holiday block:
datestart=2016-12-24&datestop=2016-12-27
Since the stop time is actually inclusive, you would need the following stop time to not
match the first second of the new day:
datestart=2016-12-24T17:00&datestop=2016-12-27T23:59:59
During Lunch Hour
The fourth Friday in the month:
weekdays=Fri&monthdays=22,23,24,25,26,27,28
Matching across days might not do what is expected. For instance,
weekdays=Mon×tart=23:00×top=01:00
Will match Monday, for one hour from midnight to 1 a.m., and then again for another
hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two
hours from Montay 23:00 onwards' you need to also specify the contiguous option in the
example above.
SWITCHES
here are times when you would like to enable or disable one or more rules in the
configuration without having to do a shorewall reload or shorewall restart. This may be
accomplished using the SWITCH column in shorewall-rules[32] (5) or shorewall6-rules[33]
(5). Using this column requires that your kernel and iptables include Condition Match
Support and you must be running Shorewall 4.4.24 or later. See the output of shorewall
show capabilities and shorewall version to determine if you can use this feature.
The SWITCH column contains the name of a switch. Each switch is initially in the off
position. You can turn on the switch named switch1 by:
echo 1 >
/proc/net/nf_condition/switch1
You can turn it off again by:
echo 0 >
/proc/net/nf_condition/switch1
If you simply include the switch name in the SWITCH column, then the rule is enabled only
when the switch is on. If you precede the switch name with ! (e.g., !switch1), then the
rule is enabled only when the switch is off. Switch settings are retained over shorewall
restart.
Shorewall requires that switch names:
• begin with a letter and be composed of letters, digits, underscore ('_') or hyphen
('-'); and
• be 30 characters or less in length.
Multiple rules can be controlled by the same switch.
Example:
Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
FILES
/etc/shorewall[6]/*
NOTES
1. /etc/shorewall/shorewall.conf
and /etc/shorewall6/shorewall6.conf
http://www.shorewall.orgshorewall.conf.html
2. /etc/shorewall[6]/params
http://www.shorewall.orgshorewall-params.html
3. /etc/shorewall[6]/zones
http://www.shorewall.orgshorewall-zones.html
4. /etc/shorewall[6]/policy
http://www.shorewall.orgshorewall-policy.html
5. /etc/shorewall[6]/interfaces
http://www.shorewall.orgshorewall-interfaces.html
6. /etc/shorewall[6]/hosts
http://www.shorewall.orgshorewall-hosts.html
7. /etc/shorewall[6]/masq
http://www.shorewall.orgshorewall-masq.html
8. /etc/shorewall[6]/mangle
http://www.shorewall.orgshorewall-mangle.html
9. /etc/shorewall[6]/rules
http://www.shorewall.orgshorewall-rules.html
10. /etc/shorewall[6]/nat
http://www.shorewall.orgshorewall-nat.html
11. /etc/shorewall6/proxyarp
http://www.shorewall.orgshorewall-proxyarp.html
12. /etc/shorewall6/proxyndp
http://www.shorewall.orgshorewall-proxyndp.html
13. /etc/shorewall[6]/tcrules
http://www.shorewall.orgshorewall-tcrules.html
14. /etc/shorewall[6]/tos
http://www.shorewall.orgshorewall-tos.html
15. /etc/shorewall[6]/tunnels
http://www.shorewall.orgshorewall-tunnels.html
16. /etc/shorewall[6]/blacklist
http://www.shorewall.orgshorewall-blacklist.html
17. /etc/shorewall/ecn
http://www.shorewall.orgshorewall-ecn.html
18. /etc/shorewall/accounting
http://www.shorewall.orgshorewall-accounting.html
19. /etc/shorewall[6]/actions
http://www.shorewall.orgshorewall-actions.html
20. /etc/shorewall[6]/providers
http://www.shorewall.org???
21. /etc/shorewall[6]/rtrules
http://www.shorewall.orgshorewall-rtrules.html
22. /etc/shorewall[6]/tcdevices
http://www.shorewall.orgshorewall-tcdevices.html
23. /etc/shorewall[6]/tcclasses
http://www.shorewall.orgshorewall-tcclasses.html
24. /etc/shorewall[6]/tcfilters
http://www.shorewall.orgshorewall-tcfilters.html
25. /etc/shorewall[6]/tcinterfaces
http://www.shorewall.orgshorewall-tcinterfaces.html
26. /etc/shorewall[6]/tcpri
http://www.shorewall.orgshorewall-tcpri.html
27. /etc/shorewall[6]/secmarks
http://www.shorewall.orgshorewall-secmarks.html
28. /etc/shorewall[6]/vardir
http://www.shorewall.orgshorewall-vardir.html
29. /etc/shorewall/arprules
http://www.shorewall.orgshorewall-arprules.html
30. /etc/shorewall[6]/snat
http://www.shorewall.orgshorewall-snat.html
31. shorewall-params(5)
http://www.shorewall.orgmanpages/shorewall-params.html
32. shorewall-rules
http://www.shorewall.orgmanpages/shorewall-rules.html
33. shorewall6-rules
http://www.shorewall.orgmanpages6/shorewall6-rules.html