Provided by: sanewall-doc_1.0.2+ds-2_all bug

NAME

       sanewall-router - create a router definition

SYNOPSIS

       router name [rule-params]

DESCRIPTION

       A router definition consists of a set of rules for traffic passing through the host
       running the firewall.

       The default policy for router definitions is RETURN, meaning packets are not dropped by
       any particular router. Packets not matched by any router are dropped at the end of the
       firewall.

       The behaviour of the defined router is controlled by adding subcommands (listed in the
       section called “SEE ALSO”).

PARAMETERS

       name
           This is a name for this router. You should use short names (10 characters maximum)
           without spaces or other symbols.

           A name should be unique for all Sanewall interface and router definitions.

       rule-params
           The set of rule parameters to further restrict the traffic that is matched to this
           router.

           See optional rule parameters: sanewall-rule-params(5) for information on the
           parameters that can be used. Some examples:

               router mylan inface ppp+ outface eth0 src not ${UNROUTABLE_IPS}

               router myrouter

           See Sanewall configuration: sanewall.conf(5) for an explanation of ${UNROUTABLE_IPS}.

WORKING WITH ROUTERS

       Routers create stateful iptables rules which match traffic in both directions.

       To match some client or server traffic, the input/output interface or source/destination
       of the request must be specified. All inface/outface and src/dstoptional rule parameters:
       sanewall-rule-params(5) can be given on the router statement (in which case they will be
       applied to all subcommands for the router) or just within the subcommands of the router.

       For example, to define a router which matches requests from any PPP interface and destined
       for eth0, and on this allowing HTTP servers (on eth0) to be accessed by clients (from PPP)
       and SMTP clients (from eth0) to access any servers (on PPP):

           router mylan inface ppp+ outface eth0
             server http accept
             client smtp accept

           Note
           The client subcommand reverses any optional rule parameters passed to the router, in
           this case the inface and outface.

       Equivalently, to define a router which matches all forwarded traffic and within the the
       router allow HTTP servers on eth0 to be accessible to PPP and any SMTP servers on PPP to
       be accessible from eth0:

           router mylan
             server http accept inface ppp+ outface eth0
             server smtp accept inface eth0 outface ppp

           Note
           In this instance two server subcommands are used since there are no parameters on the
           router to reverse. Avoid the use of the client subcommand in routers unless the inputs
           and outputs are defined as part of the router.

       Any number of routers can be defined and the traffic they match can overlap. Since the
       default policy is RETURN, any traffic that is not matched by any rules in one will proceed
       to the next, in order, until none are left.

SEE ALSO

           Sanewall program: sanewall(1)
           Sanewall configuration: sanewall.conf(5)
           interface definition: sanewall-interface(5)
           policy command: sanewall-policy(5)
           protection command: sanewall-protection(5)
           client command: sanewall-client(5)
           server, route commands: sanewall-server(5)
           group command: sanewall-group(5)
           iptables helper: sanewall-iptables(5)
           masquerade helper: sanewall-masquerade(5)
           tcpmss helper: sanewall-tcpmss(5)

AUTHOR

       Sanewall Team

COPYRIGHT

       Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>