Provided by: sanewall-doc_1.0.2+ds-2_all

NAME

       sanewall-router - create a router definition

SYNOPSIS

       router name [rule-params]

DESCRIPTION

       A router definition consists of a set of rules for traffic passing through the host running the firewall.

       The default policy for router definitions is RETURN, meaning packets are not dropped by any particular
       router. Packets not matched by any router are dropped at the end of the firewall.

       The behaviour of the defined router is controlled by adding subcommands (listed in the section called
       “SEE ALSO”).

PARAMETERS

       name
           This is a name for this router. You should use short names (10 characters maximum) without spaces or
           other symbols.

           A name should be unique for all Sanewall interface and router definitions.

       rule-params
           The set of rule parameters to further restrict the traffic that is matched to this router.

           See optional rule parameters: sanewall-rule-params(5) for information on the parameters that can be
           used. Some examples:

               router mylan inface ppp+ outface eth0 src not ${UNROUTABLE_IPS}

               router myrouter

           See Sanewall configuration: sanewall.conf(5) for an explanation of ${UNROUTABLE_IPS}.

WORKING WITH ROUTERS

       Routers create stateful iptables rules which match traffic in both directions.

       To match some client or server traffic, the input/output interface or source/destination of the request
       must be specified. All inface/outface and src/dst optional rule parameters (see sanewall-rule-params(5))
       can be given on the router statement (in which case they will be applied to all subcommands for the
       router) or just within the subcommands of the router.

       For example, to define a router which matches requests arriving on any PPP interface and destined for
       eth0, and within it allow HTTP servers (on eth0) to be accessed by clients (from PPP) and SMTP clients
       (from eth0) to access any servers (on PPP):

           router mylan inface ppp+ outface eth0
             server http accept
             client smtp accept

           Note

           The client subcommand reverses any optional rule parameters passed to the router, in this case the
           inface and outface.

       Equivalently, to define a router which matches all forwarded traffic and within the router allow HTTP
       servers on eth0 to be accessible to PPP and any SMTP servers on PPP to be accessible from eth0:

           router mylan
             server http accept inface ppp+ outface eth0
             server smtp accept inface eth0 outface ppp+

           Note

           In this instance two server subcommands are used since there are no parameters on the router to
           reverse. Avoid the use of the client subcommand in routers unless the inputs and outputs are defined
           as part of the router.

       Any number of routers can be defined and the traffic they match can overlap. Since the default policy is
       RETURN, any traffic that is not matched by any rules in one will proceed to the next, in order, until
       none are left.
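       The following lint script is an added example, not part of Sanewall, that checks a configuration against
       two points made above: the naming rules for interface and router definitions (short, unique, no spaces or
       symbols; it assumes letters, digits and underscores are the only valid characters) and the caveat that a
       client subcommand inside a router is only meaningful when the router line itself carries inface/outface to
       reverse. The sample configuration is constructed and contains three deliberate problems.

```shell
#!/bin/sh
# Added lint for Sanewall router/interface definitions (not Sanewall's own code).
# Assumption: a valid definition name is letters, digits and underscores only.

# Constructed sample configuration with three deliberate problems.
SAMPLE_CONF='version 5
interface eth0 lan
  server ssh accept
router mylan inface ppp+ outface eth0
  server http accept
  client smtp accept
router myrouter
  server http accept inface ppp+ outface eth0
  client smtp accept
router this_name_is_too_long
  server dns accept
router mylan
  server ntp accept
'

# lint_sanewall_conf: reads a configuration on stdin and prints one finding per line.
# Exit status is 0 when the configuration is clean, 1 when anything was reported.
lint_sanewall_conf() {
    awk '
    function report(msg) { print "line " NR ": " msg; findings++ }
    $1 == "interface" || $1 == "router" {
        kind = $1
        # "interface <real-iface> <name>" versus "router <name>"
        name = (kind == "interface") ? $3 : $2
        if (length(name) > 10)
            report(kind " name \"" name "\" is longer than 10 characters")
        if (name !~ /^[A-Za-z0-9_]+$/)
            report(kind " name \"" name "\" contains spaces or symbols")
        if (name in seen)
            report(kind " name \"" name "\" already used by " seen[name])
        seen[name] = kind
        in_router = (kind == "router")
        # does the router line itself carry inface/outface for client to reverse?
        router_has_iface = 0
        for (i = 3; i <= NF; i++)
            if ($i == "inface" || $i == "outface") router_has_iface = 1
        next
    }
    in_router && $1 == "client" && !router_has_iface {
        report("client subcommand in router \"" name "\" which has no inface/outface to reverse")
    }
    END { exit findings ? 1 : 0 }
    '
}

printf '%s' "$SAMPLE_CONF" | lint_sanewall_conf || echo "configuration needs attention"
```

       Run it against a real configuration with `lint_sanewall_conf < /etc/sanewall/sanewall.conf`; the
       script only reads the file and changes nothing.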

SEE ALSO

           Sanewall program: sanewall(1)
           Sanewall configuration: sanewall.conf(5)
           interface definition: sanewall-interface(5)
           policy command: sanewall-policy(5)
           protection command: sanewall-protection(5)
           client command: sanewall-client(5)
           server, route commands: sanewall-server(5)
           group command: sanewall-group(5)
           iptables helper: sanewall-iptables(5)
           masquerade helper: sanewall-masquerade(5)
           tcpmss helper: sanewall-tcpmss(5)

AUTHOR

       Sanewall Team

COPYRIGHT

       Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>

Sanewall 1.0.2                                  Built 01 Jun 2013                        ROUTER DEFINITION: S(5)