shorewall.conf.5

sharewall is very good

\fBBRIDGING=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
When set to
\fBYes\fR
or
\fByes\fR, enables Shorewall Bridging support\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
BRIDGING=Yes may not work properly with Linux kernel 2\&.6\&.20 or later and is not supported by Shorewall\-perl\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBCLAMPMSS=[\fR\fBYes\fR|\fBNo\fR|\fIvalue\fR]
.RS 4
This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and is usually required when your internet connection is through PPPoE or PPTP\&. If set to
\fBYes\fR
or
\fByes\fR, the feature is enabled\&. If left blank or set to
\fBNo\fR
or
\fBno\fR, the feature is not enabled\&.
.sp
\fBImportant\fR: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel\&.
.sp
You may also set CLAMPMSS to a numeric
\fIvalue\fR
(e\&.g\&., CLAMPMSS=1400)\&. This will set the MSS field in TCP SYN packets going through the firewall to the
\fIvalue\fR
that you specify\&.
.RE
.PP
\fBCLEAR_TC=\fR[\fBYes\fR|\fBNo\fR]
.RS 4
If this option is set to
\fBNo\fR
then Shorewall won\'t clear the current traffic control rules during [re]start\&. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started\&. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file\&. That way, your traffic shaping rules can still use the \(lqfwmark\(rq classifier based on packet marking defined in
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[5]\d\s+2(5)\&. If not specified, CLEAR_TC=Yes is assumed\&.
.RE
.PP
\fBCONFIG_PATH\fR=[\fIdirectory\fR[:\fIdirectory\fR]\&.\&.\&.]
.RS 4
Specifies where configuration files other than shorewall\&.conf may be found\&. CONFIG_PATH is specifies as a list of directory names separated by colons (":")\&. When looking for a configuration file other than shorewall\&.conf:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If the command is "try" or a "<configuration directory>" was specified in the command (e\&.g\&.,
\fBshorewall check \&./gateway\fR) then the directory given in the command is searched first\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Next, each directory in the CONFIG_PATH setting is searched in sequence\&.
.RE
.RS 4
.sp
If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are used\&. As released from shorewall\&.net, that file sets the CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your particular distribution may set it differently\&. See the output of shorewall show config for the default on your system\&.
.sp
Note that the setting in /usr/share/shorewall/configpath is always used to locate shorewall\&.conf\&.
.RE
.PP
\fBDELAYBLACKLISTLOAD=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Users with a large static black list (\m[blue]\fBshorewall\-blacklist\fR\m[]\&\s-2\u[6]\d\s+2(5)) may want to set the DELAYBLACKLISTLOAD option to
\fBYes\fR\&. When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before loading the blacklist rules\&. While this may allow connections from blacklisted hosts to slip by during construction of the blacklist, it can substantially reduce the time that all new connections are disabled during
\fBshorewall\fR
[\fBre\fR]\fBstart\fR\&.
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
DELAYBLACKLISTLOAD=Yes is not supported by Shorewall\-perl\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBDELETE_THEN_ADD=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Added in Shorewall 4\&.0\&.4\&. If set to Yes (the default value), entries in the /etc/shorewall/route_stopped files cause an \'ip rule del\' command to be generated in addition to an \'ip rule add\' command\&. Setting this option to No, causes the \'ip rule del\' command to be omitted\&.
.RE
.PP
\fBDETECT_DNAT_IPADDRS=\fR[\fBYes\fR|\fBNo\fR]
.RS 4
If set to
\fBYes\fR
or
\fByes\fR, Shorewall will detect the first IP address of the interface to the source zone and will include this address in DNAT rules as the original destination IP address\&. If set to
\fBNo\fR
or
\fBno\fR, Shorewall will not detect this address and any destination IP address will match the DNAT rule\&. If not specified or empty, \(lqDETECT_DNAT_IPADDRS=Yes\(rq is assumed\&.
.RE
.PP
\fBDISABLE_IPV6=\fR[\fBYes\fR|\fBNo\fR]
.RS 4
If set to
\fBYes\fR
or
\fByes\fR, IPv6 traffic to, from and through the firewall system is disabled\&. If set to
\fBNo\fR
or
\fBno\fR, Shorewall will take no action with respect to allowing or disallowing IPv6 traffic\&. If not specified or empty, \(lqDISABLE_IPV6=No\(rq is assumed\&.
.RE
.PP
\fBDONT_LOAD=\fR[\fImodule\fR[,\fImodule\fR]\&.\&.\&.]
.RS 4
Added in Shorewall\-4\&.0\&.6\&. Causes Shorewall to not load the listed modules\&.
.RE
.PP
\fBDYNAMIC_ZONES=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
When set to
\fBYes\fR
or
\fByes\fR, enables dynamic zones\&. DYNAMIC_ZONES=Yes is not allowed in configurations that will run under Shorewall Lite\&.
.sp
DYNAMIC_ZONES=Yes is not supported by Shorewall\-perl 4\&.2\&.0 and later\&.
.RE
.PP
\fBEXPAND_POLICIES=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Normally, when the SOURCE or DEST columns in shorewall\-policy(5) contains \'all\', a single policy chain is created and the policy is enforced in that chain\&. For example, if the policy entry is
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
#SOURCE DEST POLICY LOG
#                   LEVEL
net     all  DROP   info
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
then the chain name is \'net2all\' which is also the chain named in Shorewall log messages generated as a result of the policy\&. If EXPAND_POLICIES=Yes, then Shorewall\-perl will create a separate chain for each pair of zones covered by the policy\&. This makes the resulting log messages easier to interpret since the chain in the messages will have a name of the form \'a2b\' where \'a\' is the SOURCE zone and \'b\' is the DEST zone\&.
.RE
.PP
\fBEXPORTPARAMS=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
It is quite difficult to code a \'params\' file that assigns other than constant values such that it works correctly with Shorewall Lite\&. The EXPORTPARAMS option works around this problem\&. When EXPORTPARAMS=No, the \'params\' file is not copied to the compiler output\&.
.sp
With EXPORTPARAMS=No, if you need to set environmental variables on the firewall system for use by your extension scripts, then do so in the init extension script\&.
.sp
The default is EXPORTPARAMS=Yes
.RE
.PP
\fBFASTACCEPT=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Normally, Shorewall defers accepting ESTABLISHED/RELATED packets until these packets reach the chain in which the original connection was accepted\&. So for packets going from the \'loc\' zone to the \'net\' zone, ESTABLISHED/RELATED packets are ACCEPTED in the \'loc2net\' chain\&.
.sp
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains\&. If you set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2(5)\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
FASTACCEPT=Yes is incompatible with BLACKLISTNEWONLY=No\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBHIGH_ROUTE_MARKS=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Prior to version 3\&.2\&.0, it was not possible to use connection marking in
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[5]\d\s+2(5) if you have a multi\-ISP configuration that uses the track option\&.
.sp
Beginning with release 3\&.2\&.0, you may now set HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and connection mark into two 8\-byte mark fields\&.
.sp
When you do this:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
The MARK field in the providers file must have a value that is less than 65536 and that is a multiple of 256 (using hex representation, the values are 0x0100\-0xFF00 with the low\-order 8 bits being zero)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
You may only set those mark values in the PREROUTING chain\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
Marks used for traffic shaping must still be in the range of 1\-255 and may still not be set in the PREROUTING chain\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
When you SAVE or RESTORE in tcrules, only the TC mark value is saved or restored\&. Shorewall handles saving and restoring the routing (provider) marks\&.
.RE
.RE
.PP
\fBIMPLICIT_CONTINUE=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
When this option is set to
\fBYes\fR, it causes subzones to be treated differently with respect to policies\&.
.sp
Subzones are defined by following their name with ":" and a list of parent zones (in
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[8]\d\s+2(5))\&. Normally, you want to have a set of special rules for the subzone and if a connection doesn\'t match any of those subzone\-specific rules then you want the parent zone rules and policies to be applied; see
\m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. With IMPLICIT_CONTINUE=Yes, that happens automatically\&.
.sp
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones are not subject to this special treatment\&. With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden by including an explicit policy (one that does not specify "all" in either the SOURCE or the DEST columns)\&.
.RE
.PP
\fBIP_FORWARDING=\fR[\fBOn\fR|\fBOff\fR|\fBKeep\fR]
.RS 4
This parameter determines whether Shorewall enables or disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward)\&. Possible values are:
.PP
\fBOn\fR or \fBon\fR
.RS 4
packet forwarding will be enabled\&.
.RE
.PP
\fBOff\fR or \fBoff\fR
.RS 4
packet forwarding will be disabled\&.
.RE
.PP
\fBKeep\fR or \fBkeep\fR
.RS 4
Shorewall will neither enable nor disable packet forwarding\&.
.RE
.sp

If this variable is not set or is given an empty value (IP_FORWARD="") then IP_FORWARD=On is assumed\&.
.RE
.PP
\fBIPSECFILE=\fR{\fBzones\fR|\fBipsec\fR}
.RS 4
This should be set to
\fBzones\fR
for all new Shorewall installations\&. IPSECFILE=ipsec is only used for compatibility with pre\-Shorewall\-3\&.0 configurations\&.
.RE
.PP
\fBIPTABLES=\fR[\fIpathname\fR]
.RS 4
This parameter names the iptables executable to be used by Shorewall\&. If not specified or if specified as a null value, then the iptables executable located using the PATH option is used\&.
.sp
Regardless of how the IPTABLES utility is located (specified via IPTABLES= or located via PATH), Shorewall uses the iptables\-restore and iptables\-save utilities from that same directory\&.
.RE
.PP
\fBKEEP_RT_TABLES=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Added in Shorewall 4\&.0\&.3\&. When set to
\fBYes\fR, this option prevents scripts generated by Shorewall\-perl from altering the /etc/iproute2/rt_tables database when there are entries in
\FC/etc/shorewall/providers\F[]\&. If you set this option to
\fBYes\fR
while Shorewall (Shorewall\-lite) is running, you should remove the file
\FC/var/lib/shorewall/rt_tables\F[]
(\FC/var/lib/shorewall\-lite/rt_tables\F[]) before your next
\fBstop\fR,
\fBrefresh\fR,
\fBrestore\fR
on
\fBrestart\fR
command\&.
.sp
The default is KEEP_RT_TABLES=No\&.
.RE
.PP
\fBLOG_MARTIANS=\fR[\fBYes\fR|\fBNo\fR|Keep]
.RS 4
If set to
\fBYes\fR
or
\fByes\fR, sets /proc/sys/net/ipv4/conf/all/log_martians and /proc/sys/net/ipv4/conf/default/log_martians to 1\&. In Shorewall versions prior to 4\&.1\&.5, the default is
\fBNo\fR
which sets both of the above to zero\&. In Shorewall 4\&.1\&.5, the default value was chaned to
\fBYes\fR
which sets both of the above to one\&. If you do not enable martian logging for all interfaces, you may still enable it for individual interfaces using the
\fBlogmartians\fR
interface option in
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[10]\d\s+2(5)\&.
.sp
The value
\fBKeep\fR
is only allowed under Shorewall\-perl\&. It causes Shorewall to ignore the option\&. If the option is set to
\fBYes\fR, then martians are logged on all interfaces\&. If the option is set to
\fBNo\fR, then martian logging is disabled on all interfaces except those specified in
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[10]\d\s+2(5)\&.
.RE
.PP
\fBLOG_VERBOSITY=\fR[\fInumber\fR]
.RS 4
This option controls the amount of information logged to the file specified in the STARTUP_LOG option\&.
.sp
Values are:
.RS 4
\-1 \- Logging is disabled
.RE
.RS 4
0 \- Silent\&. Only error messages are logged\&.
.RE
.RS 4
1 \- Major progress messages logged\&.
.RE
.RS 4
2 \- All progress messages logged
.RE
If not specified, then \-1 is assumed\&.
.RE
.PP
\fBLOGALLNEW=\fR[\fIlog\-level\fR]
.RS 4
This option is intended for use as a debugging aid\&. When set to a log level, this option causes Shorewall to generate a logging rule as the first rule in each builtin chain\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The table name is used as the chain name in the log prefix\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\