shorewall.conf.5

sharewall is very good

.\}
.sp
then traffic from 192\&.168\&.1\&.4 to 10\&.0\&.3\&.9 will be accepted even though you also have:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
    #SUBNETS                 TARGET
    10\&.0\&.0\&.0/8               logdrop
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
Setting RFC1918_STRICT=Yes in shorewall\&.conf will cause such traffic to be logged and dropped since while the packet\'s source matches the RETURN rule, the packet\'s destination matches the \'logdrop\' rule\&.
.sp
If not specified or specified as empty (e\&.g\&., RFC1918_STRICT="") then RFC1918_STRICT=No is assumed\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
RFC1918_STRICT=Yes requires that your kernel and iptables support \'Connection Tracking\' match\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBROUTE_FILTER=\fR[\fBYes\fR|\fBNo\fR|Keep]
.RS 4
If this parameter is given the value
\fBYes\fR
or
\fByes\fR
then route filtering (anti\-spoofing) is enabled on all network interfaces which are brought up while Shorewall is in the started state\&. The default value is
\fBno\fR\&.
.sp
The value
\fBKeep\fR
is only allowed under Shorewall\-perl\&. It causes Shorewall to ignore the option\&. If the option is set to
\fBYes\fR, then route filtering occurs on all interfaces\&. If the option is set to
\fBNo\fR, then route filtering is disabled on all interfaces except those specified in
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[10]\d\s+2(5)\&.
.RE
.PP
\fBSAVE_IPSETS=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
If SAVE_IPSETS=Yes, then the current contents of your ipsets will be saved by the
\fBshorewall save\fR
command\&. Regardless of the setting of SAVE_IPSETS, if saved ipset contents are available then they will be restored by
\fBshorewall restore\fR\&.
.RE
.PP
\fBSHOREWALL_COMPILER=\fR{\fBperl\fR|\fBshell\fR}
.RS 4
Specifies the compiler to use to generate firewall scripts when both compilers are installed\&. The value of this option can be either
\fBperl\fR
or
\fBshell\fR\&. If both compilers are installed and SHOREWALL_SHELL is not set, then SHOREWALL_SHELL=shell is assumed\&.
.sp
If you add \'SHOREWALL_COMPILER=perl\' to
\FC/etc/shorewall/shorewall\&.conf\F[]
then by default, the Shorewall\-perl compiler will be used on the system\&. If you add it to
\FCshorewall\&.conf\F[]
in a separate directory (such as a Shorewall\-lite export directory) then the Shorewall\-perl compiler will only be used when you compile from that directory\&.
.sp
If you only install one compiler, it is suggested that you do not set SHOREWALL_COMPILER\&.
.sp
This setting may be overriden in those commands that invoke the compiler by using the \-C command option (see
\m[blue]\fBshorewall\fR\m[]\&\s-2\u[15]\d\s+2(8))\&.
.RE
.PP
\fBSHOREWALL_SHELL=\fR[\fIpathname\fR]
.RS 4
This option is used to specify the shell program to be used to run the Shorewall compiler and to interpret the compiled script\&. If not specified or specified as a null value, /bin/sh is assumed\&. Using a light\-weight shell such as ash or dash can significantly improve performance\&.
.RE
.PP
\fBSMURF_LOG_LEVEL=\fR[\fIlog\-level\fR]
.RS 4
Specifies the logging level for smurf packets (see the nosmurfs option in
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[10]\d\s+2(5))\&. If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged\&.
.RE
.PP
\fBSTARTUP_ENABLED=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Determines if Shorewall is allowed to start\&. As released from shorewall\&.net, this option is set to
\fBNo\fR\&. When set to
\fBYes\fR
or
\fByes\fR, Shorewall may be started\&. Used as a guard against Shorewall being accidentally started before it has been configured\&.
.RE
.PP
\fBSTARTUP_LOG=\fR[\fIpathname\fR]
.RS 4
If specified, determines where Shorewall will log the details of each
\fBstart\fR,
\fBrestart\fR
and
\fBrefresh\fR
command\&. Logging verbosity is determined by the setting of LOG_VERBOSITY above\&.
.RE
.PP
\fBSUBSYSLOCK=\fR[\fIpathname\fR]
.RS 4
This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops\&. Creating and removing this file allows Shorewall to work with your distribution\'s initscripts\&. For RedHat and OpenSuSE, this should be set to /var/lock/subsys/shorewall\&. For Debian, the value is /var/lock/shorewall and in LEAF it is /var/run/shorwall\&.
.RE
.PP
\fBTC_ENABLED=\fR[\fBYes\fR|\fBNo\fR|\fBInternal\fR]
.RS 4
If you say
\fBYes\fR
or
\fByes\fR
here, Shorewall will use a script that you supply to configure traffic shaping\&. The script must be named \'tcstart\' and must be placed in a directory on your CONFIG_PATH\&.
.sp
If you say
\fBNo\fR
or
\fBno\fR
then traffic shaping is not enabled\&.
.sp
If you set TC_ENABLED=Internal or internal or leave the option empty then Shorewall will use its builtin traffic shaper (tc4shorewall written by Arne Bernin\&.
.RE
.PP
\fBTC_EXPERT=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
Normally, Shorewall tries to protect users from themselves by preventing PREROUTING and OUTPUT tcrules from being applied to packets that have been marked by the \'track\' option in
\m[blue]\fBshorewall\-providers\fR\m[]\&\s-2\u[16]\d\s+2(5)\&.
.sp
If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall will not include these cautionary checks\&.
.RE
.PP
\fBTCP_FLAGS_DISPOSITION=\fR[\fBACCEPT\fR|\fBDROP\fR|\fBREJECT\fR]
.RS 4
Determines the disposition of TCP packets that fail the checks enabled by the
\fBtcpflags\fR
interface option (see
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[10]\d\s+2(5)) and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet)\&. If not set or if set to the empty value (e\&.g\&., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed\&.
.RE
.PP
\fBTCP_FLAGS_LOG_LEVEL=\fR[\fIlog\-level\fR]
.RS 4
Determines the syslog level for logging packets that fail the checks enabled by the tcpflags interface option\&. The value must be a valid syslogd log level\&. If you don\'t want to log these packets, set to the empty value (e\&.g\&., TCP_FLAGS_LOG_LEVEL="")\&.
.RE
.PP
\fBUSE_ACTIONS=\fR{\fBYes\fR|\fBNo\fR}
.RS 4
While Shorewall Actions can be very useful, they also require a sizable amount of code to implement\&. By setting USE_ACTIONS=No, embedded Shorewall installations can omit the large library /usr/share/shorewall\-shell/lib\&.actions\&.
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
USE_ACTIONS=No is not supported by Shorewall\-perl\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBUSE_DEFAULT_RT=\fR[\fBYes\fR|\fBNo\fR]
.RS 4
When set to \'Yes\', this option causes the Shorewall multi\-ISP feature to create a different set of routing rules which are resilient to changes in the main routing table\&. Such changes can occur for a number of reasons, VPNs going up and down being an example\&. The idea is to send packets through the main table prior to applying any of the Shorewall\-generated routing rules\&. So changes to the main table will affect the routing of packets by default\&.
.sp
When USE_DEFAULT_RT=Yes:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Both the DUPLICATE and the COPY columns in
\m[blue]\fBproviders\fR\m[]\&\s-2\u[16]\d\s+2(5) file must remain empty (or contain "\-")\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
The default route is added to the the \'default\' table rather than to the main table\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
\fBbalance\fR
is assumed unless
\fBloose\fR
is specified\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
Packets are sent through the main routing table by a rule with priority 999\&. In
\m[blue]\fBrouting_rules\fR\m[]\&\s-2\u[17]\d\s+2(5), the range 1\-998 may be used for inserting rules that bypass the main table\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  5." 4.2
.\}
All provider gateways must be specified explicitly in the GATEWAY column\&.
\fBdetect\fR
may not be specified\&..if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
Beginning with Shorewall 4\&.2\&.6,
\fBdetect\fR
may be specified for interfaces whose configuration is managed by dhcpcd\&. Shorewall will use dhcpcd\'s database to find the interfaces\'s gateway\&.
.sp .5v
.EM yellow
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  6." 4.2
.\}
You should disable all default route management outside of Shorewall\&. If a default route is added to the main table while Shorewall is started, then all policy routing will stop working (except for those routing rules in the priority range 1\-998)\&.
.RE
.RS 4
If USE_DEFAULT_RT is not set or if it is set to the empty string then USE_DEFAULT_RT=No is assumed\&.
.RE
.PP
\fBVERBOSITY=\fR[\fInumber\fR]
.RS 4
Shorewall has traditionally been very noisy (produced lots of output)\&. You may set the default level of verbosity using the VERBOSITY OPTION\&.
.sp
Values are:
.RS 4
0 \- Silent\&. You may make it more verbose using the \-v
            option
.RE
.RS 4
1 \- Major progress messages displayed
.RE
.RS 4
2 \- All progress messages displayed (pre Shorewall\-3\&.2\&.0
            behavior)
.RE
If not specified, then 2 is assumed\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/shorewall\&.conf
.SH "See ALSO"
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsec(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-route_rules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "Notes"
.IP " 1." 4
shorewall-policy
.RS 4
\%http://www.shorewall.net/manpages/shorewall-policy.html
.RE
.IP " 2." 4
shorewall-nat
.RS 4
\%http://www.shorewall.net/manpages/shorewall-nat.html
.RE
.IP " 3." 4
shorewall-masq
.RS 4
\%http://www.shorewall.net/manpages/shorewall-masq.html
.RE
.IP " 4." 4
shorewall-routestopped
.RS 4
\%http://www.shorewall.net/manpages/shorewall-routestopped.html
.RE
.IP " 5." 4
shorewall-tcrules
.RS 4
\%http://www.shorewall.net/manpages/shorewall-tcrules.html
.RE
.IP " 6." 4
shorewall-blacklist
.RS 4
\%http://www.shorewall.net/manpages/shorewall-blacklist.html
.RE
.IP " 7." 4
shorewall-rules
.RS 4
\%http://www.shorewall.net/manpages/shorewall-rules.html
.RE
.IP " 8." 4
shorewall-zones
.RS 4
\%http://www.shorewall.net/manpages/shorewall-zones.html
.RE
.IP " 9." 4
shorewall-nesting
.RS 4
\%http://www.shorewall.net/manpages/shorewall-nesting.html
.RE
.IP "10." 4
shorewall-interfaces
.RS 4
\%http://www.shorewall.net/manpages/shorewall-interfaces.html
.RE
.IP "11." 4
shorewall-maclist
.RS 4
\%http://www.shorewall.net/manpages/shorewall-maclist.html
.RE
.IP "12." 4
shorewall.conf
.RS 4
\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP "13." 4
the complete matrix of host groups defined by the zones, interfaces and hosts files
.RS 4
\%http://www.shorewall.net/manpages/../ScalabilityAndPerformance.html
.RE
.IP "14." 4
shorewall-rfc1918
.RS 4
\%http://www.shorewall.net/manpages/shorewall-rfc1918.html
.RE
.IP "15." 4
shorewall
.RS 4
\%http://www.shorewall.net/manpages/shorewall.html
.RE
.IP "16." 4
shorewall-providers
.RS 4
\%http://www.shorewall.net/manpages/shorewall-providers.html
.RE
.IP "17." 4
routing_rules
.RS 4
\%http://www.shorewall.net/manpages/shorewall-routing_rules.html
.RE