#
# Shorewall6 - Sample Stoppedrules File for two-interface configuration.
# Copyright (C) 2012-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-stoppedrules"
###############################################################################
#
# This file is used to define the hosts that are accessible when the firewall is
# stopped or is being stopped.
#
# Warning
#
# Changes to this file do not take effect until after the next shorewall start,
# shorewall reload, shorewall restart, or shorewall compile command.
#
# The columns in the file are as follows (where the column name is followed by a
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
# ACTION - ACCEPT|NOTRACK|DROP
#
# Determines the disposition of the packet.
#
# ACCEPT means that the packet will be accepted.
#
# NOTRACK indicates that no conntrack entry should be created for the packet.
# NOTRACK does not imply ACCEPT.
#
# DROP was added in Shorewall 4.6.0 and causes the packet to be dropped in
# the raw table's PREROUTING chain.
#
# SOURCE - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,
# address]...]
#
# $FW matches packets originating on the firewall itself, while interface
# specifies packets arriving on the named interface.
#
# This column may also include a comma-separated list of IP/subnet addresses.
# If your kernel and iptables include iprange match support, IP address
# ranges are also allowed. Ipsets and exclusion are also supported. When $FW
# or interface are specified, the list must be preceded by a colon (":").
#
# If left empty or supplied as "-", 0.0.0.0/0 is assumed.
#
# DEST - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,
# address]...]
#
# $FW matches packets addressed the firewall itself, while interface
# specifies packets arriving on the named interface. Neither may be specified
# if the target is NOTRACK or DROP.
#
# This column may also include a comma-separated list of IP/subnet addresses.
# If your kernel and iptables include iprange match support, IP address
# ranges are also allowed. Ipsets and exclusion are also supported. When $FW
# or interface are specified, the list must be preceded by a colon (":").
#
# If left empty or supplied as "-", 0.0.0.0/0 is assumed.
#
# PROTO (Optional) â protocol-name-or-number[,...]
#
# Protocol.
#
# Beginning with Shorewall 4.5.12, this column can accept a comma-separated
# list of protocols.
#
# DPORT â service-name/port-number-list
#
# Optional. A comma-separated list of port numbers and/or service names from
# /etc/services. May also include port ranges of the form low-port:high-port
# if your kernel and iptables include port range support.
#
# This column was formerly labelled DEST PORT(S).
#
# SPORT â service-name/port-number-list
#
# Optional. A comma-separated list of port numbers and/or service names from
# /etc/services. May also include port ranges of the form low-port:high-port
# if your kernel and iptables include port range support.
#
# Beginning with Shorewall 4.5.15, you may place '=' in this column, provided
# that the DPORT column is non-empty. This causes the rule to match when
# either the source port or the destination port in a packet matches one of
# the ports specified in DEST PORTS(S). Use of '=' requires multi-port match
# in your iptables and kernel.
#
# This column was formerly labelled SOURCE PORT(S).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
ACCEPT LOC_IF -
ACCEPT - LOC_IF
