# # Shorewall6 - Sample Stoppedrules File for two-interface configuration. # Copyright (C) 2012-2017 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall-stoppedrules" ############################################################################### # # This file is used to define the hosts that are accessible when the firewall is # stopped or is being stopped. # # Warning # # Changes to this file do not take effect until after the next shorewall start, # shorewall reload, shorewall restart, or shorewall compile command. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ACTION - ACCEPT|NOTRACK|DROP # # Determines the disposition of the packet. # # ACCEPT means that the packet will be accepted. # # NOTRACK indicates that no conntrack entry should be created for the packet. # NOTRACK does not imply ACCEPT. # # DROP was added in Shorewall 4.6.0 and causes the packet to be dropped in # the raw table's PREROUTING chain. # # SOURCE - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[, # address]...] # # $FW matches packets originating on the firewall itself, while interface # specifies packets arriving on the named interface. # # This column may also include a comma-separated list of IP/subnet addresses. # If your kernel and iptables include iprange match support, IP address # ranges are also allowed. Ipsets and exclusion are also supported. When $FW # or interface are specified, the list must be preceded by a colon (":"). # # If left empty or supplied as "-", 0.0.0.0/0 is assumed. # # DEST - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[, # address]...] # # $FW matches packets addressed the firewall itself, while interface # specifies packets arriving on the named interface. Neither may be specified # if the target is NOTRACK or DROP. # # This column may also include a comma-separated list of IP/subnet addresses. # If your kernel and iptables include iprange match support, IP address # ranges are also allowed. Ipsets and exclusion are also supported. When $FW # or interface are specified, the list must be preceded by a colon (":"). # # If left empty or supplied as "-", 0.0.0.0/0 is assumed. # # PROTO (Optional) â protocol-name-or-number[,...] # # Protocol. # # Beginning with Shorewall 4.5.12, this column can accept a comma-separated # list of protocols. # # DPORT â service-name/port-number-list # # Optional. A comma-separated list of port numbers and/or service names from # /etc/services. May also include port ranges of the form low-port:high-port # if your kernel and iptables include port range support. # # This column was formerly labelled DEST PORT(S). # # SPORT â service-name/port-number-list # # Optional. A comma-separated list of port numbers and/or service names from # /etc/services. May also include port ranges of the form low-port:high-port # if your kernel and iptables include port range support. # # Beginning with Shorewall 4.5.15, you may place '=' in this column, provided # that the DPORT column is non-empty. This causes the rule to match when # either the source port or the destination port in a packet matches one of # the ports specified in DEST PORTS(S). Use of '=' requires multi-port match # in your iptables and kernel. # # This column was formerly labelled SOURCE PORT(S). # ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) ACCEPT LOC_IF - ACCEPT - LOC_IF