SHOREWALL-STOPPEDRU(5) [FIXME: manual] SHOREWALL-STOPPEDRU(5)NAME
stoppedrules - The Shorewall file that governs what traffic flows
through the firewall while it is in the 'stopped' state.
SYNOPSIS
/etc/shorewall/stoppedrules
DESCRIPTION
This file is used to define the hosts that are accessible when the
firewall is stopped or is being stopped.
Warning
Changes to this file do not take effect until after the next
shorewall start, shorewall restart, or shorewall compile command.
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used
in the alternate specification syntax).
ACTION - ACCEPT|NOTRACK
Determines the disposition of the packet. ACCEPT means that the
packet will be accepted. NOTRACK indicates that no conntrack entry
should be created for the packet. NOTRACK does not imply ACCEPT.
SOURCE -
[-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,address]...]
$FW matches packets originating on the firewall itself, while
interface specifies packets arriving on the named interface.
This column may also include a comma-separated list of IP/subnet
addresses. If your kernel and iptables include iprange match
support, IP address ranges are also allowed. Ipsets and exclusion
are also supported. When $FW or interface are specified, the list
must be preceded by a colon (":").
If left empty or supplied as "-", 0.0.0.0/0 is assumed.
DEST -
[-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,address]...]
$FW matches packets addressed the firewall itself, while interface
specifies packets arriving on the named interface. Neither may be
specified if the target is NOTRACK.
This column may also include a comma-separated list of IP/subnet
addresses. If your kernel and iptables include iprange match
support, IP address ranges are also allowed. Ipsets and exclusion
are also supported. When $FW or interface are specified, the list
must be preceded by a colon (":").
If left empty or supplied as "-", 0.0.0.0/0 is assumed.
PROTO (Optional) – protocol-name-or-number[,...]
Protocol.
Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.
DEST PORT(S) (dport) – service-name/port-number-list
Optional. A comma-separated list of port numbers and/or service
names from /etc/services. May also include port ranges of the form
low-port:high-port if your kernel and iptables include port range
support.
SOURCE PORT(S) (sport) – service-name/port-number-list
Optional. A comma-separated list of port numbers and/or service
names from /etc/services. May also include port ranges of the form
low-port:high-port if your kernel and iptables include port range
support.
Beginning with Shorewall 4.5.15, you may place '=' in this column,
provided that the DEST PORT(S) column is non-empty. This causes the
rule to match when either the source port or the destination port
in a packet matches one of the ports specified in DEST PORTS(S).
Use of '=' requires multi-port match in your iptables and kernel.
FILES
/etc/shorewall/stoppedrules
SEE ALSO
http://shorewall.net/starting_and_stopping_shorewall.htm
http://shorewall.net/configuration_file_basics.htm#Pairs
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)
[FIXME: source] 12/19/2013 SHOREWALL-STOPPEDRU(5)
