SHOREWALL-ROUTESTOP(5)SHOREWALL-ROUTESTOP(5)NAME
routestopped - The Shorewall file that governs what traffic flows
through the firewall while it is in 'stopped' state.
SYNOPSIS
/etc/shorewall/routestopped
DESCRIPTION
This file is used to define the hosts that are accessible when the
firewall is stopped or is being stopped. When shorewall-shell is being
used, the file also determines those hosts that are accessible when the
firewall is in the process of being [re]started.
The columns in the file are as follows.
INTERFACE - interface
Interface through which host(s) communicate with the firewall
HOST(S) (Optional) - [-|address[,address]...]
Comma-separated list of IP/subnet addresses. If your kernel and
iptables include iprange match support, IP address ranges are also
allowed.
If left empty or supplied as "-", 0.0.0.0/0 is assumed.
OPTIONS (Optional) - [-|option[,option]...]
A comma-separated list of options. The order of the options is not
important but the list can contain no embedded whitespace. The
currently-supported options are:
routeback
Set up a rule to ACCEPT traffic from these hosts back to
themselves.
source
Allow traffic from these hosts to ANY destination. Without this
option or the dest option, only traffic from this host to other
listed hosts (and the firewall) is allowed. If source is
specified then routeback is redundant.
dest
Allow traffic to these hosts from ANY source. Without this
option or the source option, only traffic from this host to
other listed hosts (and the firewall) is allowed. If dest is
specified then routeback is redundant.
critical
Allow traffic between the firewall and these hosts throughout
´[re]start´, ´stop´ and ´clear´. Specifying critical on one or
more entries will cause your firewall to be "totally open" for
a brief window during each of those operations. Examples of
where you might want to use this are:
· ´Ping´ nodes with heartbeat.
· LDAP server(s) if you use LDAP Authentication
· NFS Server if you have an NFS-mounted root filesystem.
notrack
The traffic will be exempted from conntection tracking.
PROTO (Optional) – protocol-name-or-number
Only available with Shorewall-perl 4.2.7 and later.
DEST PORT(S) (Optional) – service-name/port-number-list
Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
/etc/services. May also include port ranges of the form
low-port:high-port if your kernel and iptables include port range
support.
SOURCE PORT(S) (Optional) – service-name/port-number-list
Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
/etc/services. May also include port ranges of the form
low-port:high-port if your kernel and iptables include port range
support.
Note
The source and dest options work best when used in conjunction with
ADMINISABSENTMINDED=Yes in shorewall.conf[1](5).
EXAMPLE
Example 1:
#INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE
# PORT(S)PORT(S)
eth2 192.168.1.0/24
eth0 192.0.2.44
br0 - routeback
eth3 - source
eth4 - notrack 41
FILES
/etc/shorewall/routestopped
SEE ALSO
http://shorewall.net/starting_and_stopping_shorewall.htm
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)NOTES
1. shorewall.conf
shorewall.conf.html
09/05/2009 SHOREWALL-ROUTESTOP(5)
