SHOREWALL-TCRULES(5) [FIXME: manual] SHOREWALL-TCRULES(5)NAME
tcrules - Shorewall Packet Marking rules file
SYNOPSIS
/etc/shorewall/tcrules
DESCRIPTION
Entries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.
Important
Unlike rules in the shorewall-rules[1](5) file, evaluation of rules
in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.
If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at
http://shorewall.net/MultiISP.html.
Beginning with Shorewall 4.5.4, the tcrules file supports two different
formats:
FORMAT 1 (default - deprecated)
The older limited-function version of TPROXY is supported.
FORMAT 2
The newer version of TPROXY is supported.
The format is specified by a line as follows:
[?]FORMAT {1|2}
The optional '?' was introduced in Shorewall 4.5.11 and ?FORMAT is the
preferred form; the form without the '?' is deprecated.
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used
in the alternate specification syntax).
ACTION (mark) - mark
Where mark may assume one of the following values.
1. A mark value which is an integer in the range 1-255.
Normally will set the mark value. If preceded by a vertical bar
("|"), the mark value will be logically ORed with the current
mark value to produce a new mark value. If preceded by an
ampersand ("&"), will be logically ANDed with the current mark
value to produce a new mark value.
Both "|" and "&" require Extended MARK Target support in your
kernel and iptables; neither may be used with connection marks
(see below).
May optionally be followed by :P, :F,:T or :I where :P
indicates that marking should occur in the PREROUTING chain, :F
indicates that marking should occur in the FORWARD chain, :I
indicates that marking should occur in the INPUT chain (added
in Shorewall 4.4.13), and :T indicates that marking should
occur in the POSTROUTING chain. If neither :P, :F nor :T follow
the mark value then the chain is determined as follows:
- If the SOURCE is
$FW[:address-or-range[,address-or-range]...], then the rule is
inserted into the OUTPUT chain. When HIGH_ROUTE_MARKS=Yes, only
high mark values may be assigned there. Packet marking rules
for traffic shaping of packets originating on the firewall must
be coded in the POSTROUTING chain (see below).
- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf[2](5).
Please note that :I is included for completeness and affects
neither traffic shaping nor policy routing.
If your kernel and iptables include CONNMARK support then you
can also mark the connection rather than the packet.
The mark value may be optionally followed by "/" and a mask
value (used to determine those bits of the connection mark to
actually be set). When a mask is specified, the result of
logically ANDing the mark value with the mask must be the same
as the mark value.
The mark and optional mask are then followed by one of:
C
Mark the connection in the chain determined by the setting
of MARK_IN_FORWARD_CHAIN
CF
Mark the connection in the FORWARD chain
CP
Mark the connection in the PREROUTING chain.
CT
Mark the connection in the POSTROUTING chain
CI
Mark the connection in the INPUT chain. This option is
included for completeness and has no applicability to
traffic shaping or policy routing.
2. A mark range which is a pair of integers separated by a dash
("-"). Added in Shorewall 4.5.9.
May be optionally followed by a slash ("/") and a mask and
requires the Statistics Match capability in iptables and
kernel. Marks in the specified range are assigned to packets on
a round-robin fashion.
When a mask is specified, the result of logically ANDing each
mark value with the mask must be the same as the mark value.
The least significant bit in the mask is used as an increment.
For example, if '0x200-0x400/0xff00' is specified, then the
assigned mark values are 0x200, 0x300 and 0x400 in equal
proportions. If no mask is specified, then ( 2 ** MASK_BITS ) -
1 is assumed (MASK_BITS is set in shorewall.conf[2](5)).
May optionally be followed by :P, :F,:T or :I where :P
indicates that marking should occur in the PREROUTING chain, :F
indicates that marking should occur in the FORWARD chain, :I
indicates that marking should occur in the INPUT chain (added
in Shorewall 4.4.13), and :T indicates that marking should
occur in the POSTROUTING chain. If neither :P, :F nor :T follow
the mark value then the chain is determined as follows:
- If the SOURCE is
$FW[:address-or-range[,address-or-range]...], then the rule is
inserted into the OUTPUT chain. When HIGH_ROUTE_MARKS=Yes, only
high mark values may be assigned there. Packet marking rules
for traffic shaping of packets originating on the firewall must
be coded in the POSTROUTING chain (see below).
- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf[2](5).
Please note that :I is included for completeness and affects
neither traffic shaping nor policy routing.
If your kernel and iptables include CONNMARK support then you
can also mark the connection rather than the packet.
The mark range and optional mask can then followed by one of:
C
Mark the connection in the chain determined by the setting
of MARK_IN_FORWARD_CHAIN
CF
Mark the connection in the FORWARD chain
CP
Mark the connection in the PREROUTING chain.
CT
Mark the connection in the POSTROUTING chain
CI
Mark the connection in the INPUT chain. This option is
included for completeness and has no applicability to
traffic shaping or policy routing.
3. A classification Id (classid) of the form major:minor where
major and minor are integers. Corresponds to the 'class'
specification in these traffic shaping modules:
atm
cbq
dsmark
pfifo_fast
htb
prio
Classification occurs in the POSTROUTING chain except when the
SOURCE is $FW[:address] in which case classification occurs in
the OUTPUT chain.
When using Shorewall's built-in traffic shaping tool, the major
class is the device number (the first device in
shorewall-tcdevices[3](5) is major class 1, the second device
is major class 2, and so on) and the minor class is the class's
MARK value in shorewall-tcclasses[4](5) preceded by the number
1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to
minor class 15, MARK 22 corresponds to minor class 122, etc.).
Beginning with Shorewall 4.4.27, the classid may be optionally
followed by ':' and a capital letter designating the chain
where classification is to occur.
F
FORWARD chain.
T
POSTROUTING chain (default).
4. CHECKSUM
Added in Shorewall 4.5.9. Compute and fill in the checksum in a
packet that lacks a checksum. This is particularly useful if
you need to work around old applications, such as dhcp clients,
that do not work well with checksum offloads, but you don't
want to disable checksum offload in your device.
Requires 'Checksum Target' support in your kernel and iptables.
5. [?]COMMENT -- the rest of the line will be attached as a
comment to the Netfilter rule(s) generated by the following
entries. The comment will appear delimited by "/* ... */" in
the output of shorewall show mangle
To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.
Note
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
COMMENT and is preferred.
6. CONTINUE Don't process any more marking rules –in the table.
As in 1) above, may be followed by :P or :F. Currently,
CONTINUE may not be used with exclusion (see the SOURCE and
DEST columns below); that restriction will be removed when
iptables/Netfilter provides the necessary support.
7. DIVERT
Added in Shorewall 4.5.4 and only available when FORMAT is 2.
Two DIVERT rule should precede the TPROXY rule and should
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
(assuming that tcp port 80 is being proxied). DIVERT avoids
sending packets to the TPROXY target once a socket connection
to Squid3 has been established by TPROXY. DIVERT marks the
packet with a unique mark and exempts it from any rules that
follow.
8. DROP
Added in Shorewall 4.5.21.4. Causes matching packets to be
discarded.
9. DSCP(dscp)
Added in Shorewall 4.5.1. Sets the Differentiated Services Code
Point field in the IP header. The dscp value may be given as an
even number (hex or decimal) or as the name of a DSCP class.
Valid class names and their associated hex numeric values are:
CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2e
To indicate more than one class, add their hex values together
and specify the result.
May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.
F
FORWARD chain.
T
POSTROUTING chain (default).
10. IMQ(number)
Added in Shorewall 4.5.1. Specifies that the packet should be
passed to the IMQ identified by number. Requires IMQ Target
support in your kernel and iptables.
11. IPMARK – Assigns a mark to each matching packet based on the
either the source or destination IP address. By default, it
assigns a mark value equal to the low-order 8 bits of the
source address. Default values are:
src
mask1 = 0xFF
mask2 = 0x00
shift = 0
'src' and 'dst' specify whether the mark is to be based on the
source or destination address respectively. The selected
address is first shifted to the right by shift bits. The result
is then LANDed with mask1 then LORed with mask2.
In a sense, the IPMARK target is more like an IPCLASSIFY target
in that the mark value is later interpreted as a class ID. A
packet mark is 32 bits wide; so is a class ID. The <major>
class occupies the high-order 16 bits and the <minor> class
occupies the low-order 16 bits. So the class ID 1:4ff (remember
that class IDs are always in hex) is equivalent to a mark value
of 0x104ff. Remember that Shorewall uses the interface number
as the <major> number where the first interface in tcdevices
has <major> number 1, the second has <major> number 2, and so
on.
The IPMARK target assigns a mark to each matching packet based
on the either the source or destination IP address. By default,
it assigns a mark value equal to the low-order 8 bits of the
source address. The syntax is as follows:
IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])] Default
values are:
src
mask1 = 0xFF
mask2 = 0x00
shift = 0
src and dst specify whether the mark is to be based on the
source or destination address respectively. The selected
address is first shifted right by shift, then LANDed with mask1
and then LORed with mask2. The shift argument is intended to be
used primarily with IPv6 addresses.
Example: IPMARK(src,0xff,0x10100)
Suppose that the source IP address is 192.168.4.3 =
0xc0a80403; then
0xc0a80403 >> 0 = 0xc0a80403
0xc0a80403 LAND 0xFF = 0x03
0x03 LOR 0x0x10100 = 0x10103 or class ID
1:103
It is important to realize that, while class IDs are composed
of a major and a minor value, the set of values must be unique.
That is, the same numeric value cannot be used as both a major
and a minor number for the same interface unless class nesting
occurs (which is not currently possible with Shorewall). You
should keep this in mind when deciding how to map IP addresses
to class IDs.
For example, suppose that your internal network is
192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
Your first notion might be to use IPMARK(src,0xFF,0x10000) so
as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
class ID since the major and minor classes are equal. So you
might choose instead to use IPMARK(src,0xFF,0x10100) as in the
example above so that all of your minor classes will have a
value > 256.
12. RESTORE[/mask] -- restore the packet's mark from the
connection's mark using the supplied mask if any. Your kernel
and iptables must include CONNMARK support.
As in 1) above, may be followed by :P or :F
13. SAME Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some
of the connections are routed through one provider and some
through another. The SAME target allows you to work around that
problem. SAME may be used in the PREROUTING and OUTPUT chains.
When used in PREROUTING, it causes matching connections from an
individual local system to all use the same provider. For
example:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
If a host in 192.168.1.0/24 attempts a connection on TCP port
80 or 443 and it has sent a packet on either of those ports in
the last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.
When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.
14. SAVE[/mask] -- save the packet's mark to the connection's mark
using the supplied mask if any. Your kernel and iptables must
include CONNMARK support.
As in 1) above, may be followed by :P or :F
15. STATE {NEW|RELATED|ESTABLISHED|INVALID} [,...]
Added in Shorewall 4.5.9. The rule will only match if the
packet's connection is in one of the listed states.
16. TOS(tos[/mask])
Added in Shorewall 4.5.1. Sets the Type of Service field in the
IP header. The tos value may be given as an number (hex or
decimal) or as the name of a TOS type. Valid type names and
their associated hex numeric values are:
Minimize-Delay => 0x10,
Maximize-Throughput => 0x08,
Maximize-Reliability => 0x04,
Minimize-Cost => 0x02,
Normal-Service => 0x00
To indicate more than one class, add their hex values together
and specify the result.
When tos is given as a number, it may be optionally followed by
'/' and a mask. When no mask is given, the value 0xff is
assumed. When tos is given as a type name, the mask 0x3f is
assumed.
The action performed is to zero out the bits specified by the
mask, then set the bits specified by tos.
May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.
F
FORWARD chain.
T
POSTROUTING chain.
17. TPROXY(mark[,[port][,[address]]]) -- FORMAT 1
Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in
shorewall-providers[5](5).
There are three parameters to TPROXY - only the first (mark) is
required:
· mark - the MARK value corresponding to the local provider
in shorewall-providers[5](5).
· port - the port on which the proxy server is listening. If
omitted, the original destination port.
· address - a local (to the firewall) IP address on which the
proxy server is listening. If omitted, the IP address of
the interface on which the request arrives.
18. TPROXY([port][,address]) -- FORMAT 2
Transparently redirects a packet without altering the IP
header. Requires a tproxy provider to be defined in
shorewall-providers[5](5).
There are three parameters to TPROXY - neither is required:
· port - the port on which the proxy server is listening. If
omitted, the original destination port.
· address - a local (to the firewall) IP address on which the
proxy server is listening. If omitted, the IP address of
the interface on which the request arrives.
19. TTL([-|+]number)
Added in Shorewall 4.4.24.
Prior to Shorewall 4.5.7.2, may be optionally followed by :F
but the resulting rule is always added to the FORWARD chain.
Beginning with Shorewall 4.5.7.s, it may be optionally followed
by :P, in which case the rule is added to the PREROUTING chain.
If + is included, packets matching the rule will have their TTL
incremented by number. Similarly, if - is included, matching
packets have their TTL decremented by number. If neither + nor
- is given, the TTL of matching packets is set to number. The
valid range of values for number is 1-255.
SOURCE -
{-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
May be:
1. An interface name - matches traffic entering the firewall on
the specified interface. May not be used in classify rules or
in rules using the :T chain qualifier.
2. A comma-separated list of host or network IP addresses or MAC
addresses. This form will not match traffic that originates on
the firewall itself unless either <major><minor> or the :T
chain qualifier is used in the ACTION column.
Examples:.RS 4 0.0.0.0/0
192.168.1.0/24, 172.20.4.0/24
3. An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses. May not be used in classify rules or in rules using the
:T chain qualifier.
4. $FW optionally followed by a colon (":") and a comma-separated list
of host or network IP addresses. Matches packets originating on the
firewall. May not be used with a chain qualifier (:P, :F, etc.) in
the ACTION column.
MAC addresses must be prefixed with "~" and use "-" as a separator.
Example: ~00-A0-C9-15-39-78
You may exclude certain hosts from the set already defined through use
of an exclusion (see shorewall-exclusion[6](5)).
DEST -
{-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
May be:
1. An interface name. May not be used in the PREROUTING chain (:P
in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in shorewall.conf[7] (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.
2. A comma-separated list of host or network IP addresses. The
list may include ip address ranges if your kernel and iptables
include iprange support.
3. Beginning with Shorewall 4.4.13, $FW may be specified by itself
or qualified by an address list. This causes marking to occur
in the INPUT chain.
You may exclude certain hosts from the set already defined through
use of an exclusion (see shorewall-exclusion[6](5)).
PROTO -
{-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}
Protocol - ipp2p requires ipp2p match support in your kernel and
iptables.
Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.
PORT(S) (dport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]
Optional destination Ports. A comma-separated list of Port names
(from services(5)), port numbers or port ranges; if the protocol is
icmp, this column is interpreted as the destination icmp-type(s).
ICMP types may be specified as a numeric type, a numeric type and
code separated by a slash (e.g., 3/4), or a typename. See
http://www.shorewall.net/configuration_file_basics.htm#ICMP.
If the protocol is ipp2p, this column is interpreted as an ipp2p
option without the leading "--" (example bit for bit-torrent). If
no PORT is given, ipp2p is assumed.
An entry in this field requires that the PROTO column specify icmp
(1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any
of the following field is supplied.
SOURCE PORT(S) (sport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]
Optional source port(s). If omitted, any source port is acceptable.
Specified as a comma-separated list of port names, port numbers or
port ranges.
An entry in this field requires that the PROTO column specify tcp
(6), udp (17), sctp (132) or udplite (136). Use '-' if any of the
following fields is supplied.
Beginning with Shorewall 4.5.15, you may place '=' in this column,
provided that the DEST PORT(S) column is non-empty. This causes the
rule to match when either the source port or the destination port
in a packet matches one of the ports specified in DEST PORTS(S).
Use of '=' requires multi-port match in your iptables and kernel.
USER - [!][user-name-or-number][:group-name-or-number][+program-name]
This optional column may only be non-empty if the SOURCE is the
firewall itself.
When this column is non-empty, the rule applies only if the program
generating the output is running under the effective user and/or
group specified (or is NOT running under that id if "!" is given).
Examples:
joe
program must be run by joe
:kids
program must be run by a member of the 'kids' group
!:kids
program must not be run by a member of the 'kids' group
+upnpd
#program named upnpd
Important
The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.
TEST - [!]value[/mask][:C]
Optional - Defines a test on the existing packet or connection
mark. The rule will match only if the test returns true.
If you don't want to define a test but need to specify anything in
the following columns, place a "-" in this field.
!
Inverts the test (not equal)
value
Value of the packet or connection mark.
mask
A mask to be applied to the mark before testing.
:C
Designates a connection mark. If omitted, the packet mark's
value is tested.
LENGTH - [length|[min]:[max]]
Optional - packet payload length. This field, if present allow you
to match the length of a packet payload (Layer 4 data ) against a
specific value or range of values. You must have iptables length
support for this to work. A range is specified in the form min:max
where either min or max (but not both) may be omitted. If min is
omitted, then 0 is assumed; if max is omitted, than any packet that
is min or longer will match.
TOS - tos
Type of service. Either a standard name, or a numeric value to
match.
Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
Minimize-Cost (2)
Normal-Service (0)
CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
Optional connection Bytes; defines a byte or packet range that the
connection must fall within in order for the rule to match.
A packet matches if the the packet/byte count is within the range
defined by min and max (unless ! is given in which case, a packet
matches if the packet/byte count is not within the range). min is
an integer which defines the beginning of the byte/packet range.
max is an integer which defines the end of the byte/packet range;
if omitted, only the beginning of the range is checked. The first
letter gives the direction which the range refers to:O - The
original direction of the connection. .sp - The opposite direction
from the original connection. .sp B - The total of both directions.
If omitted, B is assumed.
The second letter determines what the range refers to.B - Bytes .sp
P - Packets .sp A - Average packet size.If omitted, B is assumed.
HELPER - helper
Names a Netfilter protocol helper module such as ftp, sip, amanda,
etc. A packet will match if it was accepted by the named helper
module.
Example: Mark all FTP data connections with mark 4:
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
PROBABILITY - [probability]
Added in Shorewall 4.5.0. When non-empty, requires the Statistics
Match capability in your kernel and ip6tables and causes the rule
to match randomly but with the given probability. The probability
is a number 0 < probability <= 1 and may be expressed at up to 8
decimal points of precision.
DSCP - [[!]dscp]
Added in Shorewall 4.5.1. When non-empty, match packets whose
Differentiated Service Code Point field matches the supplied value
(when '!' is given, the rule matches packets whose DSCP field does
not match the supplied value). The dscp value may be given as an
even number (hex or decimal) or as the name of a DSCP class. Valid
class names and their associated hex numeric values are:
CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2e
EXAMPLE
Example 1:
Mark all ICMP echo traffic with packet mark 1. Mark all peer to
peer traffic with packet mark 4.
This is a little more complex than otherwise expected. Since the
ipp2p module is unable to determine all packets in a connection are
P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match.
We assume packet/connection mark 0 means unclassified.
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S)
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
If a packet hasn't been classified (packet mark is 0), copy the
connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark.
Example 2:
SNAT outgoing connections on eth0 from 192.168.1.0/24 in
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
(Shorewall 4.5.9 and later).
/etc/shorewall/tcrules:
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S)
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS ...
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C
FILES
/etc/shorewall/tcrules
SEE ALSO
http://shorewall.net/traffic_shaping.htm
http://shorewall.net/MultiISP.html
http://shorewall.net/PacketMarking.html
http://shorewall.net/configuration_file_basics.htm#Pairs
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)NOTES
1. shorewall-rules
http://www.shorewall.net/manpages/shorewall-rules.html
2. shorewall.conf
http://www.shorewall.net/manpages/shorewall.conf.html
3. shorewall-tcdevices
http://www.shorewall.net/manpages/shorewall-tcdevices.html
4. shorewall-tcclasses
http://www.shorewall.net/manpages/shorewall-tcclasses.html
5. shorewall-providers
http://www.shorewall.net/manpages/shorewall-providers.html
6. shorewall-exclusion
http://www.shorewall.net/manpages/shorewall-exclusion.html
7. shorewall.conf
http://www.shorewall.net/manpages/shorewall.conf
[FIXME: source] 12/19/2013 SHOREWALL-TCRULES(5)
