File: stoppedrules.annotated

Package: shorewall6 5.2.3.4-1 (area: main; in suites: bullseye)
Source size: 2,252 kB; sloc: sh: 1,946; perl: 168; makefile: 34
File content: 101 lines, 4,260 bytes
#
# Shorewall6 - Sample Stoppedrules File for three-interface configuration.
# Copyright (C) 2012-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-stoppedrules"
###############################################################################
# 
# This file is used to define the hosts that are accessible when the firewall is
# stopped or is being stopped. Traffic that matches no rule here is blocked in
# the stopped state (whether already-established connections survive is
# governed by ADMINISABSENTMINDED in shorewall6.conf), so list the interface or
# host you administer from before running "shorewall6 stop" over a remote
# session.
# 
# Warning
# 
# Changes to this file do not take effect until after the next shorewall6 start,
# shorewall6 reload, shorewall6 restart, or shorewall6 compile command.
# 
# The columns in the file are as follows (where the column name is followed by a
# different name in parentheses, the different name is used in the alternate
# specification syntax).
# 
# ACTION - ACCEPT|NOTRACK|DROP
# 
#     Determines the disposition of the packet.
# 
#     ACCEPT means that the packet will be accepted.
# 
#     NOTRACK indicates that no conntrack entry should be created for the packet.
#     NOTRACK does not imply ACCEPT: it only exempts the traffic from connection
#     tracking, so add a separate ACCEPT rule if the same traffic must also get
#     through while the firewall is stopped.
# 
#     DROP was added in Shorewall 4.6.0 and causes the packet to be dropped in
#     the raw table's PREROUTING chain.
# 
# SOURCE - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,
#     address]...]
# 
#     $FW matches packets originating on the firewall itself, while interface
#     specifies packets arriving on the named interface.
# 
#     This column may also include a comma-separated list of IP/subnet addresses.
#     If your kernel and ip6tables include iprange match support, IP address
#     ranges are also allowed. Ipsets and exclusion are also supported. When $FW
#     or interface are specified, the list must be preceded by a colon (":").
# 
#     If left empty or supplied as "-", ::/0 (any address) is assumed.
# 
# DEST - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,
#     address]...]
# 
#     $FW matches packets addressed to the firewall itself, while interface
#     specifies packets leaving through the named interface. Neither may be
#     specified if the target is NOTRACK or DROP: those rules are placed in the
#     raw table's PREROUTING chain, where the packet has not been routed yet and
#     no output interface or local-delivery decision is available to match on.
# 
#     This column may also include a comma-separated list of IP/subnet addresses.
#     If your kernel and ip6tables include iprange match support, IP address
#     ranges are also allowed. Ipsets and exclusion are also supported. When $FW
#     or interface are specified, the list must be preceded by a colon (":").
# 
#     If left empty or supplied as "-", ::/0 (any address) is assumed.
# 
# PROTO (Optional) - protocol-name-or-number[,...]
# 
#     Protocol name (as in /etc/protocols) or number.
# 
#     Beginning with Shorewall 4.5.12, this column can accept a comma-separated
#     list of protocols.
# 
# DPORT - service-name/port-number-list
# 
#     Optional. A comma-separated list of port numbers and/or service names from
#     /etc/services. May also include port ranges of the form low-port:high-port
#     if your kernel and ip6tables include port range support.
# 
#     This column was formerly labelled DEST PORT(S).
# 
# SPORT - service-name/port-number-list
# 
#     Optional. A comma-separated list of port numbers and/or service names from
#     /etc/services. May also include port ranges of the form low-port:high-port
#     if your kernel and ip6tables include port range support.
# 
#     Beginning with Shorewall 4.5.15, you may place '=' in this column, provided
#     that the DPORT column is non-empty. This causes the rule to match when
#     either the source port or the destination port in a packet matches one of
#     the ports specified in DPORT. Use of '=' requires multi-port match in your
#     ip6tables and kernel.
# 
#     This column was formerly labelled SOURCE PORT(S).
# 
###############################################################################
#ACTION		SOURCE		DEST		PROTO	DPORT		SPORT
#
# LOC_IF and DMZ_IF are the logical interface names that the three-interface
# sample declares in its interfaces file (the physical devices are set in the
# sample's params file). While stopped, the firewall stays reachable from, and
# can reach, the local and DMZ interfaces; NET_IF is deliberately not listed.
ACCEPT		LOC_IF		-
ACCEPT		-		LOC_IF
ACCEPT		DMZ_IF		-
ACCEPT		-		DMZ_IF
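The column rules documented in the header above (three legal ACTIONs, a colon separating $FW or an interface from its address list, "-" meaning any address, '=' in SPORT only with a non-empty DPORT, and no $FW/interface in DEST for NOTRACK or DROP) are easy to get wrong by hand, and a mistake is only reported when the configuration is next compiled. The linter below is an added example written for this page; it is not Shorewall's compiler or any part of the shorewall6 package. It reads only the positional column syntax, does not consult /etc/services, assumes interface names look like identifiers (LOC_IF, eth0), and the sample rules and the 2001:db8:1::/64 prefix are constructed for the demonstration.

```python
"""Lint a shorewall6 stoppedrules file against the column rules documented in
its header.  Added example, not Shorewall code: it reads only the positional
syntax (ACTION SOURCE DEST PROTO DPORT SPORT), does not consult /etc/services,
and assumes interface names look like identifiers (LOC_IF, eth0)."""
import ipaddress
import re
from collections import namedtuple

ACTIONS = {"ACCEPT", "NOTRACK", "DROP"}
ANY6 = "::/0"                                     # empty or "-" SOURCE/DEST on shorewall6
_IFNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.+-]*$")              # assumed interface-name shape
_PORT_ITEM = re.compile(r"^(?:[A-Za-z][\w.+-]*|\d+(?::\d+)?)$")   # name, port or low:high
Rule = namedtuple("Rule", "lineno action source dest proto dport sport")


def _is_addr_item(item):
    """host, network, low-high range or +ipset, optionally '!'-excluded."""
    item = item.lstrip("!")
    if item.startswith("+"):
        return len(item) > 1
    try:
        for part in item.split("-", 1):           # iprange form low-high
            ipaddress.ip_network(part, strict=False)
        return True
    except ValueError:
        return False


def split_endpoint(col):
    """SOURCE/DEST column -> (where, addresses); where is $FW, an interface or None.
    IPv6 addresses contain colons, so the text before the first ':' is taken as
    $FW/interface only if everything after it is a valid address list."""
    if col in ("", "-"):
        return None, [ANY6]
    head, sep, tail = col.partition(":")
    if head == "$FW" or _IFNAME.match(head):
        if not sep:
            return head, [ANY6]
        items = tail.split(",")
        if all(_is_addr_item(i) for i in items):
            return head, items
    items = col.split(",")
    if all(_is_addr_item(i) for i in items):
        return None, items
    raise ValueError(f"unparseable SOURCE/DEST {col!r}")


def check_ports(col):
    """DPORT/SPORT list: service names, port numbers or low:high ranges."""
    if col in ("", "-"):
        return True
    for item in col.split(","):
        if not _PORT_ITEM.match(item):
            return False
        if item[0].isdigit():
            lo, _, hi = item.partition(":")
            if not 0 < int(lo) <= 65535 or (hi and not int(lo) <= int(hi) <= 65535):
                return False
    return True


def lint(text):
    """Return (rules, errors); errors are (lineno, message) tuples."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()          # '#' starts a comment
        if not cols:
            continue
        if len(cols) > 6:
            errors.append((lineno, "too many columns"))
            continue
        r = Rule(lineno, *(cols + ["-"] * (6 - len(cols))))   # missing columns mean "-"
        if r.action not in ACTIONS:
            errors.append((lineno, f"ACTION must be ACCEPT, NOTRACK or DROP, not {r.action!r}"))
        try:
            split_endpoint(r.source)
            dest_where, _ = split_endpoint(r.dest)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if r.action in ("NOTRACK", "DROP") and dest_where is not None:
            errors.append((lineno, f"{r.action} goes in raw PREROUTING; DEST may not name {dest_where}"))
        if r.sport == "=":
            if r.dport in ("", "-"):
                errors.append((lineno, "SPORT '=' requires a non-empty DPORT"))
        elif not check_ports(r.sport):
            errors.append((lineno, f"bad SPORT list {r.sport!r}"))
        if not check_ports(r.dport):
            errors.append((lineno, f"bad DPORT list {r.dport!r}"))
        rules.append(r)
    return rules, errors


# Constructed sample: the four three-interface rules plus extras, three of
# them deliberately invalid.  2001:db8:1::/64 is a documentation prefix.
SAMPLE = """\
ACCEPT  LOC_IF  -
ACCEPT  -       LOC_IF
ACCEPT  DMZ_IF  -
ACCEPT  -       DMZ_IF
ACCEPT  NET_IF:2001:db8:1::/64  $FW  tcp  22     # admin SSH from one prefix
NOTRACK NET_IF  -               udp  53
ACCEPT  LOC_IF  $FW             tcp  -    =      # bad: '=' with empty DPORT
DROP    -       LOC_IF                           # bad: interface DEST with DROP
REJECT  LOC_IF  -                                # bad: not a stoppedrules ACTION
ACCEPT  fe80::1 $FW             udp  546:547     # address with colons, not an interface
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE)[1]:
        print(f"line {lineno}: {msg}")
```

The script reports the three bad lines of the sample and accepts the rest, including the link-local address, which a naive split on ':' would have mistaken for an interface named "fe80". It is a pre-commit check for the mistakes the header describes, not a substitute for the compiler: Shorewall's own validation ("shorewall6 check") remains authoritative for everything else, such as the alternate name=value syntax and service names.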