Configuration Files Tips and Hints

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2023/02/18


Table of Contents

Introduction
Files
Man Pages
Comments
Names
Zone and Chain Names
Capabilities
"Blank" Columns
Line Continuation
Alternate Specification of Column Values - Shorewall 4.4.24 and Later
Using Netfilter Features not Directly Supported by Shorewall
Addresses
Specifying SOURCE and DEST
INCLUDE Directive
?FORMAT Directive
?COMMENT Directive
CONFIG_PATH
Using Shell Variables
Address Variables
Port Variables
Action Variables
Shorewall Variables
Conditional Entries
Embedded Shell and Perl
Using DNS Names
Comma-separated Lists
Complementing an Address, Subnet, Protocol or Port List
Exclusion Lists
IP Address Ranges
Protocol Number/Names and Port Numbers/Service Names
Port Ranges
Port Lists
ICMP and ICMP6 Types and Codes
Using MAC Addresses
Rate Limiting (Rate and Burst)
TIME Columns
Switches
Logical Interface Names
Optional and Required Interfaces
Shorewall Configurations
Saved Configurations

Caution

This article applies to Shorewall 5.0 and later. If you are running a version of Shorewall earlier than Shorewall 5.0.0 then please see the documentation for that release.

Caution

If you copy or edit your configuration files on a system running Microsoft Windows, you must run them through dos2unix before you use them with Shorewall.

Introduction

This article offers hints about how to accomplish common tasks with Shorewall. The Introduction to Shorewall is required reading for being able to use this article effectively. For information about setting up your first Shorewall-based firewall, see the Quickstart Guides.

Files

  • /etc/shorewall/shorewall.conf - used to set global firewall parameters.

  • /etc/shorewall/params - use this file to set shell variables that you will expand in other files. It is always processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in /etc/shorewall/shorewall.conf. Because the file is sourced as shell code, any command it contains is executed when the configuration is compiled, so it should be writable only by root.

  • /etc/shorewall/zones - partition the firewall's view of the world into zones.

  • /etc/shorewall/policy - establishes firewall high-level policy.

  • /etc/shorewall/initdone - an optional Perl script that will be invoked by the Shorewall rules compiler when the compiler has finished its initialization.

  • /etc/shorewall/interfaces - describes the interfaces on the firewall system.

  • /etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks.

  • /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT).

  • /etc/shorewall/mangle - supersedes /etc/shorewall/tcrules in Shorewall 4.6.0. Contains rules for packet marking, TTL, TPROXY, etc.

  • /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.

  • /etc/shorewall/nat - defines one-to-one NAT rules.

  • /etc/shorewall/proxyarp - defines use of Proxy ARP.

  • /etc/shorewall/routestopped - defines hosts accessible when Shorewall is stopped. Superseded in Shorewall 4.6.8 by /etc/shorewall/stoppedrules. Not supported in Shorewall 5.0.0 and later versions.

  • /etc/shorewall/tcrules - The file has a rather unfortunate name because it is used to define marking of packets for later use by both traffic control/shaping and policy routing. This file is superseded by /etc/shorewall/mangle in Shorewall 4.6.0. Not supported in Shorewall 5.0.0 and later releases.

  • /etc/shorewall/tos - defines rules for setting the TOS field in packet headers. Superseded in Shorewall 4.5.1 by the TOS targ