"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "manpages/shorewall.conf.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

shorewall.conf.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):shorewall.conf.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
skipping to change at line 223 skipping to change at line 223
</simplelist> </simplelist>
<para>Beginning with Shorewall 5.1.2, the default value is 'none' <para>Beginning with Shorewall 5.1.2, the default value is 'none'
for all of these. Note that the sample configuration files do, for all of these. Note that the sample configuration files do,
however, provide settings for DROP_DEFAULT, BLACKLIST_DEFAULT and however, provide settings for DROP_DEFAULT, BLACKLIST_DEFAULT and
REJECT_DEFAULT.</para> REJECT_DEFAULT.</para>
<para>If you set the value of either option to "None" then no <para>If you set the value of either option to "None" then no
default action will be used and the default action or macro must be default action will be used and the default action or macro must be
specified in <ulink specified in <ulink
url="/manpages/shorewall-policy.html">shorewall-policy</ulink>(5).</pa ra> url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
<para>You can pass <replaceable>parameters</replaceable> to the <para>You can pass <replaceable>parameters</replaceable> to the
specified action (e.g., specified action (e.g.,
<emphasis>myaction(audit,DROP)</emphasis>).</para> <emphasis>myaction(audit,DROP)</emphasis>).</para>
<para>Beginning with Shorewall 4.5.10, the action name can be <para>Beginning with Shorewall 4.5.10, the action name can be
followed optionally by a colon and a log followed optionally by a colon and a log
<replaceable>level</replaceable>. The level will be applied to each <replaceable>level</replaceable>. The level will be applied to each
rule in the action or body that does not already have a log rule in the action or body that does not already have a log
level.</para> level.</para>
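Review bot: the only change in this hunk is the ulink target of the shorewall-policy reference, from the site-absolute `/manpages/shorewall-policy.html` to the document-relative `shorewall-policy.html`, which assumes every rendered man page is published in the same directory (the rest of this file makes the same assumption, and the `../IPv6Support.html` and `../Docker.html` references below show the intended layout). Since the surrounding prose is untouched, one nit carries over: the paragraph opens with "the default value is 'none' for all of these" but the next sentence says "If you set the value of either option to "None"", which presupposes exactly two options while the list names DROP_DEFAULT, BLACKLIST_DEFAULT and REJECT_DEFAULT; "any of these options" would match the preceding sentence.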
skipping to change at line 248 skipping to change at line 248
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ACCOUNTING=</emphasis>[<emphasis <term><emphasis role="bold">ACCOUNTING=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
is enabled (see <ulink is enabled (see <ulink
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink> url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
(5)). not specified or set to the empty value, ACCOUNTING=Yes is
If not specified or set to the empty value, ACCOUNTING=Yes is
assumed.</para> assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ACCOUNTING_TABLE=</emphasis>[<emphasis <term><emphasis role="bold">ACCOUNTING_TABLE=</emphasis>[<emphasis
role="bold">filter</emphasis>|<emphasis role="bold">filter</emphasis>|<emphasis
role="bold">mangle</emphasis>]</term> role="bold">mangle</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. This setting determines which <para>Added in Shorewall 4.4.20. This setting determines which
Netfilter table the accounting rules are added in. By default, Netfilter table the accounting rules are added in. By default,
ACCOUNTING_TABLE=filter is assumed. See also <ulink ACCOUNTING_TABLE=filter is assumed. See also <ulink
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5).</para> url="shorewall-accounting.html">shorewall-accounting</ulink>(5).</para >
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ADD_IP_ALIASES=</emphasis>[<emphasis <term><emphasis role="bold">ADD_IP_ALIASES=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>This parameter determines whether Shorewall automatically adds <para>This parameter determines whether Shorewall automatically adds
the external address(es) in <ulink the external address(es) in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5), and is url="shorewall-nat.html">shorewall-nat</ulink>(5), and is only
only available in IPv4 configurations. If the variable is set to available in IPv4 configurations. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these role="bold">yes</emphasis> then Shorewall automatically adds these
aliases. If it is set to <emphasis role="bold">No</emphasis> or aliases. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these aliases <emphasis role="bold">no</emphasis>, you must add these aliases
yourself using your distribution's network configuration yourself using your distribution's network configuration
tools.</para> tools.</para>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
(ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.</para> (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.</para>
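Review bot: besides converting the shorewall-accounting and shorewall-nat link targets to relative paths, the ACCOUNTING rewrap moves "(5)" onto the same line as `</ulink>` (old: `shorewall-accounting</ulink>` followed by a line break and `(5)`), which removes the stray space the line break produced in the rendered "shorewall-accounting (5)"; that is a small rendering fix worth keeping consistent in the other entries of this file, where the same `</ulink>` / `(5)` split still exists. Nothing in the ACCOUNTING_TABLE or ADD_IP_ALIASES text changed.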
skipping to change at line 303 skipping to change at line 303
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ADD_SNAT_ALIASES=</emphasis>[<emphasis <term><emphasis role="bold">ADD_SNAT_ALIASES=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>This parameter determines whether Shorewall automatically adds <para>This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in <ulink the SNAT ADDRESS in <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5), and url="shorewall-masq.html">shorewall-masq</ulink>(5), and is only
is only available in IPv4 configurations. If the variable is set to available in IPv4 configurations. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these role="bold">yes</emphasis> then Shorewall automatically adds these
addresses. If it is set to <emphasis role="bold">No</emphasis> or addresses. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these addresses <emphasis role="bold">no</emphasis>, you must add these addresses
yourself using your distribution's network configuration yourself using your distribution's network configuration
tools.</para> tools.</para>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
(ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para> (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
skipping to change at line 332 skipping to change at line 332
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ADMINISABSENTMINDED=</emphasis>[<emphasis <term><emphasis role="bold">ADMINISABSENTMINDED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>The value of this variable affects Shorewall's stopped state. <para>The value of this variable affects Shorewall's stopped state.
The behavior differs depending on whether <ulink The behavior differs depending on whether <ulink
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ul ink>(5) url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or <ulink or <ulink
url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ul ink>(5) url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
is used:</para> is used:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>routestopped</term> <term>routestopped</term>
<listitem> <listitem>
<para>When ADMINISABSENTMINDED=No, only traffic to/from those <para>When ADMINISABSENTMINDED=No, only traffic to/from those
addresses listed in <filename>routestopped</filename> is addresses listed in <filename>routestopped</filename> is
accepted when Shorewall is stopped. When accepted when Shorewall is stopped. When
skipping to change at line 442 skipping to change at line 442
<para>Modify the HELPERS setting (see below) to list the helpers <para>Modify the HELPERS setting (see below) to list the helpers
that you need.</para> that you need.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Either:</para> <para>Either:</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>Modify <ulink <para>Modify <ulink
url="/manpages/shorewall-conntrack.html">shorewall-conntrack</ ulink> url="shorewall-conntrack.html">shorewall-conntrack</ulink>
(5) to only apply helpers where they are required; or</para> (5) to only apply helpers where they are required; or</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Specify the appropriate helper in the HELPER column in <para>Specify the appropriate helper in the HELPER column in
<ulink <ulink url="shorewall-rules.html">shorewall-rules</ulink>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5).</para> (5).</para>
<note> <note>
<para>The macros for those applications requiring a helper <para>The macros for those applications requiring a helper
automatically specify the appropriate HELPER where automatically specify the appropriate HELPER where
required.</para> required.</para>
</note> </note>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
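Review bot: in both list items of this hunk the line break between `</ulink>` and `(5)` survives the rewrap (`shorewall-conntrack</ulink>` then `(5) to only apply helpers ...`, and `shorewall-rules</ulink>` then `(5).`), so the rendered text reads "shorewall-conntrack (5)" and "shorewall-rules (5)" with a space before the section number, unlike the joined `</ulink>(5)` form used in the ACCOUNTING entry above; since these lines are being rewrapped anyway, joining them would make the cross-references uniform.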
skipping to change at line 517 skipping to change at line 516
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the <option>balance</option> provider option (see determines whether the <option>balance</option> provider option (see
<ulink <ulink
url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
>) the default. When BALANCE_PROVIDERS=Yes, then the
is the default. When BALANCE_PROVIDERS=Yes, then the
<option>balance</option> option is assumed unless the <option>balance</option> option is assumed unless the
<option>fallback</option>, <option>loose</option>, <option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is <option>load</option> or <option>tproxy</option> option is
specified. If this option is not set or is set to the empty value, specified. If this option is not set or is set to the empty value,
then the default value is the value of USE_DEFAULT_RT.</para> then the default value is the value of USE_DEFAULT_RT.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall-4.6.0. When set to <emphasis <para>Added in Shorewall-4.6.0. When set to <emphasis
role="bold">Yes</emphasis>, causes entries in <ulink role="bold">Yes</emphasis>, causes entries in <ulink
url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
> generate a basic filter rather than a u32 filter. This setting
to generate a basic filter rather than a u32 filter. This setting
requires the <firstterm>Basic Ematch</firstterm> capability in your requires the <firstterm>Basic Ematch</firstterm> capability in your
kernel and iptables.</para> kernel and iptables.</para>
<note> <note>
<para>One of the advantages of basic filters is that ipset matches <para>One of the advantages of basic filters is that ipset matches
are supported in newer iproute2 and kernel versions. Because are supported in newer iproute2 and kernel versions. Because
Shorewall cannot reliably detect this capability, use of basic Shorewall cannot reliably detect this capability, use of basic
filters is controlled by this option.</para> filters is controlled by this option.</para>
</note> </note>
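Review bot: the BALANCE_PROVIDERS and BASIC_FILTERS hunks fix an awkward wrap in the old source where the closing `>` of `</ulink` sat alone on the next line, and make the providers/tcfilters links relative; no wording changed. One inconsistency in the unchanged BASIC_FILTERS text is worth a follow-up: the paragraph says basic filters require "the Basic Ematch capability in your kernel and iptables", while the note directly below says the capability depends on "newer iproute2 and kernel versions"; since tcfilters entries are installed with tc (part of iproute2) rather than iptables, the paragraph should say "kernel and iproute2" to match the note.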
skipping to change at line 592 skipping to change at line 591
be dropped or REJECT if the packets are to be replied with an ICMP be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.</para> a value or if you assign an empty value then DROP is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para> AUDIT_TARGET in the kernel and iptables.</para>
<para>The BLACKLIST_DISPOSITION setting determines the disposition <para>The BLACKLIST_DISPOSITION setting determines the disposition
of packets sent to the <emphasis role="bold">blacklog</emphasis> of packets sent to the <emphasis role="bold">blacklog</emphasis>
target of <ulink target of <ulink url="shorewall-blrules.html">shorewall-blrules
url="/manpages/shorewall-blrules.html">shorewall-blrules
</ulink>(5), but otherwise does not affect entries in that </ulink>(5), but otherwise does not affect entries in that
file.</para> file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">BLACKLIST_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasi s>[:<replaceable>log-tag</replaceable>]]</term> role="bold">BLACKLIST_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasi s>[:<replaceable>log-tag</replaceable>]]</term>
<listitem> <listitem>
<para>Formerly named BLACKLIST_LOGLEVEL. This parameter determines <para>Formerly named BLACKLIST_LOGLEVEL. This parameter determines
if packets from blacklisted hosts are logged and it determines the if packets from blacklisted hosts are logged and it determines the
syslog level that they are to be logged at. Its value is a syslog syslog level that they are to be logged at. Its value is a syslog
level (Example: BLACKLIST_LOG_LEVEL=debug). If you do not assign a level (Example: BLACKLIST_LOG_LEVEL=debug). If you do not assign a
value or if you assign an empty value then packets from blacklisted value or if you assign an empty value then packets from blacklisted
hosts are not logged. The setting determines the log level of hosts are not logged. The setting determines the log level of
packets sent to the <emphasis role="bold">blacklog</emphasis> target packets sent to the <emphasis role="bold">blacklog</emphasis> target
of <ulink of <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5).</ para> url="shorewall-blrules.html">shorewall-blrules</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|<emphasis>value</emphasis>]</term> role="bold">No</emphasis>|<emphasis>value</emphasis>]</term>
<listitem> <listitem>
<para>This parameter enables the TCP Clamp MSS to PMTU feature of <para>This parameter enables the TCP Clamp MSS to PMTU feature of
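Review bot: in the BLACKLIST_DISPOSITION entry the new form `<ulink url="shorewall-blrules.html">shorewall-blrules` followed by a line break and `</ulink>(5)` leaves the line break inside the link text, so the rendered anchor text ends in a space ("shorewall-blrules "); the BLACKLIST_LOG_LEVEL entry in the same hunk gets it right with `shorewall-blrules</ulink>(5)` on one line, and the first entry should be written the same way.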
skipping to change at line 655 skipping to change at line 653
<para>If this option is set to <emphasis role="bold">No</emphasis> <para>If this option is set to <emphasis role="bold">No</emphasis>
then Shorewall won't clear the current traffic control rules during then Shorewall won't clear the current traffic control rules during
[<command>re</command>]<command>start</command> or [<command>re</command>]<command>start</command> or
<command>reload</command>. This setting is intended for use by <command>reload</command>. This setting is intended for use by
people who prefer to configure traffic shaping when the network people who prefer to configure traffic shaping when the network
interfaces come up rather than when the firewall is started. If that interfaces come up rather than when the firewall is started. If that
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
not supply an /etc/shorewall/tcstart file. That way, your traffic not supply an /etc/shorewall/tcstart file. That way, your traffic
shaping rules can still use the “fwmark” classifier based on packet shaping rules can still use the “fwmark” classifier based on packet
marking defined in <ulink marking defined in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
If not specified, CLEAR_TC=Yes is assumed.</para> specified, CLEAR_TC=Yes is assumed.</para>
<warning> <warning>
<para>When you specify TC_ENABLED=shared (see below), then you <para>When you specify TC_ENABLED=shared (see below), then you
should also specify CLEAR_TC=No.</para> should also specify CLEAR_TC=No.</para>
</warning> </warning>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">COMPLETE=</emphasis>[<emphasis <term><emphasis role="bold">COMPLETE=</emphasis>[<emphasis
skipping to change at line 817 skipping to change at line 815
disallowing IPv6 traffic. If not specified or empty, disallowing IPv6 traffic. If not specified or empty,
“DISABLE_IPV6=No” is assumed.</para> “DISABLE_IPV6=No” is assumed.</para>
<para>It is important to note that changing DISABLE_IPV6=Yes to <para>It is important to note that changing DISABLE_IPV6=Yes to
DISABLE_IPV6=No does <emphasis>not</emphasis> enable IPV6. The DISABLE_IPV6=No does <emphasis>not</emphasis> enable IPV6. The
recommended approach for enabling IPv6 on your system is:</para> recommended approach for enabling IPv6 on your system is:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Install, configure and start <ulink <para>Install, configure and start <ulink
url="/IPv6Support.html">Shorewall6</ulink>.</para> url="../IPv6Support.html">Shorewall6</ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in <para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in
<filename>/etc/shorewall/shorewall.conf</filename>.</para> <filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Reload Shorewall</para> <para>Reload Shorewall</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DOCKER=</emphasis>[<emphasis <term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>, <para>Added in Shorewall 5.0.6; IPv4 only. When set to
the generated script will save Docker-generated rules before and <option>Yes</option>, the generated script will save
restore them after executing the <command>start</command>, Docker-generated rules before and restore them after executing the
<command>stop</command>, <command>reload</command> and <command>start</command>, <command>stop</command>,
<command>restart</command> commands. If set to <option>No</option> <command>reload</command> and <command>restart</command> commands.
(the default), the generated script will delete any Docker-generated If set to <option>No</option> (the default), the generated script
rules when executing those commands. See<ulink url="/Docker.html"> will delete any Docker-generated rules when executing those
http://www.shorewall.net/Docker.html</ulink> for additional commands. See<ulink url="../Docker.html">
https://shorewall.org/Docker.html</ulink> for additional
information.</para> information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">DOCKER_BRIDGE=</emphasis>[<emphasis>bridgename</emphasis>]</
term>
<listitem>
<para>Added in Shorewall 5.2.4; IPv4 only. Specifies the name of the
default Docker bridge. If not specified, the value 'docker0' is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis >module</emphasis>]...]</term> role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis >module</emphasis>]...]</term>
<listitem> <listitem>
<para>Causes Shorewall to not load the listed kernel modules.</para> <para>Causes Shorewall to not load the listed kernel modules.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
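Review bot: the new DOCKER_BRIDGE entry (DOCKER_BRIDGE=[bridgename], "Added in Shorewall 5.2.4; IPv4 only") says only that it names the default Docker bridge and that 'docker0' is assumed; it should also say what Shorewall does with the name and that it is only meaningful together with DOCKER=Yes, otherwise a reader cannot tell when overriding it matters (a pointer to the Docker.html article referenced in the DOCKER entry would do). Two smaller points in the DOCKER entry: "See<ulink url="../Docker.html">" still lacks a space after "See", so the rendered sentence reads "Seehttps://shorewall.org/Docker.html" (this was already wrong in the old text); and the visible link text is now the absolute https://shorewall.org/Docker.html while the href is the relative ../Docker.html, so the two diverge whenever the rendered docs are read outside the site tree, and using the same value in both would avoid that. The added "IPv4 only" qualifier on DOCKER is a good addition.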
skipping to change at line 934 skipping to change at line 944
<important> <important>
<para>Once the dynamic blacklisting ipset has been created, <para>Once the dynamic blacklisting ipset has been created,
changing this option setting requires a complete restart of changing this option setting requires a complete restart of
the firewall; <command>shorewall [-6] restart</command> if the firewall; <command>shorewall [-6] restart</command> if
RESTART=restart, otherwise <command>shorewall [-6] [-l] stop RESTART=restart, otherwise <command>shorewall [-6] [-l] stop
&amp;&amp; shorewall [-6] [-l] start</command></para> &amp;&amp; shorewall [-6] [-l] start</command></para>
</important> </important>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>log</term>
<listitem>
<para>Added in Shorewall 5.2.5. When specified, successful
'blacklist' and 'allow' commands will log a message to the
system log.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>noupdate</term>
<listitem>
<para>Added in Shorewall 5.2.5. Normally, once an address has
been blacklisted, each time that a packet is received from the
packet, the ipset's entry for the address is updated to reset
the timeout to the value specifyed in the
<option>timeout</option> option above. Setting the
<option>noupdate</option> option, inhibits this resetting of
the entry's timeout. This option is ignored when the
<option>timeout</option> option is not specified.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>When ipset-based dynamic blacklisting is enabled, the contents <para>When ipset-based dynamic blacklisting is enabled, the contents
of the blacklist will be preserved over of the blacklist will be preserved over
<command>stop</command>/<command>reboot</command>/<command>start</comm and> <command>stop</command>/<command>reboot</command>/<command>start</comm and>
sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if sequences.</para>
<replaceable>setname</replaceable> is included in the list of sets
to be saved in SAVE_IPSETS.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">EXPAND_POLICIES=</emphasis>{<emphasis <term><emphasis role="bold">EXPAND_POLICIES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Normally, when the SOURCE or DEST columns in <para>Normally, when the SOURCE or DEST columns in
shorewall-policy(5) contains 'all', a single policy chain is created shorewall-policy(5) contains 'all', a single policy chain is created
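Review bot: the paragraph after the variablelist drops a condition and changes the documented behaviour: the old text said the dynamic blacklist is preserved over stop/reboot/start "if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if setname is included in the list of sets to be saved in SAVE_IPSETS", the new text says it is preserved over those sequences unconditionally. If 5.2.6 now saves the blacklist ipset regardless of SAVE_IPSETS, the SAVE_IPSETS entry should document that; if it does not, the qualifier should be restored, because an administrator reading the new text will expect blocked addresses to survive a reboot when they may not. In the new noupdate entry, "each time that a packet is received from the packet" should read "from the address", and "specifyed" should be "specified"; it would also help to spell out the consequence, namely that with noupdate and a timeout set, a blacklisted address is released when the timeout expires even if it has kept sending packets, which is the opposite of the default behaviour described in the same paragraph. The new log entry should say at what syslog level (or facility) successful 'blacklist' and 'allow' commands are logged, or that the system logger's default is used.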
skipping to change at line 1005 skipping to change at line 1038
packets until these packets reach the chain in which the original packets until these packets reach the chain in which the original
connection was accepted. So for packets going from the 'loc' zone to connection was accepted. So for packets going from the 'loc' zone to
the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE 'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
(see below).</para> (see below).</para>
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of <ulink or RELATED sections of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para > url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphas is>]</term> role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphas is>]</term>
<listitem> <listitem>
<para>This option was added in Shorewall 5.0.13 and may be used on <para>This option was added in Shorewall 5.0.13 and may be used on
an administrative system in directories containing the an administrative system in directories containing the
skipping to change at line 1046 skipping to change at line 1079
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term> role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.4. Specifies the pathname of the <para>Added in Shorewall 4.5.4. Specifies the pathname of the
directory containing the <firstterm>GeoIP Match</firstterm> directory containing the <firstterm>GeoIP Match</firstterm>
database. See <ulink database. See <ulink
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>. url="../ISO-3661.html">https://shorewall.org/ISO-3661.html</ulink>.
If not specified, the default value is If not specified, the default value is
<filename>/usr/share/xt_geoip/LE</filename> which is the default <filename>/usr/share/xt_geoip/LE</filename> which is the default
location of the little-endian database.</para> location of the little-endian database.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceabl e>helper</replaceable>...]]</term> role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceabl e>helper</replaceable>...]]</term>
skipping to change at line 1150 skipping to change at line 1183
<term><emphasis role="bold">IMPLICIT_CONTINUE=</emphasis>{<emphasis <term><emphasis role="bold">IMPLICIT_CONTINUE=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>When this option is set to <emphasis <para>When this option is set to <emphasis
role="bold">Yes</emphasis>, it causes subzones to be treated role="bold">Yes</emphasis>, it causes subzones to be treated
differently with respect to policies.</para> differently with respect to policies.</para>
<para>Subzones are defined by following their name with ":" and a <para>Subzones are defined by following their name with ":" and a
list of parent zones (in <ulink list of parent zones (in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)). url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
Normally, you want to have a set of special rules for the subzone you want to have a set of special rules for the subzone and if a
and if a connection doesn't match any of those subzone-specific connection doesn't match any of those subzone-specific rules then
rules then you want the parent zone rules and policies to be you want the parent zone rules and policies to be applied; see
applied; see <ulink <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5).
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para> With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
then subzones are not subject to this special treatment. With then subzones are not subject to this special treatment. With
IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
by including an explicit policy (one that does not specify "all" in by including an explicit policy (one that does not specify "all" in
either the SOURCE or the DEST columns).</para> either the SOURCE or the DEST columns).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</ emphasis></term> role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</ emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink INVALID packets through the NEW section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
When a packet in INVALID state fails to match any rule in the packet in INVALID state fails to match any rule in the INVALID
INVALID section, the packet is disposed of based on this setting. section, the packet is disposed of based on this setting. The
The default value is CONTINUE for compatibility with earlier default value is CONTINUE for compatibility with earlier
versions.</para> versions.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[ :<replaceable>log-tag</replaceable>]</term> role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[ :<replaceable>log-tag</replaceable>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink do not match any rule in the INVALID section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
logged at this level. The default value is empty which means no this level. The default value is empty which means no logging is
logging is performed.</para> performed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term> role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem> <listitem>
<para>If specified, gives the pathname of the 'ip' executable. If <para>If specified, gives the pathname of the 'ip' executable. If
not specified, 'ip' is assumed and the utility will be located using not specified, 'ip' is assumed and the utility will be located using
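Review bot: the two relinked references in the INVALID_DISPOSITION and INVALID_LOG_LEVEL entries keep a space before the section number (`<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5)`), which renders as "shorewall-rules (5)" while the rest of this change writes `</ulink>(5)`; drop the space so the manpage cross-references read uniformly. Note also that replacing `/manpages/shorewall-rules.html` with the bare `shorewall-rules.html` makes the link resolve only when this page is served from the same directory as the other manpages, so any mirror that hosts shorewall.conf.html elsewhere will get a broken link.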
skipping to change at line 1412 skipping to change at line 1444
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term> role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging <para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
backend to be used for the <command>iptrace</command> command (see backend to be used for the <command>iptrace</command> command (see
<ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para> <ulink url="shorewall.html">shorewall(8)</ulink>).</para>
<para><replaceable>backend</replaceable> is one of:</para> <para><replaceable>backend</replaceable> is one of:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>LOG</term> <term>LOG</term>
<listitem> <listitem>
<para>Use standard kernel logging.</para> <para>Use standard kernel logging.</para>
</listitem> </listitem>
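Review bot: the LOG_BACKEND reference was already relative before this change (`url="manpages/shorewall.html"`), which from within the manpages directory resolved to manpages/manpages/shorewall.html and was therefore broken; the new `url="shorewall.html"` is a genuine fix rather than a restyling of the path and is worth calling out as such.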
skipping to change at line 1473 skipping to change at line 1505
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replac eable>log-tag</replaceable>]</term> role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replac eable>log-tag</replaceable>]</term>
<listitem> <listitem>
<para>Added in Shorewall 5.1.2. Beginning with that release, the <para>Added in Shorewall 5.1.2. Beginning with that release, the
sample configurations use this as the default log level and changing sample configurations use this as the default log level and changing
it will change all packet logging done by the configuration. In any it will change all packet logging done by the configuration. In any
configuration file (except <ulink configuration file (except <ulink
url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>), url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
$LOG_LEVEL will expand to this value.</para> will expand to this value.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Keep]</term> role="bold">No</emphasis>|Keep]</term>
<listitem> <listitem>
<para>IPv4 only.</para> <para>IPv4 only.</para>
skipping to change at line 1496 skipping to change at line 1528
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, sets role="bold">yes</emphasis>, sets
<filename>/proc/sys/net/ipv4/conf/*/log_martians</filename> to 1 <filename>/proc/sys/net/ipv4/conf/*/log_martians</filename> to 1
with the exception of with the exception of
<filename>/proc/sys/net/ipv4/conf/all/log_martians which is set to <filename>/proc/sys/net/ipv4/conf/all/log_martians which is set to
0</filename>. The default value is <emphasis 0</filename>. The default value is <emphasis
role="bold">Yes</emphasis> which sets both of the above to one. If role="bold">Yes</emphasis> which sets both of the above to one. If
you do not enable martian logging for all interfaces, you may still you do not enable martian logging for all interfaces, you may still
enable it for individual interfaces using the <emphasis enable it for individual interfaces using the <emphasis
role="bold">logmartians</emphasis> interface option in <ulink role="bold">logmartians</emphasis> interface option in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).</para> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para >
<para>The value <emphasis role="bold">Keep</emphasis> causes <para>The value <emphasis role="bold">Keep</emphasis> causes
Shorewall to ignore the option. If the option is set to <emphasis Shorewall to ignore the option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then martians are logged on all role="bold">Yes</emphasis>, then martians are logged on all
interfaces. If the option is set to <emphasis interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then martian logging is disabled on all role="bold">No</emphasis>, then martian logging is disabled on all
interfaces except those specified in <ulink interfaces except those specified in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).</para> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para >
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term > role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term >
<listitem> <listitem>
<para>This option controls the amount of information logged to the <para>This option controls the amount of information logged to the
file specified in the STARTUP_LOG option.</para> file specified in the STARTUP_LOG option.</para>
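Review bot: the LOG_MARTIANS paragraph that this hunk reflows still contains two defects worth fixing while the lines are being touched. The prose "which is set to 0" sits inside the `<filename>` element (`<filename>/proc/sys/net/ipv4/conf/all/log_martians which is set to 0</filename>`), so it renders as part of the path; the closing tag belongs directly after `log_martians`. The paragraph also contradicts itself: it first says `all/log_martians` is set to 0 and then that the default Yes "sets both of the above to one"; one of the two statements is wrong and the correct sysctl behaviour should be stated once.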
skipping to change at line 1626 skipping to change at line 1658
<para>If the LOGFORMAT value contains the substring “%d” then the <para>If the LOGFORMAT value contains the substring “%d” then the
logging rule number is calculated and formatted in that position; if logging rule number is calculated and formatted in that position; if
that substring is not included then the rule number is not included. that substring is not included then the rule number is not included.
If not supplied or supplied as empty (LOGFORMAT="") then If not supplied or supplied as empty (LOGFORMAT="") then
“Shorewall:%s:%s:” is assumed.</para> “Shorewall:%s:%s:” is assumed.</para>
<note> <note>
<para>The setting of LOGFORMAT has an effect of the permitted <para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink length of zone names. See <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
(5).</para>
</note> </note>
<caution> <caution>
<para>Beginning with Shorewall 5.1.0, the default and sample <para>Beginning with Shorewall 5.1.0, the default and sample
shorewall[6].conf files set LOGFORMAT="%s %s ".</para> shorewall[6].conf files set LOGFORMAT="%s %s ".</para>
<para>Regardless of the LOGFORMAT setting, Shorewall IPv4 log <para>Regardless of the LOGFORMAT setting, Shorewall IPv4 log
messages that use this LOGFORMAT can be uniquely identified using messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:</para> the following regular expression:</para>
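Review bot: in the LOGFORMAT `<note>` that this hunk rewraps, "has an effect of the permitted length of zone names" should read "has an effect on the permitted length of zone names".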
skipping to change at line 1784 skipping to change at line 1815
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">MACLIST_TTL=[</emphasis><emphasis>number</emphasis>]</term> role="bold">MACLIST_TTL=[</emphasis><emphasis>number</emphasis>]</term>
<listitem> <listitem>
<para>The performance of configurations with a large numbers of <para>The performance of configurations with a large numbers of
entries in <ulink entries in <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5) url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
can be improved by setting the MACLIST_TTL variable in <ulink improved by setting the MACLIST_TTL variable in <ulink
url="/manpages/shorewall.conf.html">shorewall[6].conf</ulink>(5).</par url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
a>
<para>If your iptables and kernel support the "Recent Match" (see <para>If your iptables and kernel support the "Recent Match" (see
the output of "shorewall check" near the top), you can cache the the output of "shorewall check" near the top), you can cache the
results of a 'maclist' file lookup and thus reduce the overhead results of a 'maclist' file lookup and thus reduce the overhead
associated with MAC Verification.</para> associated with MAC Verification.</para>
<para>When a new connection arrives from a 'maclist' interface, the <para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in packet passes through then list of entries for that interface in
<ulink <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5). there is a match then the source IP address is added to the 'Recent'
If there is a match then the source IP address is added to the set for that interface. Subsequent connection attempts from that IP
'Recent' set for that interface. Subsequent connection attempts from address occurring within $MACLIST_TTL seconds will be accepted
that IP address occurring within $MACLIST_TTL seconds will be without having to scan all of the entries. After $MACLIST_TTL from
accepted without having to scan all of the entries. After the first accepted connection request from an IP address, the next
$MACLIST_TTL from the first accepted connection request from an IP connection request from that IP address will be checked against the
address, the next connection request from that IP address will be entire list.</para>
checked against the entire list.</para>
<para>If MACLIST_TTL is not specified or is specified as empty (e.g, <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
not be cached).</para> not be cached).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">MANGLE_ENABLED=</emphasis>[<emphasis <term><emphasis role="bold">MANGLE_ENABLED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
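Review bot: the MACLIST_TTL text rewrapped here carries two errors that the new wording preserves. "the packet passes through then list of entries" should be "the list of entries", and in the last paragraph the closing parenthesis is misplaced so that the whole condition and consequence end up inside the e.g. clause; it should read "If MACLIST_TTL is not specified or is specified as empty (e.g., MACLIST_TTL="") or is specified as zero, then 'maclist' lookups will not be cached." Separately, the link from this entry to `shorewall.conf.html` points at the page the reader is already on and could simply be dropped.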
skipping to change at line 2006 skipping to change at line 2036
<listitem> <listitem>
<para>IPv4 only.</para> <para>IPv4 only.</para>
<para>When set to Yes, causes Shorewall to null-route the IPv4 <para>When set to Yes, causes Shorewall to null-route the IPv4
address ranges reserved by RFC1918. The default value is address ranges reserved by RFC1918. The default value is
'No'.</para> 'No'.</para>
<para>When combined with route filtering (ROUTE_FILTER=Yes or <para>When combined with route filtering (ROUTE_FILTER=Yes or
<option>routefilter</option> in <ulink <option>routefilter</option> in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5)), url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)),
this option ensures that packets with an RFC1918 source address are this option ensures that packets with an RFC1918 source address are
only accepted from interfaces having known routes to networks using only accepted from interfaces having known routes to networks using
such addresses.</para> such addresses.</para>
<para>Beginning with Shorewall 4.5.15, you may specify <para>Beginning with Shorewall 4.5.15, you may specify
<option>blackhole</option>, <option>unreachable</option> or <option>blackhole</option>, <option>unreachable</option> or
<option>prohibit</option> to set the type of route to be created. <option>prohibit</option> to set the type of route to be created.
See <ulink See <ulink
url="/MultiISP.html#null_routing">http://www.shorewall.net/MultiISP.ht ml#null_routing</ulink>.</para> url="../MultiISP.html#null_routing">https://shorewall.org/MultiISP.htm l#null_routing</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">OPTIMIZE=</emphasis>[<replaceable>value</replaceable>]</term > role="bold">OPTIMIZE=</emphasis>[<replaceable>value</replaceable>]</term >
<listitem> <listitem>
<para>The specified <replaceable>value</replaceable> enables certain <para>The specified <replaceable>value</replaceable> enables certain
optimizations. Each optimization category is associated with a power optimizations. Each optimization category is associated with a power
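Review bot: in the NULL_ROUTE_RFC1918 entry the visible link text is now the absolute `https://shorewall.org/MultiISP.html#null_routing` while the href is the relative `../MultiISP.html#null_routing`; the two diverge as soon as the manpage is rendered anywhere other than one level below the site root, so either use the same absolute URL in both places or make the displayed text match the relative target. The move from the old `http://www.shorewall.net` text to https on the current domain is the right direction.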
skipping to change at line 2377 skipping to change at line 2407
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|RE JECT|CONTINUE]</emphasis></term> role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|RE JECT|CONTINUE]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally <para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). (5). Concern about the safety of this practice resulted in the
Concern about the safety of this practice resulted in the addition addition of this option. When a packet in RELATED state fails to
of this option. When a packet in RELATED state fails to match any match any rule in the RELATED section, the packet is disposed of
rule in the RELATED section, the packet is disposed of based on this based on this setting. The default value is ACCEPT for compatibility
setting. The default value is ACCEPT for compatibility with earlier with earlier versions.</para>
versions.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RELATED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[ :<replaceable>log-tag</replaceable>]</term> role="bold">RELATED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[ :<replaceable>log-tag</replaceable>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Packets in the related state that <para>Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of <ulink do not match any rule in the RELATED section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
logged at this level. The default value is empty which means no this level. The default value is empty which means no logging is
logging is performed.</para> performed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">REJECT_ACTION=</emphasis><emphasis>action</emphasis></term> role="bold">REJECT_ACTION=</emphasis><emphasis>action</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.21. When a REJECT target is specified, <para>Added in Shorewall 4.5.21. When a REJECT target is specified,
Shorewall normally handles the response as follows:</para> Shorewall normally handles the response as follows:</para>
skipping to change at line 2497 skipping to change at line 2526
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">REQUIRE_INTERFACE=</emphasis>[<emphasis <term><emphasis role="bold">REQUIRE_INTERFACE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes, <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
at least one optional interface must be up in order for the firewall at least one optional interface must be up in order for the firewall
to be in the started state. Intended to be used with the <ulink to be in the started state. Intended to be used with the <ulink
url="/manpages/shorewall-init.html">Shorewall Init url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
Package</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">RESTART=</emphasis>[<emphasis <term><emphasis role="bold">RESTART=</emphasis>[<emphasis
role="bold">restart</emphasis>|<emphasis role="bold">restart</emphasis>|<emphasis
role="bold">reload</emphasis>]</term> role="bold">reload</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 5.0.1 to replace LEGACY_RESTART which was <para>Added in Shorewall 5.0.1 to replace LEGACY_RESTART which was
skipping to change at line 2584 skipping to change at line 2612
<varlistentry> <varlistentry>
<term><emphasis role="bold">RETAIN_ALIASES=</emphasis>{<emphasis <term><emphasis role="bold">RETAIN_ALIASES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>IPv4 only.</para> <para>IPv4 only.</para>
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5) and url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
<ulink url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
are processed then are re-added later. This is done to help ensure then are re-added later. This is done to help ensure that the
that the addresses can be added with the specified labels but can addresses can be added with the specified labels but can have the
have the undesirable side effect of causing routes to be quietly undesirable side effect of causing routes to be quietly deleted.
deleted. When RETAIN_ALIASES is set to Yes, existing addresses will When RETAIN_ALIASES is set to Yes, existing addresses will not be
not be deleted. Regardless of the setting of RETAIN_ALIASES, deleted. Regardless of the setting of RETAIN_ALIASES, addresses
addresses added during <emphasis role="bold">shorewall added during <emphasis role="bold">shorewall start</emphasis> are
start</emphasis> are still deleted at a subsequent <emphasis still deleted at a subsequent <emphasis role="bold">shorewall
role="bold">shorewall [stop</emphasis>, <emphasis [stop</emphasis>, <emphasis role="bold">shorewall reload</emphasis>
role="bold">shorewall reload</emphasis> or <emphasis or <emphasis role="bold">shorewall restart</emphasis>.</para>
role="bold">shorewall restart</emphasis>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis <term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Keep]</term> role="bold">No</emphasis>|Keep]</term>
<listitem> <listitem>
<para>If this parameter is given the value <emphasis <para>If this parameter is given the value <emphasis
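Review bot: the RETAIN_ALIASES paragraph reflowed by this hunk keeps two markup slips that would be cheap to fix at the same time: `<emphasis role="bold">shorewall star</emphasis>t` leaves the final "t" of "start" outside the emphasis, and `shorewall [stop</emphasis>` contains a stray "[" in front of "stop". Both should read as the plain commands `shorewall start` and `shorewall stop`, fully inside the emphasis element.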
skipping to change at line 2618 skipping to change at line 2645
interfaces which are brought up while Shorewall is in the started interfaces which are brought up while Shorewall is in the started
state. The default value is <emphasis state. The default value is <emphasis
role="bold">no</emphasis>.</para> role="bold">no</emphasis>.</para>
<para>The value <emphasis role="bold">Keep</emphasis> causes <para>The value <emphasis role="bold">Keep</emphasis> causes
Shorewall to ignore the option. If the option is set to <emphasis Shorewall to ignore the option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then route filtering occurs on all role="bold">Yes</emphasis>, then route filtering occurs on all
interfaces. If the option is set to <emphasis interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then route filtering is disabled on all role="bold">No</emphasis>, then route filtering is disabled on all
interfaces except those specified in <ulink interfaces except those specified in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).</para> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para >
<important> <important>
<para>If you need to disable route filtering on any interface, <para>If you need to disable route filtering on any interface,
then you must set ROUTE_FILTER=No then set routefilter=1 or then you must set ROUTE_FILTER=No then set routefilter=1 or
routefilter=2 on those interfaces where you want route filtering. routefilter=2 on those interfaces where you want route filtering.
See <ulink See <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulin k>(5) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
for additional details.</para> for additional details.</para>
</important> </important>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">RPFILTER_DISPOSITION=</emphasis>[<emphasis <term><emphasis role="bold">RPFILTER_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|<emphasis role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term> role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. Determines the disposition of <para>Added in Shorewall 4.5.7. Determines the disposition of
packets entering from interfaces the <option>rpfilter</option> packets entering from interfaces the <option>rpfilter</option>
option (see <ulink option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5)). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
Packets disposed of by this option are those whose response packets Packets disposed of by this option are those whose response packets
would not be sent through the same interface receiving the would not be sent through the same interface receiving the
packet.</para> packet.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RPFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis> [:<replaceable>log-tag</replaceable>]</term> role="bold">RPFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis> [:<replaceable>log-tag</replaceable>]</term>
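Review bot: the RPFILTER_DISPOSITION sentence relinked in this hunk is missing a word: "packets entering from interfaces the rpfilter option" should be "packets entering from interfaces with the rpfilter option". In the ROUTE_FILTER entry just above it, the default is given as lowercase "no" while the term line spells the accepted values as Yes and No; use the same spelling in both places.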
skipping to change at line 2699 skipping to change at line 2726
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SFILTER_DISPOSITION=</emphasis>[<emphasis <term><emphasis role="bold">SFILTER_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|<emphasis role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term> role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Determines the disposition of <para>Added in Shorewall 4.4.20. Determines the disposition of
packets matching the <option>sfilter</option> option (see <ulink packets matching the <option>sfilter</option> option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
(5)) of <firstterm>hairpin</firstterm> packets on interfaces without the
and of <firstterm>hairpin</firstterm> packets on interfaces without <option>routeback</option> option.<footnote>
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the <para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para> same interface that they arrived on.</para>
</footnote></para> </footnote></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">SFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[ :<replaceable>log-tag</replaceable>]</term> role="bold">SFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[ :<replaceable>log-tag</replaceable>]</term>
<listitem> <listitem>
<para>Added on Shorewall 4.4.20. Determines the logging of packets <para>Added on Shorewall 4.4.20. Determines the logging of packets
matching the <option>sfilter</option> option (see <ulink matching the <option>sfilter</option> option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
(5)) of <firstterm>hairpin</firstterm> packets on interfaces without the
and of <firstterm>hairpin</firstterm> packets on interfaces without <option>routeback</option> option.<footnote>
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the <para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para> same interface that they arrived on.</para>
</footnote> The default is <option>info</option>. If you don't </footnote> The default is <option>info</option>. If you don't
wish for these packets to be logged, use wish for these packets to be logged, use
SFILTER_LOG_LEVEL=none.</para> SFILTER_LOG_LEVEL=none.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
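Review bot: "Added on Shorewall 4.4.20" in the SFILTER_LOG_LEVEL entry should be "Added in Shorewall 4.4.20", matching every other entry. Both SFILTER entries touched here also repeat the identical footnote defining hairpin packets; defining the term once in SFILTER_DISPOSITION and referring back to it from SFILTER_LOG_LEVEL avoids the duplicate footnote in the rendered page.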
skipping to change at line 2745 skipping to change at line 2772
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SMURF_DISPOSITION=</emphasis>[<emphasis <term><emphasis role="bold">SMURF_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|A_DROP]</term> role="bold">DROP</emphasis>|A_DROP]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which <para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink causes smurf packets (see the nosmurfs option in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
(5)) be dropped. A_DROP causes the packets to be audited prior to being
to be dropped. A_DROP causes the packets to be audited prior to dropped and requires AUDIT_TARGET support in the kernel and
being dropped and requires AUDIT_TARGET support in the kernel and
iptables.</para> iptables.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">SMURF_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>[: <replaceable>log-tag</replaceable>]]</term> role="bold">SMURF_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>[: <replaceable>log-tag</replaceable>]]</term>
<listitem> <listitem>
<para>Specifies the logging level for smurf packets (see the <para>Specifies the logging level for smurf packets (see the
nosmurfs option in <ulink nosmurfs option in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
(5)). set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
logged.</para> logged.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">STARTUP_ENABLED=</emphasis>{<emphasis <term><emphasis role="bold">STARTUP_ENABLED=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Determines if Shorewall is allowed to start. As released from <para>Determines if Shorewall is allowed to start. As released from
skipping to change at line 2861 skipping to change at line 2888
you supply to configure traffic shaping. The script must be named you supply to configure traffic shaping. The script must be named
'tcstart' and must be placed in a directory on your 'tcstart' and must be placed in a directory on your
CONFIG_PATH.</para> CONFIG_PATH.</para>
<para>If you say <emphasis role="bold">No</emphasis> or <emphasis <para>If you say <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis> then traffic shaping is not role="bold">no</emphasis> then traffic shaping is not
enabled.</para> enabled.</para>
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
simple traffic shaping using <ulink simple traffic shaping using <ulink
url="/manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ul url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
ink>(5) and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
and <ulink
url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
enabled.</para> enabled.</para>
<para>If you set TC_ENABLED=Internal or internal or leave the option <para>If you set TC_ENABLED=Internal or internal or leave the option
empty then Shorewall will use its builtin traffic shaper empty then Shorewall will use its builtin traffic shaper
(tc4shorewall written by Arne Bernin.</para> (tc4shorewall written by Arne Bernin.</para>
<para>Beginning with Shorewall 4.4.15, you can set <para>Beginning with Shorewall 4.4.15, you can set
TC_ENABLED=Shared. This allows you to configure the tcdevices and TC_ENABLED=Shared. This allows you to configure the tcdevices and
tcclasses in your Shorewall6 configuration yet make them available tcclasses in your Shorewall6 configuration yet make them available
to the compiler when compiling your Shorewall configuration. In to the compiler when compiling your Shorewall configuration. In
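Review bot: in the TC_ENABLED entry rewrapped by this hunk, "(tc4shorewall written by Arne Bernin." is missing its closing parenthesis; it should end "written by Arne Bernin)." The same entry's "TC_ENABLED=Internal or internal" could follow the convention used elsewhere in the file (`<emphasis role="bold">Internal</emphasis>` or `<emphasis role="bold">internal</emphasis>`) so the accepted spellings stand out.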
skipping to change at line 2890 skipping to change at line 2916
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TC_EXPERT=</emphasis>{<emphasis <term><emphasis role="bold">TC_EXPERT=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Normally, Shorewall tries to protect users from themselves by <para>Normally, Shorewall tries to protect users from themselves by
preventing PREROUTING and OUTPUT tcrules from being applied to preventing PREROUTING and OUTPUT tcrules from being applied to
packets that have been marked by the 'track' option in <ulink packets that have been marked by the 'track' option in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5 ).</para> url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
<para>If you know what you are doing, you can set TC_EXPERT=Yes and <para>If you know what you are doing, you can set TC_EXPERT=Yes and
Shorewall will not include these cautionary checks.</para> Shorewall will not include these cautionary checks.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">TC_PRIOMAP</emphasis>=<emphasis>map</emphasis></term> role="bold">TC_PRIOMAP</emphasis>=<emphasis>map</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.6. Determines the mapping of a packet's <para>Added in Shorewall 4.4.6. Determines the mapping of a packet's
TOS field to priority bands. See <ulink TOS field to priority bands. See <ulink
url="/manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
<emphasis>map</emphasis> consists of 16 space-separated digits with <emphasis>map</emphasis> consists of 16 space-separated digits with
values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to values 1, 2 or 3. A value of 1 corresponds to Linux priority 0, 2 to
Linux priority 1, and 3 to Linux Priority 2. The first entry gives Linux priority 1, and 3 to Linux Priority 2. The first entry gives
the priority of TOS value 0, the second of TOS value 1, and so on. the priority of TOS value 0, the second of TOS value 1, and so on.
See tc-prio(8) for additional information.</para> See tc-prio(8) for additional information.</para>
<para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 <para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2
2 2".</para> 2 2".</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
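Review bot: the two term elements in this hunk place the "=" differently: TC_EXPERT keeps it inside the bold emphasis ("TC_EXPERT=</emphasis>{") while TC_PRIOMAP puts it outside ("TC_PRIOMAP</emphasis>=<emphasis>map"); pick one form so the rendered option names look alike. The TC_PRIOMAP default "2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" does contain the 16 entries the paragraph requires, so that part checks out.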
skipping to change at line 2927 skipping to change at line 2953
<term><emphasis <term><emphasis
role="bold">TCP_FLAGS_DISPOSITION=</emphasis>[<emphasis role="bold">TCP_FLAGS_DISPOSITION=</emphasis>[<emphasis
role="bold">ACCEPT</emphasis>|<emphasis role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term> role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem> <listitem>
<para>Determines the disposition of TCP packets that fail the checks <para>Determines the disposition of TCP packets that fail the checks
enabled by the <emphasis role="bold">tcpflags</emphasis> interface enabled by the <emphasis role="bold">tcpflags</emphasis> interface
option (see <ulink option (see <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
(5)) must have a value of ACCEPT (accept the packet), REJECT (send an RST
and must have a value of ACCEPT (accept the packet), REJECT (send an response) or DROP (ignore the packet). If not set or if set to the
RST response) or DROP (ignore the packet). If not set or if set to empty value (e.g., TCP_FLAGS_DISPOSITION="") then
the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.</para> TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para> AUDIT_TARGET in the kernel and iptables.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
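Review bot: the sentence "must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet)" omits A_DROP and A_REJECT, which both the term of this entry and the following paragraph list as valid values; since the paragraph is being reflowed anyway, extend it to "ACCEPT, REJECT, DROP, or their audited forms A_DROP and A_REJECT". Also, A_DROP|A_REJECT in the term lack the role="bold" emphasis that the other three values carry.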
skipping to change at line 2959 skipping to change at line 2985
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TRACK_PROVIDERS=</emphasis>{<emphasis <term><emphasis role="bold">TRACK_PROVIDERS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.3. When set to Yes, causes the <para>Added in Shorewall 4.4.3. When set to Yes, causes the
<option>track</option> option to be assumed on all providers defined <option>track</option> option to be assumed on all providers defined
in <ulink in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ulink>(5 url="shorewall-providers.html">shorewall-providers</ulink>(5). May
). be overridden on an individual provider through use of the
May be overridden on an individual provider through use of the
<option>notrack</option> option. The default value is 'No'.</para> <option>notrack</option> option. The default value is 'No'.</para>
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes' <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
also simplifies PREROUTING rules in <ulink also simplifies PREROUTING rules in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
Previously, when TC_EXPERT=No, packets arriving through 'tracked' Previously, when TC_EXPERT=No, packets arriving through 'tracked'
provider interfaces were unconditionally passed to the PREROUTING provider interfaces were unconditionally passed to the PREROUTING
tcrules. This was done so that tcrules could reset the packet mark tcrules. This was done so that tcrules could reset the packet mark
to zero, thus allowing the packet to be routed using the 'main' to zero, thus allowing the packet to be routed using the 'main'
routing table. Using the main table allowed dynamic routes (such as routing table. Using the main table allowed dynamic routes (such as
those added for VPNs) to be effective. The rtrules file was created those added for VPNs) to be effective. The rtrules file was created
to provide a better alternative to clearing the packet mark. As a to provide a better alternative to clearing the packet mark. As a
consequence, passing these packets to PREROUTING complicates things consequence, passing these packets to PREROUTING complicates things
without providing any real benefit. Beginning with Shorewall 4.4.6, without providing any real benefit. Beginning with Shorewall 4.4.6,
when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
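Review bot: "The rtrules file was created to provide a better alternative to clearing the packet mark" refers to the rtrules file by bare name, whereas every other file reference in this hunk is a ulink to its manpage (shorewall-providers, shorewall-tcrules); link it to shorewall-rtrules(5) in the same relative style this change introduces, so readers can find the recommended alternative to resetting the mark.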
skipping to change at line 3014 skipping to change at line 3040
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP| REJECT|CONTINUE]</emphasis></term> role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP| REJECT|CONTINUE]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink UNTRACKED packets through the NEW section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
When a packet in UNTRACKED state fails to match any rule in the packet in UNTRACKED state fails to match any rule in the UNTRACKED
UNTRACKED section, the packet is disposed of based on this setting. section, the packet is disposed of based on this setting. The
The default value is CONTINUE for compatibility with earlier default value is CONTINUE for compatibility with earlier
versions.</para> versions.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis >[:<replaceable>log-tag</replaceable>]</term> role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis >[:<replaceable>log-tag</replaceable>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink do not match any rule in the UNTRACKED section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
logged at this level. The default value is empty which means no this level. The default value is empty which means no logging is
logging is performed.</para> performed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>When set to 'Yes', this option causes the Shorewall multi-ISP <para>When set to 'Yes', this option causes the Shorewall multi-ISP
feature to create a set of routing rules which are resilient to feature to create a set of routing rules which are resilient to
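Review bot: the reflowed lines keep "shorewall-rules</ulink> (5)" with a space before "(5)" in both the UNTRACKED_DISPOSITION and UNTRACKED_LOG_LEVEL entries, while every other cross-reference in this file uses "</ulink>(5)"; drop the space while these lines are being rewritten. Separately, the UNTRACKED_DISPOSITION paragraph never says what CONTINUE does with a packet that fails to match the UNTRACKED section; the opening sentence implies it falls through to the NEW section as in earlier versions, and stating that explicitly would make the consequence of the default (untracked traffic is not dropped unless the administrator changes this setting) clear to the reader. The term for this entry also wraps the whole bracketed value list in one bold emphasis, unlike the neighbouring entries, which bold only the option name and values.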
skipping to change at line 3053 skipping to change at line 3079
number of reasons, VPNs going up and down being an example. The idea number of reasons, VPNs going up and down being an example. The idea
is to send packets through the main table prior to applying any of is to send packets through the main table prior to applying any of
the Shorewall-generated routing rules. So changes to the main table the Shorewall-generated routing rules. So changes to the main table
will affect the routing of packets by default.</para> will affect the routing of packets by default.</para>
<para>When USE_DEFAULT_RT=Yes:</para> <para>When USE_DEFAULT_RT=Yes:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Both the DUPLICATE and the COPY columns in <ulink <para>Both the DUPLICATE and the COPY columns in <ulink
url="/manpages/shorewall-providers.html">providers</ulink>(5) url="shorewall-providers.html">providers</ulink>(5) file must
file must remain empty (or contain "-").</para> remain empty (or contain "-").</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The default route is added to the the 'default' table <para>The default route is added to the the 'default' table
rather than to the main table.</para> rather than to the main table.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>If running Shorewall 5.1.0 or earlier or if <para>If running Shorewall 5.1.0 or earlier or if
BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
<emphasis role="bold">balance</emphasis> provider option is <emphasis role="bold">balance</emphasis> provider option is
assumed unless the <option>fallback</option>, assumed unless the <option>fallback</option>,
<option>loose</option>, <option>load</option> or <option>loose</option>, <option>load</option> or
<option>tproxy</option> option is specified.</para> <option>tproxy</option> option is specified.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Packets are sent through the main routing table by a rule <para>Packets are sent through the main routing table by a rule
with priority 999. In <ulink with priority 999. In <ulink
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5 url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), the
), range 1-998 may be used for inserting rules that bypass the main
the range 1-998 may be used for inserting rules that bypass the table.</para>
main table.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>All provider gateways must be specified explicitly in the <para>All provider gateways must be specified explicitly in the
GATEWAY column. <emphasis role="bold">detect</emphasis> may not GATEWAY column. <emphasis role="bold">detect</emphasis> may not
be specified.<note> be specified.<note>
<para><emphasis role="bold">detect</emphasis> may be <para><emphasis role="bold">detect</emphasis> may be
specified for interfaces whose configuration is managed by specified for interfaces whose configuration is managed by
dhcpcd. Shorewall will use dhcpcd's database to find the dhcpcd. Shorewall will use dhcpcd's database to find the
interface's gateway.</para> interface's gateway.</para>
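Review bot: the second list item reads "added to the the 'default' table" with a doubled "the"; fix it while the list is being reflowed. Also, the hunk ends inside the <note> of the fifth item, so the closing </note>, </para> and </listitem> are not visible here and should be verified in the full file before the reflowed list is accepted.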
 End of changes. 54 change blocks. 
144 lines changed or deleted 159 lines changed or added
