·

shorewall6-exclusion (5) Linux Manual Page

ByLinux Manual Posted on

exclusion – Exclude a set of hosts from a definition in a shorewall6 configuration file.

Synopsis

!address-or-range[,address-or-range]…

!zone-name[,zone-name]…

Description

Exclusion is used when you wish to exclude one or more addresses from a definition. An exclamation point is followed by a comma-separated list of addresses. The addresses may be single host addresses (e.g., fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include iprange support, you may also specify ranges of ip addresses of the form lowaddresshighaddress No embedded white-space is allowed. Exclusion can appear after a list of addresses and/or address ranges. In that case, the final list of address is formed by taking the first list and then removing the addresses defined in the exclusion. Beginning in Shorewall 4.4.13, the second form of exclusion is allowed after all and any in the SOURCE and DEST columns of /etc/shorewall/rules. It allows you to omit arbitrary zones from the list generated by those key words.

Warning
If you omit a sub-zone and there is an explicit or explicit CONTINUE policy, a connection to/from that zone can still be matched by the rule generated for a parent zone. For example: /etc/shorewall6/zones:

#ZONE TYPE
z1 ip
z2:z1 ip
...

/etc/shorewall6/policy:

#SOURCE DEST POLICY
z1 net CONTINUE
z2 net REJECT

/etc/shorewall6/rules:

#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT all!z2 net tcp 22

In this case, SSH connections from z2 to net will be accepted by the generated z1 to net ACCEPT rule.

Files

/etc/shorewall6/hosts

/etc/shorewall6/masq

/etc/shorewall6/rules

/etc/shorewall6/tcrules

See Also

shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)

Leave a Reply

Your email address will not be published. Required fields are marked *