Name

routestopped — The Shorewall6 file that governs what traffic flows through the firewall while it is in 'stopped' state.

Synopsis

/etc/shorewall6/routestopped

Description

This file is deprecated in favor of the shorewall6-stoppedrules(5) file.

This file is used to define the hosts that are accessible when the firewall is stopped or is being stopped. When shorewall6-shell is being used, the file also determines those hosts that are accessible when the firewall is in the process of being [re]started.

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).

INTERFACE - interface

Interface through which host(s) communicate with the firewall

HOST(S) - [-|address[,address]...]

Optional comma-separated list of IP/subnet addresses. If your kernel and ip6tables include iprange match support, IP address ranges are also allowed.

If left empty or supplied as "-", 0.0.0.0/0 is assumed.

OPTIONS - [-|option[,option]...]

An optional comma-separated list of options. The order of the options is not important but the list can contain no embedded white-space. The currently-supported options are:

routeback

Set up a rule to ACCEPT traffic from these hosts back to themselves. Beginning with Shorewall 4.4.9, this option is automatically set if routeback is specified in shorewall6-interfaces (5) or if the rules compiler detects that the interface is a bridge.

source

Allow traffic from these hosts to ANY destination. Without this option or the dest option, only traffic from this host to other listed hosts (and the firewall) is allowed. If source is specified then routeback is redundant.

dest

Allow traffic to these hosts from ANY source. Without this option or the source option, only traffic from this host to other listed hosts (and the firewall) is allowed. If dest is specified then routeback is redundant.

critical

Allow traffic between the firewall and these hosts throughout '[re]start', 'stop' and 'clear'. Specifying critical on one or more entries will cause your firewall to be "totally open" for a brief window during each of those operations. Examples of where you might want to use this are:

  • 'Ping' nodes with heartbeat.

  • LDAP server(s) if you use LDAP Authentication

  • NFS Server if you have an NFS-mounted root filesystem.

Note

The source and dest options work best when used in conjunction with ADMINISABSENTMINDED=Yes in shorewall6.conf(5).

Example

Example 1:
        #INTERFACE      HOST(S)                 OPTIONS
        eth2            2002:ce7c:92b4::/64
        eth0            2002:ce7c:92b4:1::/64
        br0             -                       routeback
        eth3            -                       source

FILES

/etc/shorewall6/routestopped

See ALSO

http://shorewall.net/starting_and_stopping_shorewall.htm

http://shorewall.net/configuration_file_basics.htm#Pairs

shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)

Documentation


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.0/4.2 Documentation


Current HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page