<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-routestopped</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257171"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>routestopped — The Shorewall file that governs what traffic flows through the firewall while it is in 'stopped' state.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">/etc/shorewall/routestopped</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257203"></a><h2>Description</h2><p>This file is used to define the hosts that are accessible when the firewall is stopped or is being stopped. When shorewall-shell is being used, the file also determines those hosts that are accessible when the firewall is in the process of being [re]started.</p><p>The columns in the file are as follows.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>INTERFACE</strong></span> - <span class="emphasis"><em>interface</em></span></span></dt><dd><p>Interface through which host(s) communicate with the firewall</p></dd><dt><span class="term"><span class="bold"><strong>HOST(S)</strong></span> (Optional) - [<span class="bold"><strong>-</strong></span>|<span class="emphasis"><em>address</em></span>[,<span class="emphasis"><em>address</em></span>]...]</span></dt><dd><p>Comma-separated list of IP/subnet addresses. If your kernel and iptables include iprange match support, IP address ranges are also allowed.</p><p>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</p></dd><dt><span class="term"><span class="bold"><strong>OPTIONS</strong></span> (Optional) - [<span class="bold"><strong>-</strong></span>|<span class="emphasis"><em>option</em></span>[<span class="bold"><strong>,</strong></span><span class="emphasis"><em>option</em></span>]...]</span></dt><dd><p>A comma-separated list of options. The order of the options is not important but the list can contain no embedded whitespace. The currently-supported options are:</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>routeback</strong></span></span></dt><dd><p>Set up a rule to ACCEPT traffic from these hosts back to themselves.</p></dd><dt><span class="term"><span class="bold"><strong>source</strong></span></span></dt><dd><p>Allow traffic from these hosts to ANY destination. Without this option or the <span class="bold"><strong>dest</strong></span> option, only traffic from this host to other listed hosts (and the firewall) is allowed. If <span class="bold"><strong>source</strong></span> is specified then <span class="bold"><strong>routeback</strong></span> is redundant.</p></dd><dt><span class="term"><span class="bold"><strong>dest</strong></span></span></dt><dd><p>Allow traffic to these hosts from ANY source. Without this option or the <span class="bold"><strong>source</strong></span> option, only traffic from this host to other listed hosts (and the firewall) is allowed. If <span class="bold"><strong>dest</strong></span> is specified then <span class="bold"><strong>routeback</strong></span> is redundant.</p></dd><dt><span class="term"><span class="bold"><strong>critical</strong></span></span></dt><dd><p>Allow traffic between the firewall and these hosts throughout '[re]start', 'stop' and 'clear'. Specifying <span class="bold"><strong>critical</strong></span> on one or more entries will cause your firewall to be "totally open" for a brief window during each of those operations. Examples of where you might want to use this are:</p><div class="itemizedlist"><ul type="disc"><li><p>'Ping' nodes with heartbeat.</p></li><li><p>LDAP server(s) if you use LDAP Authentication</p></li><li><p>NFS Server if you have an NFS-mounted root filesystem.</p></li></ul></div></dd></dl></div></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The <span class="bold"><strong>source</strong></span> and <span class="bold"><strong>dest</strong></span> options work best when used in conjunction with ADMINISABSENTMINDED=Yes in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5).</p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257652"></a><h2>Example</h2><div class="variablelist"><dl><dt><span class="term">Example 1:</span></dt><dd><pre class="programlisting"> #INTERFACE HOST(S) OPTIONS eth2 192.168.1.0/24 eth0 192.0.2.44 br0 - routeback eth3 - source</pre></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257676"></a><h2>FILES</h2><p>/etc/shorewall/routestopped</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257686"></a><h2>See ALSO</h2><p><a class="ulink" href="http://shorewall.net/starting_and_stopping_shorewall.htm" target="_self">http://shorewall.net/starting_and_stopping_shorewall.htm</a></p><p>shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</p></div></div></body></html>