{"id":4361,"date":"2022-12-20T17:49:04","date_gmt":"2022-12-20T20:49:04","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewall6conntrac-man5\/"},"modified":"2022-12-20T17:49:04","modified_gmt":"2022-12-20T20:49:04","slug":"shorewall6conntrac-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewall6conntrac-man5\/","title":{"rendered":"SHOREWALL6−CONNTRAC (man5)"},"content":{"rendered":"

SHOREWALL6\u2212CONNTRAC<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLE<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

conntrack \u2212 shorewall conntrack file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\/etc\/shorewall[6]\/conntrack<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

The original intent of the notrack<\/b> file was to exempt certain traffic from Netfilter connection tracking. Traffic matching entries in the file were not to be tracked.<\/p>\n

The role of the file was expanded in Shorewall 4.4.27 to include all rules that can be added in the Netfilter raw<\/b> table. In 4.5.7, the file’s name was changed to conntrack<\/b>.<\/p>\n

The file supports three different column layouts: FORMAT 1, FORMAT 2, and FORMAT 3 with FORMAT 1 being the default. The three differ as follows:<\/p>\n

\u2022 in FORMAT 2 and 3, there is an additional leading ACTION column.<\/p>\n

\u2022 in FORMAT 3, the SOURCE column accepts no zone name; rather the ACTION column allows a SUFFIX that determines the chain(s) that the generated rule will be added to.<\/p>\n

When an entry in the following form is encountered, the format of the following entries are assumed to be of the specified format<\/i>.<\/p>\n

?FORMAT<\/b>
format<\/i><\/p>\n

where format<\/i> is either 1<\/b>,2<\/b> or 3<\/b>.<\/p>\n

Format 3 was introduced in Shorewall 4.5.10.<\/p>\n

Comments may be attached to Netfilter rules generated from entries in this file through the use of ?COMMENT lines. These lines begin with ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line containing only ?COMMENT.<\/p>\n

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).<\/p>\n

ACTION<\/b> \u2212 {NOTRACK<\/b>|CT<\/b>:helper<\/b>:name<\/i>[(arg<\/i>=val<\/i>[,…])|CT:ctevents:<\/b>event<\/i>[,…]|CT:expevents:new|CT:notrack<\/b>|DROP|LOG|ULOG(ulog\u2212parameters<\/i>):NFLOG(nflog\u2212parameters<\/i>)|IP[6]TABLES(target<\/i>)}[log\u2212level<\/i>[:log\u2212tag<\/i>]][:chain\u2212designator<\/i>]<\/p>\n

This column is only present when FORMAT >= 2. Values other than NOTRACK or DROP require CT Targetsupport in your iptables and kernel.<\/p>\n

\u2022 NOTRACK<\/b> or CT:notrack<\/b><\/p>\n

Disables connection tracking for this packet. If a log\u2212level<\/i> is specified, the packet will also be logged at that level.<\/p>\n

\u2022 CT:helper<\/b>:name<\/i><\/p>\n

Attach the helper identified by the name<\/i> to this connection. This is more flexible than loading the conntrack helper with preset ports. If a log\u2212level<\/i> is specified, the packet will also be logged at that level. Beginning with Shorewall 4.6.10, the helper name is optional<\/p>\n

At this writing, the available helpers are:<\/p>\n

amanda<\/p>\n

Requires that the amanda netfilter helper is present.<\/p>\n

ftp<\/p>\n

Requires that the FTP netfilter helper is present.<\/p>\n

irc<\/p>\n

Requires that the IRC netfilter helper is present.<\/p>\n

netbios\u2212ns<\/p>\n

Requires that the netbios_ns (sic) helper is present.<\/p>\n

RAS and Q.931<\/p>\n

These require that the H323 netfilter helper is present.<\/p>\n

pptp<\/p>\n

Requires that the pptp netfilter helper is present.<\/p>\n

sane<\/p>\n

Requires that the SANE netfilter helper is present.<\/p>\n

sip<\/p>\n

Requires that the SIP netfilter helper is present.<\/p>\n

snmp<\/p>\n

Requires that the SNMP netfilter helper is present.<\/p>\n

tftp<\/p>\n

Requires that the TFTP netfilter helper is present.<\/p>\n

May be followed by an option list of arg<\/i>=val<\/i> pairs in parentheses:<\/p>\n

\u2022 ctevents<\/b>=event<\/i>[,…]<\/p>\n

Only generate the specified conntrack events for this connection. Possible event types are: new<\/b>, related<\/b>, destroy<\/b>, reply<\/b>, assured<\/b>, protoinfo<\/b>, helper<\/b>, mark<\/b> (this is connection mark, not packet mark), natseqinfo<\/b>, and secmark<\/b>. If more than one event<\/i> is listed, the event<\/i> list must be enclosed in parentheses (e.g., ctevents=(new,related)).<\/p>\n

\u2022 expevents=new<\/b><\/p>\n

Only generate a new<\/b> expectation events for this connection.<\/p>\n

\u2022 ctevents:event<\/i>[,…]<\/p>\n

Added in Shorewall 4.6.10. Only generate the specified conntrack events for this connection. Possible event types are: new<\/b>, related<\/b>, destroy<\/b>, reply<\/b>, assured<\/b>, protoinfo<\/b>, helper<\/b>, mark<\/b> (this is connection mark, not packet mark), natseqinfo<\/b>, and secmark<\/b>.<\/p>\n

\u2022 expevents=new<\/p>\n

Added in Shorewall 4.6.10. Only generate new<\/b> expectation events for this connection.<\/p>\n

\u2022 DROP<\/b><\/p>\n

Added in Shorewall 4.5.10. Silently discard the packet. If a log\u2212level<\/i> is specified, the packet will also be logged at that level.<\/p>\n

\u2022 IP6TABLES<\/b>(target<\/i>)<\/p>\n

IPv6 only.<\/p>\n

Added in Shorewall 4.6.0. Allows you to specify any iptables target<\/i> with target options (e.g., “IP6TABLES(AUDIT \u2212\u2212type drop)”). If the target is not one recognized by Shorewall, the following error message will be issued:<\/p>\n

ERROR: Unknown target
(target<\/i>)<\/p>\n

This error message may be eliminated by adding target<\/i> as a builtin action in shorewall\u2212actions<\/font><\/b> [1]<\/font><\/small> (5).<\/font><\/p>\n

\u2022 IPTABLES<\/b>(target<\/i>)<\/font><\/p>\n

IPv4 only.<\/font><\/p>\n

Added in Shorewall 4.6.0. Allows you to specify any iptables target<\/i> with target options (e.g., “IPTABLES(AUDIT \u2212\u2212type drop)”). If the target is not one recognized by Shorewall, the following error message will be issued:<\/font><\/p>\n

ERROR: Unknown target
(target<\/i>)<\/font><\/p>\n

This error message may be eliminated by adding target<\/i> as a builtin action in<\/font> shorewall\u2212actions<\/font><\/b> [1]<\/font><\/small> (5).<\/font><\/p>\n

\u2022 LOG<\/b><\/font><\/p>\n

Added in Shoreawll 4.6.0. Logs the packet using the specified log\u2212level<\/i> and log\u2212tag<\/i> (if any). If no log\u2212level is specified, then ‘info’ is assumed.<\/font><\/p>\n

\u2022 NFLOG<\/b><\/font><\/p>\n

Added in Shoreawll 4.6.0. Queues the packet to a backend logging daemon using the NFLOG netfilter target with the specified nflog\u2212parameters<\/i>.<\/font><\/p>\n

\u2022 ULOG<\/b><\/font><\/p>\n

IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to a backend logging daemon using the ULOG netfilter target with the specified ulog\u2212parameters<\/i>.<\/font><\/p>\n

When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column.<\/font><\/p>\n

Beginning with Shorewall 4.5.10, when FORMAT = 3, this column can end with a colon followed by a chain\u2212designator<\/i>. The chain\u2212designator<\/i> can be one of the following:<\/font><\/p>\n

P<\/font><\/p>\n

The rule is added to the raw table PREROUTING chain. This is the default if no chain\u2212designator<\/i> is present.<\/font><\/p>\n

O<\/font><\/p>\n

The rule is added to the raw table OUTPUT chain.<\/font><\/p>\n

PO or OP<\/font><\/p>\n

The rule is added to the raw table PREROUTING and OUTPUT chains.<\/font><\/p>\n

SOURCE (formats 1 and 2) \u2013 {zone<\/i>[:interface<\/i>][:address\u2212list<\/i>]}<\/font><\/p>\n

where zone<\/i> is the name of a zone, interface<\/i> is an interface to that zone, and address\u2212list<\/i> is a comma\u2212separated list of addresses (may contain exclusion \u2212 see<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5)).<\/font><\/p>\n

Beginning with Shorewall 4.5.7, all<\/b> can be used as the zone<\/i> name to mean all zones.<\/font><\/p>\n

Beginning with Shorewall 4.5.10, all\u2212<\/b> can be used as the zone<\/i> name to mean all off\u2212firewall zones.<\/font><\/p>\n

SOURCE (format 3 prior to Shorewall 5.1.0) \u2013 {\u2212|interface<\/i>[:address\u2212list<\/i>]|address\u2212list<\/i>}<\/font><\/p>\n

Where interface<\/i> is an interface to that zone, and address\u2212list<\/i> is a comma\u2212separated list of addresses (may contain exclusion \u2212 see<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5)).<\/font><\/p>\n

SOURCE (format 3 on Shorewall 5.1.0 and later) \u2212 {\u2212|[<\/b>source\u2212spec<\/i>[,…]]}<\/b><\/font><\/p>\n

where source\u2212spec<\/i> is one of the following:<\/font><\/p>\n

interface<\/i><\/font><\/p>\n

Where interface is the logical name of an interface defined in<\/font> shorewall\u2212interface<\/font><\/b> [3]<\/font><\/small> (5).<\/font><\/p>\n

address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

where address<\/i> may be:<\/font><\/p>\n

\u2022 A host or network IP address.<\/font><\/p>\n

\u2022 A MAC address in Shorewall format (preceded by a tilde (“~”) and using dash (“\u2212”) as a separator.<\/font><\/p>\n

\u2022 The name of an ipset preceded by a plus sign (“+”). See<\/font> shorewall\u2212ipsets<\/font><\/b> [4]<\/font><\/small> (5).<\/font><\/p>\n

exclusion<\/i> is described in<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5).<\/font><\/p>\n

interface<\/i>:address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

This form combines the preceding two and requires that both the incoming interface and source address match.<\/font><\/p>\n

exclusion<\/i><\/font><\/p>\n

See<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5)<\/font><\/p>\n

Beginning with Shorewall 5.1.0, multiple source\u2212spec<\/i>s separated by commas may be specified provided that the following alternative forms are used: (address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

interface<\/i>\ud83d\ude41address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

(exclusion<\/i>)<\/font><\/p>\n

DEST (Prior to Shorewall 5.1.0) \u2013 {\u2212|interface<\/i>[:address\u2212list<\/i>]|address\u2212list<\/i>}<\/font><\/p>\n

where address\u2212list<\/i> is a comma\u2212separated list of addresses (may contain exclusion \u2212 see<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5)).<\/font><\/p>\n

DEST (Shorewall 5.1.0 and later) \u2212 {\u2212|<\/b>dest\u2212spec<\/i>[,…]}<\/b><\/font><\/p>\n

where dest\u2212spec<\/i> is one of the following:<\/font><\/p>\n

interface<\/i><\/font><\/p>\n

Where interface is the logical name of an interface defined in<\/font> shorewall\u2212interface<\/font><\/b> [3]<\/font><\/small> (5).<\/font><\/p>\n

address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

where address<\/i> may be:<\/font><\/p>\n

\u2022 A host or network IP address.<\/font><\/p>\n

\u2022 A MAC address in Shorewall format (preceded by a tilde (“~”) and using dash (“\u2212”) as a separator.<\/font><\/p>\n

\u2022 The name of an ipset preceded by a plus sign (“+”). See<\/font> shorewall\u2212ipsets<\/font><\/b> [4]<\/font><\/small> (5).<\/font><\/p>\n

exclusion<\/i> is described in<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5).<\/font><\/p>\n

interface<\/i>:address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

This form combines the preceding two and requires that both the outgoing interface and destination address match.<\/font><\/p>\n

exclusion<\/i><\/font><\/p>\n

See<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5)<\/font><\/p>\n

Beginning with Shorewall 5.1.0, multiple source\u2212specs separated by commas may be specified provided that the following alternative forms are used: (address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

interface<\/i>\ud83d\ude41address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

(exclusion<\/i>)<\/font><\/p>\n

PROTO \u2013 protocol\u2212name\u2212or\u2212number<\/i>[,…]<\/font><\/p>\n

A protocol name from \/etc\/protocols or a protocol number. tcp and 6 may be optionally followed by :syn<\/b> to match only the SYN packet (first packet in the three\u2212way handshake).<\/font><\/p>\n

Beginning with Shorewall 4.5.12, this column can accept a comma\u2212separated list of protocols and either proto<\/b> or protos<\/b> is accepted in the alternate input format.<\/font><\/p>\n

Beginning with Shorewall 5.1.11, when tcp<\/b> or 6<\/b> is specified and the ACTION is CT<\/b>, the compiler will default to :syn<\/b>. If you wish the rule to match packets with any valid combination of TCP flags, you may specify tcp:all<\/b> or 6:all<\/b>.<\/font><\/p>\n

DPORT \u2212 port\u2212number\/service\u2212name\u2212list<\/font><\/p>\n

A comma\u2212separated list of port numbers and\/or service names from \/etc\/services. May also include port ranges of the form low\u2212port<\/i>:high\u2212port<\/i> if your kernel and iptables include port range support.<\/font><\/p>\n

This column was formerly labelled DEST PORT(S).<\/font><\/p>\n

SPORT \u2212 port\u2212number\/service\u2212name\u2212list<\/font><\/p>\n

A comma\u2212separated list of port numbers and\/or service names from \/etc\/services. May also include port ranges of the form low\u2212port<\/i>:high\u2212port<\/i> if your kernel and iptables include port range support.<\/font><\/p>\n

Beginning with Shorewall 4.5.15, you may place ‘=’ in this column, provided that the DPORT column is non\u2212empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DPORT. Use of ‘=’ requires multi\u2212port match in your iptables and kernel.<\/font><\/p>\n

This column was formerly labelled SOURCE PORT(S).<\/font><\/p>\n

USER \u2013 [user<\/i>][:group<\/i>]<\/font><\/p>\n

This column was formerly named USER\/GROUP and may only be specified if the SOURCE zone<\/i> is $FW. Specifies the effective user id and or group id of the process sending the traffic.<\/font><\/p>\n

SWITCH \u2212 [!]<\/b>switch\u2212name<\/i>[={0|1}]<\/b><\/font><\/p>\n

Added in Shorewall 4.5.10 and allows enabling and disabling the rule without requiring shorewall restart<\/b>.<\/font><\/p>\n

The rule is enabled if the value stored in \/proc\/net\/nf_condition\/switch\u2212name<\/i> is 1. The rule is disabled if that file contains 0 (the default). If ‘!’ is supplied, the test is inverted such that the rule is enabled if the file contains 0.<\/font><\/p>\n

Within the switch\u2212name<\/i>, ‘@0’ and ‘@{0}’ are replaced by the name of the chain to which the rule is a added. The switch\u2212name<\/i> (after ‘…’ expansion) must begin with a letter and be composed of letters, decimal digits, underscores or hyphens. Switch names must be 30 characters or less in length.<\/font><\/p>\n

Switches are normally off<\/b>. To turn a switch on<\/b>:<\/font><\/p>\n

echo 1 >
\/proc\/net\/nf_condition\/<\/b>switch\u2212name<\/i><\/font><\/p>\n

To turn it off<\/b> again:<\/font><\/p>\n

echo 0 >
\/proc\/net\/nf_condition\/<\/b>switch\u2212name<\/i><\/font><\/p>\n

Switch settings are retained over shorewall restart<\/b>.<\/font><\/p>\n

When the switch\u2212name<\/i> is followed by =0<\/b> or =1<\/b>, then the switch is initialized to off or on respectively by the start<\/b> command. Other commands do not affect the switch setting.<\/font><\/p>\n

EXAMPLE <\/a> <\/h2>\n

IPv4 Example 1:<\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw \u2212 tcp 21<\/font><\/p>\n

IPv4 Example 2 (Shorewall 4.5.10 or later):<\/font><\/p>\n

Drop traffic to\/from all zones to IP address 1.2.3.4<\/font><\/p>\n

?FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all\u2212:1.2.3.4 \u2212
DROP all 1.2.3.4<\/font><\/p>\n

or<\/font><\/p>\n

?FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 1.2.3.4 \u2212
DROP:PO \u2212 1.2.3.4<\/font><\/p>\n

IPv6 Example 1:<\/font><\/p>\n

Use the FTP helper for TCP port 21 connections from the firewall itself.<\/font><\/p>\n

FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw \u2212 tcp 21<\/font><\/p>\n

IPv6 Example 2 (Shorewall 4.5.10 or later):<\/font><\/p>\n

Drop traffic to\/from all zones to IP address 2001:1.2.3::4<\/font><\/p>\n

FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all\u2212:2001:1.2.3::4 \u2212
DROP all 2001:1.2.3::4<\/font><\/p>\n

or<\/font><\/p>\n

FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 2001:1.2.3::4 \u2212
DROP:PO \u2212 2001:1.2.3::4<\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/conntrack<\/font><\/p>\n

\/etc\/shorewall6\/conntrack<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/b> [5]<\/font><\/small><\/p>\n

shorewall(8)<\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-actions<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-actions.html<\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-exclusion<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-exclusion.html<\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-interface<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-interfaces.html<\/font><\/p>\n\n\n
<\/td>\n\n

4.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-ipsets<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-ipsets.html<\/font><\/p>\n\n\n
<\/td>\n\n

5.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

conntrack \u2212 shorewall conntrack file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1371],"class_list":["post-4361","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-conntrack"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4361"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4361\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}