{"id":4622,"date":"2022-12-20T18:09:19","date_gmt":"2022-12-20T21:09:19","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewallexclusion-man5\/"},"modified":"2022-12-20T18:09:19","modified_gmt":"2022-12-20T21:09:19","slug":"shorewallexclusion-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewallexclusion-man5\/","title":{"rendered":"SHOREWALL−EXCLUSION (man5)"},"content":{"rendered":"

SHOREWALL\u2212EXCLUSION<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLES<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

exclusion \u2212 Exclude a set of hosts from a definition in a shorewall configuration file.<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n\n
<\/td>\n\n

!<\/b>address\u2212or\u2212range<\/i>[,address\u2212or\u2212range<\/i>]…<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

!<\/b>zone\u2212name<\/i>[,zone\u2212name<\/i>]…<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

The first form of exclusion is used when you wish to exclude one or more addresses from a definition. An exclamation point is followed by a comma\u2212separated list of addresses. The addresses may be single host addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR format (e.g., 192.168.1.0\/24). If your kernel and iptables include iprange support, you may also specify ranges of ip addresses of the form lowaddress<\/i>\u2212highaddress<\/i><\/p>\n

No embedded white\u2212space is allowed.<\/p>\n

Exclusion can appear after a list of addresses and\/or address ranges. In that case, the final list of address is formed by taking the first list and then removing the addresses defined in the exclusion.<\/p>\n

Beginning in Shorewall 4.4.13, the second form of exclusion is allowed after all<\/b> and any<\/b> in the SOURCE and DEST columns of shorewall\u2212rules<\/font><\/b> [1]<\/font><\/small> (5). It allows you to omit arbitrary zones from the list generated by those key words.<\/font><\/p>\n

Warning<\/big><\/b>
If you omit a sub\u2212zone and there is an explicit or explicit CONTINUE policy, a connection to\/from that zone can still be matched by the rule generated for a parent zone.<\/font><\/p>\n

For example:<\/font><\/p>\n

\/etc\/shorewall\/zones:<\/font><\/p>\n

#ZONE TYPE
z1 ip
z2:z1 ip
…<\/font><\/p>\n

\/etc\/shorewall\/policy:<\/font><\/p>\n

#SOURCE DEST POLICY
z1 net CONTINUE
z2 net REJECT<\/font><\/p>\n

\/etc\/shorewall\/rules:<\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT
ACCEPT all!z2 net tcp 22<\/font><\/p>\n

In this case, SSH connections from z2<\/b> to net<\/b> will be accepted by the generated z1<\/b> to net ACCEPT rule.<\/font><\/p>\n

In most contexts, ipset names can be used as an address\u2212or\u2212range<\/i>. Beginning with Shorewall 4.4.14, ipset lists enclosed in +[…] may also be included (see<\/font> shorewall\u2212ipsets<\/font><\/b> [2]<\/font><\/small> (5)). The semantics of these lists when used in an exclusion are as follows:<\/font><\/p>\n

\u2022 !+[set1<\/i>,set2<\/i>,…setN<\/i>] produces a packet match if the packet does not match at least one of the sets. In other words, it is like NOT match set1<\/i> OR NOT match set2<\/i> … OR NOT match setN<\/i>.<\/font><\/p>\n

\u2022 +[!set1<\/i>,!set2<\/i>,…!setN<\/i>] produces a packet match if the packet does not match any of the sets. In other words, it is like NOT match set1<\/i> AND NOT match set2<\/i> … AND NOT match setN<\/i>.<\/font><\/p>\n

EXAMPLES <\/a> <\/h2>\n

IPv4 Example 1 \u2212 All IPv4 addresses except 192.168.3.4<\/font><\/p>\n

!192.168.3.4<\/font><\/p>\n

IPv4 Example 2 \u2212 All IPv4 addresses except the network 192.168.1.0\/24 and the host 10.2.3.4<\/font><\/p>\n

!192.168.1.0\/24,10.1.3.4<\/font><\/p>\n

IPv4 Example 3 \u2212 All IPv4 addresses except the range 192.168.1.3\u2212192.168.1.12 and the network 10.0.0.0\/8<\/font><\/p>\n

!192.168.1.3\u2212192.168.1.12,10.0.0.0\/8<\/font><\/p>\n

IPv4 Example 4 \u2212 The network 192.168.1.0\/24 except hosts 192.168.1.3 and 192.168.1.9<\/font><\/p>\n

192.168.1.0\/24!192.168.1.3,192.168.1.9<\/font><\/p>\n

Example 5 \u2212 All parent zones except loc<\/font><\/p>\n

any!loc<\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/hosts<\/font><\/p>\n

\/etc\/shorewall\/masq<\/font><\/p>\n

\/etc\/shorewall\/rules<\/font><\/p>\n

\/etc\/shorewall\/tcrules<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

shorewall(8)<\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-rules<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-rules.html<\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-ipsets<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-ipsets.html<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

exclusion \u2212 Exclude a set of hosts from a definition in a shorewall configuration file. <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1563],"class_list":["post-4622","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-exclusion"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4622"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4622\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}