{"id":21670387,"url":"https://github.com/alpinelinux/awall","last_synced_at":"2025-08-20T07:30:42.430Z","repository":{"id":39633869,"uuid":"72691280","full_name":"alpinelinux/awall","owner":"alpinelinux","description":"[MIRROR] Alpine firewall configuration tool","archived":false,"fork":false,"pushed_at":"2024-12-17T15:57:15.000Z","size":5291,"stargazers_count":47,"open_issues_count":1,"forks_count":14,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-12-17T16:43:42.766Z","etag":null,"topics":["alpine-linux","firewall-configuration","iptables","lua"],"latest_commit_sha":null,"homepage":"https://gitlab.alpinelinux.org/alpine/awall","language":"Lua","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alpinelinux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-11-02T23:49:10.000Z","updated_at":"2024-12-17T15:54:10.000Z","dependencies_parsed_at":"2024-11-20T13:47:59.514Z","dependency_job_id":null,"html_url":"https://github.com/alpinelinux/awall","commit_stats":null,"previous_names":[],"tags_count":90,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpinelinux%2Fawall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpinelinux%2Fawall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpinelinux%2Fawall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpinelinux%2Fawall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/al
pinelinux","download_url":"https://codeload.github.com/alpinelinux/awall/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230400616,"owners_count":18219831,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpine-linux","firewall-configuration","iptables","lua"],"created_at":"2024-11-25T12:31:48.485Z","updated_at":"2024-12-19T08:09:09.893Z","avatar_url":"https://github.com/alpinelinux.png","language":"Lua","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Alpine Wall User's Guide\n\n## Introduction\n\nAlpine Wall (awall) is a Linux firewall configuration tool, providing\nvarious benefits over plain iptables:\n\n* Common usage patterns abstracted to high-level constructs, such as\n  [zones](#zone) and [limits](#limit)\n* Single source for multiple heterogeneous hosts: implement modular\n  policies using [dependencies](#processing) and\n  [variables](#variable)\n* Single source for IPv4 and IPv6 rules\n* Refer to hosts using DNS names\n* [Review the effect of changed policies](#diff) before activation\n* [Automatic fallback](#activate): avoid locking yourself out when\n  changing rules\n\nAwall is lightweight: no additional daemons, Python, D-BUS\netc. required. Awall translates high-level policies into the format\naccepted by \u003ccode\u003eiptables-restore\u003c/code\u003e.\n\n## \u003ca name=\"processing\"\u003e\u003c/a\u003eConfiguration File Processing\n\nAwall reads its configuration from multiple JSON-formatted files,\ncalled *policy files*. 
The files located in directory\n`/usr/share/awall/mandatory` are *mandatory* policies shipped with APK\npackages. In addition, there can be installation-specific mandatory\npolicies in `/etc/awall`.\n\nThe latter directory may also contain symbolic links to policy files\nlocated in `/usr/share/awall/optional` and\n`/etc/awall/optional`. These are *optional* policies, which can be\nenabled on need basis. Such symbolic links are easily created and\ndestroyed using the `awall enable` and `awall disable`\ncommands. `awall list` shows which optional policies are enabled and\ndisabled. The command also prints the description of the optional\npolicy if defined in the file using a top-level attribute named\n**description**.\n\nSometimes a policy file depends on other policy files. In this case,\nthe policy file must have a top-level attribute **import**, the value\nof which is a list of policy names, which correspond to the file names\nwithout the `.json` suffix. The imported policies may be either\noptional policies or *private* policies, located in\n`/usr/share/awall/private` or `/etc/awall/private`. By default, the\npolicies listed there are processed before the importing policy.\n\nThe order of the generated iptables rules generally reflects the\nprocessing order of their corresponding awall policies. The processing\norder of policies can be adjusted by defining top-level attributes\n**after** and **before** in policy files. These attributes are lists\nof policies, after or before which the declaring policy shall be\nprocessed. Putting a policy name to either of these lists does not by\nitself import the policy. The ordering directives are ignored with\nrespect to those policies that are not enabled by the user or imported\nby other policies. 
If not defined, **after** is assumed to be equal to\nthe relative complement of the **before** definition in the **import**\ndefinition of the policy.\n\nAs the import directive does not require the path name to be\nspecified, awall expects policies to have unique names, even if\nlocated in different directories. It is allowed to import optional\npolicies that are not explicitly enabled by the user. Such policies\nshow up with the `required` status in the output of `awall list`.\n\nHistorically, awall has ignored superfluous attributes in JSON\nobjects. This behavior is about to change. In order to enforce\nfuture-proof strict schema checking, one can set the\n**awall_schema_check** variable to **true**. Setting it to **false**\nwill revert to the old behavior and suppress any warnings on schema\nviolations.\n\n## List Parameters\n\nSeveral awall parameters are defined as lists of values. In order to\nfacilitate manual editing of policy files, awall also accepts single\nvalues in place of lists. Such values are semantically equivalent to\nlists containing one element.\n\n## \u003ca name=\"variable\"\u003e\u003c/a\u003eVariables\n\nAwall allows variable definitions in policy files. The top-level\nattribute **variable** is a dictionary containing the definitions. The\nvalue of a variable can be of any type (string, integer, list, or\ndictionary).\n\n### Variable Expansion\n\nA variable is referenced in policy files by a string which equals the\nvariable name prepended with the **$** character. If the value of the\nvariable is a string, the reference can be embedded into a longer\nstring in order to substitute some part of that string (in shell\nstyle). Variable references can be used when defining other variables,\nas long as the definitions are not circular.\n\nPolicy files can reference variables defined in other policy\nfiles. Policy files can also override variables defined elsewhere by\nredefining them. 
In this case, the new definition affects all policy\nfiles, also those processed before the overriding policy. Awall\nvariables are in fact simple macros, since each variable remains\nconstant throughout a single processing round. If multiple files define\nthe same variable, the definition in the file processed last takes\neffect.\n\nIf defined as an empty string, all non-embedded references to a\nvariable evaluate as if the attribute in question was not present in\nthe configuration. This is also the case when a string containing\nembedded variable references finally evaluates to an empty string.\n\n### Control Variables\n\nVariables controlling the awall behavior are prefixed with **awall_**.\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\u003cth\u003eVariable\u003c/th\u003e\u003cth\u003eDescription\u003c/th\u003e\u003cth\u003eDefault value\u003c/th\u003e\u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eawall_dedicated_chains\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eInstall rules to \u003ca href=\"#dedicated\"\u003ededicated chains\u003c/a\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003efalse\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eawall_families\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        List of address families (\u003cstrong\u003einet\u003c/strong\u003e and\n        \u003cstrong\u003einet6\u003c/strong\u003e) for which to configure the firewall\n      \u003c/td\u003e\n      \u003ctd\u003eAuto-detected\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eawall_schema_check\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Disable (\u003cstrong\u003efalse\u003c/strong\u003e), enable\n        (\u003cstrong\u003enull\u003c/strong\u003e), or enforce (\u003cstrong\u003etrue\u003c/strong\u003e)\n        schema 
check for \u003ca href=\"#processing\"\u003epolicy files\u003c/a\u003e\n      \u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003enull\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eawall_tproxy_mark\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Mark for packets diverted to a \u003ca href=\"#tproxy\"\u003etransparent proxy\u003c/a\u003e\n      \u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n## Configuration Objects\n\nConfiguration objects can be divided into two main types. *Auxiliary\nobjects* model high-level concepts such as services and zones. *Rule\nobjects* translate into one or more iptables rules, and are often\ndefined with the help of some auxiliary objects.\n\n### \u003ca name=\"service\"\u003e\u003c/a\u003eServices\n\nA *service* represents a set of network protocols. A top-level\nattribute **service** is a dictionary that maps service names to\nservice definition objects, or lists thereof in more complex cases.\n\nA service definition object contains an attribute named **proto**,\nwhich corresponds to the `--protocol` option of iptables. The protocol\ncan be defined as a numerical value or string as defined in\n`/etc/protocols`. If the protocol is **tcp** or **udp**, the scope of\nthe service definition may be constrained by defining an attribute\nnamed **port**, which is a list of TCP or UDP port numbers or ranges\nthereof, separated by the **-** character. If the protocol is **icmp**\nor **icmpv6**, an analogous **type** attribute may be used. The\nreplies to ICMP messages have their own type codes, which may be\nspecified using the **reply-type** attribute.\n\nIf the protocol is **icmp** or **icmpv6**, the scope of the rule is\nalso automatically limited to IPv4 or IPv6, respectively. There are\nalso other services which are specific to IPv4 or IPv6. 
To constrain\nthe scope of the service definition to either protocol version, an\noptional **family** attribute can be set to value **inet** or\n**inet6**, respectively.\n\nSome services require the server or client to open additional\nconnections to dynamically allocated ports or even different\nhosts. *Connection tracking helpers* are used to make the firewall\naware of such additional connections. The **ct-helper** attribute is\nused to associate such a helper to a service definition when required\nby the service.\n\nAll rule objects, except for policy and MSS clamping rules, may have\nan attribute named **service**, constraining the rule's scope to\nspecific services only. This attribute is a list of service names,\nreferring to the keys of the top-level service dictionary.\n\n### \u003ca name=\"zone\"\u003e\u003c/a\u003eZones\n\nA *zone* represents a set of network hosts. A top-level attribute\n**zone** is a dictionary that maps zone names to zone objects. A zone\nobject has any combination of attributes named **iface**, **addr**,\nand **ipsec**. **iface** is a list of network interfaces and **addr**\nis a list of IPv4/IPv6 host and network addresses (CIDR notation).\n**addr** may also contain domain names, which are expanded to IP\naddresses using DNS resolution. If not defined, **addr** defaults to\nthe entire address space and **iface** to all interfaces. An empty\nzone can be defined by setting either **addr** or **iface** to an\nempty list.\n\nRule objects contain two attributes, **in** and **out**, which are\nlists of zone names. These attributes control whether a packet matches\nthe rule or not. If a particular zone is referenced by the **in**\nattribute, the rule applies to packets whose ingress interface and\nsource address are covered by the zone definition. Correspondingly, if\na zone is referenced by the **out** attribute, the rule applies to\npackets whose egress interface and destination address are included in\nthe zone. 
If both **in** and **out** are defined, the packet must\nfulfill both criteria in order to match the rule.\n\nThe firewall host itself can be referred to using the special value\n**_fw** as the zone name.\n\nIn general, it is not necessary to define rules for both directions of\ntraffic. Awall policies are supposed to declare explicit rules in one\ndirection, such that the **in** zone points to the client and **out**\nto the server side of the service, that is, the side where the TCP/UDP\nport or ICMP type matches the [service definition](#service). The\nnecessary iptables rules for the opposite direction are automatically\ndeduced.\n\nBy default, awall does not generate iptables rules with identical\ningress and egress interfaces. This behavior can be changed per zone\nby setting the optional **route-back** attribute of the zone to\n**true**. Note that this attribute can have an effect also in the case\nwhere **in** and **out** attributes of a rule are not equal but their\ndefinitions overlap. In this case, the **route-back** attribute of the\n**out** zone determines the behavior.\n\nIf used, the **ipsec** attribute is used to exclude from the zone any\ntraffic that is or is not subject to IPsec processing. If set to\n**true** in the **in** zone, only the packets subject to IPsec\ndecapsulation are considered originating from the zone. In the **out**\nzone, only the packets subject to IPsec encapsulation will be included\nif **ipsec** is set to **true**. The value of **false** would exclude\nany traffic requiring IPsec processing towards the respective\ndirection.\n\n### \u003ca name=\"limit\"\u003e\u003c/a\u003eLimits\n\nA *limit* specifies the maximum rate for a flow of packets or new\nconnections. Unlike the other auxiliary objects, limits are not named\nmembers of a top-level dictionary but are embedded into other objects.\n\nIn its simplest form, a limit definition is an integer specifying the\nmaximum number of packets or connections per second. 
More complex\nlimits are defined as objects, where the **count** attribute defines\nthe maximum during an interval defined by the **interval**\nattribute. The unit of the **interval** attribute is second, and the\ndefault value is 1. The default value for **count** is 1 as well.\n\nThe maximum rate defined by a limit may be absolute or specific to\nblocks of IP addresses or pairs thereof. The number of most\nsignificant bits taken into account when mapping the source and\ndestination IP addresses to blocks can be specified with the\n**src-mask** and **dest-mask** attributes, respectively. If set to\n**true** (boolean), all bits are considered. The value of **false**\ncauses the respective address to be ignored. Address\nfamily\u0026ndash;specific prefix lengths can be set by defining the mask\nas an object with attributes named **inet** and **inet6**.\n\nThe default behavior with respect to the masks depends on the type of\nthe enclosing object. For [filters](#filter), the default behavior is\nto apply the limit for each source address separately. For [logging\nclasses](#log), the limit is considered absolute by default.\n\nThe packet rates contributing to the limit may be summed over multiple\n[filters](#filter). This can be achieved by setting the optional\n**name** attribute to equal values among the related limits. If the\n**update** attribute is set to **false** (boolean), the rates measured\nat this limit are not included in the sum, but the referred sum is\nused to make the limiting decision. Named limits may be specific only\nto fixed-size blocks of either the source or the destination address,\nnot both. However, the address to be considered may vary among the\nrules using the limit and may be selected by setting an attribute\nnamed **addr** to either **src** (default) or **dest**. 
By default,\nall bits of the selected address are taken into account, but address\nfamily\u0026ndash;specific prefix lengths can be set via the top-level\n**limit** dictionary, where the keys correspond to limit names and\nvalues follow the syntax of **src-mask** and **dest-mask**.\n\n### \u003ca name=\"log\"\u003e\u003c/a\u003eLogging Classes\n\nA *logging class* specifies how packets matching certain rules are\nlogged. A top-level attribute **log** is a dictionary that maps\nlogging class names to setting objects.\n\nA setting object may have an attribute named **mode**, which specifies\nwhich logging facility to use. Allowed values are **log**, **nflog**,\n**ulog**, and **none**. The default is **log**, i.e. in-kernel\nlogging.\n\nThe following table shows the optional attributes valid for all\nlogging modes:\n\n\u003ctable\u003e\n  \u003cthead\u003e\u003ctr\u003e\u003cth\u003eAttribute\u003c/th\u003e\u003cth\u003eDescription\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eevery\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Divide successive packets into groups, the size of which is\n        specified by the value of this attribute, and log only the\n        first packet of each group\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003elimit\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Maximum number of packets to be logged defined as \u003ca\n        href=\"#limit\"\u003elimit\u003c/a\u003e\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eprefix\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eString with which the log entries are prefixed\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eprobability\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eProbability for logging an individual 
packet (default: 1)\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\nWith the in-kernel log mode **log**, the level of logging may be\nspecified using the **level** attribute. Log modes **nflog** and\n**ulog** are about copying the packets into user space, at least\npartially. The following table shows the additional attributes valid\nwith these modes:\n\n\u003ctable\u003e\n  \u003cthead\u003e\u003ctr\u003e\u003cth\u003eAttribute\u003c/th\u003e\u003cth\u003eDescription\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\u003ctd\u003e\u003cstrong\u003egroup\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eNetlink group to be used\u003c/td\u003e\u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003erange\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eNumber of bytes to be copied\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003ethreshold\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eNumber of packets to queue inside the kernel before copying them\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\nCopies of the eligible packets are sent to all hosts defined with the\n**mirror** attribute of the logging class. The hosts may be defined\nusing IP addresses or DNS names. If this attribute is defined,\n**mode** defaults to **none**.\n\n[Filter](#filter) and [policy](#policy) rules can have an attribute\nnamed **log**. If it is a string, it is interpreted as a reference to\na logging class, and logging is performed according to the\ndefinitions. If the value of the **log** attribute is **true**\n(boolean), logging is done using default settings. If the value is\n**false** (boolean), logging is disabled for the rule. 
If **log** is\nnot defined, logging is done using the default settings except for\naccept and pass rules, for which logging is omitted.\n\nDefault logging settings can be set by defining a logging class named\n**_default**. Normally, default logging uses the **log** mode with\npackets limited to one per second.\n\n### Rules\n\nThere are several types of rule objects:\n\n* Filter rules\n* Policy rules\n* Packet logging rules\n* NAT rules\n* Packet marking rules\n* Packet classification rules\n* TTL adjustment rules\n* Transparent proxy rules\n* MSS clamping rules\n* Connection tracking bypass rules\n\nAll rule objects can have the **in** and **out** attributes referring\nto [zones](#zone) as described in the previous section. In addition,\nthe scope of the rule can be further constrained with the following\nattributes:\n\n\u003ctable\u003e\n  \u003cthead\u003e\u003ctr\u003e\u003cth\u003eAttribute\u003c/th\u003e\u003cth\u003eDescription\u003c/th\u003e\u003cth\u003eEffect\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003esrc\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Similar to \u003cstrong\u003eaddr\u003c/strong\u003e attribute of \u003ca\n        href=\"#zone\"\u003ezone objects\u003c/a\u003e\n      \u003c/td\u003e\n      \u003ctd\u003ePacket's source address matches the value\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003edest\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Similar to \u003cstrong\u003eaddr\u003c/strong\u003e attribute of \u003ca\n        href=\"#zone\"\u003ezone objects\u003c/a\u003e\n      \u003c/td\u003e\n      \u003ctd\u003ePacket's destination address matches the value\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eipset\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        List of objects containing two attributes:\n       
 \u003cstrong\u003ename\u003c/strong\u003e referring to an \u003ca href=\"#ipset\"\u003eIP\n        set\u003c/a\u003e and \u003cstrong\u003eargs\u003c/strong\u003e, which is a list of strings\n        \u003cstrong\u003ein\u003c/strong\u003e and \u003cstrong\u003eout\u003c/strong\u003e\n      \u003c/td\u003e\n      \u003ctd\u003e\n        Packet matches any of the IP sets referred here when the match\n        arguments are taken from the source (\u003cstrong\u003ein\u003c/strong\u003e) and\n        destination (\u003cstrong\u003eout\u003c/strong\u003e) address, port, or interface\n        in the order specified by \u003cstrong\u003eargs\u003c/strong\u003e for the\n        respective set\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003estring\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        String or object containing at least an attribute named\n        \u003cstrong\u003ematch\u003c/strong\u003e and optionally one or more of the\n        following: \u003cstrong\u003ealgo\u003c/strong\u003e, \u003cstrong\u003efrom\u003c/strong\u003e, and\n        \u003cstrong\u003eto\u003c/strong\u003e.\n      \u003c/td\u003e\n      \u003ctd\u003e\n        Packet contains the given plain string or the one defined by\n        the \u003cstrong\u003ematch\u003c/strong\u003e attribute. Attributes\n        \u003cstrong\u003efrom\u003c/strong\u003e and \u003cstrong\u003eto\u003c/strong\u003e can be used to\n        constrain the search to the specific byte range of the\n        packet. The used algorithm may be selected using the\n        \u003cstrong\u003ealgo\u003c/strong\u003e attribute. 
The allowed values are\n        \u003cstrong\u003ebm\u003c/strong\u003e for Boyer\u0026ndash;Moore (default) and\n        \u003cstrong\u003ekmp\u003c/strong\u003e for Knuth\u0026ndash;Morris\u0026ndash;Pratt.\n      \u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\nRule objects are declared in type-specific top-level dictionaries in\nawall policy files. If a packet matches multiple rules, the one\nappearing earlier in the list takes precedence. If the matching rules\nare defined in different policy files, the one that was processed\nearlier takes precedence in the current implementation, but this may\nchange in future versions.\n\n#### \u003ca name=\"filter\"\u003e\u003c/a\u003eFilter Rules\n\nFilter objects specify an action for packets fulfilling certain\ncriteria. The top-level attribute **filter** is a list of filter\nobjects.\n\nFilter objects may have an attribute named **action**, the value of\nwhich can be one of the following:\n\n\u003ctable\u003e\n  \u003cthead\u003e\u003ctr\u003e\u003cth\u003eValue\u003c/th\u003e\u003cth\u003eAction\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eaccept\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eAccept the packet (default)\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003ereject\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eReject the packet with an ICMP error message\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\u003ctd\u003e\u003cstrong\u003edrop\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eSilently drop the packet\u003c/td\u003e\u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003etarpit\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Put incoming TCP connections into persist state and ignore\n        attempts to close them. Silently drop non-TCP\n        packets. 
(Connection tracking bypass is automatically enabled\n        for the matching packets.)\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003epass\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eNo action\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\nFilter objects, the action of which is **accept**, may also contain\nlimits for packet flow or new connections. These are specified with\nthe **flow-limit** and **conn-limit** attributes, respectively. The\nvalues of these attributes are [limit objects](#limit). The **drop**\naction is applied to the packets exceeding the limit. Optionally, the\nlimit object may have an attribute named **log**. It defines how the\ndropped packets should be logged and is semantically similar to the\n**log** attribute of rule objects.\n\nFilter objects may have an attribute named **update-limit**. This\ncauses the packet flow or new connection attempts matching the filter\nto be included in the total rate of a named limit without any packets\nbeing dropped. When defined as a string, it is interpreted as the name\nof the limit. It can also be defined as an object with a **name**\nattribute and additional attributes. The **measure** attribute is used\nto select whether to measure the packet flow (**flow**) or connection\nattempts (**conn**, default). The **addr** attribute is used to select\nwhether to consider the source (**src**, default) or destination\n(**dest**) address. When **update-limit** is defined, **action**\ndefaults to **pass** and cannot be set to any other value.\n\nFilter objects may have an attribute named **dnat**, the value of\nwhich is an IPv4 address or a DNS name resolving to a single IPv4\naddress. If defined, this enables destination NAT for all IPv4 packets\nmatching the rule, such that the specified address replaces the\noriginal destination address. 
If also port translation is desired, the\nattribute may be defined as an object consisting of attributes\n**addr** and **port**. The format of the **port** attribute is similar\nto that of the **to-port** attribute of [NAT rules](#nat). This option\nhas no effect on IPv6 packets.\n\nFilter objects may have a boolean attribute named **no-track**. If set\nto **true**, connection tracking is bypassed for the matching\npackets. In addition, if **action** is set to **accept**, the\ncorresponding packets travelling to the reverse direction are also\nallowed.\n\nIf one or more connection tracking helpers are associated with the\nservices referred to by an accept rule, additional iptables rules are\ngenerated for the related connections detected by the helpers. The\n**related** attribute can be used to override the default rules\ngenerated by awall. It is a list of basic rule objects, the packets\nmatching to which are accepted, provided that they are also detected\nby at least one of the helpers.\n\n#### \u003ca name=\"policy\"\u003e\u003c/a\u003ePolicy Rules\n\nPolicy objects describe the default action for packets that did not\nmatch any filter. The top-level attribute **policy** is a list of\npolicy objects.\n\nPolicy objects must have the **action** attribute defined. The\npossible values and their semantics are the same as in [filter\nrules](#filter).\n\n#### Packet Logging Rules\n\nPacket logging rules allow packets matching the specified criteria to\nbe logged before any filtering takes place. Such rules are contained\nin the top-level list named **packet-log**.\n\nLogging class may be specified using the **log** attribute. Otherwise,\ndefault logging settings are used.\n\n#### \u003ca name=\"nat\"\u003e\u003c/a\u003eNAT Rules\n\nNAT rules come in two flavors: *source NAT rules* and *destination NAT\nrules*. 
These are contained in two top-level lists named **snat** and\n**dnat**, respectively.\n\nEach NAT rule may have an attribute named **to-addr** that specifies\nthe IP address ranges to which the original source or destination\naddress is mapped. It is a list that can contain\n\n* an IPv4 address or range\n* an IPv6 address or range\n* a DNS name which resolves to an IPv4 and/or IPv6 address\n\nOnly one address or range per protocol version may be defined. Ranges\nare specified by two addresses, separated with the **-** character. If\nnot defined, **to-addr** defaults to the primary address of the\ningress interface in case of destination NAT, or that of the egress\ninterface in case of source NAT.\n\nWhen **to-addr** is defined, the NAT rule applies to those protocol\nversions for which an address is given. The protocol version scope can\nbe explicitly defined using the **family** attribute. It is a list\nwhere the allowed values are **inet** and **inet6**, corresponding to\nIPv4 and IPv6. When both **to-addr** and **family** are undefined, the\nrule applies to IPv4 packets only.\n\nOptionally, a NAT rule can specify the TCP and UDP port range to which\nthe original source or destination port is mapped. The attribute is\nnamed **to-port**, and the value can be a single port number or a\nrange specified by two numbers, separated with the **-** character. If\n**to-port** is not specified, the original port number is kept intact.\n\nNAT rules may have an **action** attribute set to value **include**\nor **exclude**. The latter means that NAT is not performed on the\nmatching packets (unless they match an **include** rule processed\nearlier). The default value is **include**.\n\n#### Packet Marking Rules\n\nPacket marking rules are used to mark packets matching the specified\ncriteria. 
The mark can be used as a basis for the routing decision.\nEach marking rule must specify the mark using the **mark** attribute,\nwhich is a 32-bit integer.\n\nNormal marking rules are contained in the top-level list attribute\nnamed **mark**.\n\nThere is another top-level list attribute, named **route-track**,\nwhich contains route tracking rules. These are special marking rules\nwhich cause all the subsequent packets related to the same connection\nto be marked according to the rule.\n\n#### Packet Classification Rules\n\nPacket classification rules are used to set the DSCP field of the\npackets matching the specified criteria, in order to ensure quality of\nservice. Each classification rule, contained in the top-level list\nattribute named **classify**, must specify the class using the\n**class** attribute. These rules apply to both directions of the\nmatching traffic.\n\n#### TTL Adjustment Rules\n\nTTL adjustment rules are used to set the TTL field of the IPv4 packets\nmatching the specified criteria. The TTL adjustment rules are contained\nin the top-level list attribute named **ttl** and define an attribute\nnamed **ttl**. If the value is a non-negative integer, the TTL of the\npacket is set to the value. If it is a negative integer, the TTL value\nis decremented accordingly. The TTL value can be incremented by a\nconstant by setting the attribute value to a string representing a\npositive integer, prepended with the plus sign (**+**).\n\n#### \u003ca name=\"tproxy\"\u003e\u003c/a\u003eTransparent Proxy Rules\n\nTransparent proxy rules divert the matching packets to a local proxy\nprocess without altering their headers. Such rules are contained in\nthe top-level list named **tproxy**.\n\nIn addition to the firewall configuration, using a transparent proxy\nrequires a routing configuration where packets marked for proxying are\ndiverted to a local process. 
The **awall_tproxy_mark** variable can be\nused to specify the mark for such packets, which defaults to 1.\n\nProxy rules may also have an attribute named **to-port** for\nspecifying the TCP or UDP port of the proxy if it is different from\nthe original destination port.\n\n#### MSS Clamping Rules\n\nMSS clamping rules are used to deal with ISPs that block ICMP\nFragmentation Needed or ICMPv6 Packet Too Big packets. An MSS clamping\nrule overwrites the MSS option with a value specified with the **mss**\nattribute for the matching TCP connections. If **mss** is not\nspecified, a suitable value is automatically determined from the path\nMTU. The MSS clamping rules are located in the top-level dictionary\nnamed **clamp-mss**.\n\n#### Connection Tracking Bypass Rules\n\nConnection tracking bypass rules are used to disable connection\ntracking for packets matching the specified criteria. The top-level\nattribute **no-track** is a list of such rules.\n\nLike [NAT rules](#nat), connection tracking bypass rules may have an\n**action** attribute set to the value **include** or **exclude**.\n\n### \u003ca name=\"ipset\"\u003e\u003c/a\u003eIP Sets\n\nAny IP set referenced by rule objects should be created by\nawall. Auxiliary *IP set* objects are used to define them in awall\npolicy files. The top-level attribute **ipset** is a dictionary, the\nkeys of which are IP set names. The values are IP set objects, which\nhave two mandatory attributes. The attribute named **type**\ncorresponds to the type argument of the `ipset create`\ncommand. **family** specifies whether the set is for IPv4 or IPv6\naddresses, and the possible values are **inet** and **inet6**,\nrespectively.\n\nIf the **timeout** attribute is set to **true**, entries added to the\nIP set may be assigned a timeout, after which they are automatically\ndeleted from the set. 
If set to an integer, the timeout functionality\nis enabled for the set and all entries are by default assigned a\ntimeout corresponding to the value in seconds.\n\nFor bitmap-type IP sets, the **range** attribute specifies the range\nof allowed IPv4 addresses. It may be given as a network address or two\naddresses separated by the **-** character. It is not necessary to\nspecify **family** for bitmaps, since the kernel supports only IPv4\nbitmaps.\n\nThe maximum size of hash-type IP sets may be limited with the **size**\nattribute.\n\n## Customizing iptables Rules\n\nIn the rare event that awall's capabilities do not suffice for your\nuse case, it is possible to manually define match options, targets,\nand additional chains.  Match options can be added via the **match**\nattribute in the corresponding awall rule. The iptables target with\npossible options can be set via the **action** attribute. The iptables\ntargets are always spelled in upper case, so awall can distinguish\nthem from other actions.\n\nCustomized chains can be defined in the top-level dictionary named\n**custom**.  The key is the unique identifier of the chain, and\npackets can be sent to the chain by defining the value of the\n**action** attribute of an awall rule as this identifier prefixed by\n**custom:**. The values of the dictionary are lists of objects. Each\nobject maps to a single rule in the custom iptables chain, typically\ndefined using two attributes: **match** for match options and\n**target** for the target with its options. The target can also refer\nto another customized chain, using the **custom:** prefix. If\n**match** is left unspecified, the rule will match all packets. 
It is\nalso possible to constrain each rule to IPv4 or IPv6 only by defining\nthe **family** attribute as **inet** or **inet6**, respectively.\n\n## \u003ca name=\"dedicated\"\u003e\u003c/a\u003eCo-Existence with Other Firewall Management Tools\n\nIf awall is used on a host running other software that manipulates\niptables rules, it is recommended to set the\n**awall_dedicated_chains** variable to **true**, which will have the\nfollowing effects:\n\n* Awall installs its own rules to dedicated chains prefixed with\n  **awall-**.\n* Activation of awall rules leaves any unrelated rule intact.\n\n## Command Line Syntax\n\n### Translating Policy Files to Firewall Configuration Files\n\n **awall translate** \\[**-o** | **--output** DIRECTORY\\] \\[**-V** | **--verify**\\]\n\nThe `--verify` option makes awall verify the configuration using the\ntest mode of \u003ccode\u003eiptables-restore\u003c/code\u003e before overwriting the old\nfiles.\n\nSpecifying the output directory allows testing awall policies without\noverwriting the current iptables and ipset configuration files. By\ndefault, awall generates the configuration to `/etc/iptables` and\n`/etc/ipset.d`, which are read by the init scripts.\n\n### \u003ca name=\"activate\"\u003e\u003c/a\u003eRun-Time Configuration of Firewall\n\n **awall activate** \\[**-f** | **--force**\\]\n\nThis command generates firewall configuration from the policy files,\nsuperseding the currently active configuration. If the user confirms the new\nconfiguration by hitting the Return key within 10 seconds or the `--force`\noption is used, the configuration is saved to the files. 
Otherwise, the old\nconfiguration is restored.\n\nUnless the `--force` option is used, the firewall must already be active when\nthis command is run.\n\n **awall flush** \\[**-a** | **--all**\\]\n\nNormally, this command deletes all firewall rules and configures the firewall to\ndrop all packets.\n\nIf awall is configured to [co-exist with other firewall management\ntools](#dedicated), this command flushes only the rules installed by\nawall. Specifying `--all` overrides this behavior and causes all rules\nto be flushed.\n\n### Optional Policies\n\nOptional policies can be enabled or disabled using this command:\n\n **awall** {**enable** | **disable**} POLICY...\n\nOptional policies can be listed using this command:\n\n **awall list** \\[**-a** | **--all**\\]\n\nThe **enabled** status means that the policy has been enabled by the\nuser. The **disabled** status means that the policy is not in use. The\n**required** status means that the policy has not been enabled by the\nuser but is in use because it is required by another policy which is\nin use.\n\nNormally, the command lists only optional policies. Specifying `--all`\nmakes it list all policies and more information about them.\n\n### Debugging Policies\n\nThis command can be used to dump variable, zone, and other definitions\nas well as their source policies:\n\n **awall dump** \\[LEVEL\\]\n\nThe level is an integer in range 0\u0026ndash;5 and defaults to 0. 
More\ninformation is displayed on higher levels.\n\n\u003ca name=\"diff\"\u003e\u003c/a\u003e **awall diff** \\[**-o** | **--output** DIRECTORY\\]\n\nDisplays the differences in the input policy files and generated output\nfiles since the last **translate** or **activate** command.\n\nWhen the `--output` option is used, the updated configuration is\ncompared to the generated files in the specified directory (generated\nby the equivalent **translate** command).\n\n## Default Policies\n\nAwall ships with a set of optional policies, which can be used as the\nbasis for firewall configuration:\n\n\u003ctable\u003e\n  \u003cthead\u003e\u003ctr\u003e\u003cth\u003eName\u003c/th\u003e\u003cth\u003eDescription\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-clamp-mss\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eClamp MSS on WAN\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-dhcp\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eAllow DHCP on specified zones\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-http-server\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eAllow HTTP server on the firewall host\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-local-outbound\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003ePolicy for local outbound traffic\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-ntp-client\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eAllow DNS and NTP clients on the firewall host\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-ping\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Allow ICMP echo request. 
On WAN, rate is limited to 3 packets\n        per second.\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-router\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Routing policy from LAN to WAN, possibly with NAT. Prevent LAN\n        address spoofing from WAN.\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-ssh-client\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eAllow SSH clients on the firewall host\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-ssh-server\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Allow SSH server on the firewall host. On WAN, rate is limited\n        to 1 connection per 10 seconds.\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-web-client\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eAllow DNS, HTTP, and HTTPS from specified zones to WAN\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\nThe behavior of these policies can be tuned by defining variables and\nzones in a policy named **adp-config** or another policy imported by\nthis policy. 
On Alpine Linux, the **setup-firewall** utility\nautomatically enables some of the policies and generates an initial\n**adp-config** policy by making an educated guess.\n\n### Zones\n\n\u003ctable\u003e\n  \u003cthead\u003e\u003ctr\u003e\u003cth\u003eName\u003c/th\u003e\u003cth\u003eUsed by\u003c/th\u003e\u003cth\u003eDescription\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-lan\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-router\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Local Area Network (LAN), defined by variables prefixed with\n        \u003cstrong\u003eadp_lan_\u003c/strong\u003e\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-lan-ifaces\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        LAN interfaces, defined by variable \u003cstrong\u003eadp_lan_ifaces\u003c/strong\u003e and\n        intended to be included in \u003cstrong\u003eadp_dhcp_zones\u003c/strong\u003e\n      \u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-wan\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        \u003cstrong\u003eadp-clamp-mss\u003c/strong\u003e\u003cbr\u003e\n        \u003cstrong\u003eadp-ntp-client\u003c/strong\u003e\u003cbr\u003e\n        \u003cstrong\u003eadp-ping\u003c/strong\u003e\u003cbr\u003e\n        \u003cstrong\u003eadp-router\u003c/strong\u003e\u003cbr\u003e\n        \u003cstrong\u003eadp-ssh-server\u003c/strong\u003e\u003cbr\u003e\n        \u003cstrong\u003eadp-web-client\u003c/strong\u003e\n      \u003c/td\u003e\n      \u003ctd\u003e\n        Wide Area Network (WAN), to be defined in \u003cstrong\u003eadp-config\u003c/strong\u003e\n      \u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n### Variables\n\n\u003ctable\u003e\n  
\u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eName\u003c/th\u003e\u003cth\u003eUsed by\u003c/th\u003e\u003cth\u003eDescription\u003c/th\u003e\u003cth\u003eDefault value\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp_dhcp_zones\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-dhcp\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eZones on which DHCP is allowed\u003c/td\u003e\n      \u003ctd\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp_lan_addrs\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-router\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eLAN addresses\u003c/td\u003e\n      \u003ctd\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp_lan_ifaces\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        \u003cstrong\u003eadp-dhcp\u003c/strong\u003e\u003cbr\u003e\n        \u003cstrong\u003eadp-router\u003c/strong\u003e\n      \u003c/td\u003e\n      \u003ctd\u003eLAN interfaces\u003c/td\u003e\n      \u003ctd\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp_lan_private_addrs\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-router\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\n        Private LAN addresses for which NAT must be applied when routing to WAN\n      \u003c/td\u003e\n      \u003ctd\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp_local_policy\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-local-outbound\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003ePolicy for local outbound traffic\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003ereject\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp_router_policy\u003c/strong\u003e\u003c/td\u003e\n      
\u003ctd\u003e\u003cstrong\u003eadp-router\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eRouting policy from LAN to WAN\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003eaccept\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp_web_client_zones\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003eadp-web-client\u003c/strong\u003e\u003c/td\u003e\n      \u003ctd\u003eZones on which web clients are allowed\u003c/td\u003e\n      \u003ctd\u003e\u003cstrong\u003e_fw\u003c/strong\u003e (firewall host only)\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falpinelinux%2Fawall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falpinelinux%2Fawall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falpinelinux%2Fawall/lists"}