stoppedrules — The Shorewall file that governs what traffic flows through the firewall while it is in the 'stopped' state.
/etc/shorewall[6]/stoppedrules 
This file is used to define the hosts that are accessible when the firewall is stopped or is being stopped.
Changes to this file do not take effect until after the next
      shorewall start, shorewall reload,
      shorewall restart, or shorewall
      compile command.
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).
ACCEPT|NOTRACK|DROPDetermines the disposition of the packet.
ACCEPT means that the packet will be
          accepted.
NOTRACK indicates that no conntrack entry
          should be created for the packet. NOTRACK does not
          imply ACCEPT.
DROP was added in Shorewall 4.6.0 and causes
          the packet to be dropped in the raw table's PREROUTING chain.
interface]|[{$FW|interface}[:address[,address]...]]|[address[,address]...]$FW matches packets originating on the
          firewall itself, while interface
          specifies packets arriving on the named interface.
This column may also include a comma-separated list of
          IP/subnet addresses. If your kernel and iptables include iprange
          match support, IP address ranges are also allowed. Ipsets and
          exclusion are also supported. When $FW or interface
          are specified, the list must be preceded by a colon (":").
If left empty or supplied as "-", 0.0.0.0/0 is assumed.
interface]|[{$FW|interface}[:address[,address]...]]|[address[,address]...]$FW matches packets addressed the firewall
          itself, while interface specifies packets
          arriving on the named interface. Neither may be specified if the
          target is NOTRACK or DROP.
This column may also include a comma-separated list of
          IP/subnet addresses. If your kernel and iptables include iprange
          match support, IP address ranges are also allowed. Ipsets and
          exclusion are also supported. When $FW or interface
          are specified, the list must be preceded by a colon (":").
If left empty or supplied as "-", 0.0.0.0/0 is assumed.
protocol-name-or-number[,...]Protocol.
Beginning with Shorewall 4.5.12, this column can accept a comma-separated list of protocols.
service-name/port-number-listOptional. A comma-separated list of port numbers and/or
          service names from /etc/services. May also
          include port ranges of the form
          low-port:high-port
          if your kernel and iptables include port range support.
This column was formerly labelled DEST PORT(S).
service-name/port-number-listOptional. A comma-separated list of port numbers and/or
          service names from /etc/services. May also
          include port ranges of the form
          low-port:high-port
          if your kernel and iptables include port range support.
Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that the DPORT column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DEST PORTS(S). Use of '=' requires multi-port match in your iptables and kernel.
This column was formerly labelled SOURCE PORT(S).