;
; RSBAC JAIL definition for shorewall
; 20080707
;
; Tested by:
; igraltist on gentoo
;
""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-dev-get-status
allow-all-net-family
allow-inet-raw
allow-ipc-syslog
allow-ipc-parent)
(net-admin
sys-resource
setuid
setgid
net-raw)
(firewall)
(firewall
net-id
sysctl
rlimit)
Add one of the following to the shorewall init script:
run-jail shorewall /sbin/shorewall -f start
or:
rsbac_jail -d -D -e -n -r -y -P -C NET_ADMIN SYS_RESOURCE SETUID SETGID NET_RAW -G firewall -M firewall net_id sysctl rlimit /sbin/shorewall -f start