;
; RSBAC JAIL definition for shorewall         
; 20080707
;
; Tested by:
; igraltist on gentoo
;
; The fields below appear to map one-to-one onto the rsbac_jail command
; line shown at the end of this file; the comments refer to that command.
;
; Chroot directory for the jail. Empty here, and the equivalent rsbac_jail
; command passes no -R option, so presumably no chroot is applied.
""
; IPv4 address the jail is limited to. The equivalent rsbac_jail command
; passes no -I option, so 0.0.0.0 presumably means "no address restriction".
"0.0.0.0"
; Jail flags, listed in the same order as the -d -D -e -n -r -y -P switches
; of the rsbac_jail command:
;   allow-dev-read, allow-dev-write, allow-dev-get-status  - device access
;   allow-all-net-family, allow-inet-raw                   - network access
;   allow-ipc-syslog, allow-ipc-parent                     - syslog / parent IPC
; NOTE(review): device write access and raw sockets are broad grants; confirm
; each flag is still needed by the shorewall version in use.
(allow-dev-read
 allow-dev-write
 allow-dev-get-status
 allow-all-net-family
 allow-inet-raw
 allow-ipc-syslog
 allow-ipc-parent)
; Linux capabilities for the jailed process (the -C list of the rsbac_jail
; command: NET_ADMIN SYS_RESOURCE SETUID SETGID NET_RAW).
; NOTE(review): setuid/setgid are included alongside the network
; capabilities; verify they are required before keeping them.
(net-admin
 sys-resource
 setuid
 setgid
 net-raw)
; SCD targets passed with -G in the rsbac_jail command (read/status side).
(firewall)
; SCD targets passed with -M in the rsbac_jail command (modify side):
; firewall, net_id, sysctl, rlimit.
(firewall
 net-id
 sysctl
 rlimit)

To start shorewall inside this jail, add the following to the shorewall init script:

 run-jail shorewall /sbin/shorewall  -f start

or call rsbac_jail directly with the equivalent options:

rsbac_jail  -d -D -e -n -r -y -P -C  NET_ADMIN SYS_RESOURCE SETUID SETGID NET_RAW -G  firewall -M  firewall net_id sysctl rlimit /sbin/shorewall  -f start