SHOREWALL6-ZONES(5)             [FIXME: manual]            SHOREWALL6-ZONES(5)


NAME

       zones - Shorewall6 zone declaration file


SYNOPSIS

       /etc/shorewall6/zones


DESCRIPTION

       The /etc/shorewall6/zones file declares your network zones. You specify
       the hosts in each zone through entries in /etc/shorewall6/interfaces or
       /etc/shorewall6/hosts.

       The columns in the file are as follows.

       ZONE - zone[:parent-zone[,parent-zone]...]
           Name of the zone. The names "all", "none", "SOURCE" and "DEST" are
           reserved and may not be used as zone names. The maximum length of a
           zone name is determined by the setting of the LOGFORMAT option in
           shorewall6.conf[1](5). With the default LOGFORMAT, zone names can
           be at most 5 characters long. The maximum length of an iptables
           log prefix is 29 bytes. As explained in shorewall6.conf[2](5), the
           default LOGFORMAT string is "Shorewall:%s:%s:" where the first %s
           is replaced by the chain name and the second is replaced by the
           disposition.

           ·   The default formatting string has 12 fixed characters
               ("Shorewall" and three colons).

           ·   The longest of the standard dispositions are ACCEPT and REJECT
               which have 6 characters each.

           ·   The canonical name for the chain containing the rules for
               traffic going from zone 1 to zone 2 is "<zone 1>2<zone 2>".

           ·   So if M is the maximum zone name length, such chains can have
               length 2*M + 1, and the prefix budget works out as

                   12 + 6 + 2*M + 1 = 29, which reduces to
                   2*M = 29 - 12 - 6 - 1 = 10, or
                   M = 5

           The order in which Shorewall6 matches addresses from packets to
           zones is determined by the order of zone declarations. Where a zone
           is nested in one or more other zones, you may either ensure that
           the nested zone precedes its parents in this file, or you may
           follow the (sub)zone name by ":" and a comma-separated list of the
           parent zones. The parent zones must have been declared in earlier
           records in this file. See shorewall6-nesting[3](5) for additional
           information.

           Example:

               #ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
               a         ipv6
               b         ipv6
               c:a,b     ipv6

           Currently, Shorewall6 uses this information to reorder the zone
           list so that parent zones appear after their subzones in the list.
           The IMPLICIT_CONTINUE option in shorewall6.conf[1](5) can also
           create implicit CONTINUE policies to/from the subzone.

           Where an ipsec zone is explicitly included as a child of an ipv6
           zone, the ruleset allows CONTINUE policies (explicit or implicit)
           to work as expected.

           In the future, Shorewall6 may make additional use of nesting
           information.

       TYPE

           ipv6
               This is the standard Shorewall6 zone type and is the default if
               you leave this column empty or if you enter "-" in the column.
               Communication with some zone hosts may be encrypted. Encrypted
               hosts are designated using the 'ipsec' option in
               shorewall6-hosts[4](5).

           ipsec (or ipsec6)
               Communication with all zone hosts is encrypted. Your kernel and
               ip6tables must include policy match support.

           firewall
               Designates the firewall itself. You must have exactly one
               'firewall' zone. No options are permitted with a 'firewall'
               zone. The name that you enter in the ZONE column will be stored
               in the shell variable $FW which you may use in other
               configuration files to designate the firewall zone.

           bport (or bport6)
               The zone is associated with one or more ports on a single
               bridge.

           vserver
               Added in Shorewall 4.4.11 Beta 2 - A zone composed of
               Linux-vserver guests. The zone contents must be defined in
               shorewall6-hosts[4](5).

               Vserver zones are implicitly handled as subzones of the
               firewall zone.

       OPTIONS, IN OPTIONS and OUT OPTIONS - [option[,option]...]
           A comma-separated list of options. With the exception of the mss
           and blacklist options, these only apply to TYPE ipsec zones.

           blacklist
               Added in Shorewall 4.4.13. May not be specified for firewall or
               vserver zones.

               When specified in the IN OPTIONS column, causes all traffic
               from this zone to be checked against the src entries in
               shorewall6-blacklist[6](5).

               When specified in the OUT OPTIONS column, causes all traffic to
               this zone to be checked against the dst entries in
               shorewall6-blacklist[6](5).

               Specifying this option in the OPTIONS column is equivalent to
               entering it in both the IN OPTIONS and OUT OPTIONS columns.

           reqid=number
               where number is the value given to setkey(8) with the
               'unique:number' option at the SPD level.

           spi=<number>
               where number is the SPI of the SA used to encrypt/decrypt
               packets.

           proto=ah|esp|ipcomp
               IPSEC Encapsulation Protocol

           mss=number
               sets the MSS field in TCP packets. If you supply this option,
               you should also set FASTACCEPT=No in shorewall6.conf[1](5) to
               ensure that both the SYN and SYN,ACK packets have their MSS
               field adjusted.

           mode=transport|tunnel
               IPSEC mode

           tunnel-src=address[/mask]
               only available with mode=tunnel

           tunnel-dst=address[/mask]
               only available with mode=tunnel

           strict
               Means that packets must match all rules.

           next
               Separates rules; can only be used with strict

           The options in the OPTIONS column are applied to both incoming and
           outgoing traffic. The IN OPTIONS are applied to incoming traffic
           (in addition to OPTIONS) and the OUT OPTIONS are applied to
           outgoing traffic (in addition to OPTIONS).

           If you wish to leave a column empty but need to make an entry in a
           following column, use "-".

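       The following is an added example and is not part of the Shorewall6
       distribution: a small Python checker that applies the rules given
       above for the ZONE column (the LOGFORMAT-derived name length and the
       reserved names, parents declared before their subzones), the TYPE
       column (exactly one option-free firewall zone) and the OPTIONS
       columns (blacklist not on firewall or vserver zones, the ipsec-only
       options, tunnel-src/tunnel-dst needing mode=tunnel, next needing
       strict) to the text of a zones file. The two sample files it carries
       are constructed for the example, 2001:db8:: prefixes included, and the
       option vocabulary is only what this page lists.

```python
"""Consistency checker for a Shorewall6 zones file.

Added example, not Shorewall's own code: it applies the rules stated in
shorewall6-zones(5) to the text of /etc/shorewall6/zones and reports what
would be rejected. The two sample files at the bottom are constructed.
"""

RESERVED = {"all", "none", "SOURCE", "DEST"}
ZONE_TYPES = {"ipv6", "ipsec", "ipsec6", "firewall", "bport", "bport6", "vserver"}
IPSEC_ONLY = {"reqid", "spi", "proto", "mode", "tunnel-src", "tunnel-dst", "strict", "next"}
LOG_PREFIX_LIMIT = 29                # --log-prefix maximum given in the man page
LONGEST_DISPOSITION = len("ACCEPT")  # ACCEPT and REJECT: 6 characters


def max_zone_name_length(logformat="Shorewall:%s:%s:"):
    """Largest M for which LOGFORMAT's fixed text, a 6-character disposition
    and a '<z1>2<z2>' chain name (2*M+1 characters) fit in LOG_PREFIX_LIMIT.
    The default LOGFORMAT has 12 fixed characters, so M = (29-12-6-1)//2 = 5."""
    fixed = len(logformat.replace("%s", ""))
    return (LOG_PREFIX_LIMIT - fixed - LONGEST_DISPOSITION - 1) // 2


def parse_zones(text):
    """Split each record into ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS.
    '#' starts a comment, '-' or a missing trailing column means empty,
    and an empty TYPE defaults to ipv6."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = (line.split() + ["-"] * 5)[:5]
        name, _, parents = cols[0].partition(":")
        opts, in_opts, out_opts = [[] if c == "-" else c.split(",") for c in cols[2:5]]
        records.append({"name": name,
                        "parents": parents.split(",") if parents else [],
                        "type": "ipv6" if cols[1] == "-" else cols[1],
                        "options": opts, "in_options": in_opts, "out_options": out_opts})
    return records


def validate(text, logformat="Shorewall:%s:%s:"):
    """Return a list of problems; an empty list means the file is consistent."""
    problems, declared, firewalls = [], [], []
    max_len = max_zone_name_length(logformat)
    for rec in parse_zones(text):
        name, ztype = rec["name"], rec["type"]
        all_opts = rec["options"] + rec["in_options"] + rec["out_options"]
        keys = {opt.split("=", 1)[0] for opt in all_opts}
        if name in RESERVED:
            problems.append(f"{name}: reserved name")
        if len(name) > max_len:
            problems.append(f"{name}: longer than {max_len} characters")
        if ztype not in ZONE_TYPES:
            problems.append(f"{name}: unknown TYPE {ztype}")
        for parent in rec["parents"]:
            if parent not in declared:
                problems.append(f"{name}: parent {parent} not declared earlier")
        if ztype == "firewall":
            firewalls.append(name)
            if all_opts:
                problems.append(f"{name}: options not permitted on a firewall zone")
        if "blacklist" in keys and ztype in ("firewall", "vserver"):
            problems.append(f"{name}: blacklist not allowed on {ztype} zones")
        for opt in all_opts:
            if opt.split("=", 1)[0] in IPSEC_ONLY and ztype not in ("ipsec", "ipsec6"):
                problems.append(f"{name}: option {opt} is only valid for ipsec zones")
        # OPTIONS apply both ways; IN/OUT OPTIONS add to them per direction.
        for direction in ("in_options", "out_options"):
            effective = rec["options"] + rec[direction]
            if any(o.startswith("tunnel-") for o in effective) and "mode=tunnel" not in effective:
                msg = f"{name}: tunnel-src/tunnel-dst require mode=tunnel"
                if msg not in problems:
                    problems.append(msg)
        if "next" in keys and "strict" not in keys:
            problems.append(f"{name}: next can only be used with strict")
        declared.append(name)
    if len(firewalls) != 1:
        problems.append(f"expected exactly one firewall zone, found {len(firewalls)}")
    return problems


# Constructed sample files, not taken from any real deployment.
GOOD_ZONES = """\
#ZONE     TYPE      OPTIONS                IN OPTIONS                  OUT OPTIONS
fw        firewall
net       ipv6      -                      blacklist
loc       ipv6
vpn       ipsec     mode=tunnel,proto=esp  tunnel-src=2001:db8:1::/64  tunnel-dst=2001:db8:2::/64
dmz:net   ipv6      mss=1220
"""

BAD_ZONES = """\
fw        firewall  mss=1220
all       ipv6
internal  ipv6
guest:lab ipv6
loc       ipv6      proto=esp
vsrv      vserver   blacklist
"""
```

       Call validate() on the contents of /etc/shorewall6/zones (passing
       your own LOGFORMAT if you changed it) before running "shorewall6
       check". It only encodes the rules stated on this page, so it does not
       replace the compiler's own validation; options this page does not
       list pass through untouched.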

FILES

       /etc/shorewall6/zones


SEE ALSO

       http://www.shorewall.net/Multiple_Zones.html.

       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
       shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
       shorewall6-maclist(5), shorewall6-nesting(5), shorewall6-params(5),
       shorewall6-policy(5), shorewall6-providers(5),
       shorewall6-route_rules(5), shorewall6-routestopped(5),
       shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
       shorewall6-tcclasses(5), shorewall6-tcdevices(5),
       shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5)


NOTES

        1. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall6.conf.html

        2. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall.conf.html

        3. shorewall6-nesting
           http://www.shorewall.net/manpages6/shorewall6-nesting.html

        4. shorewall6-hosts
           http://www.shorewall.net/manpages6/shorewall6-hosts.html

        5. shorewall-hosts
           http://www.shorewall.net/manpages6/shorewall-hosts.html

        6. shorewall6-blacklist
           http://www.shorewall.net/manpages6/shorewall6-blacklist.html

[FIXME: source]                   09/16/2011               SHOREWALL6-ZONES(5)