SHOREWALL-HOSTS(5) SHOREWALL-HOSTS(5)

NAME
hosts - Shorewall file

SYNOPSIS
/etc/shorewall/hosts

DESCRIPTION
This file is used to define zones in terms of subnets and/or individual
IP addresses. Most simple setups don't need to (should not) place
anything in this file.

The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in
shorewall-zones[1](5) determines the order in which the records in this
file are interpreted.

Warning
The only time that you need this file is when you have more than
one zone connected through a single interface.

Warning
If you have an entry for a zone and interface in
shorewall-interfaces[2](5) then do not include any entries in this
file for that same (zone, interface) pair.

The columns in the file are as follows.

ZONE - zone-name
The name of a zone declared in shorewall-zones[1](5). You may not
list the firewall zone in this column.

HOST(S) - interface:{address-or-range[,address-or-range]...|+ipset|dynamic}[exclusion]
The name of an interface defined in the shorewall-interfaces[2](5)
file followed by a colon (":") and a comma-separated list whose
elements are either:

1. The IP address of a host.

2. A network in CIDR format.

3. An IP address range of the form low.address-high.address. Your
kernel and iptables must have iprange match support.

4. The name of an ipset, prefixed with a plus sign ("+").

5. The word dynamic, which makes the zone dynamic in that you can
use the shorewall add and shorewall delete commands to change
the composition of the zone.

You may also exclude certain hosts through use of an exclusion (see
shorewall-exclusion[3](5)).

OPTIONS (Optional) - [option[,option]...]
A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list
must have no embedded white space.

maclist
Connection requests from these hosts are compared against the
contents of shorewall-maclist[4](5). If this option is
specified, the interface must be an ethernet NIC or equivalent
and must be up before Shorewall is started.

routeback
Shorewall should set up the infrastructure to pass packets from
this/these address(es) back to themselves. This is necessary if
hosts in this group use the services of a transparent proxy
that is a member of the group or if DNAT is used to send
requests originating from this group to a server in the group.

blacklist
This option only makes sense for ports on a bridge. It caused
packets arriving on this port to be checked against the
shorewall-blacklist[5](5) file. As of Shorewall 4.4.13, the option
is no longer supported and is ignored with a warning: WARNING: The
"blacklist" host option is no longer supported and will be ignored.

tcpflags
Packets arriving from these hosts are checked for certain
illegal combinations of TCP flags. Packets found to have such a
combination of flags are handled according to the setting of
TCP_FLAGS_DISPOSITION after having been logged according to the
setting of TCP_FLAGS_LOG_LEVEL.

nosmurfs
This option only makes sense for ports on a bridge.

Filter packets for smurfs (packets with a broadcast address as
the source).

Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in shorewall.conf[6](5). After logging, the
packets are dropped.

ipsec
The zone is accessed via a kernel 2.6 ipsec SA. Note that if
the zone named in the ZONE column is specified as an IPSEC zone
in the shorewall-zones[1](5) file then you do NOT need to
specify the 'ipsec' option here.

broadcast
Used when you want to include limited broadcasts (destination
IP address 255.255.255.255) from the firewall to this zone.
Only necessary when:

1. The network specified in the HOST(S) column does not
include 255.255.255.255.

2. The zone does not have an entry for this interface in
shorewall-interfaces[2](5).

destonly
Normally used with the multicast IP address range
(224.0.0.0/4). Specifies that traffic will be sent to the
specified net(s) but that no traffic will be received from the
net(s).

EXAMPLE
Example 1
The firewall runs a PPTP server which creates a ppp interface for
each remote client. The clients are assigned IP addresses in the
network 192.168.3.0/24 and in a zone named 'vpn'.

#ZONE HOST(S) OPTIONS
vpn ppp+:192.168.3.0/24
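An added checker, not part of this man page or of Shorewall itself: it parses a hosts file against the column rules documented above (the five HOST(S) element forms, the ban on the firewall zone in ZONE, the no-whitespace OPTIONS list) and against the Warning about repeating a (zone, interface) pair that is already in shorewall-interfaces(5). The sample file, the function names and the firewall zone name "fw" are constructed; the "!" exclusion syntax is assumed from shorewall-exclusion(5).

```python
import ipaddress
import re

# Constructed sample (not from the man page): Example 1 plus three records sharing eth1.
SAMPLE_HOSTS = """\
#ZONE   HOST(S)                              OPTIONS
vpn     ppp+:192.168.3.0/24
dmz     eth1:10.0.1.10,10.0.1.20-10.0.1.30   routeback,tcpflags
loc     eth1:10.0.2.0/24!10.0.2.1            maclist
guest   eth1:+guests                         nosmurfs
"""
VALID_OPTIONS = {"maclist", "routeback", "blacklist", "tcpflags",
                 "nosmurfs", "ipsec", "broadcast", "destonly"}
RANGE_RE = re.compile(r"^[\d.]+-[\d.]+$")

def classify(elem):
    """Return which of the five HOST(S) element forms 'elem' is."""
    if elem == "dynamic":
        return "dynamic"
    if elem.startswith("+") and len(elem) > 1:
        return "ipset"
    if RANGE_RE.match(elem):
        for end in elem.split("-"):
            ipaddress.ip_address(end)  # both ends must be valid addresses
        return "range"
    ipaddress.ip_network(elem, strict=False)  # raises on anything else
    return "network" if "/" in elem else "address"

def parse_hosts(text, firewall_zone="fw", interface_pairs=frozenset()):
    """interface_pairs: (zone, iface) pairs already in shorewall-interfaces(5)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank or comment line
        if len(fields) not in (2, 3):  # OPTIONS with embedded spaces land here too
            raise ValueError(f"line {lineno}: expected 2 or 3 columns")
        zone, (iface, _, spec) = fields[0], fields[1].partition(":")
        if zone == firewall_zone:
            raise ValueError(f"line {lineno}: firewall zone not allowed in ZONE")
        if (zone, iface) in interface_pairs:
            raise ValueError(f"line {lineno}: {zone} on {iface} already in interfaces")
        spec, _, excl = spec.partition("!")  # '!' exclusion, see shorewall-exclusion(5)
        kinds = [classify(e) for e in spec.split(",")]
        opts = fields[2].split(",") if len(fields) == 3 else []
        if not set(opts) <= VALID_OPTIONS:
            raise ValueError(f"line {lineno}: unknown option(s) in {opts}")
        records.append({"zone": zone, "iface": iface, "kinds": kinds,
                        "exclusion": excl or None, "options": opts})
    return records
```

Running parse_hosts(SAMPLE_HOSTS) returns one record per non-comment line; passing interface_pairs=frozenset({("vpn", "ppp+")}) makes the first record fail, which is the (zone, interface) duplication the second Warning describes.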

FILES
/etc/shorewall/hosts

SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES
1. shorewall-zones
http://www.shorewall.net/manpages/shorewall-zones.html

2. shorewall-interfaces
http://www.shorewall.net/manpages/shorewall-interfaces.html

3. shorewall-exclusion
http://www.shorewall.net/manpages/shorewall-exclusion.html

4. shorewall-maclist
http://www.shorewall.net/manpages/shorewall-maclist.html

5. shorewall-blacklist
http://www.shorewall.net/manpages/shorewall-blacklist.html

6. shorewall.conf
http://www.shorewall.net/manpages/shorewall.conf.html

09/16/2011 SHOREWALL-HOSTS(5)