SHOREWALL6-EXCLUSIO(5)          [FIXME: manual]         SHOREWALL6-EXCLUSIO(5)

NAME

       exclusion - Exclude a set of hosts from a definition in a shorewall6
       configuration file.

SYNOPSIS

       !address-or-range[,address-or-range]...

       !zone-name[,zone-name]...

DESCRIPTION

       Exclusion is used when you wish to exclude one or more addresses from a
       definition. An exclamation point is followed by a comma-separated list
       of addresses. The addresses may be single host addresses (e.g.,
       fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR
       format (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and
       ip6tables include iprange support, you may also specify ranges of IP
       addresses of the form lowaddress-highaddress.

       No embedded whitespace is allowed.

       Exclusion can appear after a list of addresses and/or address ranges.
       In that case, the final list of addresses is formed by taking the first
       list and then removing the addresses defined in the exclusion.

       Beginning in Shorewall 4.4.13, the second form of exclusion is allowed
       after all and any in the SOURCE and DEST columns of
       /etc/shorewall/rules. It allows you to omit arbitrary zones from the
       list generated by those keywords.

           Warning
           If you omit a sub-zone and there is an explicit or implicit
           CONTINUE policy, a connection to/from that zone can still be
           matched by the rule generated for a parent zone.

           For example:

           /etc/shorewall6/zones:

               #ZONE          TYPE
               z1             ip
               z2:z1          ip
               ...

           /etc/shorewall6/policy:

               #SOURCE         DEST          POLICY
               z1              net           CONTINUE
               z2              net           REJECT

           /etc/shorewall6/rules:

               #ACTION         SOURCE        DEST        PROTO         DEST
               #                                                       PORT(S)
               ACCEPT          all!z2        net         tcp           22

           In this case, SSH connections from z2 to net will be accepted by
           the generated z1 to net ACCEPT rule.
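       The following lint for the pitfall in the warning above is an added
       example, not part of the Shorewall distribution. It flags all!/any!
       zone exclusions that name a sub-zone while its parent stays covered.
       The function names are hypothetical, the sample input is constructed
       from the example above, and only explicit CONTINUE policies are
       visible to it.

```python
import re

# Constructed sample input: the three files from the man page's example.
ZONES = "#ZONE TYPE\nz1 ip\nz2:z1 ip\n"
POLICY = "#SOURCE DEST POLICY\nz1 net CONTINUE\nz2 net REJECT\n"
RULES = "#ACTION SOURCE DEST PROTO DEST\nACCEPT all!z2 net tcp 22\n"

ZONE_EXCLUSION = re.compile(r"^(?:all|any)!(.+)$")  # second synopsis form

def rows(text):
    """Yield the columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parent_map(zones_text):
    """Map each sub-zone to its parents, from 'child:parent[,parent]' entries."""
    parents = {}
    for cols in rows(zones_text):
        child, _, plist = cols[0].partition(":")
        if plist:
            parents[child] = plist.split(",")
    return parents

def continue_zones(policy_text):
    """Zones named as SOURCE or DEST of an explicit CONTINUE policy."""
    zones = set()
    for cols in rows(policy_text):
        if len(cols) >= 3 and cols[2].split(":")[0] == "CONTINUE":
            zones.update(cols[:2])
    return zones

def find_leaks(zones_text, policy_text, rules_text):
    """Return (column, sub_zone, parent, explicit_continue, rule) for each
    excluded sub-zone whose parent is still covered by all/any."""
    parents, cont = parent_map(zones_text), continue_zones(policy_text)
    findings = []
    for cols in rows(rules_text):
        for name, value in zip(("SOURCE", "DEST"), cols[1:3]):
            m = ZONE_EXCLUSION.match(value)
            excluded = m.group(1).split(",") if m else []
            for zone in excluded:
                for parent in parents.get(zone, []):
                    if parent not in excluded:  # parent rule is still generated
                        explicit = bool({zone, parent} & cont)
                        findings.append((name, zone, parent, explicit, " ".join(cols)))
    return findings
```

       A finding with explicit_continue set to False still needs a manual
       check, because an implicit CONTINUE policy does not appear in the
       policy file.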

FILES

       /etc/shorewall6/hosts

       /etc/shorewall6/masq

       /etc/shorewall6/rules

       /etc/shorewall6/tcrules

SEE ALSO

       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
       shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
       shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
       shorewall6-providers(5), shorewall6-route_rules(5),
       shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
       shorewall6-secmarks(5), shorewall6-tcclasses(5),
       shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
       shorewall6-tunnels(5), shorewall-zones(5)

[FIXME: source]                   09/16/2011            SHOREWALL6-EXCLUSIO(5)