SHOREWALL-ADDRESSES(5) Configuration Files SHOREWALL-ADDRESSES(5)

addresses - Specifying addresses within a Shorewall configuration

In both Shorewall and Shorewall6, there are two basic types of
addresses:

Host Address
This address type refers to a single host.

In IPv4, the format is i.j.k.l where i through l are decimal
numbers between 1 and 255.

In IPv6, the format is a:b:c:d:e:f:g:h where a through h consist of
1 to 4 hexadecimal digits (leading zeros may be omitted). A single
series of zeros may be omitted. For example
2001:227:e857:1:0:0:0:1 may be written 2001:227:e857:1::1.

Network Address
A network address refers to 1 or more hosts and consists of a host
address followed by a slash ("/") and a Variable Length Subnet Mask
(VLSM). This is known as Classless Internet Domain Routing (CIDR)
notation.

The VLSM is a decimal number. For IPv4, it is in the range 0
through 32. For IPv6, the range is 0 through 128. The number
represents the number of leading bits in the address that represent
the network address; the remainder of the bits are a host address
and are generally given as zero.

Examples:

IPv4: 192.168.1.0/24

IPv6: 2001:227:e857:1:0:0:0:1/64

In the Shorewall documentation and manpages, we have tried to make it
clear which type of address is accepted in each specific case.

Because Shorewall uses a colon (":") as a separator in many contexts,
IPv6 addresses are best written using the standard convention in which
the address itself is enclosed in square brackets:
[2001:227:e857:1::1]
[2001:227:e857:1::]/64

Entries in Shorewall configuration files often deal with the source
(SOURCE) and destination (DEST) of connections, and Shorewall implements
a uniform way of specifying them.

A SOURCE or DEST consists of one to three parts separated by colons
(":"):

1. ZONE — The name of a zone declared in /etc/shorewall/zones or
/etc/shorewall6/zones. This part is only available in the rules
files (/etc/shorewall/rules, /etc/shorewall/blrules,
/etc/shorewall6/rules and /etc/shorewall6/blrules).

2. INTERFACE — The name of an interface that matches an entry in
/etc/shorewall/interfaces (/etc/shorewall6/interfaces).

Beginning with Shorewall 5.2.1, the interface may be preceded with
'!', which matches all interfaces except the one specified.

3. ADDRESS LIST — A list of one or more addresses (host or network) or
address ranges, separated by commas. In an IPv6 configuration, this
list must be enclosed in square or angle brackets ("[...]" or
"<...>"). The list may include an exclusion.

Examples.

1. All hosts in the net zone — net

2. Subnet 192.168.1.0/29 in the loc zone — loc:192.168.1.0/29

3. All hosts in the net zone connecting through ppp0 — net:ppp0

4. All hosts interfaced by eth3 — eth3

5. Subnet 10.0.1.0/24 interfacing through eth2 — eth2:10.0.1.0/24

6. Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the loc zone —
loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]

7. The primary IP address of eth0 in the $FW zone - $FW:&eth0

8. All hosts in Vatican City - net:^VA (Requires the GeoIP Match
capability).

If your kernel and iptables have IP Range match support, you may use IP
address ranges in Shorewall configuration file entries; IP address
ranges have the syntax <low IP address>-<high IP address>.

Example: 192.168.1.5-192.168.1.12.



For more information about addressing, see the Setup Guide[1].

1. Setup Guide
http://www.shorewall.net/shorewall_setup_guide.htm#Addressing



Configuration Files 01/17/2019 SHOREWALL-ADDRESSES(5)