SHOREWALL-ZONES(5)            Configuration Files           SHOREWALL-ZONES(5)


NAME

       zones - Shorewall zone declaration file


SYNOPSIS

       /etc/shorewall/zones


DESCRIPTION

       The /etc/shorewall/zones file declares your network zones. You specify
       the hosts in each zone through entries in /etc/shorewall/interfaces or
       /etc/shorewall/hosts.

       The columns in the file are as follows (where the column name is
       followed by a different name in parentheses, the different name is used
       in the alternate specification syntax).

       ZONE - zone[:parent-zone[,parent-zone]...]
           Name of the zone. Must start with a letter and consist of letters,
           digits or '_'. The names "all", "none", "any", "SOURCE" and "DEST"
           are reserved and may not be used as zone names. The maximum length
           of a zone name is determined by the setting of the LOGFORMAT option
           in shorewall.conf[1](5). With the default LOGFORMAT, zone names can
           be at most 5 characters long. The maximum length of an iptables
           log prefix is 29 bytes. As explained in shorewall.conf[1](5), the
           legacy default LOGPREFIX formatting string is "Shorewall:%s:%s:"
           where the first %s is replaced by the chain name and the second is
           replaced by the disposition.

           •   The "Shorewall:%s:%s:" formatting string has 12 fixed
               characters ("Shorewall" and three colons).

           •   The longest of the standard dispositions are ACCEPT and REJECT
               which have 6 characters each.

           •   The canonical name for the chain containing the rules for
               traffic going from zone 1 to zone 2 is "<zone 1>2<zone 2>" or
               "<zone 1>-<zone 2>".

           •   So if M is the maximum zone name length, such chains can have
               length 2*M + 1.
                   12 + 6 + 2*M + 1 = 29 which reduces to
                   2*M = 29 - 12 - 6 - 1 = 10 or
                   M = 5

           In Shorewall 5.1.0, the LOGFORMAT in the default and sample
           shorewall.conf files was changed to "%s:%s ".

           •   That formatting string has 2 fixed characters (":" and a
               space).

           •   So the maximum zone name length M is calculated as:
                   2 + 6 + 2*M + 1 = 29
                   2*M = 29 - 2 - 6 - 1 = 20
                   M = 10

           The order in which Shorewall matches addresses from packets to
           zones is determined by the order of zone declarations. Where a zone
           is nested in one or more other zones, you may either ensure that
           the nested zone precedes its parents in this file, or you may
           follow the (sub)zone name by ":" and a comma-separated list of the
           parent zones. The parent zones must have been declared in earlier
           records in this file. See shorewall-nesting[2](5) for additional
           information.

           Example:

               #ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
               a         ip
               b         ip
               c:a,b     ip

           Currently, Shorewall uses this information to reorder the zone list
           so that parent zones appear after their subzones in the list. The
           IMPLICIT_CONTINUE option in shorewall.conf[1](5) can also create
           implicit CONTINUE policies to/from the subzone.

           Where an ipsec zone is explicitly included as a child of an ip
           zone, the ruleset allows CONTINUE policies (explicit or implicit)
           to work as expected.

           In the future, Shorewall may make additional use of nesting
           information.
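           A small validator for this file, added here as an example (it is
           not part of Shorewall): it applies the LOGFORMAT arithmetic above
           to derive the maximum zone name length, checks each record's name
           against the reserved names and character rules, verifies that
           parent zones were declared in earlier records, enforces the single
           'firewall' zone rule from the TYPE column, and orders the list so
           that parents follow their subzones. The ordering rule (insert each
           subzone before its earliest-listed parent) and the sample file are
           assumptions constructed for the example, not Shorewall's own code.

```python
import re

RESERVED = {"all", "none", "any", "SOURCE", "DEST"}
LOG_PREFIX_MAX = 29        # iptables log-prefix limit, as stated in the page
LONGEST_DISPOSITION = 6    # ACCEPT / REJECT

def max_zone_name_len(logformat):
    """Page's arithmetic: fixed chars = LOGFORMAT minus its two %s placeholders."""
    fixed = len(logformat.replace("%s", ""))
    return (LOG_PREFIX_MAX - fixed - LONGEST_DISPOSITION - 1) // 2

def parse_zones(text, logformat="%s:%s "):
    """Return (zones, errors); zones is [(name, type, parents)] in file order."""
    max_len = max_zone_name_len(logformat)
    zones, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue                                   # blank or comment line
        name, _, parent_str = cols[0].partition(":")   # zone[:parent[,parent]...]
        parents = [p for p in parent_str.split(",") if p]
        ztype = cols[1] if len(cols) > 1 and cols[1] != "-" else "ip"
        if name in RESERVED or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            errors.append(f"line {lineno}: invalid or reserved zone name {name!r}")
        elif len(name) > max_len:
            errors.append(f"line {lineno}: {name!r} exceeds {max_len} chars for this LOGFORMAT")
        for p in parents:                              # parents must be declared earlier
            if p not in seen:
                errors.append(f"line {lineno}: parent zone {p!r} not declared earlier")
        seen.add(name)
        zones.append((name, ztype, parents))
    nfw = sum(1 for z in zones if z[1] == "firewall")
    if nfw != 1:
        errors.append(f"expected exactly one firewall zone, found {nfw}")
    return zones, errors

def matching_order(zones):
    """Assumed rule (not Shorewall's code): insert each subzone before its earliest parent."""
    ordered = []
    for zone in zones:
        idx = [i for i, z in enumerate(ordered) if z[0] in zone[2]]
        ordered.insert(min(idx) if idx else len(ordered), zone)
    return [z[0] for z in ordered]

SAMPLE = """fw       firewall   # constructed sample: the page's a/b/c example plus a firewall zone
a        ip
b        ip
c:a,b    ip
"""
```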

       TYPE

           ip
               This is the standard Shorewall zone type and is the default if
               you leave this column empty or if you enter "-" in the column.
               Communication with some zone hosts may be encrypted. Encrypted
               hosts are designated using the 'ipsec' option in
               shorewall-hosts[3](5). For clarity, this zone type may be
               specified as ipv4 in IPv4 configurations and ipv6 in IPv6
               configurations.

           ipsec
               Communication with all zone hosts is encrypted. Your kernel and
               iptables must include policy match support. For clarity, this
               zone type may be specified as ipsec4 in IPv4 configurations and
               ipsec6 in IPv6 configurations.

           firewall
               Designates the firewall itself. You must have exactly one
               'firewall' zone. No options are permitted with a 'firewall'
               zone. The name that you enter in the ZONE column will be stored
               in the shell variable $FW which you may use in other
               configuration files to designate the firewall zone.

           bport
               The zone is associated with one or more ports on a single
               bridge. For clarity, this zone type may be specified as bport4
               in IPv4 configurations and bport6 in IPv6 configurations.

           vserver
               Added in Shorewall 4.4.11 Beta 2 - A zone composed of
               Linux-vserver guests. The zone contents must be defined in
               shorewall-hosts[3](5).

               Vserver zones are implicitly handled as subzones of the
               firewall zone.

           loopback
               Added in Shorewall 4.5.17.

               Normally, Shorewall treats the loopback interface (lo) in the
               following way:

               •   By default, all traffic through the interface is ACCEPTed.

               •   If a $FW -> $FW policy is defined or $FW -> $FW rules are
                   defined, they are placed in a chain named ${FW}2${FW} or
                   ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw') depending on the
                   ZONE2ZONE setting in shorewall.conf[1](5).

               •   $FW -> $FW traffic is only filtered in the OUTPUT chain.

               By defining a loopback zone and associating it with the
               loopback interface in shorewall-interfaces(5), you can effect a
               slightly different model. Suppose that the loopback zone name
               is 'local'; then:

               •   Both $FW -> local and local -> $FW chains are created.

               •   The $FW -> local and local -> $FW policies may be
                   different.

               •   Both $FW -> local and local -> $FW rules may be specified.

               Rules to/from the loopback zone and any zone other than the
               firewall zone are ignored with a warning.

               loopback zones may be nested within other loopback zones.

           local
               Added in Shorewall 4.5.17. local is the same as ipv4 with the
               exception that the zone is only accessible from the firewall
               and vserver zones.

       OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options)
       - [option[,option]...]
           A comma-separated list of options. With the exception of the mss
           and blacklist options, these only apply to TYPE ipsec zones.

           dynamic_shared
               Added in Shorewall 4.5.9. May only be specified in the OPTIONS
               column and indicates that only a single ipset should be created
               for this zone if it has multiple dynamic entries in
               shorewall-hosts[3](5). Without this option, a separate ipset is
               created for each interface.

           reqid=number
               where number is specified using setkey(8) using the
               'unique:number' option for the SPD level.

           spi=<number>
               where number is the SPI of the SA used to encrypt/decrypt
               packets.

           proto=ah|esp|ipcomp
               IPSEC Encapsulation Protocol

           mss=number
               sets the MSS field in TCP packets. If you supply this option,
               you should also set FASTACCEPT=No in shorewall.conf[1](5) to
               ensure that both the SYN and SYN,ACK packets have their MSS
               field adjusted.

           mode=transport|tunnel
               IPSEC mode

           tunnel-src=address[/mask]
               only available with mode=tunnel

           tunnel-dst=address[/mask]
               only available with mode=tunnel

           strict
               Means that packets must match all rules.

           next
               Separates rules; can only be used with strict

           The options in the OPTIONS column are applied to both incoming and
           outgoing traffic. The IN OPTIONS are applied to incoming traffic
           (in addition to OPTIONS) and the OUT OPTIONS are applied to
           outgoing traffic.

           If you wish to leave a column empty but need to make an entry in a
           following column, use "-".


FILES

       /etc/shorewall/zones

       /etc/shorewall6/zones


SEE ALSO

       https://shorewall.org/Multiple_Zones.html[4].

       https://shorewall.org/configuration_file_basics.htm#Pairs[5]

       shorewall(8)


NOTES

        1. shorewall.conf
           https://shorewall.org/manpages/shorewall.conf.html

        2. shorewall-nesting
           https://shorewall.org/manpages/shorewall-nesting.html

        3. shorewall-hosts
           https://shorewall.org/manpages/shorewall-hosts.html

        4. https://shorewall.org/Multiple_Zones.html
           https://shorewall.org/Multiple_Zones.html

        5. https://shorewall.org/configuration_file_basics.htm#Pairs
           https://shorewall.org/configuration_file_basics.htm#Pairs


Configuration Files               09/24/2020                SHOREWALL-ZONES(5)