1SHOREWALL-ZONES(5) Configuration Files SHOREWALL-ZONES(5)
2
6 zones - Shorewall zone declaration file
7
9 /etc/shorewall/zones
10
12 The /etc/shorewall/zones file declares your network zones. You specify
13 the hosts in each zone through entries in /etc/shorewall/interfaces or
14 /etc/shorewall/hosts.
15 The columns in the file are as follows (where the column name is
17 followed by a different name in parentheses, the different name is used
18 in the alternate specification syntax).
19 ZONE - zone[:parent-zone[,parent-zone]...]
21 Name of the zone. Must start with a letter and consist of letters,
22 digits or '_'. The names "all", "none", "any", "SOURCE" and "DEST"
23 are reserved and may not be used as zone names. The maximum length
24 of a zone name is determined by the setting of the LOGFORMAT option
25 in shorewall.conf[1](5). With the default LOGFORMAT, zone names can
26 be at most 5 characters long. The maximum length of an iptables
27 log prefix is 29 bytes. As explained in shorewall.conf[1] (5), the
28 legacy default LOGPREFIX formatting string is “Shorewall:%s:%s:”
29 where the first %s is replaced by the chain name and the second is
30 replaced by the disposition.
31 • The "Shorewall:%s:%s:" formatting string has 12 fixed
33 characters ("Shorewall" and three colons).
34 • The longest of the standard dispositions are ACCEPT and REJECT
36 which have 6 characters each.
37 • The canonical name for the chain containing the rules for
39 traffic going from zone 1 to zone 2 is "<zone 1>2<zone 2>" or
40 "<zone 1>-<zone 2>".
41 • So if M is the maximum zone name length, such chains can have
43 length 2*M + 1.
44 12 + 6 + 2*M + 1 = 29 which reduces to
45 2*M = 29 - 12 - 6 - 1 = 10 or
46 M = 5
47 In Shorewall 5.1.0, the LOGFORMAT in the default and sample
49 shorewall.conf files was changed to "%s:%s ".
50 • That formatting string has 2 fixed characters (":" and a
52 space).
53 • So the maximum zone name length M is calculated as:
55 2 + 6 + 2*M + 1 = 29
56 2M = 29 - 2 - 6 - 1 = 20
57 M = 10
58 The order in which Shorewall matches addresses from packets to
59 zones is determined by the order of zone declarations. Where a zone
60 is nested in one or more other zones, you may either ensure that
61 the nested zone precedes its parents in this file, or you may
62 follow the (sub)zone name by ":" and a comma-separated list of the
63 parent zones. The parent zones must have been declared in earlier
64 records in this file. See shorewall-nesting[2](5) for additional
65 information.
66 Example:
68 #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
70 a ip
71 b ip
72 c:a,b ip
73 Currently, Shorewall uses this information to reorder the zone list
75 so that parent zones appear after their subzones in the list. The
76 IMPLICIT_CONTINUE option in shorewall.conf[1](5) can also create
77 implicit CONTINUE policies to/from the subzone.
78 Where an ipsec zone is explicitly included as a child of an ip
80 zone, the ruleset allows CONTINUE policies (explicit or implicit)
81 to work as expected.
82 In the future, Shorewall may make additional use of nesting
84 information.
85 TYPE
87 ip
89 This is the standard Shorewall zone type and is the default if
90 you leave this column empty or if you enter "-" in the column.
91 Communication with some zone hosts may be encrypted. Encrypted
92 hosts are designated using the 'ipsec' option in
93 shorewall-hosts[3](5). For clarity, this zone type may be
94 specified as ipv4 in IPv4 configurations and ipv6 in IPv6
95 configurations.
96 ipsec
98 Communication with all zone hosts is encrypted. Your kernel and
99 iptables must include policy match support. For clarity, this
100 zone type may be specified as ipsec4 in IPv4 configurations and
101 ipsec6 in IPv6 configurations.
102 firewall
104 Designates the firewall itself. You must have exactly one
105 'firewall' zone. No options are permitted with a 'firewall'
106 zone. The name that you enter in the ZONE column will be stored
107 in the shell variable $FW which you may use in other
108 configuration files to designate the firewall zone.
109 bport
111 The zone is associated with one or more ports on a single
112 bridge. For clarity, this zone type may be specified as bport4
113 in IPv4 configurations and bport6 in IPv6 configurations.
114 vserver
116 Added in Shorewall 4.4.11 Beta 2 - A zone composed of
117 Linux-vserver guests. The zone contents must be defined in
118 shorewall-hosts[3] (5).
119 Vserver zones are implicitly handled as subzones of the
121 firewall zone.
122 loopback
124 Added in Shorewall 4.5.17.
125 Normally, Shorewall treats the loopback interface (lo) in the
127 following way:
128 • By default, all traffic through the interface is ACCEPTed.
130 • If a $FW -> $FW policy is defined or $FW -> $FW rules are
132 defined, they are placed in a chain named ${FW}2${F2} or
133 ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' ) depending on the
134 ZONE2ZONE setting in shorewall.conf[1](5).
135 • $FW -> $FW traffic is only filtered in the OUTPUT chain.
137 By defining a loopback zone and associating it with the
139 loopback interface in shorewall-interfaces(5), you can effect a
140 slightly different model. Suppose that the loopback zone name
141 is 'local'; then:
142 • Both $FW -> local and local -> $FW chains are created.
144 • The $FW -> local and local -> $FW policies may be
146 different.
147 • Both $FW -> local and local -> $FW rules may be specified.
149 Rules to/from the loopback zone and any zone other than the
151 firewall zone are ignored with a warning.
152 loopback zones may be nested within other loopback zones.
154 local
156 Added in Shorewall 4.5.17. local is the same as ipv4 with the
157 exception that the zone is only accessible from the firewall
158 and vserver zones.
159 OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options)
161 - [option[,option]...]
162 A comma-separated list of options. With the exception of the mss
163 and blacklist options, these only apply to TYPE ipsec zones.
164 dynamic_shared
166 Added in Shorewall 4.5.9. May only be specified in the OPTIONS
167 column and indicates that only a single ipset should be created
168 for this zone if it has multiple dynamic entries in
169 shorewall-hosts[3](5). Without this option, a separate ipset is
170 created for each interface.
171 reqid=number
173 where number is specified using setkey(8) using the
174 'unique:number option for the SPD level.
175 spi=<number>
177 where number is the SPI of the SA used to encrypt/decrypt
178 packets.
179 proto=ah|esp|ipcomp
181 IPSEC Encapsulation Protocol
182 mss=number
184 sets the MSS field in TCP packets. If you supply this option,
185 you should also set FASTACCEPT=No in shorewall.conf[1](5) to
186 insure that both the SYN and SYN,ACK packets have their MSS
187 field adjusted.
188 mode=transport|tunnel
190 IPSEC mode
191 tunnel-src=address[/mask]
193 only available with mode=tunnel
194 tunnel-dst=address[/mask]
196 only available with mode=tunnel
197 strict
199 Means that packets must match all rules.
200 next
202 Separates rules; can only be used with strict
203 The options in the OPTIONS column are applied to both incoming and
205 outgoing traffic. The IN OPTIONS are applied to incoming traffic
206 (in addition to OPTIONS) and the OUT OPTIONS are applied to
207 outgoing traffic.
208 If you wish to leave a column empty but need to make an entry in a
210 following column, use "-".
211
213 /etc/shorewall/zones
214 /etc/shorewall6/zones
216
218 https://shorewall.org/Multiple_Zones.html[4].
219 https://shorewall.org/configuration_file_basics.htm#Pairs[5]
221 shorewall(8)
223
225 1. shorewall.conf
226 https://shorewall.org/manpages/shorewall.conf.html
227 2. shorewall-nesting
229 https://shorewall.org/manpages/shorewall-nesting.html
230 3. shorewall-hosts
232 https://shorewall.org/manpages/shorewall-hosts.html
233 4. https://shorewall.org/Multiple_Zones.html
235 https://shorewall.org/Multiple_Zones.html
236 5. https://shorewall.org/configuration_file_basics.htm#Pairs
238 https://shorewall.org/configuration_file_basics.htm#Pairs
239Configuration Files 09/24/2020 SHOREWALL-ZONES(5)