shorewall-hosts(5)                                          shorewall-hosts(5)

NAME
       hosts - Shorewall file

SYNOPSIS
       /etc/shorewall/hosts

DESCRIPTION
       This file is used to define zones in terms of subnets and/or individual
       IP addresses. Most simple setups don't need to (and should not) place
       anything in this file.

       The order of entries in this file is not significant in determining
       zone composition. Rather, the order in which the zones are declared in
       shorewall-zones(5) ⟨shorewall-zones.html⟩ determines the order in which
       the records in this file are interpreted.

       Warning

           The only time that you need this file is when you have more than
           one zone connected through a single interface.

       Warning

           If you have an entry for a zone and interface in
           shorewall-interfaces(5) ⟨shorewall-interfaces.html⟩ then do not
           include any entries in this file for that same (zone, interface)
           pair.

       The columns in the file are as follows.

       ZONE — zone-name
              The name of a zone declared in shorewall-zones(5)
              ⟨shorewall-zones.html⟩. You may not list the firewall zone in
              this column.

       HOST(S) — interface:{address-or-range[,address-or-range]...|+ipset}[exclusion]
              The name of an interface defined in the shorewall-interfaces(5)
              ⟨shorewall-interfaces.html⟩ file followed by a colon (":") and a
              comma-separated list whose elements are either:

              1. The IP address of a host.

              2. A network in CIDR format.

              3. An IP address range of the form low.address-high.address.
                 Your kernel and iptables must have iprange match support.

              4. The name of an ipset.

              You may also exclude certain hosts through use of an exclusion
              (see shorewall-exclusion(5) ⟨shorewall-exclusion.html⟩).

       OPTIONS (Optional) — [option[,option]...]
              A comma-separated list of options from the following list. The
              order in which you list the options is not significant but the
              list must have no embedded white space.

              maclist
                     Connection requests from these hosts are compared against
                     the contents of shorewall-maclist(5)
                     ⟨shorewall-maclist.html⟩. If this option is specified, the
                     interface must be an ethernet NIC or equivalent and must
                     be up before Shorewall is started.

              routeback
                     Shorewall should set up the infrastructure to pass packets
                     from this/these address(es) back to themselves. This is
                     necessary if hosts in this group use the services of a
                     transparent proxy that is a member of the group or if DNAT
                     is used to send requests originating from this group to a
                     server in the group.

              blacklist
                     This option only makes sense for ports on a bridge.

                     Check packets arriving on this port against the
                     shorewall-blacklist(5) ⟨shorewall-blacklist.html⟩ file.

              tcpflags
                     Packets arriving from these hosts are checked for certain
                     illegal combinations of TCP flags. Packets found to have
                     such a combination of flags are handled according to the
                     setting of TCP_FLAGS_DISPOSITION after having been logged
                     according to the setting of TCP_FLAGS_LOG_LEVEL.

              nosmurfs
                     This option only makes sense for ports on a bridge.

                     Filter packets for smurfs (packets with a broadcast
                     address as the source).

                     Smurfs will be optionally logged based on the setting of
                     SMURF_LOG_LEVEL in shorewall.conf(5) ⟨shorewall.conf.html⟩.
                     After logging, the packets are dropped.

              ipsec  The zone is accessed via a kernel 2.6 ipsec SA. Note that
                     if the zone named in the ZONE column is specified as an
                     IPSEC zone in the shorewall-zones(5) ⟨shorewall-zones.html⟩
                     file then you do NOT need to specify the 'ipsec' option
                     here.

              broadcast
                     Used when you want to include limited broadcasts
                     (destination IP address 255.255.255.255) from the firewall
                     to this zone. Only necessary when:

                     1. The network specified in the HOST(S) column does not
                        include 255.255.255.255.

                     2. The zone does not have an entry for this interface in
                        shorewall-interfaces(5) ⟨shorewall-interfaces.html⟩.

              destonly
                     Normally used with the multicast IP address range
                     (224.0.0.0/4). Specifies that traffic will be sent to the
                     specified net(s) but that no traffic will be received from
                     the net(s).

EXAMPLE
       Example 1
              The firewall runs a PPTP server which creates a ppp interface
              for each remote client. The clients are assigned IP addresses in
              the network 192.168.3.0/24 and are placed in a zone named 'vpn'.

              #ZONE    HOST(S)                 OPTIONS
              vpn      ppp+:192.168.3.0/24

              It is especially recommended to define such a zone using this
              file rather than shorewall-interfaces(8)
              ⟨shorewall-interfaces.html⟩ if there is another zone that uses a
              fixed PPP interface (for example, if the 'net' zone always
              interfaces through ppp0).

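       As an added example (it is not part of this man page and not Shorewall's
       own code), the following Python validator reads a hosts file body and
       checks it against the rules stated above: the zone must be declared and
       must not be the firewall zone, the HOST(S) column must be an interface
       followed by hosts, CIDR networks, low-high ranges or +ipset names, the
       OPTIONS list must contain only the documented options with no embedded
       white space, blacklist/nosmurfs are flagged on interfaces that are not
       bridge ports, and a (zone, interface) pair that already appears in
       shorewall-interfaces(5) is reported. The zone set, the firewall zone
       name, the interface pairs, the bridge-port set and the '!' exclusion
       separator (taken from shorewall-exclusion(5)) are assumed inputs, and
       the sample hosts file is constructed for the demonstration.

```python
import ipaddress
import re
from typing import FrozenSet, List, Optional, Set, Tuple

# Options documented in shorewall-hosts(5).
HOST_OPTIONS = {"maclist", "routeback", "blacklist", "tcpflags",
                "nosmurfs", "ipsec", "broadcast", "destonly"}
# The page says these two only make sense for ports on a bridge.
BRIDGE_ONLY_OPTIONS = {"blacklist", "nosmurfs"}

IP_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def classify_element(element: str) -> str:
    """Classify one HOST(S) element as host, network, range or ipset;
    raise ValueError when it matches none of the four documented forms."""
    if element.startswith("+"):             # 4. the name of an ipset
        if len(element) == 1:
            raise ValueError("empty ipset name")
        return "ipset"
    m = IP_RANGE_RE.match(element)          # 3. low.address-high.address
    if m:
        low, high = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if low > high:
            raise ValueError(f"range {element} runs backwards")
        return "range"
    if "/" in element:                      # 2. a network in CIDR format
        ipaddress.ip_network(element, strict=False)
        return "network"
    ipaddress.ip_address(element)           # 1. the IP address of a host (raises on "")
    return "host"


def parse_host_spec(spec: str) -> Tuple[str, List[str], Optional[List[str]]]:
    """Split 'interface:elem[,elem]...[!excl[,excl]...]' into its parts.
    The '!' separator is assumed from shorewall-exclusion(5)."""
    if ":" not in spec:
        raise ValueError("HOST(S) must be interface:address-list")
    interface, rest = spec.split(":", 1)
    if not interface:
        raise ValueError("empty interface name")
    exclusion = None
    if "!" in rest:
        rest, excl_text = rest.split("!", 1)
        exclusion = excl_text.split(",")
        for e in exclusion:
            classify_element(e)
    elements = rest.split(",")
    for e in elements:
        classify_element(e)
    return interface, elements, exclusion


def validate_hosts(text: str, zones: Set[str], firewall_zone: str,
                   interface_pairs: Set[Tuple[str, str]],
                   bridge_ports: FrozenSet[str] = frozenset()) -> List[Tuple[int, str]]:
    """Return (line number, problem code) pairs. zones/firewall_zone stand in
    for shorewall-zones(5); interface_pairs are the (zone, interface) pairs in
    shorewall-interfaces(5). Interface names are compared literally, so a
    wildcard such as ppp+ only clashes with an identical ppp+ entry."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((line_no, "missing-hosts"))
            continue
        if len(fields) > 3:                     # embedded white space in a column
            problems.append((line_no, "too-many-fields"))
            continue
        zone, spec = fields[0], fields[1]
        options = fields[2].split(",") if len(fields) == 3 else []
        if zone == firewall_zone:               # the firewall zone may not be listed
            problems.append((line_no, "firewall-zone"))
        elif zone not in zones:
            problems.append((line_no, "unknown-zone"))
        try:
            interface, _elements, _exclusion = parse_host_spec(spec)
        except ValueError:
            problems.append((line_no, "bad-host-spec"))
            continue
        if (zone, interface) in interface_pairs:    # already in shorewall-interfaces
            problems.append((line_no, "duplicate-interfaces-pair"))
        for opt in options:
            if opt not in HOST_OPTIONS:
                problems.append((line_no, "unknown-option"))
            elif opt in BRIDGE_ONLY_OPTIONS and interface not in bridge_ports:
                problems.append((line_no, "bridge-only-option"))
    return problems


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_HOSTS = """\
#ZONE   HOST(S)                                          OPTIONS
vpn     ppp+:192.168.3.0/24
loc     eth1:192.168.1.0/24,192.168.2.0/24!192.168.1.1   routeback
dmz     eth1:+dmzhosts                                   tcpflags,nosmurfs
fw      eth0:10.0.0.5
loc     eth0:10.0.0.1-10.0.0.20                          bogus
guest   eth2:10.9.0.0/24 , 10.9.1.0/24                   maclist
"""
SAMPLE_ZONES = {"net", "loc", "dmz", "vpn", "guest"}
SAMPLE_INTERFACE_PAIRS = {("net", "eth0"), ("loc", "eth1")}


def sample_problems() -> List[Tuple[int, str]]:
    return validate_hosts(SAMPLE_HOSTS, SAMPLE_ZONES, "fw", SAMPLE_INTERFACE_PAIRS)


if __name__ == "__main__":
    for line_no, code in sample_problems():
        print(f"line {line_no}: {code}")
```

       Run as a script it lists five problems in the constructed file: the
       loc/eth1 entry duplicates a pair from shorewall-interfaces(5), nosmurfs
       is used on an interface that is not a bridge port, the firewall zone is
       listed, an undocumented option is used, and one OPTIONS list contains
       white space. The vpn line from Example 1 passes every check.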
FILES
       /etc/shorewall/hosts

SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

                                  19 May 2008                shorewall-hosts(5)