Provided by: shorewall_3.4.4-1_all
zones - Shorewall zone declaration file
The /etc/shorewall/zones file declares your network zones. You specify
the hosts in each zone through entries in /etc/shorewall/interfaces or
The columns in the file are as follows.
ZONE — zone[:parent-zone[,parent-zone]...]
Name of the zone. The names "all" and "none" are reserved and
may not be used as zone names. The maximum length of a zone name
is determined by the setting of the LOGFORMAT option in shore‐
wall.conf(5). With the default LOGFORMAT, zone names can be at
most 5 characters long.
Where a zone is nested in one or more other zones, you may fol‐
low the (sub)zone name by ":" and a comma-separated list of the
parent zones. The parent zones must have been declared in ear‐
lier records in this file. See shorewall-nesting(5) for addi‐
#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the
list. The IMPLICIT_CONTINUE option in shorewall.conf can also
create implicit CONTINUE policies to/from the subzone.
In the future, Shorewall may make additional use of nesting
ipv4 This is the standard Shorewall zone type and is the
default if you leave this column empty or if you enter
"-" in the column. Communication with some zone hosts may
be encrypted. Encrypted hosts are designated using the
’ipsec’option in shorewall-hosts(5).
ipsec Communication with all zone hosts is encrypted. Your ker‐
nel and iptables must include policy match support.
Designates the firewall itself. You must have exactly one
’firewall’ zone. No options are permitted with a ’fire‐
wall’ zone. The name that you enter in the ZONE column
will be stored in the shell variable $FW which you may
use in other configuration files to designate the fire‐
OPTIONS, IN OPTIONS and OUT OPTIONS — [option[,option]...]
A comma-separated list of options. With the exception of the mss
option, these only apply to TYPE ipsec zones.
where number is specified using setkey(8) using the
’unique:number option for the SPD level.
where number is the SPI of the SA used to encrypt/decrypt
IPSEC Encapsulation Protocol
sets the MSS field in TCP packets
only available with mode=tunnel
only available with mode=tunnel
strict Means that packets must match all rules.
next Separates rules; can only be used with strict
The options in the OPTIONS column are applied to both incoming and out‐
going traffic. The IN OPTIONS are applied to incoming traffic (in addi‐
tion to OPTIONS) and the OUT OPTIONS are applied to outgoing traffic.
If you wish to leave a column empty but need to make an entry in a fol‐
lowing column, use "-".
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-
ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shore‐
wall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
17 June 2007 shorewall-zones(5)