Provided by:
shorewall-common_4.0.6-1_all 
NAME
hosts - Shorewall file
SYNOPSIS
/etc/shorewall/hosts
DESCRIPTION
This file is used to define zones in terms of subnets and/or individual
IP addresses. Most simple setups don’t need to (should not) place
anything in this file.
The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in
shorewall-zones 〈shorewall-zones.html〉 (5) determines the order in
which the records in this file are interpreted.
Warning
The only time that you need this file is when you have more than
one zone connected through a single interface.
Warning
If you have an entry for a zone and interface in shorewall-
interfaces 〈shorewall-interfaces.html〉 (5) then do not include
any entries in this file for that same (zone, interface) pair.
The columns in the file are as follows.
ZONE — zone-name
The name of a zone declared in shorewall-zones
〈shorewall-zones.html〉 (5). You may not list the firewall zone
in this column.
HOST(S) — interface:{[{address-or-range[,address-or-
range]...|+ipset}[exclusion]
The name of an interface defined in the shorewall-interfaces
〈shorewall-interfaces.html〉 (5) file followed by a colon (":")
and a comma-separated list whose elements are either:
1. The IP address of a host.
2. A network in CIDR format.
3. An IP address range of the form low.address-high.address.
Your kernel and iptables must have iprange match support.
4. The name of an ipset.
You may also exclude certain hosts through use of an exclusion
(see shorewall-exclusion 〈shorewall-exclusion.html〉 (5).
OPTIONS (Optional) — [option[,option]...]
A comma-separated list of options from the following list. The
order in which you list the options is not significant but the
list must have no embedded white space.
maclist
Connection requests from these hosts are compared against
the contents of shorewall-maclist
〈shorewall-maclist.html〉 (5). If this option is
specified, the interface must be an ethernet NIC or
equivalent and must be up before Shorewall is started.
routeback
Shorewall should set up the infrastructure to pass
packets from this/these address(es) back to themselves.
This is necessary if hosts in this group use the services
of a transparent proxy that is a member of the group or
if DNAT is used to send requests originating from this
group to a server in the group.
blacklist
This option only makes sense for ports on a bridge.
Check packets arriving on this port against the
shorewall-blacklist 〈shorewall-blacklist.html〉 (5) file.
tcpflags
Packets arriving from these hosts are checked for certain
illegal combinations of TCP flags. Packets found to have
such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.
nosmurfs
This option only makes sense for ports on a bridge.
Filter packets for smurfs (packets with a broadcast
address as the source).
Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in shorewall.conf 〈shorewall.conf.html〉
(5). After logging, the packets are dropped.
ipsec The zone is accessed via a kernel 2.6 ipsec SA. Note that
if the zone named in the ZONE column is specified as an
IPSEC zone in the shorewall-zones 〈shorewall-zones.html〉
(5) file then you do NOT need to specify the ’ipsec’
option here.
FILES
/etc/shorewall/hosts
SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-
maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-route_routes(5), shorewall-
routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-
tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-
tos(5), shorewall-tunnels(5), shorewall-zones(5)
23 November 2007 shorewall-hosts(5)