Provided by: shorewall-common_4.0.6-1_all

NAME
       hosts - Shorewall file


DESCRIPTION
       This file is used to define zones in terms of subnets and/or individual
       IP addresses. Most simple setups  don’t  need  to  (should  not)  place
       anything in this file.

       The order of entries in this file is not significant in  determining
       zone  composition.  Rather,  the  order that the zones are declared in
       shorewall-zones(5) determines the order in which the records  in  this
       file are interpreted.

              The only time that you need this file is when you have more than
              one zone connected through a single interface.

              If you have an entry for a zone and interface in shorewall-
              interfaces(5) then do not include any entries in this file for
              that same (zone, interface) pair.

       The columns in the file are as follows.

       ZONE - zone
              The name of a zone declared in shorewall-zones(5). You may not
              list the firewall zone in this column.

       HOST(S) - interface:{address|network|range|ipset}[,...]
              The name of an interface defined in the shorewall-interfaces(5)
              file followed by a colon (":") and a comma-separated list whose
              elements are either:

              1.  The IP address of a host.

              2.  A network in CIDR format.

              3.  An  IP  address  range of the form low.address-high.address.
                  Your kernel and iptables must have iprange match support.

              4.  The name of an ipset.

              You may also exclude certain hosts through use of an  exclusion
              (see shorewall-exclusion(5)).

       OPTIONS (Optional) — [option[,option]...]
              A  comma-separated  list of options from the following list. The
              order in which you list the options is not significant  but  the
              list must have no embedded white space.

              maclist
                     Connection requests from these hosts are compared against
                     the contents of shorewall-maclist(5).  If  this option is
                     specified, the interface must be an ethernet NIC or
                     equivalent and must be up before Shorewall is started.

              routeback
                     Shorewall should set up the infrastructure to pass
                     packets from this/these address(es) back to themselves.
                     This is necessary if hosts in this group use the services
                     of a transparent proxy that is a member of the group, or
                     if DNAT is used to send requests originating from this
                     group to a server in the group.

              blacklist
                     This option only makes sense for ports on a bridge.

                     Check packets arriving on this port against the
                     shorewall-blacklist(5) file.

              tcpflags
                     Packets arriving from these hosts are checked for certain
                     illegal combinations of TCP flags. Packets found to have
                     such a combination of flags are handled according to the
                     setting of TCP_FLAGS_DISPOSITION after having been logged
                     according to the setting of TCP_FLAGS_LOG_LEVEL.

              nosmurfs
                     This option only makes sense for ports on a bridge.

                     Filter packets for smurfs (packets with a broadcast
                     address as the source).

                     Smurfs will be optionally logged based on the setting of
                     SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
                     packets are dropped.

              ipsec  The zone is accessed via a kernel 2.6 ipsec SA. Note that
                     if the zone named in the ZONE column is specified as an
                     IPSEC zone in the shorewall-zones(5) file then you do NOT
                     need to specify the 'ipsec' option here.
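       As an added example (not part of this man page or of the Shorewall
       distribution), a small Python checker that applies the rules above to a
       hosts file: the zone must be declared and must not be the firewall zone,
       HOST(S) must be a known interface, a colon and a list of the four element
       kinds, a (zone, interface) pair already present in shorewall-interfaces(5)
       is rejected, and OPTIONS must come from the list with no embedded white
       space. It assumes the option names maclist, routeback, blacklist,
       tcpflags, nosmurfs and ipsec, and that an ipset is written as +setname;
       exclusions (shorewall-exclusion(5)) are not handled.

```python
import ipaddress
HOST_OPTIONS = {"maclist", "routeback", "blacklist", "tcpflags", "nosmurfs", "ipsec"}  # OPTIONS list

def classify_host(elem):
    """Kind of one HOST(S) element: address, network, range or ipset; None if malformed."""
    if elem.startswith("+"):                      # assumption: ipsets are written as +setname
        return "ipset" if len(elem) > 1 else None
    try:
        if "-" in elem:                           # low.address-high.address (needs iprange match)
            lo, hi = map(ipaddress.IPv4Address, elem.split("-", 1))
            return "range" if lo <= hi else None
        if "/" in elem:                           # network in CIDR form
            ipaddress.IPv4Network(elem, strict=False)
            return "network"
        ipaddress.IPv4Address(elem)               # single host
        return "address"
    except ValueError:
        return None

def validate_hosts(text, zones, firewall_zone, interfaces, interface_pairs):
    """Apply the rules of shorewall-hosts(5); returns [(line_no, message), ...] (empty = clean).
    zones/firewall_zone: shorewall-zones(5); interfaces, interface_pairs: shorewall-interfaces(5)."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()     # drop comments; blank lines give []
        if not fields:
            continue
        if len(fields) not in (2, 3):             # embedded white space in OPTIONS ends up here
            problems.append((n, "expected ZONE HOST(S) [OPTIONS] with no embedded white space"))
            continue
        zone, (iface, sep, hostlist) = fields[0], fields[1].partition(":")
        if zone == firewall_zone:
            problems.append((n, "the firewall zone may not appear in the ZONE column"))
        elif zone not in zones:
            problems.append((n, "zone %r is not declared in shorewall-zones(5)" % zone))
        if not sep or iface not in interfaces:
            problems.append((n, "HOST(S) must be a known interface followed by ':'"))
        elif (zone, iface) in interface_pairs:
            problems.append((n, "(%s, %s) is already defined in shorewall-interfaces(5)" % (zone, iface)))
        problems += [(n, "bad host element %r" % e) for e in hostlist.split(",") if sep and classify_host(e) is None]
        opts = fields[2].split(",") if len(fields) == 3 else []
        problems += [(n, "unknown option %r" % o) for o in opts if o not in HOST_OPTIONS]
    return problems

# Constructed sample: loc and dmz share eth1; the fw line breaks two rules on purpose.
SAMPLE_HOSTS = """#ZONE   HOST(S)                                  OPTIONS
loc     eth1:192.168.1.0/24                      routeback,tcpflags
dmz     eth1:192.168.2.10-192.168.2.20,+dmzset   nosmurfs
fw      eth1:192.168.3.1                         maclist,bogus
"""
```

       Run validate_hosts(SAMPLE_HOSTS, zones, "fw", interfaces, pairs) with the
       sets taken from your zones and interfaces files; the sample reports the
       fw line twice (firewall zone in ZONE, unknown option 'bogus').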



SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

                               23 November 2007             shorewall-hosts(5)