Provided by: shorewall-common_4.0.6-1_all
zones - Shorewall zone declaration file
The /etc/shorewall/zones file declares your network zones. You specify
the hosts in each zone through entries in /etc/shorewall/interfaces or
The columns in the file are as follows.
ZONE — zone[:parent-zone[,parent-zone]...]
Name of the zone. The names "all", "none", "SOURCE" and "DEST"
are reserved and may not be used as zone names. The maximum
length of a zone name is determined by the setting of the
LOGFORMAT option in shorewall.conf 〈shorewall.conf.html〉 (5).
With the default LOGFORMAT, zone names can be at most 5
Where a zone is nested in one or more other zones, you may
follow the (sub)zone name by ":" and a comma-separated list of
the parent zones. The parent zones must have been declared in
earlier records in this file. See shorewall-nesting
〈shorewall-nesting.html〉 (5) for additional information.
#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the
list. The IMPLICIT_CONTINUE option in shorewall.conf can also
create implicit CONTINUE policies to/from the subzone.
In the future, Shorewall may make additional use of nesting
ipv4 This is the standard Shorewall zone type and is the
default if you leave this column empty or if you enter
"-" in the column. Communication with some zone hosts may
be encrypted. Encrypted hosts are designated using the
’ipsec’option in shorewall-hosts 〈shorewall-hosts.html〉
ipsec Communication with all zone hosts is encrypted. Your
kernel and iptables must include policy match support.
Designates the firewall itself. You must have exactly one
’firewall’ zone. No options are permitted with a
’firewall’ zone. The name that you enter in the ZONE
column will be stored in the shell variable $FW which you
may use in other configuration files to designate the
bport (or bport4)
(Shorewall-perl only) The zone is associated with one or
more ports on a single bridge.
OPTIONS, IN OPTIONS and OUT OPTIONS — [option[,option]...]
A comma-separated list of options. With the exception of the mss
option, these only apply to TYPE ipsec zones.
where number is specified using setkey(8) using the
’unique:number option for the SPD level.
where number is the SPI of the SA used to encrypt/decrypt
IPSEC Encapsulation Protocol
sets the MSS field in TCP packets. If you supply this
option, you should also set FASTACCEPT=No in
shorewall.conf 〈shorewall.conf.html〉 (8) to insure that
both the SYN and SYN,ACK packets have their MSS field
only available with mode=tunnel
only available with mode=tunnel
strict Means that packets must match all rules.
next Separates rules; can only be used with strict
The options in the OPTIONS column are applied to both incoming and
outgoing traffic. The IN OPTIONS are applied to incoming traffic (in
addition to OPTIONS) and the OUT OPTIONS are applied to outgoing
If you wish to leave a column empty but need to make an entry in a
following column, use "-".
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-
ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-
route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5)
23 November 2007 shorewall-zones(5)