Provided by: shorewall-common_4.0.6-1_all

NAME

       zones - Shorewall zone declaration file

SYNOPSIS

       /etc/shorewall/zones

DESCRIPTION

       The  /etc/shorewall/zones file declares your network zones. You specify
       the hosts in each zone through entries in /etc/shorewall/interfaces  or
       /etc/shorewall/hosts.

       The columns in the file are as follows.

       ZONE - zone[:parent-zone[,parent-zone]...]
              Name of the zone. The names "all", "none", "SOURCE" and "DEST"
              are reserved and may not be used as zone names. The maximum
              length of a zone name is determined by the setting of the
              LOGFORMAT option in shorewall.conf(5). With the default
              LOGFORMAT, zone names can be at most 5 characters long.

              Where a zone is nested in one or more other zones, you may
              follow the (sub)zone name by ":" and a comma-separated list of
              the parent zones. The parent zones must have been declared in
              earlier records in this file. See shorewall-nesting(5) for
              additional information.

              Example:

              #ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
              a         ipv4
              b         ipv4
              c:a,b     ipv4

              Currently, Shorewall uses this information to reorder  the  zone
              list  so  that  parent  zones appear after their subzones in the
              list.  The IMPLICIT_CONTINUE option in shorewall.conf  can  also
              create implicit CONTINUE policies to/from the subzone.

              In  the  future,  Shorewall  may  make additional use of nesting
              information.

       TYPE

              ipv4   This is the standard Shorewall zone type and is the
                     default if you leave this column empty or if you enter
                     "-" in the column. Communication with some zone hosts may
                     be encrypted. Encrypted hosts are designated using the
                     ’ipsec’ option in shorewall-hosts(5).

              ipsec  Communication  with  all  zone  hosts  is encrypted. Your
                     kernel and iptables must include policy match support.

              firewall
                     Designates the firewall itself. You must have exactly one
                     ’firewall’   zone.   No  options  are  permitted  with  a
                     ’firewall’ zone. The name that  you  enter  in  the  ZONE
                     column will be stored in the shell variable $FW which you
                     may use in other configuration  files  to  designate  the
                     firewall zone.

              bport (or bport4)
                     (Shorewall-perl  only) The zone is associated with one or
                     more ports on a single bridge.

       OPTIONS, IN OPTIONS and OUT OPTIONS — [option[,option]...]
              A comma-separated list of options. With the exception of the mss
              option, these only apply to TYPE ipsec zones.

              reqid=number
                     where number is specified using setkey(8) using the
                     ’unique:number’ option for the SPD level.

              spi=number
                     where number is the SPI of the SA used to encrypt/decrypt
                     packets.

              proto=ah|esp|ipcomp
                     IPSEC Encapsulation Protocol

              mss=number
                     sets the MSS field in TCP packets. If you supply this
                     option, you should also set FASTACCEPT=No in
                     shorewall.conf(5) to ensure that both the SYN and
                     SYN,ACK packets have their MSS field adjusted.

              mode=transport|tunnel
                     IPSEC mode

              tunnel-src=address[/mask]
                     only available with mode=tunnel

              tunnel-dst=address[/mask]
                     only available with mode=tunnel

              strict Means that packets must match all rules.

              next   Separates rules; can only be used with strict

       The  options  in  the  OPTIONS  column are applied to both incoming and
       outgoing traffic. The IN OPTIONS are applied to  incoming  traffic  (in
       addition  to  OPTIONS)  and  the  OUT  OPTIONS  are applied to outgoing
       traffic.

       If you wish to leave a column empty but need to  make  an  entry  in  a
       following column, use "-".
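       The following validator is an added illustration and is not part of
       Shorewall or of this manual page. It applies the rules stated above to
       the text of a zones file (reserved names, the 5-character limit of the
       default LOGFORMAT, parents declared earlier, no options on the firewall
       zone, exactly one firewall zone, ipsec-only options, tunnel-src/dst
       needing mode=tunnel, next needing strict) and performs the
       parent-after-subzone reordering. The sample file, its zone names and
       addresses are constructed for the example.

```python
RESERVED = {"all", "none", "SOURCE", "DEST"}
IPSEC_ONLY = {"reqid", "spi", "proto", "mode", "tunnel-src", "tunnel-dst", "strict", "next"}

SAMPLE = """\
#ZONE       TYPE      OPTIONS      IN OPTIONS              OUT OPTIONS
fw          firewall
net         ipv4      -            -                       mss=1400
dmz:net     ipv4
vpn         ipsec     mode=tunnel  tunnel-src=10.1.0.0/16  -
"""

def parse_zones(text):
    """Return (zones, errors): the records, and every shorewall-zones(5) rule violated."""
    zones, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        name, _, parents = cols[0].partition(":")      # zone[:parent[,parent]...]
        parents = [p for p in parents.split(",") if p]
        cols += ["-"] * (5 - len(cols))                # absent columns read as "-"
        ztype = "ipv4" if cols[1] == "-" else cols[1]  # empty TYPE defaults to ipv4
        opts = [set(c.split(",")) - {"-"} for c in cols[2:5]]  # OPTIONS, IN, OUT
        checks = [(name in RESERVED, "reserved zone name"),
                  (len(name) > 5, "name longer than 5 characters (default LOGFORMAT)"),
                  (any(p not in {z["name"] for z in zones} for p in parents), "parent zone not declared earlier"),
                  (ztype == "firewall" and any(opts), "options not permitted on firewall zone")]
        for eff in (opts[0] | opts[1], opts[0] | opts[2]):  # effective inbound / outbound sets
            keys = {o.split("=", 1)[0] for o in eff}
            checks += [(ztype != "ipsec" and bool(keys & IPSEC_ONLY), "only mss allowed on non-ipsec zone"),
                       (bool(keys & {"tunnel-src", "tunnel-dst"}) and "mode=tunnel" not in eff,
                        "tunnel-src/tunnel-dst require mode=tunnel"),
                       ("next" in keys and "strict" not in keys, "next can only be used with strict")]
        errors += [f"line {n} ({name}): {m}" for c, m in checks if c]
        zones.append({"name": name, "type": ztype, "parents": parents, "opts": opts})
    if sum(z["type"] == "firewall" for z in zones) != 1:
        errors.append("exactly one firewall zone is required")
    return zones, list(dict.fromkeys(errors))   # drop in/out duplicates, keep order

def order_zones(zones):
    """Zone names reordered so each parent zone follows all of its subzones."""
    kids = {z["name"]: [c["name"] for c in zones if z["name"] in c["parents"]] for z in zones}
    out = []
    def visit(name):                 # subzones first, then the zone itself
        if name not in out:
            for c in kids[name]:
                visit(c)
            out.append(name)
    for z in zones:
        visit(z["name"])
    return out
```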

FILES

       /etc/shorewall/zones

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5)

                               23 November 2007             shorewall-zones(5)