Provided by: shorewall-common_4.0.12-1_all

NAME
       hosts - Shorewall file

DESCRIPTION
       This file is used to define zones in terms of subnets and/or individual
       IP addresses. Most simple setups  don’t  need  to  (should  not)  place
       anything in this file.

       The  order  of  entries  in this file is not significant in determining
       zone composition. Rather, the order that  the  zones  are  declared  in
       shorewall-zones  〈shorewall-zones.html〉  (5)  determines  the  order in
       which the records in this file are interpreted.

              The only time that you need this file is when you have more than
              one zone connected through a single interface.

              If  you  have  an  entry  for a zone and interface in shorewall-
              interfaces 〈shorewall-interfaces.html〉 (5) then do  not  include
              any entries in this file for that same (zone, interface) pair.

       The columns in the file are as follows.

       ZONE — zone
              The name of a zone declared in shorewall-zones
              〈shorewall-zones.html〉 (5). You may not list the firewall zone
              in this column.

       HOST(S) — interface:host[,host]...
              The name of an interface defined in the shorewall-interfaces
              〈shorewall-interfaces.html〉 (5) file followed by a colon (":")
              and a comma-separated list whose elements are either:

              1.  The IP address of a host.

              2.  A network in CIDR format.

              3.  An  IP  address  range of the form low.address-high.address.
                  Your kernel and iptables must have iprange match support.

               4.  The name of an ipset.

               You may also exclude certain hosts through use of an exclusion
               (see shorewall-exclusion 〈shorewall-exclusion.html〉 (5)).
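The HOST(S) format described above, as an added example that is not part of this man page or of Shorewall itself: a Python parser that applies the rules on this page (interface:list column, the four element kinds, exclusions, the firewall zone not allowed in ZONE, no embedded white space in OPTIONS, no duplicate of a (zone, interface) pair already in shorewall-interfaces) and returns the records in shorewall-zones order rather than file order. The "!" exclusion syntax and treating any non-address element as an ipset name are assumptions, as is the constructed sample file.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: two zones share eth1 (the case this file exists for). The
# "!" exclusion syntax is assumed to follow shorewall-exclusion(5).
SAMPLE_HOSTS = """\
#ZONE   HOST(S)                                  OPTIONS
loc     eth1:10.0.1.0/24,10.0.1.200-10.0.1.220
dmz     eth1:10.0.2.0/24!10.0.2.5                ipsec
"""
HostRecord = namedtuple("HostRecord", "zone interface hosts excluded options")

def classify(element):
    """Kind of one HOST(S) element: address, network, range, or (assumed) ipset."""
    low, dash, high = element.partition("-")
    try:
        if dash:                      # low.address-high.address (needs iprange match)
            ipaddress.ip_address(low), ipaddress.ip_address(high)
            return "range"
        if "/" in element:            # network in CIDR form
            ipaddress.ip_network(element)
            return "network"
        ipaddress.ip_address(element)
        return "address"
    except ValueError:                # assumption: anything else is an ipset name
        return "ipset"

def parse_hosts(text, zone_order, firewall_zone="fw", interface_pairs=frozenset()):
    """Parse a hosts file; records come back in shorewall-zones order, not file order."""
    records = []
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) not in (2, 3):   # a 4th column means white space inside OPTIONS
            raise ValueError(f"line {n}: expected ZONE HOST(S) [OPTIONS]")
        zone, hostcol, optcol = (cols + ["-"])[:3]
        if zone == firewall_zone or zone not in zone_order:
            raise ValueError(f"line {n}: zone {zone!r} is the firewall or undeclared")
        iface, sep, hostlist = hostcol.partition(":")
        if not (sep and hostlist):
            raise ValueError(f"line {n}: HOST(S) must be interface:list")
        if (zone, iface) in interface_pairs:  # already covered in shorewall-interfaces
            raise ValueError(f"line {n}: ({zone}, {iface}) duplicates interfaces file")
        included, _, excluded = hostlist.partition("!")
        records.append(HostRecord(zone, iface,
                                  [(classify(e), e) for e in included.split(",")],
                                  [e for e in excluded.split(",") if e],
                                  [] if optcol == "-" else optcol.split(",")))
    return sorted(records, key=lambda r: zone_order.index(r.zone))
```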

       OPTIONS (Optional) — [option[,option]...]
              A  comma-separated  list of options from the following list. The
              order in which you list the options is not significant  but  the
              list must have no embedded white space.

                     Connection requests from these hosts are compared against
                     the         contents         of         shorewall-maclist
                     〈shorewall-maclist.html〉   (5).   If   this   option   is
                     specified, the interface  must  be  an  ethernet  NIC  or
                     equivalent and must be up before Shorewall is started.

                     Shorewall  should  set  up  the  infrastructure  to  pass
                     packets from this/these address(es) back  to  themselves.
                     This is necessary if hosts in this group use the services
                     of a transparent proxy that is a member of the  group  or
                     if  DNAT  is  used to send requests originating from this
                     group to a server in the group.

                     This option only makes sense for ports on a bridge.

                     Check  packets  arriving  on  this   port   against   the
                     shorewall-blacklist  〈shorewall-blacklist.html〉 (5) file.

                     Packets arriving from these hosts are checked for certain
                     illegal  combinations of TCP flags. Packets found to have
                     such a combination of flags are handled according to  the
                     setting of TCP_FLAGS_DISPOSITION after having been logged
                     according to the setting of TCP_FLAGS_LOG_LEVEL.

                     This option only makes sense for ports on a bridge.

                     Filter packets  for  smurfs  (packets  with  a  broadcast
                     address as the source).

                     Smurfs  will be optionally logged based on the setting of
                     SMURF_LOG_LEVEL in  shorewall.conf  〈shorewall.conf.html〉
                     (5). After logging, the packets are dropped.

              ipsec  The zone is accessed via a kernel 2.6 ipsec SA. Note that
                     if the zone named in the ZONE column is specified  as  an
                     IPSEC  zone in the shorewall-zones 〈shorewall-zones.html〉
                     (5) file then you do NOT  need  to  specify  the  ’ipsec’
                     option here.

                      Used when you want to include limited broadcasts
                      (destination IP address 255.255.255.255) from the
                      firewall to this zone. Only necessary when:

                     1.  The  network specified in the HOST(S) column does not

                     2.  The zone does not have an entry for this interface in
                         shorewall-interfaces 〈shorewall-interfaces.html〉 (5).

                      Normally used with the Multi-cast IP address range
                      (224.0.0.0/4).

                      Specifies that traffic will be sent to the specified
                      net(s) but that no traffic will be received from the
                      net(s).

EXAMPLES
       Example 1
              The  firewall  runs  a PPTP server which creates a ppp interface
              for each remote client. The clients are assigned IP addresses in
              the network and in a zone named ’vpn’.

              #ZONE       HOST(S)               OPTIONS
              vpn         ppp+:

               It is especially recommended to define such a zone using this
               file rather than shorewall-interfaces
               〈shorewall-interfaces.html〉 (5) if there is another zone that
               uses a fixed PPP interface (for example, if the ’net’ zone
               always interfaces through ppp0).

SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
       blacklist(5), shorewall-interfaces(5),  shorewall-ipsec(5),  shorewall-
       maclist(5),  shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5),
       shorewall-netmap(5),     shorewall-params(5),      shorewall-policy(5),
       shorewall-providers(5),        shorewall-proxyarp(5),        shorewall-
       route_routes(5),     shorewall-routestopped(5),     shorewall-rules(5),
       shorewall.conf(5),    shorewall-tcclasses(5),   shorewall-tcdevices(5),
       shorewall-tcrules(5),      shorewall-tos(5),      shorewall-tunnels(5),

                                 24 June 2008               shorewall-hosts(5)