Provided by: shorewall-common_4.0.12-1_all bug


       zones - Shorewall zone declaration file




       The  /etc/shorewall/zones file declares your network zones. You specify
       the hosts in each zone through entries in /etc/shorewall/interfaces  or

       The columns in the file are as follows.

              Name  of  the zone. The names "all", "none", "SOURCE" and "DEST"
              are reserved and may not be used  as  zone  names.  The  maximum
              length  of  a  zone  name  is  determined  by the setting of the
              LOGFORMAT option in  shorewall.conf  〈shorewall.conf.html〉  (5).
              With  the  default  LOGFORMAT,  zone  names  can  be  at  most 5
              characters long.

              The order in which Shorewall matches addresses from  packets  to
              zones  is  determined by the order of zone declarations. Where a
              zone is nested in one or more other zones, you may either ensure
              that  the  nested zone precedes its parents in this file, or you
              may follow the (sub)zone name by ":" and a comma-separated  list
              of the parent zones. The parent zones must have been declared in
              earlier   records   in   this   file.   See    shorewall-nesting
              〈shorewall-nesting.html〉 (5) for additional information.


              #ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
              a         ipv4
              b         ipv4
              c:a,b     ipv4

              Currently,  Shorewall  uses this information to reorder the zone
              list so that parent zones appear after  their  subzones  in  the
              list.     The   IMPLICIT_CONTINUE   option   in   shorewall.conf
              〈shorewall.conf.html〉 (5)  can  also  create  implicit  CONTINUE
              policies to/from the subzone.

              In  the  future,  Shorewall  may  make additional use of nesting


              ipv4   This is the standard  Shorewall  zone  type  and  is  the
                     default  if  you  leave this column empty or if you enter
                     "-" in the column. Communication with some zone hosts may
                     be  encrypted.  Encrypted  hosts are designated using the
                     ’ipsec’option in  shorewall-hosts  〈shorewall-hosts.html〉

              ipsec  Communication  with  all  zone  hosts  is encrypted. Your
                     kernel and iptables must include policy match support.

                     Designates the firewall itself. You must have exactly one
                     ’firewall’   zone.   No  options  are  permitted  with  a
                     ’firewall’ zone. The name that  you  enter  in  the  ZONE
                     column will be stored in the shell variable $FW which you
                     may use in other configuration  files  to  designate  the
                     firewall zone.

              bport (or bport4)
                     (Shorewall-perl  only) The zone is associated with one or
                     more ports on a single bridge.

       OPTIONS, IN OPTIONS and OUT OPTIONS — [option[,option]...]
              A comma-separated list of options. With the exception of the mss
              option, these only apply to TYPE ipsec zones.

                     where  number  is  specified  using  setkey(8)  using the
                     ’unique:number option for the SPD level.

                     where number is the SPI of the SA used to encrypt/decrypt

                     IPSEC Encapsulation Protocol

                     sets  the  MSS  field  in TCP packets. If you supply this
                     option,   you   should   also   set   FASTACCEPT=No    in
                     shorewall.conf  〈shorewall.conf.html〉  (5) to insure that
                     both the SYN and SYN,ACK packets  have  their  MSS  field

                     IPSEC mode

                     only available with mode=tunnel

                     only available with mode=tunnel

              strict Means that packets must match all rules.

              next   Separates rules; can only be used with strict

       The  options  in  the  OPTIONS  column are applied to both incoming and
       outgoing traffic. The IN OPTIONS are applied to  incoming  traffic  (in
       addition  to  OPTIONS)  and  the  OUT  OPTIONS  are applied to outgoing

       If you wish to leave a column empty but need to  make  an  entry  in  a
       following column, use "-".




       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
       blacklist(5), shorewall-hosts(5),  shorewall-interfaces(5),  shorewall-
       ipsec(5),  shorewall-maclist(5),  shorewall-masq(5),  shorewall-nat(5),
       shorewall-nesting(5),     shorewall-netmap(5),     shorewall-params(5),
       shorewall-policy(5),   shorewall-providers(5),   shorewall-proxyarp(5),
       shorewall-route_routes(5),    shorewall-routestopped(5),     shorewall-
       rules(5),    shorewall.conf(5),    shorewall-tcclasses(5),   shorewall-
       tcdevices(5),   shorewall-tcrules(5),   shorewall-tos(5),    shorewall-

                                 24 June 2008               shorewall-zones(5)