Provided by: shorewall6_4.2.10-1_all bug

NAME

       hosts - shorewall6 file

SYNOPSIS

       /etc/shorewall6/hosts

DESCRIPTION

       This file is used to define zones in terms of subnets and/or individual
       IP addresses. Most simple setups don´t need to (should not) place
       anything in this file.

       The order of entries in this file is not significant in determining
       zone composition. Rather, the order that the zones are declared in
       shorewall6-zones[1](5) determines the order in which the records in
       this file are interpreted.

       Warning
       The only time that you need this file is when you have more than one
       zone connected through a single interface.

       Warning
       If you have an entry for a zone and interface in
       shorewall6-interfaces[2](5) then do not include any entries in this
       file for that same (zone, interface) pair.

       The columns in the file are as follows.

       ZONE - zone-name
           The name of a zone declared in shorewall6-zones[1](5). You may not
           list the firewall zone in this column.

       HOST(S) -
       interface:[{[{address-or-range[,address-or-range]...|+ipset}[exclusion]]
           The name of an interface defined in the shorewall6-interfaces[2](5)
           file followed by a colon (":") and a comma-separated list whose
           elements are either:

            1.  The IPv6 address of a host.

            2.  A network in CIDR format.

            3.  An IP address range of the form low.address-high.address. Your
               kernel and ip6tables must have iprange match support.

            4.  The name of an ipset.

               You may also exclude certain hosts through use of an exclusion
               (see shorewall6-exclusion[3](5).

       OPTIONS (Optional) - [option[,option]...]
           A comma-separated list of options from the following list. The
           order in which you list the options is not significant but the list
           must have no embedded white space.

           routeback
               shorewall6 should set up the infrastructure to pass packets
               from this/these address(es) back to themselves. This is
               necessary if hosts in this group use the services of a
               transparent proxy that is a member of the group or if DNAT is
               used to send requests originating from this group to a server
               in the group.

           blacklist
               This option only makes sense for ports on a bridge.

               Check packets arriving on this port against the
               shorewall6-blacklist[4](5) file.

           tcpflags
               Packets arriving from these hosts are checked for certain
               illegal combinations of TCP flags. Packets found to have such a
               combination of flags are handled according to the setting of
               TCP_FLAGS_DISPOSITION after having been logged according to the
               setting of TCP_FLAGS_LOG_LEVEL.

           ipsec
               The zone is accessed via a kernel 2.6 ipsec SA. Note that if
               the zone named in the ZONE column is specified as an IPSEC zone
               in the shorewall6-zones[1](5) file then you do NOT need to
               specify the ´ipsec´ option here.

FILES

       /etc/shorewall6/hosts

SEE ALSO

       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
       shorewall6-blacklist(5), shorewall6-interfaces(5),
       shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
       shorewall6-providers(5), shorewall6-route_rules(5),
       shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
       shorewall6-tcclasses(5), shorewall6-tcdevices(5),
       shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
       shorewall-zones(5)

NOTES

        1. shorewall6-zones
           shorewall-zones.html

        2. shorewall6-interfaces
           shorewall-interfaces.html

        3. shorewall6-exclusion
           shorewall-exclusion.html

        4. shorewall6-blacklist
           shorewall-blacklist.html

                                  06/18/2009               SHOREWALL6-HOSTS(5)