Provided by: shorewall_4.4.21-1_all bug


       hosts - Shorewall file




       This file is used to define zones in terms of subnets and/or individual
       IP addresses. Most simple setups don't need to (should not) place
       anything in this file.

       The order of entries in this file is not significant in determining
       zone composition. Rather, the order that the zones are declared in
       shorewall-zones[1](5) determines the order in which the records in this
       file are interpreted.

           The only time that you need this file is when you have more than
           one zone connected through a single interface.

           If you have an entry for a zone and interface in
           shorewall-interfaces[2](5) then do not include any entries in this
           file for that same (zone, interface) pair.

       The columns in the file are as follows.

       ZONE - zone-name
           The name of a zone declared in shorewall-zones[1](5). You may not
           list the firewall zone in this column.

       HOST(S) -
           The name of an interface defined in the shorewall-interfaces[2](5)
           file followed by a colon (":") and a comma-separated list whose
           elements are either:

            1. The IP address of a host.

            2. A network in CIDR format.

            3. An IP address range of the form low.address-high.address. Your
               kernel and iptables must have iprange match support.

            4. The name of an ipset.

            5. The word dynamic which makes the zone dynamic in that you can
               use the shorewall add and shorewall delete commands to change
               to composition of the zone.

           You may also exclude certain hosts through use of an exclusion (see

       OPTIONS (Optional) - [option[,option]...]
           A comma-separated list of options from the following list. The
           order in which you list the options is not significant but the list
           must have no embedded white space.

               Connection requests from these hosts are compared against the
               contents of shorewall-maclist[4](5). If this option is
               specified, the interface must be an ethernet NIC or equivalent
               and must be up before Shorewall is started.

               Shorewall should set up the infrastructure to pass packets from
               this/these address(es) back to themselves. This is necessary if
               hosts in this group use the services of a transparent proxy
               that is a member of the group or if DNAT is used to send
               requests originating from this group to a server in the group.

               This option only makes sense for ports on a bridge. As of
               Shoreawall 4.4.13, the option is no longer supported and is
               ignored with a warning: WARNING: The "blacklist" host option is
               no longer supported and will be ignored.  Check packets
               arriving on this port against the shorewall-blacklist[5](5)

               Packets arriving from these hosts are checked for certain
               illegal combinations of TCP flags. Packets found to have such a
               combination of flags are handled according to the setting of
               TCP_FLAGS_DISPOSITION after having been logged according to the
               setting of TCP_FLAGS_LOG_LEVEL.

               This option only makes sense for ports on a bridge.

               Filter packets for smurfs (packets with a broadcast address as
               the source).

               Smurfs will be optionally logged based on the setting of
               SMURF_LOG_LEVEL in shorewall.conf[6](5). After logging, the
               packets are dropped.

               The zone is accessed via a kernel 2.6 ipsec SA. Note that if
               the zone named in the ZONE column is specified as an IPSEC zone
               in the shorewall-zones[1](5) file then you do NOT need to
               specify the 'ipsec' option here.

               Used when you want to include limited broadcasts (destination
               IP address from the firewall to this zone.
               Only necessary when:

                1. The network specified in the HOST(S) column does not

                2. The zone does not have an entry for this interface in

               Normally used with the Multi-cast IP address range
               ( Specifies that traffic will be sent to the
               specified net(s) but that no traffic will be received from the


       Example 1
           The firewall runs a PPTP server which creates a ppp interface for
           each remote client. The clients are assigned IP addresses in the
           network and in a zone named 'vpn'.

               #ZONE       HOST(S)               OPTIONS
               vpn         ppp+:




       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)


        1. shorewall-zones

        2. shorewall-interfaces

        3. shorewall-exclusion

        4. shorewall-maclist

        5. shorewall-blacklist

        6. shorewall.conf

[FIXME: source]                   07/10/2011                SHOREWALL-HOSTS(5)