Provided by: shorewall6_4.4.21-1_all
hosts - shorewall6 file
This file is used to define zones in terms of subnets and/or individual
IP addresses. Most simple setups don't need to (should not) place
anything in this file.
The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in
shorewall6-zones(5) determines the order in which the records in
this file are interpreted.
The only time that you need this file is when you have more than
one zone connected through a single interface.
If you have an entry for a zone and interface in
shorewall6-interfaces(5) then do not include any entries in this
file for that same (zone, interface) pair.
The columns in the file are as follows.
ZONE - zone-name
The name of a zone declared in shorewall6-zones(5). You may not
list the firewall zone in this column.
The name of an interface defined in the shorewall6-interfaces(5)
file followed by a colon (":") and a comma-separated list whose
elements are either:
1. The IPv6 address of a host.
2. A network in CIDR format.
3. An IP address range of the form low.address-high.address. Your
kernel and ip6tables must have iprange match support.
4. The name of an ipset.
5. The word dynamic which makes the zone dynamic in that you can
use the shorewall add and shorewall delete commands to change
to composition of the zone. This capability was added in
You may also exclude certain hosts through use of an exclusion (see
OPTIONS (Optional) - [option[,option]...]
A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list
must have no embedded white space.
shorewall6 should set up the infrastructure to pass packets
from this/these address(es) back to themselves. This is
necessary if hosts in this group use the services of a
transparent proxy that is a member of the group or if DNAT is
used to send requests originating from this group to a server
in the group.
This option only makes sense for ports on a bridge. As of
Shorewall 4.4.13, its is ignored with a warning message:
WARNING: The "blacklist" host option is no longer supported and
will be ignored. Check packets arriving on this port against
the shorewall6-blacklist(5) file.
Packets arriving from these hosts are checked for certain
illegal combinations of TCP flags. Packets found to have such a
combination of flags are handled according to the setting of
TCP_FLAGS_DISPOSITION after having been logged according to the
setting of TCP_FLAGS_LOG_LEVEL.
The zone is accessed via a kernel 2.6 ipsec SA. Note that if
the zone named in the ZONE column is specified as an IPSEC zone
in the shorewall6-zones(5) file then you do NOT need to
specify the 'ipsec' option here.
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
[FIXME: source] 07/09/2011 SHOREWALL6-HOSTS(5)