Provided by: shorewall_5.0.4-1_all 
NAME
hosts - Shorewall file
SYNOPSIS
/etc/shorewall/hosts
DESCRIPTION
This file is used to define zones in terms of subnets and/or individual IP addresses. Most
simple setups don't need to (should not) place anything in this file.
The order of entries in this file is not significant in determining zone composition.
Rather, the order that the zones are declared in shorewall-zones[1](5) determines the
order in which the records in this file are interpreted.
Warning
The only time that you need this file is when you have more than one zone connected
through a single interface.
Warning
If you have an entry for a zone and interface in shorewall-interfaces[2](5) then do
not include any entries in this file for that same (zone, interface) pair.
The columns in the file are as follows.
ZONE - zone-name
The name of a zone declared in shorewall-zones[1](5). You may not list the firewall
zone in this column.
HOST(S) - interface:{[{address-or-range[,address-or-range]...|+ipset|dynamic}[exclusion]
The name of an interface defined in the shorewall-interfaces[2](5) file followed by a
colon (":") and a comma-separated list whose elements are either:
1. The IP address of a host.
2. A network in CIDR format.
3. An IP address range of the form low.address-high.address. Your kernel and iptables
must have iprange match support.
4. The name of an ipset.
5. The word dynamic which makes the zone dynamic in that you can use the shorewall
add and shorewall delete commands to change to composition of the zone.
You may also exclude certain hosts through use of an exclusion (see
shorewall-exclusion[3](5).
OPTIONS (Optional) - [option[,option]...]
A comma-separated list of options from the following list. The order in which you list
the options is not significant but the list must have no embedded white-space.
blacklist
Check packets arriving on this port against the shorewall-blacklist[4](5) file.
broadcast
Used when you want to include limited broadcasts (destination IP address
255.255.255.255) from the firewall to this zone. Only necessary when:
1. The network specified in the HOST(S) column does not include 255.255.255.255.
2. The zone does not have an entry for this interface in
shorewall-interfaces[2](5).
destonly
Normally used with the Multi-cast IP address range (224.0.0.0/4). Specifies that
traffic will be sent to the specified net(s) but that no traffic will be received
from the net(s).
ipsec
The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the
ZONE column is specified as an IPSEC zone in the shorewall-zones[1](5) file then
you do NOT need to specify the 'ipsec' option here.
maclist
Connection requests from these hosts are compared against the contents of
shorewall-maclist[5](5). If this option is specified, the interface must be an
Ethernet NIC or equivalent and must be up before Shorewall is started.
mss=mss
Added in Shorewall 4.5.2. When present, causes the TCP mss for new connections
to/from the hosts given in the HOST(S) column to be clamped at the specified mss.
nosmurfs
This option only makes sense for ports on a bridge.
Filter packets for smurfs (packets with a broadcast address as the source).
Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in
shorewall.conf[6](5). After logging, the packets are dropped.
routeback
Shorewall should set up the infrastructure to pass packets from this/these
address(es) back to themselves. This is necessary if hosts in this group use the
services of a transparent proxy that is a member of the group or if DNAT is used
to send requests originating from this group to a server in the group.
tcpflags
Packets arriving from these hosts are checked for certain illegal combinations of
TCP flags. Packets found to have such a combination of flags are handled according
to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the
setting of TCP_FLAGS_LOG_LEVEL.
EXAMPLES
Example 1
The firewall runs a PPTP server which creates a ppp interface for each remote client.
The clients are assigned IP addresses in the network 192.168.3.0/24 and in a zone
named 'vpn'.
#ZONE HOST(S) OPTIONS
vpn ppp+:192.168.3.0/24
FILES
/etc/shorewall/hosts
SEE ALSO
http://www.shorewall.net/configuration_file_basics.htm#Pairs[7]
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)
NOTES
1. shorewall-zones
http://www.shorewall.net/manpages/shorewall-zones.html
2. shorewall-interfaces
http://www.shorewall.net/manpages/shorewall-interfaces.html
3. shorewall-exclusion
http://www.shorewall.net/manpages/shorewall-exclusion.html
4. shorewall-blacklist
http://www.shorewall.net/manpages/shorewall-blacklist.html
5. shorewall-maclist
http://www.shorewall.net/manpages/shorewall-maclist.html
6. shorewall.conf
http://www.shorewall.net/manpages/shorewall.conf.html
7. http://www.shorewall.net/configuration_file_basics.htm#Pairs
http://www.shorewall.net/configuration_file_basics.htm#Pairs