2004-01-31 17:11:22 +01:00
|
|
|
#
|
2004-07-21 22:55:47 +02:00
|
|
|
# Shorewall 2.1 - /etc/shorewall/hosts
|
2004-01-31 17:11:22 +01:00
|
|
|
#
|
2004-02-21 17:32:49 +01:00
|
|
|
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
|
|
|
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
2004-01-31 17:11:22 +01:00
|
|
|
#
|
2004-02-21 17:32:49 +01:00
|
|
|
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
|
2004-03-20 18:21:15 +01:00
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
|
|
|
|
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
|
|
|
|
# ZONE AND INTERFACE IN THIS FILE.
|
|
|
|
#------------------------------------------------------------------------------
|
2004-01-31 17:11:22 +01:00
|
|
|
# This file is used to define zones in terms of subnets and/or
|
|
|
|
# individual IP addresses. Most simple setups don't need to
|
|
|
|
# (should not) place anything in this file.
|
|
|
|
#
|
2004-04-15 15:50:02 +02:00
|
|
|
# The order of entries in this file is not significant in
|
|
|
|
# determining zone composition. Rather, the order that the zones
|
|
|
|
# are defined in /etc/shorewall/zones determines the order in
|
|
|
|
# which the records in this file are interpreted.
|
|
|
|
#
|
2004-01-31 17:11:22 +01:00
|
|
|
# ZONE - The name of a zone defined in /etc/shorewall/zones
|
|
|
|
#
|
2004-03-15 19:55:13 +01:00
|
|
|
# HOST(S) - The name of an interface defined in the
|
|
|
|
# /etc/shorewall/interfaces file followed by a colon (":") and
|
2004-01-31 17:11:22 +01:00
|
|
|
# a comma-separated list whose elements are either:
|
|
|
|
#
|
|
|
|
# a) The IP address of a host
|
|
|
|
# b) A subnetwork in the form
|
|
|
|
# <subnet-address>/<mask width>
|
2004-09-08 20:46:57 +02:00
|
|
|
# c) An IP address range of the form <low address>-<high
|
|
|
|
# address>. Your kernel and iptables must have iprange
|
|
|
|
# match support.
|
|
|
|
# d) A physical port name; only allowed when the
|
2004-03-15 19:55:13 +01:00
|
|
|
# interface names a bridge created by the
|
|
|
|
# brctl addbr command. This port must not
|
|
|
|
# be defined in /etc/shorewall/interfaces and may
|
|
|
|
# optionally followed by a colon (":") and a
|
2004-09-08 20:46:57 +02:00
|
|
|
# host or network IP or a range.
|
2004-03-15 19:55:13 +01:00
|
|
|
# See http://www.shorewall.net/Bridge.html for details.
|
2004-01-31 17:11:22 +01:00
|
|
|
#
|
|
|
|
# Examples:
|
|
|
|
#
|
|
|
|
# eth1:192.168.1.3
|
|
|
|
# eth2:192.168.2.0/24
|
|
|
|
# eth3:192.168.2.0/24,192.168.3.1
|
2004-03-15 19:55:13 +01:00
|
|
|
# br0:eth4
|
|
|
|
# br0:eth0:192.168.1.16/28
|
2004-09-08 20:46:57 +02:00
|
|
|
# eth4:192.168.1.44-192.168.1.49
|
2004-01-31 17:11:22 +01:00
|
|
|
#
|
|
|
|
# OPTIONS - A comma-separated list of options. Currently-defined
|
|
|
|
# options are:
|
|
|
|
#
|
|
|
|
# maclist - Connection requests from these hosts
|
|
|
|
# are compared against the contents of
|
|
|
|
# /etc/shorewall/maclist. If this option
|
|
|
|
# is specified, the interface must be
|
|
|
|
# an ethernet NIC and must be up before
|
|
|
|
# Shorewall is started.
|
|
|
|
#
|
2004-04-15 15:50:02 +02:00
|
|
|
# routeback - Shorewall should set up the infrastructure
|
2004-01-31 17:11:22 +01:00
|
|
|
# to pass packets from this/these
|
|
|
|
# address(es) back to themselves. This is
|
2004-04-15 15:50:02 +02:00
|
|
|
# necessary if hosts in this group use the
|
2004-01-31 17:11:22 +01:00
|
|
|
# services of a transparent proxy that is
|
|
|
|
# a member of the group or if DNAT is used
|
|
|
|
# to send requests originating from this
|
|
|
|
# group to a server in the group.
|
|
|
|
#
|
2004-03-22 22:15:54 +01:00
|
|
|
# norfc1918 - This option only makes sense for ports
|
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# The port should not accept
|
|
|
|
# any packets whose source is in one
|
|
|
|
# of the ranges reserved by RFC 1918
|
|
|
|
# (i.e., private or "non-routable"
|
|
|
|
# addresses. If packet mangling or
|
|
|
|
# connection-tracking match is enabled in
|
|
|
|
# your kernel, packets whose destination
|
|
|
|
# addresses are reserved by RFC 1918 are
|
|
|
|
# also rejected.
|
|
|
|
#
|
|
|
|
# nobogons - This option only makes sense for ports
|
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# This port should not accept
|
|
|
|
# any packets whose source is in one
|
|
|
|
# of the ranges reserved by IANA (this
|
|
|
|
# option does not cover those ranges
|
|
|
|
# reserved by RFC 1918 -- see
|
|
|
|
# 'norfc1918' above).
|
|
|
|
#
|
2004-03-25 16:28:16 +01:00
|
|
|
# blacklist - This option only makes sense for ports
|
2004-03-22 22:15:54 +01:00
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# Check packets arriving on this port
|
|
|
|
# against the /etc/shorewall/blacklist
|
|
|
|
# file.
|
|
|
|
#
|
|
|
|
# tcpflags - Packets arriving from these hosts are
|
|
|
|
# checked for certain illegal combinations
|
|
|
|
# of TCP flags. Packets found to have
|
|
|
|
# such a combination of flags are handled
|
|
|
|
# according to the setting of
|
|
|
|
# TCP_FLAGS_DISPOSITION after having been
|
|
|
|
# logged according to the setting of
|
|
|
|
# TCP_FLAGS_LOG_LEVEL.
|
|
|
|
#
|
|
|
|
# nosmurfs - This option only makes sense for ports
|
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# Filter packets for smurfs
|
|
|
|
# (packets with a broadcast
|
|
|
|
# address as the source).
|
|
|
|
#
|
|
|
|
# Smurfs will be optionally logged based
|
|
|
|
# on the setting of SMURF_LOG_LEVEL in
|
|
|
|
# shorewall.conf. After logging, the
|
|
|
|
# packets are dropped.
|
|
|
|
#
|
|
|
|
# newnotsyn - TCP packets that don't have the SYN
|
|
|
|
# flag set and which are not part of an
|
|
|
|
# established connection will be accepted
|
|
|
|
# from these hosts, even if
|
|
|
|
# NEWNOTSYN=No has been specified in
|
|
|
|
# /etc/shorewall/shorewall.conf.
|
|
|
|
#
|
|
|
|
# This option has no effect if
|
|
|
|
# NEWNOTSYN=Yes.
|
|
|
|
#
|
2004-08-17 20:00:22 +02:00
|
|
|
# ipsec - The zone is accessed via a
|
2004-10-26 16:48:21 +02:00
|
|
|
# kernel 2.6 ipsec SA. Note that if the
|
|
|
|
# zone named in the ZONE column is
|
|
|
|
# specified as an IPSEC zone in the
|
|
|
|
# /etc/shorewall/ipsec file then you do NOT
|
|
|
|
# need to specify the 'ipsec' option here.
|
2004-08-06 17:35:05 +02:00
|
|
|
#
|
2004-01-31 17:11:22 +01:00
|
|
|
#ZONE HOST(S) OPTIONS
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|