Updated Samples For 1.4.7 Final Release Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@753 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall 1.4  -- Sample Interface File For One Interface
+# 	Shorewall 1.4.7.7.7.7.7.7.7  -- Sample Interface File For One Interface
 #
 # 	/etc/shorewall/interfaces
 #
@@ -106,6 +106,13 @@
 #					/etc/shorewall/shorewall.conf.
 #
 #					This option has no effect if NEWNOTSYN=Yes
+#			arp_filter	
+#					If specified, this interface will only respond
+#					to ARP who-has requests for IP addresses 
+#					configured on the interface. If not specified,
+#					the interface can respond to ARP who-has requests
+#					for IP addresses on any of the firewall's interface.
+#					The interface must be up when shorewall is started.
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white

Samples/one-interface/policy

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall 1.4 -- Sample Policy File For One Interface
+# 	Shorewall 1.4.7 -- Sample Policy File For One Interface
 #
 # 	/etc/shorewall/policy
 #
@@ -75,5 +75,6 @@
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 fw		net		ACCEPT
 net		all		DROP		info
+# The FOLLOWING POLICY MUST BE LAST
 all		all		REJECT		info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/one-interface/rules

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall version 1.4 - Sample Rules File For One Interface
+# 	Shorewall version 1.4.7 - Sample Rules File For One Interface
 #
 # 	/etc/shorewall/rules
 #
@@ -55,9 +55,27 @@
 #				LOG		
 #						Simply log the packet and continue.
 #
-#			May optionally be followed by ":" and a syslog log
+#			You may rate-limit the rule by optionally following 
-#			level (e.g, REJECT:info). This causes the packet to be
+#			ACCEPT, DNAT[-], REDIRECT[-] or LOG with
-#			logged at the specified level.
+#				
+#				< <rate>/<interval>[:<burst>] >
+#
+#			Where <rate> is the number of connections per 
+#			<interval> ("sec" or "min") and <burst> is the largest
+#			burst permitted. If no <burst> is given, a value of 5 
+#			is assumed. There may be no whitespace embedded in the
+#			specification.
+#
+#		Example:
+#				ACCEPT<10/sec:20>
+#
+#			The ACTION (and rate limit) may optionally be followed by ":"
+#			and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
+#			This causes the packet to be logged at the specified level.
+#
+#	NOTE: For those of you who prefer to place the rate limit in a separate column, 
+#	see the RATE LIMIT column below. If you specify a value in that column you must include
+#	a rate limit in the action column.
 #
 #			You may also specify ULOG (must be in upper case) as a 
 #			log level. This will log to the ULOG target for routing
@@ -207,6 +225,36 @@
 #			If no source IP address is given, the original source
 #			address is not altered.
 #
+#	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			Where <rate> is the number of connections per <interval> ("sec"
+#			or "min") and <burst> is the largest burst permitted. If no
+#			<burst> is given, a value of 5 is assummed. There may be no
+#			whitespace embedded in the specification.
+#
+#		Example:
+#				10/sec:20
+#
+#			If you place a rate limit in this column, you may not place
+#			a similiar limit in the ACTION column.
+#
+#	USER SET	This Column may only be non-empty if the SOURCE is the firewall
+#			itself and the ACTION is ACCEPT, DROP or REJECT.
+#
+#			The column may contain a user set name defined in the 
+#			/etc/shorewall/usersets file or it may contain:
+#
+#			[<user name or number>]:[<group name or number>]
+#
+#			When this column is non-empty, the rule applies only if the 
+#			program generating the output is running under the effective
+#			<user>(s) and/or <group>(s) specified. When a user set name is 
+#			given, a log level may not be present in the ACTION column;
+#			logging for such rules is controlled by user set's entry in
+#			/etc/shorewall/usersets.
+#
 #	Note: Most one interface rules are of the type ACCEPT, REDIRECT or REJECT.
 #	DNAT, DNAT-, CONTINUE rules are for multiple interface firewall.
 #	Also by default all outbound fw -> net communications are allowed.
@@ -214,17 +262,17 @@
 #
 #	Example: Accept www requests to the one interface server.
 #
-#	#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#					PORT	PORT(S)	DEST
+#	#					PORT	PORT(S)	DEST		LIMIT	SET
 #	ACCEPT		net	fw	tcp	http
 #
 #	Example: Redirect port 88 Internet traffic to fw port 80
-#	#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE  ORIGINAL
+#	#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE  ORIGINAL	RATE	USER
-#	#					PORT	PORT(S)	DEST
+#	#					PORT	PORT(S)	DEST		LIMIT	SET
 #	REDIRECT	net	80	tcp	88
 #
 ##############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL
+#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER					
-#					PORT	PORT(S)	DEST
+#					PORT	PORT(S)	DEST		LIMIT	SET
 ACCEPT		net	fw	icmp	8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/one-interface/zones

@@ -1,5 +1,5 @@
 #
-#	Shorewall 1.4 -- Sample Zone File For One Interface
+#	Shorewall 1.4.7 -- Sample Zone File For One Interface
 #	/etc/shorewall/zones
 #
 #	This file determines your network zones. Columns are:
@@ -8,6 +8,13 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.html#Nested
+#
+# Of Course This Is A Single Zone .. So The Above Does Not Apply 
+#
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/three-interfaces/interfaces

@@ -1,5 +1,5 @@
 #	
-#	Shorewall 1.4 -- Sample Interface File For Three Interfaces
+#	Shorewall 1.4.7 -- Sample Interface File For Three Interfaces
 #
 # 	/etc/shorewall/interfaces
 #
@@ -106,6 +106,13 @@
 #				/etc/shorewall/shorewall.conf.
 #
 #				This option has no effect if NEWNOTSYN=Yes.
+#		arp_filter
+#				If specified, this interface will only respond
+#				to ARP who-has requests for IP addresses
+#				configured on the interface. If not specified,
+#				the interface can respond to ARP who-has requests
+#				for IP addresses on any of the firewall's interface.
+#				The interface must be up when shorewall is started.
 #
 #		The order in which you list the options is not
 #		significant but the list should have no embedded white

Samples/three-interfaces/masq

@@ -1,5 +1,5 @@
 #	
-#	Shorewall 1.4 - Sample Masquerade file For Three Interfaces
+#	Shorewall 1.4.7 - Sample Masquerade file For Three Interfaces
 #
 #	etc/shorewall/masq
 #

Samples/three-interfaces/policy

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall 1.4 -- Sample Policy File For Three Interfaces
+# 	Shorewall 1.4.7 -- Sample Policy File For Three Interfaces
 #
 # 	/etc/shorewall/policy
 #
@@ -81,5 +81,6 @@ loc		net		ACCEPT
 # remove the comment from the following line.
 #dmz		net		ACCEPT
 net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
 all		all		REJECT		info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/three-interfaces/routestopped

@@ -1,6 +1,6 @@
 ##############################################################################
 #
-#	Shorewall 1.4	--	Sample Routestopped File For Three Interfaces.
+#	Shorewall 1.4.7	--	Sample Routestopped File For Three Interfaces.
 #
 #	/etc/shorewall/routestopped
 #

Samples/three-interfaces/rules

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall version 1.4 - Sample Rules File For Three Interfaces
+# 	Shorewall version 1.4.7 - Sample Rules File For Three Interfaces
 #
 # 	/etc/shorewall/rules
 #
@@ -55,9 +55,27 @@
 #				LOG		
 #						Simply log the packet and continue.
 #
-#			May optionally be followed by ":" and a syslog log
+#			You may rate-limit the rule by optionally following 
-#			level (e.g, REJECT:info). This causes the packet to be
+#			ACCEPT, DNAT[-], REDIRECT[-] or LOG with
-#			logged at the specified level.
+#
+#				< <rate>/<interval>[:<burst>] >
+#
+#			Where <rate> is the number of connections per 
+#			<interval> ("sec" or "min") and <burst> is the largest
+#			burst permitted. If no <burst> is given, a value of 5 
+#			is assumed. There may be no whitespace embedded in the
+#			specification.
+#
+#		Example:
+#			ACCEPT<10/sec:20>
+#
+#			The ACTION (and rate limit) may optionally be followed by ":"
+#			and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
+#			This causes the packet to be logged at the specified level.
+#
+#	NOTE: For those of you who prefer to place the rate limit in a separate column, 
+#	see the RATE LIMIT column below. If you specify a value in that column you must include
+#	a rate limit in the action column.
 #
 #			You may also specify ULOG (must be in upper case) as a 
 #			log level. This will log to the ULOG target for routing
@@ -207,45 +225,75 @@
 #			If no source IP address is given, the original source
 #			address is not altered.
 #
+#	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			Where <rate> is the number of connections per <interval> ("sec"
+#			or "min") and <burst> is the largest burst permitted. If no
+#			<burst> is given, a value of 5 is assummed. There may be no
+#			whitespace embedded in the specification.
+#
+#		Example:
+#				10/sec:20
+#
+#			If you place a rate limit in this column, you may not place
+#			a similiar limit in the ACTION column.
+#
+#	USER SET	This Column may only be non-empty if the SOURCE is the firewall
+#			itself and the ACTION is ACCEPT, DROP or REJECT.
+#
+#			The column may contain a user set name defined in the 
+#			/etc/shorewall/usersets file or it may contain:
+#
+#				[<user name or number>]:[<group name or number>]
+#
+#			When this column is non-empty, the rule applies only if the 
+#			program generating the output is running under the effective
+#			<user>(s) and/or <group>(s) specified. When a user set name is 
+#			given, a log level may not be present in the ACTION column;
+#			logging for such rules is controlled by user set's entry in
+#			/etc/shorewall/usersets.
+#
 #	Also by default all outbound loc -> net communications are allowed.
 #	You can change this behavior in the sample policy file.
 #
 #	Example:	Accept www requests to the firewall.
 #
-#	#ACTION		SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#						PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	ACCEPT		net		fw		tcp	http
 #
 #	Example:	Accept SMTP requests from the Local Network to the Internet
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	ACCEPT		loc		net		tcp	smtp
 #
 #	Example:	Forward all ssh and http connection requests from the Internet
 #			to dmz system 192.168.2.3
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	DNAT		net		dmz:192.168.2.3	tcp	ssh,http
 #
 #	Example:	Redirect all locally-originating www connection requests to
 #			port 3128 on the firewall (Squid running on the firewall
 #			system) except when the destination address is 192.168.2.2
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	REDIRECT	loc		3128		tcp	www	-	!192.168.2.2
 #
 #	Example:	All http requests from the Internet to address
 #			130.252.100.69 are to be forwarded to 192.168.1.3
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	DNAT		net		loc:192.168.1.3	tcp	80	-	130.252.100.69
 ##############################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#							PORT	PORT(S)	DEST
+#							PORT	PORT(S)	DEST		LIMIT	SET
 #
 #	Accept DNS connections from the firewall to the Internet
 #

Samples/three-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# 	Shorewall 1.4 -- Sample Zone File For Two Interfaces
+# 	Shorewall 1.4.7 -- Sample Zone File For Two Interfaces
 # 	/etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
@@ -8,6 +8,11 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.html#Nested
+#
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 loc	Local		Local Networks

Samples/two-interfaces/interfaces

@@ -1,5 +1,5 @@
 #	
-#	Shorewall 1.4 -- Sample Interface File For Two Interfaces
+#	Shorewall 1.4.7 -- Sample Interface File For Two Interfaces
 #
 # 	/etc/shorewall/interfaces
 #
@@ -110,6 +110,13 @@
 #				/etc/shorewall/shorewall.conf.
 #
 #				This option has no effect if NEWNOTSYN=Yes.
+#		arp_filter
+#				If specified, this interface will only respond
+#				to ARP who-has requests for IP addresses
+#				configured on the interface. If not specified,
+#				the interface can respond to ARP who-has requests
+#				for IP addresses on any of the firewall's interface.
+#				The interface must be up when shorewall is started.
 #
 #		The order in which you list the options is not
 #		significant but the list should have no embedded white

Samples/two-interfaces/masq

@@ -1,5 +1,5 @@
 #	
-#	Shorewall 1.4 - Sample Masquerade file For Two Interfaces
+#	Shorewall 1.4.7 - Sample Masquerade file For Two Interfaces
 #
 #	etc/shorewall/masq
 #

Samples/two-interfaces/policy

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall 1.4 -- Sample Policy File For Two Interfaces
+# 	Shorewall 1.4.7 -- Sample Policy File For Two Interfaces
 #
 # 	/etc/shorewall/policy
 #
@@ -78,5 +78,6 @@ loc		net		ACCEPT
 # remove the comment from the following line.
 #fw		net		ACCEPT
 net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
 all		all		REJECT		info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/two-interfaces/routestopped

@@ -1,6 +1,6 @@
 ##############################################################################
 #
-#	Shorewall 1.4	--	Sample Routestopped file for two interfaces.
+#	Shorewall 1.4.7	--	Sample Routestopped file for two interfaces.
 #
 #	/etc/shorewall/routestopped
 #

Samples/two-interfaces/rules

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall version 1.4 - Sample Rules File For Two Interfaces
+# 	Shorewall version 1.4.7 - Sample Rules File For Two Interfaces
 #
 # 	/etc/shorewall/rules
 #
@@ -55,9 +55,27 @@
 #				LOG		
 #						Simply log the packet and continue.
 #
-#			May optionally be followed by ":" and a syslog log
+#			You may rate-limit the rule by optionally following 
-#			level (e.g, REJECT:info). This causes the packet to be
+#			ACCEPT, DNAT[-], REDIRECT[-] or LOG with
-#			logged at the specified level.
+#
+#				< <rate>/<interval>[:<burst>] >
+#
+#			Where <rate> is the number of connections per 
+#			<interval> ("sec" or "min") and <burst> is the largest
+#			burst permitted. If no <burst> is given, a value of 5 
+#			is assumed. There may be no whitespace embedded in the
+#			specification.
+#
+#		Example:
+#				ACCEPT<10/sec:20>
+#
+#			The ACTION (and rate limit) may optionally be followed by ":"
+#			and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
+#			This causes the packet to be logged at the specified level.
+#
+#	NOTE: For those of you who prefer to place the rate limit in a separate column, 
+#	see the RATE LIMIT column below. If you specify a value in that column you must include
+#	a rate limit in the action column.
 #
 #			You may also specify ULOG (must be in upper case) as a 
 #			log level. This will log to the ULOG target for routing
@@ -207,45 +225,75 @@
 #			If no source IP address is given, the original source
 #			address is not altered.
 #
+#	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			Where <rate> is the number of connections per <interval> ("sec"
+#			or "min") and <burst> is the largest burst permitted. If no
+#			<burst> is given, a value of 5 is assummed. There may be no
+#			whitespace embedded in the specification.
+#
+#		Example:
+#				10/sec:20
+#
+#			If you place a rate limit in this column, you may not place
+#			a similiar limit in the ACTION column.
+#
+#	USER SET	This Column may only be non-empty if the SOURCE is the firewall
+#			itself and the ACTION is ACCEPT, DROP or REJECT.
+#
+#			The column may contain a user set name defined in the 
+#			/etc/shorewall/usersets file or it may contain:
+#
+#				[<user name or number>]:[<group name or number>]
+#
+#			When this column is non-empty, the rule applies only if the 
+#			program generating the output is running under the effective
+#			<user>(s) and/or <group>(s) specified. When a user set name is 
+#			given, a log level may not be present in the ACTION column;
+#			logging for such rules is controlled by user set's entry in
+#			/etc/shorewall/usersets.
+#
 #	Also by default all outbound loc -> net communications are allowed.
 #	You can change this behavior in the sample policy file.
 #
 #	Example:	Accept www requests to the firewall.
 #
-#	#ACTION		SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#						PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	ACCEPT		net		fw	tcp	http
 #
 #	Example:	Accept SMTP requests from the Local Network to the Internet
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	ACCEPT		loc		net		tcp	smtp
 #
 #	Example:	Forward all ssh and http connection requests from the Internet
 #			to local system 192.168.1.3
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	DNAT		net		loc:192.168.1.3	tcp	ssh,http
 #
 #	Example:	Redirect all locally-originating www connection requests to
 #			port 3128 on the firewall (Squid running on the firewall
 #			system) except when the destination address is 192.168.2.2
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	REDIRECT	loc		3128		tcp	www	-	!192.168.2.2
 #
 #	Example:	All http requests from the Internet to address
 #			130.252.100.69 are to be forwarded to 192.168.1.3
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER	
-#	#							PORT	PORT(S)	DEST
+#	#							PORT	PORT(S)	DEST		LIMIT	SET
 #	DNAT		net		loc:192.168.1.3	tcp	80	-	130.252.100.69
 ##############################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL		RATE	USER
-#							PORT	PORT(S)	DEST
+#							PORT	PORT(S)	DEST			LIMIT	SET
 #
 #	Accept DNS connections from the firewall to the network
 #

Samples/two-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# 	Shorewall 1.4 -- Sample Zone File For Two Interfaces
+# 	Shorewall 1.4.7 -- Sample Zone File For Two Interfaces
 # 	/etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
@@ -8,6 +8,11 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.html#Nested
+#
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 loc	Local		Local Networks