diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml new file mode 100644 index 000000000..3fb13d55e --- /dev/null +++ b/manpages/shorewall-zones.xml 
@@ -0,0 +1,228 @@ + + + + zones + + 5 + + + + zones + + Shorewall zone declaration file + + + + + /etc/shorewall/zones + + + + + Description + + The /etc/shorewall/zones file declares your network zones. You + specify the hosts in each zone through entries in + /etc/shorewall/interfaces or + /etc/shorewall/hosts. + + + The format of this file changed in Shorewall 3.0.0. You can + continue to use your old records provided that you set IPSECFILE=ipsec + in /etc/shorewall/shorewall.conf. This will signal Shorewall that the + IPSEC-related zone options are still specified in /etc/shorewall/ipsec + rather than in this file. + + To use records in the format described below, you must have + IPSECFILE=zones specified in + /etc/shorewall/shorewall.conf AND YOU MUST NOT SET + THE 'FW' VARIABLE IN THAT FILE. + + + The columns in the file are as follows. + + + + ZONE + + + Short name of the zone. The names "all" and "none" are + reserved and may not be used as zone names. The maximum length of a + zone name is determined by the setting of the LOGFORMAT option in + shorewall.conf. With the default LOGFORMAT, zone names can be at + most 5 characters long. + + Where a zone is nested in one or more other zones, you may + follow the (sub)zone name by ":" and a comma-separated list of the + parent zones. The parent zones must have been defined in earlier + records in this file. + + Example: + + #ZONE TYPE OPTIONS +a ipv4 +b ipv4 +c:a,b ipv4 + + Currently, Shorewall uses this information to reorder the zone + list so that parent zones appear after their subzones in the list. + The IMPLICIT_CONTINUE option in shorewall.conf can also create + implicit CONTINUE policies to/from the subzone. + + In the future, Shorewall may make additional use of nesting + information. + + + + + TYPE + + + + + ipv4 + + + This is the standard Shorewall zone type and is the + default if you leave this column empty or if you enter "-" in + the column. Communication with some zone hosts may be + encrypted. 
Encrypted hosts are designated using the + 'ipsec'option in /etc/shorewall/hosts. + + + + + ipsec + + + Communication with all zone hosts is encrypted. Your + kernel and iptables must include polic match support. + + + + + fw + + + Designates the firewall itself. You must have exactly + one 'firewall' zone. No options ar permitted with a 'firewall' + zone. The name that you enter in the ZONE column will be + stored in the shell variable $FW which you may use in other + configuration files to designate the firewall zone. + + + + + + + + OPTIONS, IN OPTIONS and OUT OPTIONS + + + A comma-separated list of options. + + + + reqid=<number> + + + where <number> is specified using setkey(8) using + the 'unique:<number> option for the SPD level. + + + + + spi=<number> + + + where <number> is the SPI of the SA used to + encrypt/decrypt packets. + + + + + proto=ah|esp|ipcomp + + + IPSEC Encapsulation Protocol + + + + + mss=<number> + + + sets the MSS field in TCP packets + + + + + mode=transport|tunnel + + + IPSEC mode + + + + + tunnel-src=<address>[/<mask>] + + + only available with mode=tunnel + + + + + tunnel-dst=<address>[/<mask>] + + + only available with mode=tunnel + + + + + strict + + + Means that packets must match all rules. + + + + + next + + + Separates rules; can only be used with strict + + + + + The options in the OPTIONS column are applied to both incoming + and outgoing traffic. The IN OPTIONS are applied to incoming traffic + (in addition to OPTIONS) and the OUT OPTIONS are applied to outgoing + traffic. + + If you wish to leave a column empty but need to make an entry + in a following column, use "-". 
+ + + + + + + FILES + + /etc/shorewall/zones + + + + See ALSO + + shorewall(8), accounting(5), actions(5), blacklist(5), hosts(5), + interfaces(5), ipsec(5), maclist(5), masq(5), nat(5), netmap(5), + params(5), policy(5), policy(5), providers(5), proxyarp(5), + route_routes(5), routestopped(5), rules(5), shorewall.conf(5), + tcclasses(5), tcdevices(5), tcrules(5), tos(5), tunnels(5), + zones(5) + + \ No newline at end of file
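Review bot: several typos in the TYPE and OPTIONS descriptions should be fixed before this manpage ships: in the ipsec type, "polic match support" should read "policy match support"; in the fw type, "No options ar permitted" should read "No options are permitted"; and in the ipv4 type, "'ipsec'option" is missing a space after the closing quote. In the reqid option, "the 'unique:<number> option" is missing its closing quote. The See Also list has "policy(5)" twice, "route_routes(5)" looks like a typo for another manpage name (please check the intended file name), the heading "See ALSO" is inconsistent with "FILES", and the file lacks a trailing newline. One content point: the fw entry says "You must have exactly one 'firewall' zone" while the TYPE keyword is "fw", and the Description warns that the 'FW' variable must not be set in shorewall.conf; spelling out that the TYPE value is fw, that this is the firewall zone, and that its ZONE name is what ends up in $FW (so setting FW in shorewall.conf would conflict with it) would remove the ambiguity for readers of both passages.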