shorewall-hosts 5 hosts Shorewall file /etc/shorewall/hosts This file is used to define zones in terms of subnets and/or individual IP addresses. Most simple setups don't need to (should not) place anything in this file. The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are defined in shorewall-zones(5) determines the order in which the records in this file are interpreted. The only time that you need this file is when you have more than one zone connected through a single interface. If you have an entry for a zone and interface in shorewall-interfaces(5) then do not include any entries in this file for that same (zone, interface) pair. The columns in the file are as follows. ZONE The name of a zone defined in shorewall-zones(5). You may not list the firewall zone in this column. HOST(S) The name of an interface defined in the shorewall-interfaces(5) file followed by a colon (":") and a comma-separated list whose elements are either: The IP address of a host. A network in CIDR format. An IP address range of the form low.address-high.address. Your kernel and iptables must have iprange match support. A physical port name; only allowed when the interface names a bridge created by the brctl(8) addbr command. This port must not be defined in shorewall-interfaces(5) and may optionally followed by a colon (":") and a host or network IP or a range. See http://www.shorewall.net/bridge.html for details. Specifying a physical port name requires that you have BRIDGING=Yes in shorewall.conf(5). Examples: eth1:192.168.1.3 eth2:192.168.2.0/24 eth3:192.168.2.0/24,192.168.3.1 br0:eth4 br0:eth0:192.168.1.16/28 eth4:192.168.1.44-192.168.1.49 eth2:+Admin OPTIONS A comma-separated list of options from the following list. The order in which you list the options is not significant but the list should have no embedded white space. maclist Connection requests from these hosts are compared against the contents of shorewall-maclist(5). If this option is specified, the interface must be an ethernet NIC or equivalent and must be up before Shorewall is started. routeback Shorewall should set up the infrastructure to pass packets from this/these address(es) back to themselves. This is necessary if hosts in this group use the services of a transparent proxy that is a member of the group or if DNAT is used to send requests originating from this group to a server in the group. blacklist This option only makes sense for ports on a bridge. Check packets arriving on this port against the shorewall-blacklist(5) file. tcpflags Packets arriving from these hosts are checked for certain illegal combinations of TCP flags. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL. nosmurfs This option only makes sense for ports on a bridge. Filter packets for smurfs (packets with a broadcast address as the source). Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the packets are dropped. ipsec The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the shorewall-zones(5) file then you do NOT need to specify the 'ipsec' option here. /etc/shorewall/hosts shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)