# # Shorewall version 3.2 - Sample Zones File for two-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. # # # /etc/shorewall/zones # # This file declares your network zones. You specify the hosts in # each zone through entries in /etc/shorewall/interfaces or # /etc/shorewall/hosts. # # WARNING: The format of this file changed in Shorewall 3.0.0. You can # continue to use your old records provided that you set # IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will # signal Shorewall that the IPSEC-related zone options are # still specified in /etc/shorewall/ipsec rather than in this # file. # # To use records in the format described below, you must have # IPSECFILE=zones specified in /etc/shorewall/shorewall.conf # AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!! # # Columns are: # # ZONE Short name of the zone (5 Characters or less in length). # The names "all" and "none" are reserved and may not be # used as zone names. # # Where a zone is nested in one or more other zones, # you may follow the (sub)zone name by ":" and a # comma-separated list of the parent zones. The parent # zones must have been defined in earlier records in this # file. # # Example: # # #ZONE TYPE OPTIONS # a ipv4 # b ipv4 # c:a,b ipv4 # # Currently, Shorewall uses this information to reorder the # zone list so that parent zones appear after their subzones in # the list. The IMPLICIT_CONTINUE option in shorewall.conf can # also create implicit CONTINUE policies to/from the subzone. # # In the future, Shorewall may make additional use # of nesting information. # # TYPE ipv4 - This is the standard Shorewall zone type and is the # default if you leave this column empty or if you enter # "-" in the column. Communication with some zone hosts # may be encrypted. Encrypted hosts are designated using # the 'ipsec'option in /etc/shorewall/hosts. # ipsec - Communication with all zone hosts is encrypted # Your kernel and iptables must include policy # match support. # firewall # - Designates the firewall itself. You must have # exactly one 'firewall' zone. No options are # permitted with a 'firewall' zone. The name that you # enter in the ZONE column will be stored in the shell # variable $FW which you may use in other configuration # files to designate the firewall zone. # # OPTIONS, A comma-separated list of options as follows: # IN OPTIONS, # OUT OPTIONS reqid= where is specified # using setkey(8) using the 'unique: # option for the SPD level. # # spi= where is the SPI of # the SA used to encrypt/decrypt packets. # # proto=ah|esp|ipcomp # # mss= (sets the MSS field in TCP packets) # # mode=transport|tunnel # # tunnel-src=
[/] (only # available with mode=tunnel) # # tunnel-dst=
[/] (only # available with mode=tunnel) # # strict Means that packets must match all rules. # # next Separates rules; can only be used with # strict # # Example: # mode=transport,reqid=44 # # The options in the OPTIONS column are applied to both incoming # and outgoing traffic. The IN OPTIONS are applied to incoming # traffic (in addition to OPTIONS) and the OUT OPTIONS are # applied to outgoing traffic. # # If you wish to leave a column empty but need to make an entry # in a following column, use "-". # # For more information, see http://www.shorewall.net/Documentation.htm#Zones # ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 loc ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE