<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall6-exclusion</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>exclusion</refname> <refpurpose>Exclude a set of hosts from a definition in a shorewall6 configuration file.</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <arg choice="plain" rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg> </cmdsynopsis> <cmdsynopsis> <arg choice="plain" rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>Exclusion is used when you wish to exclude one or more addresses from a definition. An exclaimation point is followed by a comma-separated list of addresses. The addresses may be single host addresses (e.g., fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include iprange support, you may also specify ranges of ip addresses of the form <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para> <para>No embedded whitespace is allowed.</para> <para>Exclusion can appear after a list of addresses and/or address ranges. In that case, the final list of address is formed by taking the first list and then removing the addresses defined in the exclusion.</para> <para>Beginning in Shorewall 4.4.13, the second form of exclusion is allowed after <emphasis role="bold">all</emphasis> and <emphasis role="bold">any</emphasis> in the SOURCE and DEST columns of /etc/shorewall/rules. It allows you to omit arbitrary zones from the list generated by those key words.</para> <warning> <para>If you omit a sub-zone and there is an explicit or explicit CONTINUE policy, a connection to/from that zone can still be matched by the rule generated for a parent zone.</para> <para>For example:</para> <blockquote> <para>/etc/shorewall6/zones:</para> <programlisting>#ZONE TYPE z1 ip z2:z1 ip ...</programlisting> <para>/etc/shorewall6/policy:</para> <programlisting>#SOURCE DEST POLICY z1 net CONTINUE z2 net REJECT</programlisting> <para>/etc/shorewall6/rules:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST # PORT(S) ACCEPT all!z2 net tcp 22</programlisting> <para>In this case, SSH connections from <emphasis role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will be accepted by the generated <emphasis role="bold">z1</emphasis> to net ACCEPT rule.</para> </blockquote> </warning> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall6/hosts</para> <para>/etc/shorewall6/masq</para> <para>/etc/shorewall6/rules</para> <para>/etc/shorewall6/tcrules</para> </refsect1> <refsect1> <title>See ALSO</title> <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para> </refsect1> </refentry>