<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall6-exclusion</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>exclusion</refname>

    <refpurpose>Exclude a set of hosts from a definition in a shorewall6
    configuration file.</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <arg choice="plain"
      rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <arg choice="plain"
      rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>Exclusion is used when you wish to exclude one or more addresses
    from a definition. An exclaimation point is followed by a comma-separated
    list of addresses. The addresses may be single host addresses (e.g.,
    fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
    (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include
    iprange support, you may also specify ranges of ip addresses of the form
    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>

    <para>No embedded whitespace is allowed.</para>

    <para>Exclusion can appear after a list of addresses and/or address
    ranges. In that case, the final list of address is formed by taking the
    first list and then removing the addresses defined in the
    exclusion.</para>

    <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
    allowed after <emphasis role="bold">all</emphasis> and <emphasis
    role="bold">any</emphasis> in the SOURCE and DEST columns of
    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
    generated by those key words.</para>

    <warning>
      <para>If you omit a sub-zone and there is an explicit or explicit
      CONTINUE policy, a connection to/from that zone can still be matched by
      the rule generated for a parent zone.</para>

      <para>For example:</para>

      <blockquote>
        <para>/etc/shorewall6/zones:</para>

        <programlisting>#ZONE          TYPE
z1             ip
z2:z1          ip
...</programlisting>

        <para>/etc/shorewall6/policy:</para>

        <programlisting>#SOURCE         DEST          POLICY
z1              net           CONTINUE
z2              net           REJECT</programlisting>

        <para>/etc/shorewall6/rules:</para>

        <programlisting>#ACTION         SOURCE        DEST        PROTO         DEST
#                                                       PORT(S)
ACCEPT          all!z2        net         tcp           22</programlisting>

        <para>In this case, SSH connections from <emphasis
        role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
        be accepted by the generated <emphasis role="bold">z1</emphasis> to
        net ACCEPT rule.</para>
      </blockquote>
    </warning>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall6/hosts</para>

    <para>/etc/shorewall6/masq</para>

    <para>/etc/shorewall6/rules</para>

    <para>/etc/shorewall6/tcrules</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
</refentry>