shorewall-addresses(5) - Configuration Files

Name
addresses - Specifying addresses within a Shorewall configuration

Description
In both Shorewall and Shorewall6, there are two basic types of
addresses:

Host Address
This address type refers to a single host.
In IPv4, the format is i.j.k.l where i through l are decimal
numbers between 1 and 255.
In IPv6, the format is a:b:c:d:e:f:g:h where a through h consist
of 1 to 4 hexadecimal digits (leading zeros may be omitted). A
single run of consecutive all-zero groups may be replaced by "::".
For example, 2001:227:e857:1:0:0:0:1 may be written 2001:227:e857:1::1.
Network Address
A network address refers to 1 or more hosts and consists of a
host address followed by a slash ("/") and a Variable Length
Subnet Mask (VLSM). This is known as Classless Inter-Domain
Routing (CIDR) notation.
The VLSM is a decimal number. For IPv4, it is in the range 0
through 32. For IPv6, the range is 0 through 128. The number
is the count of leading bits in the address that form the network
part; the remaining bits are the host part and are generally
given as zero.
Examples:
IPv4: 192.168.1.0/24
IPv6: 2001:227:e857:1:0:0:0:1/64
In the Shorewall documentation and manpages, we have tried to make
it clear which type of address is accepted in each specific case.
Because Shorewall uses a colon (":") as a separator in many
contexts, IPv6 addresses are best written using the standard convention in
which the address itself is enclosed in square brackets:
[2001:227:e857:1::1]
[2001:227:e857:1::]/64
Specifying SOURCE and DEST
Entries in Shorewall configuration files often deal with the source
(SOURCE) and destination (DEST) of connections and Shorewall implements a
uniform way for specifying them.
A SOURCE or DEST consists of one to three parts separated by colons
(":"):
ZONE — The name of a zone declared in
/etc/shorewall/zones or
/etc/shorewall6/zones. This part is only
available in the rules file
(/etc/shorewall/rules,
/etc/shorewall/blrules,
/etc/shorewall6/rules and
/etc/shorewall6/blrules).
INTERFACE — The name of an interface that matches an entry in
/etc/shorewall/interfaces
(/etc/shorewall6/interfaces).
Beginning with Shorewall 5.2.1, the
interface may be preceded with '!', which
matches all interfaces except the one specified.
ADDRESS LIST — A list of one or more addresses (host or network)
or address ranges, separated by commas. In an IPv6 configuration, this
list must be enclosed in square or angle brackets ("[...]" or
"<...>"). The list may contain exclusions.
Examples:
All hosts in the net zone - net
Subnet 192.168.1.0/29 in the loc zone - loc:192.168.1.0/29
All hosts in the net zone connecting through ppp0 - net:ppp0
All hosts interfaced by eth3 - eth3
Subnet 10.0.1.0/24 interfacing through eth2 - eth2:10.0.1.0/24
Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the loc zone - loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]
The primary IP address of eth0 in the $FW zone - $FW:&eth0
All hosts in Vatican City - net:^VA (Requires the GeoIP
Match capability).
IP Address Ranges
If your kernel and iptables have IP Range match
support, you may use IP address ranges in Shorewall
configuration file entries; IP address ranges have the syntax
<low IP address>-<high IP address>.
Example: 192.168.1.5-192.168.1.12.
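The following is an added example, not Shorewall's own code (Shorewall's parser is written in Perl and handles more forms, such as &interface, ^country codes and ipsets). It shows how a validator would decompose the ZONE:INTERFACE:ADDRESS LIST syntax described above, including the bracketed IPv6 form, the "!" interface negation, the CIDR and range address forms from the Description and IP Address Ranges sections, and an exclusion list. The KNOWN_ZONES set is a constructed stand-in for what a real check would read from /etc/shorewall/zones; with only one leading part present, it is the only way to tell a zone name from an interface name.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the zone names declared in /etc/shorewall/zones
# (assumption: a real validator would read that file instead).
KNOWN_ZONES = {"net", "loc", "dmz", "$FW"}

# An IPv4 address list consists only of these characters; zone and interface
# names always contain a letter, so they never match this pattern.
_V4_LIST = re.compile(r"^[0-9./,!-]+$")


@dataclass
class SourceDest:
    zone: Optional[str] = None
    interface: Optional[str] = None
    interface_negated: bool = False          # "!eth0" form, Shorewall 5.2.1+
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)


def parse_address(item: str):
    """One list entry: host address, CIDR network, or low-high range."""
    # "[2001:db8::]/64" -> "2001:db8::/64": brackets wrap only the address part.
    item = re.sub(r"^\[([^\]]+)\]", r"\1", item.strip())
    if "-" in item:                                    # IP address range
        low, high = (ipaddress.ip_address(p) for p in item.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"invalid range: {item}")
        return (low, high)
    if "/" in item:                                    # network in CIDR notation
        # strict=False tolerates host bits being set, as in 2001:227:e857:1::1/64;
        # ip_network rejects a VLSM outside 0..32 (IPv4) or 0..128 (IPv6).
        return ipaddress.ip_network(item, strict=False)
    return ipaddress.ip_address(item)                  # host address


def parse_address_list(text: str):
    """Split 'a,b!c' into included and excluded entries, unwrapping [...] or <...>."""
    text = text.strip()
    if text and text[0] in "[<":
        closer = "]" if text[0] == "[" else ">"
        # Strip the brackets only when they enclose the whole list, not
        # when they wrap a single address followed by a prefix length.
        if text.find(closer) == len(text) - 1:
            text = text[1:-1]
    included, _, excluded = text.partition("!")

    def parse(part):
        return [parse_address(i) for i in part.split(",") if i]

    return parse(included), parse(excluded)


def parse_source_dest(spec: str) -> SourceDest:
    """Decompose ZONE:INTERFACE:ADDRESSES, with every part optional."""
    spec = spec.strip()
    result = SourceDest()
    bracket = re.search(r"[\[<]", spec)
    if bracket:                    # IPv6 list: the bracket marks where it begins
        prefix = spec[: bracket.start()].rstrip(":")
        addrs = spec[bracket.start():]
    else:                          # IPv4: the last part is an address list if it looks like one
        parts = spec.split(":")
        addrs = parts.pop() if _V4_LIST.match(parts[-1]) else ""
        prefix = ":".join(parts)
    parts = [p for p in prefix.split(":") if p]
    if len(parts) > 2:
        raise ValueError(f"too many parts in {spec!r}")
    if len(parts) == 2:
        result.zone, result.interface = parts
    elif len(parts) == 1:
        if parts[0] in KNOWN_ZONES:
            result.zone = parts[0]
        else:
            result.interface = parts[0]
    if result.interface and result.interface.startswith("!"):
        result.interface_negated = True
        result.interface = result.interface[1:]
    if addrs:
        result.include, result.exclude = parse_address_list(addrs)
    return result


if __name__ == "__main__":
    for spec in ("net", "loc:192.168.1.0/29", "net:ppp0", "eth2:10.0.1.0/24",
                 "loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]",
                 "net:!eth0:192.168.1.0/24!192.168.1.4", "192.168.1.5-192.168.1.12"):
        print(spec, "->", parse_source_dest(spec))
```

Because the three parts are optional and share the ":" separator, a checker cannot tell "net" (a zone) from "eth3" (an interface) by syntax alone, which is why the zone table is consulted; the IPv6 bracket requirement exists for the same reason, since without it the colons of the address would be indistinguishable from the part separators.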
See Also
For more information about addressing, see the Setup Guide.