#
# Shorewall 2.1 - /etc/shorewall/hosts
#
#       THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
#       ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
#       IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
#       IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
#       /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
#       ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE          - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S)       - The name of an interface defined in the
#                 /etc/shorewall/interfaces file followed by a colon (":") and
#                 a comma-separated list whose elements are either:
#
#                       a) The IP address of a host
#                       b) A subnetwork in the form /
#                       c) An IP address range of the form -.
#                          Your kernel and iptables must have iprange
#                          match support.
#                       d) A physical port name; only allowed when the
#                          interface names a bridge created by the
#                          brctl addbr command. This port must not
#                          be defined in /etc/shorewall/interfaces and may
#                          optionally be followed by a colon (":") and a
#                          host or network IP or a range.
#                          See http://www.shorewall.net/Bridge.html for details.
#
#                 Examples:
#
#                       eth1:192.168.1.3
#                       eth2:192.168.2.0/24
#                       eth3:192.168.2.0/24,192.168.3.1
#                       br0:eth4
#                       br0:eth0:192.168.1.16/28
#                       eth4:192.168.1.44-192.168.1.49
#
# OPTIONS       - A comma-separated list of options. Currently-defined
#                 options are:
#
#                 maclist       - Connection requests from these hosts
#                                 are compared against the contents of
#                                 /etc/shorewall/maclist. If this option
#                                 is specified, the interface must be
#                                 an ethernet NIC and must be up before
#                                 Shorewall is started.
#
#                 routeback     - Shorewall should set up the infrastructure
#                                 to pass packets from this/these
#                                 address(es) back to themselves. This is
#                                 necessary if hosts in this group use the
#                                 services of a transparent proxy that is
#                                 a member of the group or if DNAT is used
#                                 to send requests originating from this
#                                 group to a server in the group.
#
#                 norfc1918     - This option only makes sense for ports
#                                 on a bridge.
#
#                                 The port should not accept
#                                 any packets whose source is in one
#                                 of the ranges reserved by RFC 1918
#                                 (i.e., private or "non-routable"
#                                 addresses). If packet mangling or
#                                 connection-tracking match is enabled in
#                                 your kernel, packets whose destination
#                                 addresses are reserved by RFC 1918 are
#                                 also rejected.
#
#                 nobogons      - This option only makes sense for ports
#                                 on a bridge.
#
#                                 This port should not accept
#                                 any packets whose source is in one
#                                 of the ranges reserved by IANA (this
#                                 option does not cover those ranges
#                                 reserved by RFC 1918 -- see
#                                 'norfc1918' above).
#
#                 blacklist     - This option only makes sense for ports
#                                 on a bridge.
#
#                                 Check packets arriving on this port
#                                 against the /etc/shorewall/blacklist
#                                 file.
#
#                 tcpflags      - Packets arriving from these hosts are
#                                 checked for certain illegal combinations
#                                 of TCP flags. Packets found to have
#                                 such a combination of flags are handled
#                                 according to the setting of
#                                 TCP_FLAGS_DISPOSITION after having been
#                                 logged according to the setting of
#                                 TCP_FLAGS_LOG_LEVEL.
#
#                 nosmurfs      - This option only makes sense for ports
#                                 on a bridge.
#
#                                 Filter packets for smurfs
#                                 (packets with a broadcast
#                                 address as the source).
#
#                                 Smurfs will be optionally logged based
#                                 on the setting of SMURF_LOG_LEVEL in
#                                 shorewall.conf. After logging, the
#                                 packets are dropped.
#
#                 newnotsyn     - TCP packets that don't have the SYN
#                                 flag set and which are not part of an
#                                 established connection will be accepted
#                                 from these hosts, even if
#                                 NEWNOTSYN=No has been specified in
#                                 /etc/shorewall/shorewall.conf.
#
#                                 This option has no effect if
#                                 NEWNOTSYN=Yes.
#
#                 ipsec         - The zone is accessed via a
#                                 kernel 2.6 ipsec SA. Note that if the
#                                 zone named in the ZONE column is
#                                 specified as an IPSEC zone in the
#                                 /etc/shorewall/ipsec file then you do NOT
#                                 need to specify the 'ipsec' option here.
#
#ZONE   HOST(S)                                 OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
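The header above states several rules that a misconfigured hosts file silently breaks: a zone must exist in /etc/shorewall/zones, a zone/interface pair already bound in /etc/shorewall/interfaces must not be repeated here, bridge ports must not themselves be listed in /etc/shorewall/interfaces, and the norfc1918, nobogons, blacklist and nosmurfs options only make sense on bridge ports. The following Python checker is an added example, not Shorewall's own code or parser: it reads a constructed hosts file in the format documented above and reports each violation. The zones, interfaces and bridge lists, the loose port-name pattern, and the sample records are all assumptions built for the example; a real deployment would read them from the corresponding Shorewall files.

```python
"""Offline checker for /etc/shorewall/hosts records (added example, not Shorewall code)."""
import ipaddress
import re
from dataclasses import dataclass

# Options documented in the file header, and the subset that only applies to bridge ports.
KNOWN_OPTIONS = {"maclist", "routeback", "norfc1918", "nobogons",
                 "blacklist", "tcpflags", "nosmurfs", "newnotsyn", "ipsec"}
BRIDGE_ONLY_OPTIONS = {"norfc1918", "nobogons", "blacklist", "nosmurfs"}
# Loose interface/port-name pattern; an assumption for this example, not Shorewall's rule.
PORT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9.]*$")

# Constructed sample configuration (stand-ins for the zones/interfaces files).
ZONES = ["net", "loc", "dmz"]
INTERFACES = {"eth0": "net", "eth1": None, "br0": None}   # None: zone supplied by hosts file
BRIDGES = {"br0"}                                          # interfaces created with brctl addbr

# Constructed sample hosts file; the last four records each break a documented rule.
SAMPLE_HOSTS = """\
#ZONE   HOST(S)                           OPTIONS
loc     eth1:192.168.1.0/24               routeback
dmz     eth1:192.168.2.0/24,192.168.3.1
loc     br0:eth4                          norfc1918,nosmurfs
dmz     br0:eth5:10.0.0.16/28             tcpflags
loc     eth1:192.168.1.44-192.168.1.49    maclist
loc     eth1:192.168.1.3                  nobogons
net     eth0:10.1.1.0/24
loc     eth1:192.168.1.60-192.168.1.50
guest   eth1:192.168.9.0/24               foo
loc     br0:eth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
"""


@dataclass
class HostRecord:
    lineno: int
    zone: str
    interface: str
    hosts: list      # elements of the comma-separated list after the first colon
    options: set


def parse_hosts(text):
    """Split the file into ZONE / HOST(S) / OPTIONS records, ignoring comments and blanks."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            raise ValueError(f"line {lineno}: expected ZONE and interface:list columns")
        options = set(fields[2].split(",")) if len(fields) > 2 and fields[2] != "-" else set()
        iface, hostlist = fields[1].split(":", 1)
        records.append(HostRecord(lineno, fields[0], iface, hostlist.split(","), options))
    return records


def classify_host(element, bridge):
    """Return 'host', 'subnet', 'range' or 'port' for one HOST(S) element, else raise ValueError."""
    if "/" in element and ":" not in element:
        ipaddress.IPv4Network(element, strict=False)
        return "subnet"
    if "-" in element and ":" not in element:
        low, high = (ipaddress.IPv4Address(p) for p in element.split("-", 1))
        if low > high:
            raise ValueError(f"range {element} has low address above high address")
        return "range"
    try:
        ipaddress.IPv4Address(element)
        return "host"
    except ValueError:
        pass
    # Only a bridge may list a physical port, optionally qualified as port:address/subnet/range.
    port, _, qualifier = element.partition(":")
    if bridge and PORT_NAME.match(port):
        if qualifier:
            classify_host(qualifier, bridge=False)
        return "port"
    raise ValueError(f"{element!r} is not a host, subnet, range or bridge port")


def validate(records, zones, interfaces, bridges):
    """Apply the header's rules to parsed records; return a list of human-readable problems."""
    problems = []
    for r in records:
        where = f"line {r.lineno}"
        if r.zone not in zones:
            problems.append(f"{where}: zone {r.zone!r} is not defined in /etc/shorewall/zones")
        if r.interface not in interfaces:
            problems.append(f"{where}: interface {r.interface!r} not in /etc/shorewall/interfaces")
        elif interfaces[r.interface] == r.zone:
            problems.append(f"{where}: {r.zone}/{r.interface} already bound in /etc/shorewall/interfaces")
        classified = []
        for element in r.hosts:
            try:
                classified.append((element, classify_host(element, r.interface in bridges)))
            except ValueError as exc:
                problems.append(f"{where}: {exc}")
        for element, kind in classified:
            if kind == "port" and element.partition(":")[0] in interfaces:
                problems.append(f"{where}: bridge port {element!r} must not be in /etc/shorewall/interfaces")
        kinds = {kind for _, kind in classified}
        unknown = r.options - KNOWN_OPTIONS
        if unknown:
            problems.append(f"{where}: unknown option(s) {sorted(unknown)}")
        bridge_only = r.options & BRIDGE_ONLY_OPTIONS
        if bridge_only and "port" not in kinds:
            problems.append(f"{where}: {sorted(bridge_only)} only make sense for ports on a bridge")
    return problems


if __name__ == "__main__":
    for problem in validate(parse_hosts(SAMPLE_HOSTS), ZONES, INTERFACES, BRIDGES):
        print(problem)
```

Run stand-alone, the script prints one line per violation in the sample file (six in total: a bridge-only option on a plain interface, a zone/interface pair already bound in the interfaces file, an inverted range, an undefined zone with an unknown option, and a bridge port that is itself an interface). The checker is deliberately conservative: it rejects anything it cannot classify rather than guessing, which is the right posture for a file that decides which hosts land in which firewall zone.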