2002-05-01 01:13:15 +02:00
|
|
|
#
|
2005-07-09 07:55:29 +02:00
|
|
|
# Shorewall 2.4 - /etc/shorewall/hosts
|
2002-05-01 01:13:15 +02:00
|
|
|
#
|
2005-07-09 06:45:32 +02:00
|
|
|
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
|
|
|
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
2002-05-01 01:13:15 +02:00
|
|
|
#
|
2005-07-09 06:45:32 +02:00
|
|
|
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
|
|
|
|
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
|
|
|
|
# ZONE AND INTERFACE IN THIS FILE.
|
|
|
|
#------------------------------------------------------------------------------
|
2003-02-20 00:58:56 +01:00
|
|
|
# This file is used to define zones in terms of subnets and/or
|
|
|
|
# individual IP addresses. Most simple setups don't need to
|
|
|
|
# (should not) place anything in this file.
|
2002-05-01 01:13:15 +02:00
|
|
|
#
|
2005-07-09 06:45:32 +02:00
|
|
|
# The order of entries in this file is not significant in
|
|
|
|
# determining zone composition. Rather, the order that the zones
|
|
|
|
# are defined in /etc/shorewall/zones determines the order in
|
|
|
|
# which the records in this file are interpreted.
|
|
|
|
#
|
2003-02-20 00:58:56 +01:00
|
|
|
# ZONE - The name of a zone defined in /etc/shorewall/zones
|
2002-05-01 01:13:15 +02:00
|
|
|
#
|
2005-07-09 06:45:32 +02:00
|
|
|
# HOST(S) - The name of an interface defined in the
|
|
|
|
# /etc/shorewall/interfaces file followed by a colon (":") and
|
2003-07-06 17:31:26 +02:00
|
|
|
# a comma-separated list whose elements are either:
|
2002-05-01 01:13:15 +02:00
|
|
|
#
|
2003-02-20 00:58:56 +01:00
|
|
|
# a) The IP address of a host
|
|
|
|
# b) A subnetwork in the form
|
|
|
|
# <subnet-address>/<mask width>
|
2005-07-09 07:45:05 +02:00
|
|
|
# c) An IP address range of the form <low address>-<high
|
|
|
|
# address>. Your kernel and iptables must have iprange
|
|
|
|
# match support.
|
|
|
|
# d) A physical port name; only allowed when the
|
2005-07-09 06:45:32 +02:00
|
|
|
# interface names a bridge created by the
|
|
|
|
# brctl addbr command. This port must not
|
|
|
|
# be defined in /etc/shorewall/interfaces and may
|
|
|
|
# optionally followed by a colon (":") and a
|
2005-07-09 07:45:05 +02:00
|
|
|
# host or network IP or a range.
|
2005-07-09 06:45:32 +02:00
|
|
|
# See http://www.shorewall.net/Bridge.html for details.
|
2005-07-14 18:31:55 +02:00
|
|
|
# e) The name of an ipset (preceded by "+").
|
2002-06-29 15:48:33 +02:00
|
|
|
#
|
2003-02-20 00:58:56 +01:00
|
|
|
# Examples:
|
|
|
|
#
|
|
|
|
# eth1:192.168.1.3
|
2003-02-23 15:10:37 +01:00
|
|
|
# eth2:192.168.2.0/24
|
2003-07-06 17:31:26 +02:00
|
|
|
# eth3:192.168.2.0/24,192.168.3.1
|
2005-07-09 06:45:32 +02:00
|
|
|
# br0:eth4
|
|
|
|
# br0:eth0:192.168.1.16/28
|
2005-07-09 07:45:05 +02:00
|
|
|
# eth4:192.168.1.44-192.168.1.49
|
2005-07-14 18:31:55 +02:00
|
|
|
# eth2:+Admin
|
2003-02-20 00:58:56 +01:00
|
|
|
#
|
|
|
|
# OPTIONS - A comma-separated list of options. Currently-defined
|
|
|
|
# options are:
|
|
|
|
#
|
|
|
|
# maclist - Connection requests from these hosts
|
|
|
|
# are compared against the contents of
|
|
|
|
# /etc/shorewall/maclist. If this option
|
|
|
|
# is specified, the interface must be
|
|
|
|
# an ethernet NIC and must be up before
|
|
|
|
# Shorewall is started.
|
|
|
|
#
|
2005-07-09 06:45:32 +02:00
|
|
|
# routeback - Shorewall should set up the infrastructure
|
2003-04-01 04:00:37 +02:00
|
|
|
# to pass packets from this/these
|
|
|
|
# address(es) back to themselves. This is
|
2005-07-09 06:45:32 +02:00
|
|
|
# necessary if hosts in this group use the
|
2003-04-01 04:00:37 +02:00
|
|
|
# services of a transparent proxy that is
|
|
|
|
# a member of the group or if DNAT is used
|
|
|
|
# to send requests originating from this
|
|
|
|
# group to a server in the group.
|
|
|
|
#
|
2005-07-09 06:45:32 +02:00
|
|
|
# norfc1918 - This option only makes sense for ports
|
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# The port should not accept
|
|
|
|
# any packets whose source is in one
|
|
|
|
# of the ranges reserved by RFC 1918
|
|
|
|
# (i.e., private or "non-routable"
|
|
|
|
# addresses. If packet mangling or
|
|
|
|
# connection-tracking match is enabled in
|
|
|
|
# your kernel, packets whose destination
|
|
|
|
# addresses are reserved by RFC 1918 are
|
|
|
|
# also rejected.
|
|
|
|
#
|
|
|
|
# nobogons - This option only makes sense for ports
|
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# This port should not accept
|
|
|
|
# any packets whose source is in one
|
|
|
|
# of the ranges reserved by IANA (this
|
|
|
|
# option does not cover those ranges
|
|
|
|
# reserved by RFC 1918 -- see
|
|
|
|
# 'norfc1918' above).
|
|
|
|
#
|
|
|
|
# blacklist - This option only makes sense for ports
|
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# Check packets arriving on this port
|
|
|
|
# against the /etc/shorewall/blacklist
|
|
|
|
# file.
|
|
|
|
#
|
|
|
|
# tcpflags - Packets arriving from these hosts are
|
|
|
|
# checked for certain illegal combinations
|
|
|
|
# of TCP flags. Packets found to have
|
|
|
|
# such a combination of flags are handled
|
|
|
|
# according to the setting of
|
|
|
|
# TCP_FLAGS_DISPOSITION after having been
|
|
|
|
# logged according to the setting of
|
|
|
|
# TCP_FLAGS_LOG_LEVEL.
|
|
|
|
#
|
|
|
|
# nosmurfs - This option only makes sense for ports
|
|
|
|
# on a bridge.
|
|
|
|
#
|
|
|
|
# Filter packets for smurfs
|
|
|
|
# (packets with a broadcast
|
|
|
|
# address as the source).
|
|
|
|
#
|
|
|
|
# Smurfs will be optionally logged based
|
|
|
|
# on the setting of SMURF_LOG_LEVEL in
|
|
|
|
# shorewall.conf. After logging, the
|
|
|
|
# packets are dropped.
|
|
|
|
#
|
|
|
|
# newnotsyn - TCP packets that don't have the SYN
|
|
|
|
# flag set and which are not part of an
|
|
|
|
# established connection will be accepted
|
|
|
|
# from these hosts, even if
|
|
|
|
# NEWNOTSYN=No has been specified in
|
|
|
|
# /etc/shorewall/shorewall.conf.
|
|
|
|
#
|
|
|
|
# This option has no effect if
|
|
|
|
# NEWNOTSYN=Yes.
|
2003-02-20 00:58:56 +01:00
|
|
|
#
|
2005-07-09 07:45:05 +02:00
|
|
|
# ipsec - The zone is accessed via a
|
|
|
|
# kernel 2.6 ipsec SA. Note that if the
|
|
|
|
# zone named in the ZONE column is
|
|
|
|
# specified as an IPSEC zone in the
|
|
|
|
# /etc/shorewall/ipsec file then you do NOT
|
|
|
|
# need to specify the 'ipsec' option here.
|
|
|
|
#
|
|
|
|
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
|
|
|
|
#
|
2003-02-20 00:58:56 +01:00
|
|
|
#ZONE HOST(S) OPTIONS
|
2002-05-01 01:13:15 +02:00
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|