From 1664767f757f3eccf328136dbdbc37feed8dcd14 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 12 Sep 2005 17:21:52 +0000
Subject: [PATCH] Update zones files in samples
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2666 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/zones | 52 +++++++++++++++++++------------
 Samples/three-interfaces/zones | 56 +++++++++++++++++++++-------------
 Samples/two-interfaces/zones | 55 ++++++++++++++++++++-------------
 3 files changed, 102 insertions(+), 61 deletions(-)
diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones
index 6d322c8bb..8c26ae2f6 100644
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -11,12 +11,36 @@
 # The names "all" and "none" are reserved and may not be
 # used as zone names.
 #
-# IPSEC Yes -- Communication with all zone hosts is encrypted
-# ONLY Your kernel and iptables must include policy
+# Where a zone is nested in one or more other zones,
+# you may follow the (sub)zone name by ":" and a
+# comma-separated list of the parent zones. The parent
+# zones must have been defined in earlier records in this
+# file.
+#
+# Example:
+#
+# #ZONE TYPE OPTIONS
+# a plain
+# b plain
+# c:a,b plain
+#
+# Currently, Shorewall uses this information only to reorder the
+# zone list so that parent zones appear after their subzones in
+# the list. In the future, Shorewall may make more extensive use
+# of that information.
+#
+# TYPE plain - This is the standard Shorewall zone type and is the
+# default if you leave this column empty or if you enter
+# "-" in the column. Communication with some zone hosts
+# may be encrypted. Encrypted hosts are designated using
+# the 'ipsec'option in /etc/shorewall/hosts.
+# ipsec - Communication with all zone hosts is encrypted
+# Your kernel and iptables must include policy
 # match support.
-# No -- Communication with some zone hosts may be encrypted.
-# Encrypted hosts are designated using the 'ipsec'
-# option in /etc/shorewall/hosts.
+# firewall
+# - Designates the firewall itself. You must have
+# exactly one 'firewall' zone. No options are
+# permitted with a 'firewall' zone.
 #
 # OPTIONS, A comma-separated list of options as follows:
 # IN OPTIONS,
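Review bot: In the new TYPE help text of Samples/one-interface/zones, the `plain` entry reads `the 'ipsec'option in /etc/shorewall/hosts.` with no space after the closing quote, and the `ipsec` entry runs `... is encrypted` straight into `Your kernel and iptables must include policy` without a full stop. Suggested wording: `the 'ipsec' option in /etc/shorewall/hosts.` and `Communication with all zone hosts is encrypted.` The same text is added in the first hunk of Samples/three-interfaces/zones and Samples/two-interfaces/zones. The help also no longer mentions the old `Yes`/`No` values of this column; if they are still accepted, a sentence saying so would help anyone carrying an existing zones file forward, since a misread column here changes which hosts are treated as encrypted.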
@@ -59,19 +83,9 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#------------------------------------------------------------------------------
-# Example zones:
-#
-# You have a three interface firewall with internet, local and DMZ
-# interfaces.
-#
-# #ZONE IPSEC OPTIONS IN OUT
-# net
-# loc
-# dmz
-#
 ###############################################################################
-#ZONE IPSEC OPTIONS IN OUT
-# ONLY OPTIONS OPTIONS
-net
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS\
+fw firewall
+net plain
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones
index 1116a7c01..94551f190 100644
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
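Review bot: In the second hunk of Samples/one-interface/zones, the added column-header comment ends in a backslash (`# OPTIONS OPTIONS\`), which the same line in the three-interfaces and two-interfaces samples does not have. It looks like a stray keystroke. If the configuration reader treats a trailing backslash as a line continuation (not visible from this diff), the `fw firewall` record on the next line could be joined to the comment and the sample would be left without its firewall zone. Dropping the backslash so the line reads `# OPTIONS OPTIONS` removes the doubt.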
@@ -11,12 +11,36 @@
 # The names "all" and "none" are reserved and may not be
 # used as zone names.
 #
-# IPSEC Yes -- Communication with all zone hosts is encrypted
-# ONLY Your kernel and iptables must include policy
+# Where a zone is nested in one or more other zones,
+# you may follow the (sub)zone name by ":" and a
+# comma-separated list of the parent zones. The parent
+# zones must have been defined in earlier records in this
+# file.
+#
+# Example:
+#
+# #ZONE TYPE OPTIONS
+# a plain
+# b plain
+# c:a,b plain
+#
+# Currently, Shorewall uses this information only to reorder the
+# zone list so that parent zones appear after their subzones in
+# the list. In the future, Shorewall may make more extensive use
+# of that information.
+#
+# TYPE plain - This is the standard Shorewall zone type and is the
+# default if you leave this column empty or if you enter
+# "-" in the column. Communication with some zone hosts
+# may be encrypted. Encrypted hosts are designated using
+# the 'ipsec'option in /etc/shorewall/hosts.
+# ipsec - Communication with all zone hosts is encrypted
+# Your kernel and iptables must include policy
 # match support.
-# No -- Communication with some zone hosts may be encrypted.
-# Encrypted hosts are designated using the 'ipsec'
-# option in /etc/shorewall/hosts.
+# firewall
+# - Designates the firewall itself. You must have
+# exactly one 'firewall' zone. No options are
+# permitted with a 'firewall' zone.
 #
 # OPTIONS, A comma-separated list of options as follows:
 # IN OPTIONS,
@@ -59,21 +83,11 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#------------------------------------------------------------------------------
-# Example zones:
-#
-# You have a three interface firewall with internet, local and DMZ
-# interfaces.
-#
-# #ZONE IPSEC OPTIONS IN OUT
-# net
-# loc
-# dmz
-#
 ###############################################################################
-#ZONE IPSEC OPTIONS IN OUT
-# ONLY OPTIONS OPTIONS
-net
-loc
-dmz
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net plain
+loc plain
+dmz plain
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones
index 5dcac588f..89d93b2bc 100644
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
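Review bot: The new `fw firewall` record in Samples/three-interfaces/zones names the firewall zone here, but nothing next to it tells the reader that this name is shared with the rest of the sample set. If the policy and rules samples refer to the firewall zone by the literal name `fw` (not visible in this diff), renaming it in this file alone would leave those entries pointing at a zone that no longer exists. A one-line comment above the record would cover it, for example `# 'fw' names the firewall zone; keep the other sample files in step if you rename it.` The same applies to the `fw firewall` records added in Samples/one-interface/zones and Samples/two-interfaces/zones.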
@@ -11,12 +11,36 @@
 # The names "all" and "none" are reserved and may not be
 # used as zone names.
 #
-# IPSEC Yes -- Communication with all zone hosts is encrypted
-# ONLY Your kernel and iptables must include policy
+# Where a zone is nested in one or more other zones,
+# you may follow the (sub)zone name by ":" and a
+# comma-separated list of the parent zones. The parent
+# zones must have been defined in earlier records in this
+# file.
+#
+# Example:
+#
+# #ZONE TYPE OPTIONS
+# a plain
+# b plain
+# c:a,b plain
+#
+# Currently, Shorewall uses this information only to reorder the
+# zone list so that parent zones appear after their subzones in
+# the list. In the future, Shorewall may make more extensive use
+# of that information.
+#
+# TYPE plain - This is the standard Shorewall zone type and is the
+# default if you leave this column empty or if you enter
+# "-" in the column. Communication with some zone hosts
+# may be encrypted. Encrypted hosts are designated using
+# the 'ipsec'option in /etc/shorewall/hosts.
+# ipsec - Communication with all zone hosts is encrypted
+# Your kernel and iptables must include policy
 # match support.
-# No -- Communication with some zone hosts may be encrypted.
-# Encrypted hosts are designated using the 'ipsec'
-# option in /etc/shorewall/hosts.
+# firewall
+# - Designates the firewall itself. You must have
+# exactly one 'firewall' zone. No options are
+# permitted with a 'firewall' zone.
 #
 # OPTIONS, A comma-separated list of options as follows:
 # IN OPTIONS,
@@ -59,22 +83,11 @@ # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. # # See http://www.shorewall.net/Documentation.htm#Nested -#------------------------------------------------------------------------------ -# Example zones: -# -# You have a three interface firewall with internet, local and DMZ -# interfaces. -# -# #ZONE IPSEC OPTIONS IN OUT -# net -# loc -# dmz -# ############################################################################### -#ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS - -net -loc +#ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall +net plain +loc plain #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE