Update zones files in samples

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2666 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/zones

@@ -11,12 +11,36 @@
 #		The names "all" and "none" are reserved and may not be
 #		used as zone names.
 #
-#	IPSEC	Yes --	Communication with all zone hosts is encrypted
+#		Where a zone is nested in one or more other zones,
-#	ONLY		Your kernel and iptables must include policy
+#		you may follow the (sub)zone name by ":" and a
+#		comma-separated list of the parent zones. The parent
+#		zones must have been defined in earlier records in this
+#		file.
+#
+#		Example:
+#
+#			#ZONE     TYPE     OPTIONS
+#			a	  plain
+#			b	  plain
+#			c:a,b     plain
+#
+#		Currently, Shorewall uses this information only to reorder the
+#		zone list so that parent zones appear after their subzones in
+#		the list. In the future, Shorewall may make more extensive use
+#		of that information.
+#
+#	TYPE	plain -	This is the standard Shorewall zone type and is the
+#			default if you leave this column empty or if you enter
+#			"-" in the column. Communication with some zone hosts
+#			may be encrypted. Encrypted hosts are designated using
+#			the 'ipsec'option in /etc/shorewall/hosts.
+#		ipsec -	Communication with all zone hosts is encrypted
+#			Your kernel and iptables must include policy
 #			match support.
-#		No  --	Communication with some zone hosts may be encrypted.
+#		firewall
-#			Encrypted hosts are designated using the 'ipsec'
+#		      - Designates the firewall itself. You must have 
-#			option in /etc/shorewall/hosts.
+#			exactly one 'firewall' zone. No options are
+#			permitted with a 'firewall' zone.
 #
 #	OPTIONS,	A comma-separated list of options as follows:
 #	IN OPTIONS,
@@ -59,19 +83,9 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#------------------------------------------------------------------------------
-# Example zones:
-#
-#	You have a three interface firewall with internet, local and DMZ
-#	interfaces.
-#
-#	#ZONE	IPSEC	OPTIONS		IN			OUT	
-#	net	
-#	loc
-#	dmz
-#
 ###############################################################################
-#ZONE	IPSEC	OPTIONS			IN			OUT
+#ZONE	TYPE	OPTIONS			IN			OUT
-#	ONLY				OPTIONS			OPTIONS
+#					OPTIONS			OPTIONS\
-net
+fw	firewall
+net	plain
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Samples/three-interfaces/zones

@@ -11,12 +11,36 @@
 #		The names "all" and "none" are reserved and may not be
 #		used as zone names.
 #
-#	IPSEC	Yes --	Communication with all zone hosts is encrypted
+#		Where a zone is nested in one or more other zones,
-#	ONLY		Your kernel and iptables must include policy
+#		you may follow the (sub)zone name by ":" and a
+#		comma-separated list of the parent zones. The parent
+#		zones must have been defined in earlier records in this
+#		file.
+#
+#		Example:
+#
+#			#ZONE     TYPE     OPTIONS
+#			a	  plain
+#			b	  plain
+#			c:a,b     plain
+#
+#		Currently, Shorewall uses this information only to reorder the
+#		zone list so that parent zones appear after their subzones in
+#		the list. In the future, Shorewall may make more extensive use
+#		of that information.
+#
+#	TYPE	plain -	This is the standard Shorewall zone type and is the
+#			default if you leave this column empty or if you enter
+#			"-" in the column. Communication with some zone hosts
+#			may be encrypted. Encrypted hosts are designated using
+#			the 'ipsec'option in /etc/shorewall/hosts.
+#		ipsec -	Communication with all zone hosts is encrypted
+#			Your kernel and iptables must include policy
 #			match support.
-#		No  --	Communication with some zone hosts may be encrypted.
+#		firewall
-#			Encrypted hosts are designated using the 'ipsec'
+#		      - Designates the firewall itself. You must have 
-#			option in /etc/shorewall/hosts.
+#			exactly one 'firewall' zone. No options are
+#			permitted with a 'firewall' zone.
 #
 #	OPTIONS,	A comma-separated list of options as follows:
 #	IN OPTIONS,
@@ -59,21 +83,11 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#------------------------------------------------------------------------------
-# Example zones:
-#
-#	You have a three interface firewall with internet, local and DMZ
-#	interfaces.
-#
-#	#ZONE	IPSEC	OPTIONS		IN			OUT	
-#	net	
-#	loc
-#	dmz
-#
 ###############################################################################
-#ZONE	IPSEC	OPTIONS			IN			OUT
+#ZONE	TYPE	OPTIONS			IN			OUT
-#	ONLY				OPTIONS			OPTIONS
+#					OPTIONS			OPTIONS
-net
+fw	firewall
-loc
+net	plain
-dmz
+loc	plain
+dmz	plain
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Samples/two-interfaces/zones

@@ -11,12 +11,36 @@
 #		The names "all" and "none" are reserved and may not be
 #		used as zone names.
 #
-#	IPSEC	Yes --	Communication with all zone hosts is encrypted
+#		Where a zone is nested in one or more other zones,
-#	ONLY		Your kernel and iptables must include policy
+#		you may follow the (sub)zone name by ":" and a
+#		comma-separated list of the parent zones. The parent
+#		zones must have been defined in earlier records in this
+#		file.
+#
+#		Example:
+#
+#			#ZONE     TYPE     OPTIONS
+#			a	  plain
+#			b	  plain
+#			c:a,b     plain
+#
+#		Currently, Shorewall uses this information only to reorder the
+#		zone list so that parent zones appear after their subzones in
+#		the list. In the future, Shorewall may make more extensive use
+#		of that information.
+#
+#	TYPE	plain -	This is the standard Shorewall zone type and is the
+#			default if you leave this column empty or if you enter
+#			"-" in the column. Communication with some zone hosts
+#			may be encrypted. Encrypted hosts are designated using
+#			the 'ipsec'option in /etc/shorewall/hosts.
+#		ipsec -	Communication with all zone hosts is encrypted
+#			Your kernel and iptables must include policy
 #			match support.
-#		No  --	Communication with some zone hosts may be encrypted.
+#		firewall
-#			Encrypted hosts are designated using the 'ipsec'
+#		      - Designates the firewall itself. You must have 
-#			option in /etc/shorewall/hosts.
+#			exactly one 'firewall' zone. No options are
+#			permitted with a 'firewall' zone.
 #
 #	OPTIONS,	A comma-separated list of options as follows:
 #	IN OPTIONS,
@@ -59,22 +83,11 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#------------------------------------------------------------------------------
-# Example zones:
-#
-#	You have a three interface firewall with internet, local and DMZ
-#	interfaces.
-#
-#	#ZONE	IPSEC	OPTIONS		IN			OUT	
-#	net	
-#	loc
-#	dmz
-#
 ###############################################################################
-#ZONE	IPSEC	OPTIONS			IN			OUT
+#ZONE	TYPE	OPTIONS			IN			OUT
-#	ONLY				OPTIONS			OPTIONS
+#					OPTIONS			OPTIONS
-
+fw	firewall
-net
+net	plain
-loc
+loc	plain
 
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE