shorewall6-hosts5hostsshorewall6 file/etc/shorewall6/hostsDescriptionThis file is used to define zones in terms of subnets and/or
individual IP addresses. Most simple setups don't need to (should not)
place anything in this file.The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in shorewall6-zones(5) determines the
order in which the records in this file are interpreted.The only time that you need this file is when you have more than
one zone connected through a single interface.If you have an entry for a zone and interface in shorewall6-interfaces(5) then do
not include any entries in this file for that same (zone, interface)
pair.The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).ZONE -
zone-nameThe name of a zone declared in shorewall6-zones(5). You may not
list the firewall zone in this column.HOST(S) (hosts)-
interface:{[{address-or-range[,address-or-range]...|+ipset}[exclusion]The name of an interface defined in the shorewall6-interfaces(5)
file followed by a colon (":") and a comma-separated list whose
elements are either:The IPv6 address of a
host.A network in CIDR format.An IP address range of the form
low.address-high.address.
Your kernel and ip6tables must have iprange match
support.The name of an ipset.The word which makes the zone
dynamic in that you can use the shorewall add
and shorewall delete commands to change to
composition of the zone. This capability was added in Shorewall
4.4.21.
You may also exclude certain hosts through use of an
exclusion (see shorewall6-exclusion(5).
OPTIONS - [option[,option]...]An optional comma-separated list of options from the following
list. The order in which you list the options is not significant but
the list must have no embedded white space.routebackshorewall6 should set up the infrastructure to pass
packets from this/these address(es) back to themselves. This
is necessary if hosts in this group use the services of a
transparent proxy that is a member of the group or if DNAT is
used to send requests originating from this group to a server
in the group.blacklistThis option only makes sense for ports on a bridge. As
of Shorewall 4.4.13, its is ignored with a warning
message:
WARNING: The "blacklist" host
option is no longer supported and will be
ignored.
Check packets arriving on this port against the shorewall6-blacklist(5)
file.tcpflagsPackets arriving from these hosts are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.ipsecThe zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the shorewall6-zones(5) file
then you do NOT need to specify the 'ipsec' option
here.FILES/etc/shorewall6/hostsSee ALSOhttp://shorewall.net/configuration_file_basics.htm#Pairsshorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall-zones(5)