#
# Shorewall version 3.3 - Hosts file
#
# /etc/shorewall/hosts
#
#	THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
#	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
#	IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
#	IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
#	/etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
#	ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
#	This file is used to define zones in terms of subnets and/or
#	individual IP addresses. Most simple setups don't need to
#	(should not) place anything in this file.
#
#	The order of entries in this file is not significant in
#	determining zone composition. Rather, the order that the zones
#	are defined in /etc/shorewall/zones determines the order in
#	which the records in this file are interpreted.
#
#	ZONE	- The name of a zone defined in /etc/shorewall/zones. You may
#		  not list the firewall zone in this column.
#
#	HOST(S)	- The name of an interface  defined in the
#		  /etc/shorewall/interfaces file followed by a colon (":") and
#		  a comma-separated list whose elements are either:
#
#			a) The IP address of a host
#			b) A subnetwork in the form
#			   <subnet-address>/<mask width>
#			c) An IP address range of the form <low address>-<high
#			   address>. Your kernel and iptables must have iprange
#			   match support.
#			d) A physical port name; only allowed when the
#			   interface names a bridge created by the
#			   brctl addbr command. This port must not
#			   be defined in /etc/shorewall/interfaces and may
#			   optionally followed by a colon (":") and a
#			   host or network IP or a range.
#			   See http://www.shorewall.net/bridge.html
#			   for details. Specifying a physical port
#			   name requires that you have BRIDGING=Yes in
#			   /etc/shorewall/shorewall.conf.
#			e) The name of an ipset (preceded by "+").
#
#		  Examples:
#
#			eth1:192.168.1.3
#			eth2:192.168.2.0/24
#			eth3:192.168.2.0/24,192.168.3.1
#			br0:eth4
#			br0:eth0:192.168.1.16/28
#			eth4:192.168.1.44-192.168.1.49
#			eth2:+Admin
#
#	OPTIONS - A comma-separated list of options. Currently-defined
#		  options are:
#
#			maclist	     - Connection requests from these hosts
#				       are compared against the contents of
#				       /etc/shorewall/maclist. If this option
#				       is specified, the interface must be
#				       an ethernet NIC and must be up before
#				       Shorewall is started.
#
#			routeback    - Shorewall should set up the
#				       infrastructure to pass packets
#				       from this/these address(es) back
#				       to themselves. This is necessary if
#				       hosts in this group use the services
#				       of a transparent proxy that is
#				       a member of the group or if DNAT is used
#				       to send requests originating from this
#				       group to a server in the group.
#
#			norfc1918    - This option only makes sense for ports
#				       on a bridge.
#
#				       The port should not accept
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses. If packet mangling or
#				       connection-tracking match is enabled in
#				       your kernel, packets whose destination
#				       addresses are reserved by RFC 1918 are
#				       also rejected.
#
#			blacklist    - This option only makes sense for ports
#				       on a bridge.
#
#				       Check packets arriving on this port
#				       against the /etc/shorewall/blacklist
#				       file.
#
#			tcpflags     - Packets arriving from these hosts are
#				       checked for certain illegal combinations
#				       of TCP flags. Packets found to have
#				       such a combination of flags are handled
#				       according to the setting of
#				       TCP_FLAGS_DISPOSITION after having been
#				       logged according to the setting of
#				       TCP_FLAGS_LOG_LEVEL.
#
#			nosmurfs     - This option only makes sense for ports
#				       on a bridge.
#
#				       Filter packets for smurfs
#				       (packets with a broadcast
#				       address as the source).
#
#				       Smurfs will be optionally logged based
#				       on the setting of SMURF_LOG_LEVEL in
#				       shorewall.conf. After logging, the
#				       packets are dropped.
#
#			ipsec	     - The zone is accessed via a
#				       kernel 2.6 ipsec SA. Note that if the
#				       zone named in the ZONE column is
#				       specified as an IPSEC zone in the
#				       /etc/shorewall/zones file then you
#				       do NOT need to specify the 'ipsec'
#				       option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
###############################################################################
#ZONE	HOST(S)					OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE