#
# Shorewall version 3.3 - Zones File
#
# /etc/shorewall/zones
#
# This file declares your network zones. You specify the hosts in
# each zone through entries in /etc/shorewall/interfaces or
# /etc/shorewall/hosts.
#
# WARNING: The format of this file changed in Shorewall 3.0.0. You can
#          continue to use your old records provided that you set
#          IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
#          signal Shorewall that the IPSEC-related zone options are
#          still specified in /etc/shorewall/ipsec rather than in this
#          file.
#
#          To use records in the format described below, you must have
#          IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
#          AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
#
# Columns are:
#
#   ZONE        Short name of the zone. The names "all" and "none" are reserved
#               and may not be used as zone names. The maximum length of a
#               zone name is determined by the setting of the LOGFORMAT option
#               in shorewall.conf. With the default LOGFORMAT, zone names can
#               be at most 5 characters long.
#
#               Where a zone is nested in one or more other zones,
#               you may follow the (sub)zone name by ":" and a
#               comma-separated list of the parent zones. The parent
#               zones must have been defined in earlier records in this
#               file.
#
#               Example:
#
#               #ZONE       TYPE        OPTIONS
#               a           ipv4
#               b           ipv4
#               c:a,b       ipv4
#
#               Currently, Shorewall uses this information to reorder the
#               zone list so that parent zones appear after their subzones in
#               the list. The IMPLICIT_CONTINUE option in shorewall.conf can
#               also create implicit CONTINUE policies to/from the subzone.
#
#               In the future, Shorewall may make additional use
#               of nesting information.
#
#   TYPE        ipv4     - This is the standard Shorewall zone type and is the
#                          default if you leave this column empty or if you enter
#                          "-" in the column. Communication with some zone hosts
#                          may be encrypted. Encrypted hosts are designated using
#                          the 'ipsec' option in /etc/shorewall/hosts.
#
#               ipsec    - Communication with all zone hosts is encrypted.
#                          Your kernel and iptables must include policy
#                          match support.
#
#               firewall
#                        - Designates the firewall itself. You must have
#                          exactly one 'firewall' zone. No options are
#                          permitted with a 'firewall' zone. The name that you
#                          enter in the ZONE column will be stored in the shell
#                          variable $FW which you may use in other configuration
#                          files to designate the firewall zone.
#
#   OPTIONS,    A comma-separated list of options as follows:
#   IN OPTIONS,
#   OUT OPTIONS reqid=<number> where <number> is specified
#               using setkey(8) using the 'unique:<number>'
#               option for the SPD level.
#
#               spi=<number> where <number> is the SPI of
#               the SA used to encrypt/decrypt packets.
#
#               proto=ah|esp|ipcomp
#
#               mss=<number> (sets the MSS field in TCP packets)
#
#               mode=transport|tunnel
#
#               tunnel-src=<address>[/<mask>] (only
#               available with mode=tunnel)
#
#               tunnel-dst=<address>[/<mask>] (only
#               available with mode=tunnel)
#
#               strict   Means that packets must match all rules.
#
#               next     Separates rules; can only be used with
#                        strict
#
#               Example:
#               mode=transport,reqid=44
#
#               The options in the OPTIONS column are applied to both incoming
#               and outgoing traffic. The IN OPTIONS are applied to incoming
#               traffic (in addition to OPTIONS) and the OUT OPTIONS are
#               applied to outgoing traffic.
#
#               If you wish to leave a column empty but need to make an entry
#               in a following column, use "-".
#------------------------------------------------------------------------------
# Example zones:
#
#   You have a three interface firewall with internet, local and DMZ
#   interfaces.
#
#   #ZONE   TYPE        OPTIONS     IN          OUT
#   #                               OPTIONS     OPTIONS
#   fw      firewall
#   net     ipv4
#   loc     ipv4
#   dmz     ipv4
#
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
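A small checker for the record format described above, added here as an example and not part of Shorewall itself: it parses the five columns (with the ":parent,parent" nesting suffix), enforces the constraints the comments state (reserved names, the default 5-character limit, parents declared earlier, exactly one option-free firewall zone), and performs the subzone-before-parent reordering the file mentions. The sample input is constructed from the nesting example in the comments.

```python
# Added example (not Shorewall's own code): parse a 3.3-format zones file, apply
# the checks its comments describe, and reorder parents after their subzones.
RESERVED = {"all", "none"}
SAMPLE = "fw firewall\na ipv4\nb ipsec mode=transport,reqid=44\nc:a,b ipv4 - - -\n"  # constructed sample

def parse_zones(text):
    # Each record becomes (zone, parents, type, options, in_opts, out_opts).
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        cols = line.split() + ["-"] * 5             # missing trailing columns read as "-"
        zone, ztype, options, in_opts, out_opts = cols[:5]
        zone, _, parents = zone.partition(":")      # "c:a,b" -> zone c, parents [a, b]
        parents = [p for p in parents.split(",") if p]
        ztype = "ipv4" if ztype == "-" else ztype   # "-" in TYPE means ipv4
        records.append((zone, parents, ztype, options, in_opts, out_opts))
    return records

def validate(records):
    # Raise ValueError for the conditions the file's comments rule out.
    seen, firewalls = set(), 0
    for zone, parents, ztype, options, in_opts, out_opts in records:
        if zone in RESERVED or len(zone) > 5 or zone in seen:   # 5 = default LOGFORMAT limit
            raise ValueError("bad or duplicate zone name %r" % zone)
        if any(p not in seen for p in parents):
            raise ValueError("a parent of %s is not defined earlier" % zone)
        if ztype == "firewall" and (options, in_opts, out_opts) != ("-",) * 3:
            raise ValueError("firewall zone %s may not have options" % zone)
        firewalls += ztype == "firewall"
        seen.add(zone)
    if firewalls != 1:
        raise ValueError("need exactly one firewall zone, found %d" % firewalls)

def order_zones(records):
    # Return zone names so that every parent follows all of its subzones.
    children = {zone: [] for zone, *_ in records}
    for zone, parents, *_ in records:
        for p in parents:
            children[p].append(zone)
    ordered = []
    def emit(zone):                                 # subzones first, then the zone itself
        for child in children[zone]:
            emit(child)
        if zone not in ordered:
            ordered.append(zone)
    for zone, *_ in records:
        emit(zone)
    return ordered
```

Run `validate(parse_zones(open("/etc/shorewall/zones").read()))` to check a real file; unrelated zones keep their file order in `order_zones`, only nested ones move.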