#
# Shorewall 2.0 - /etc/shorewall/hosts
#
#	THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
#	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
#	IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
#	IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
#	/etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
#	ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
#	This file is used to define zones in terms of subnets and/or
#	individual IP addresses. Most simple setups don't need to
#	(should not) place anything in this file.
#
#	The order of entries in this file is not significant in
#	determining zone composition. Rather, the order that the zones
#	are defined in /etc/shorewall/zones determines the order in
#		  which the records in this file are interpreted.
#
#	ZONE	- The name of a zone defined in /etc/shorewall/zones
#
#	HOST(S)	- The name of an interface defined in the
#		  /etc/shorewall/interfaces file followed by a colon (":") and
#		  a comma-separated list whose elements are either:
#
#			a) The IP address of a host
#			b) A subnetwork in the form
#			   <subnet-address>/<mask width>
#			c) A physical port name; only allowed when the
#			   interface names a bridge created by the
#			   brctl addbr command. This port must not
#			   be defined in /etc/shorewall/interfaces and may
#			   optionally be followed by a colon (":") and a
#			   host or network IP address.
#			   See http://www.shorewall.net/Bridge.html for details.
#
#		  Examples:
#
#			eth1:192.168.1.3
#			eth2:192.168.2.0/24
#			eth3:192.168.2.0/24,192.168.3.1
#			br0:eth4
#			br0:eth0:192.168.1.16/28
#
#	OPTIONS - A comma-separated list of options. Currently-defined
#		  options are:
#
#			maclist	     - Connection requests from these hosts
#				       are compared against the contents of
#				       /etc/shorewall/maclist. If this option
#				       is specified, the interface must be
#				       an ethernet NIC and must be up before
#				       Shorewall is started.
#
#			routeback    - Shorewall should set up the infrastructure
#				       to pass packets from this/these
#				       address(es) back to themselves. This is
#				       necessary if hosts in this group use the
#				       services of a transparent proxy that is
#				       a member of the group or if DNAT is used
#				       to send requests originating from this
#				       group to a server in the group.
#
#			norfc1918    - This option only makes sense for ports
#				       on a bridge.
#
#				       The port should not accept
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses). If packet mangling or
#				       connection-tracking match is enabled in
#				       your kernel, packets whose destination
#				       addresses are reserved by RFC 1918 are
#				       also rejected.
#
#			nobogons     - This option only makes sense for ports
#				       on a bridge.
#
#				       This port should not accept
#				       any packets whose source is in one
#				       of the ranges reserved by IANA (this
#				       option does not cover those ranges
#				       reserved by RFC 1918 -- see
#				       'norfc1918' above).
#
#			blacklist    - This option only makes sense for ports
#				       on a bridge.
#
#				       Check packets arriving on this port
#				       against the /etc/shorewall/blacklist
#				       file.
#
#			tcpflags     - Packets arriving from these hosts are
#				       checked for certain illegal combinations
#				       of TCP flags. Packets found to have
#				       such a combination of flags are handled
#				       according to the setting of
#				       TCP_FLAGS_DISPOSITION after having been
#				       logged according to the setting of
#				       TCP_FLAGS_LOG_LEVEL.
#
#			nosmurfs     - This option only makes sense for ports
#				       on a bridge.
#
#				       Filter packets for smurfs
#				       (packets with a broadcast
#				       address as the source).
#
#				       Smurfs will be optionally logged based
#				       on the setting of SMURF_LOG_LEVEL in
#				       shorewall.conf. After logging, the
#				       packets are dropped.
#
#			newnotsyn    - TCP packets that don't have the SYN
#				       flag set and which are not part of an
#				       established connection will be accepted
#				       from these hosts, even if
#				       NEWNOTSYN=No has been specified in
#				       /etc/shorewall/shorewall.conf.
#
#				       This option has no effect if
#				       NEWNOTSYN=Yes.
#
#ZONE		HOST(S)				OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
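The following is an added example, not part of Shorewall or of this file's original contents: a small Python validator that parses hosts-file lines according to the HOST(S) and OPTIONS rules documented above and reports the mistakes the comments warn about (a zone missing from /etc/shorewall/zones, a zone/interface pair already bound in /etc/shorewall/interfaces, a physical port given for an interface that is not a bridge, a port that is itself defined in /etc/shorewall/interfaces, an unknown option, and a bridge-port-only option such as norfc1918 used on a plain address list). The zone list, interface table and bridge set are constructed sample inputs, as is the sample hosts text; the port-name regex and the treatment of "-" as an empty OPTIONS placeholder are the example's own assumptions, not Shorewall's parsing rules.

```python
"""Validator for entries in the Shorewall 2.0 /etc/shorewall/hosts format.

Added example; not Shorewall's own code. Inventories of zones, interfaces
and bridges are passed in, since Shorewall keeps them in other files.
"""
import ipaddress
import re

# Options documented in the hosts file comments.
KNOWN_OPTIONS = {"maclist", "routeback", "norfc1918", "nobogons",
                 "blacklist", "tcpflags", "nosmurfs", "newnotsyn"}
# Options the comments say "only make sense for ports on a bridge".
BRIDGE_PORT_ONLY = {"norfc1918", "nobogons", "blacklist", "nosmurfs"}
# Assumed sanity check for a physical port name (not a Shorewall rule).
PORT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9.\-]*$")


def _address_kind(text):
    """Return 'subnet' for <addr>/<mask width>, 'host' for a bare IPv4 address.
    Raises ValueError for anything else (e.g. a port name)."""
    if "/" in text:
        ipaddress.IPv4Network(text, strict=False)   # checks mask width 0..32
        return "subnet"
    ipaddress.IPv4Address(text)
    return "host"


def parse_host_entry(hosts_field, bridges):
    """Parse the HOST(S) column: <interface>:<comma-separated list>.

    Returns (interface, elements); each element is a dict with keys
    kind ('host' | 'subnet' | 'port'), value, and address (the optional
    IP after a port name, else None).
    """
    if ":" not in hosts_field:
        raise ValueError("HOST(S) must be <interface>:<list>: %r" % hosts_field)
    iface, _, rest = hosts_field.partition(":")
    elements = []
    for item in rest.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in %r" % hosts_field)
        try:
            elements.append({"kind": _address_kind(item), "value": item, "address": None})
            continue
        except ValueError:
            pass  # not an address: must be a bridge port, optionally ":<address>"
        port, _, addr = item.partition(":")
        if iface not in bridges:
            raise ValueError("port %r given for %r, which is not a bridge" % (port, iface))
        if not PORT_NAME.match(port):
            raise ValueError("bad port name %r" % port)
        if addr:
            _address_kind(addr)   # validates the optional host or network IP
        elements.append({"kind": "port", "value": port, "address": addr or None})
    return iface, elements


def validate_hosts_file(text, zones, interfaces, bridges):
    """Return a list of (line_no, message) problems for hosts-file text.

    zones:      zone names from /etc/shorewall/zones
    interfaces: {interface: zone or None} from /etc/shorewall/interfaces
    bridges:    set of interface names that are bridges
    """
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments; skip blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((line_no, "need ZONE and HOST(S) columns"))
            continue
        zone, hosts_field = fields[0], fields[1]
        opt_field = fields[2] if len(fields) > 2 else "-"
        options = set() if opt_field == "-" else set(opt_field.split(","))
        if zone not in zones:
            problems.append((line_no, "zone %r not defined in /etc/shorewall/zones" % zone))
        try:
            iface, elements = parse_host_entry(hosts_field, bridges)
        except ValueError as exc:
            problems.append((line_no, str(exc)))
            continue
        if iface not in interfaces:
            problems.append((line_no, "interface %r not in /etc/shorewall/interfaces" % iface))
        elif interfaces[iface] == zone:
            problems.append((line_no, "zone %r already bound to %r in /etc/shorewall/interfaces"
                             % (zone, iface)))
        for el in elements:
            if el["kind"] == "port" and el["value"] in interfaces:
                problems.append((line_no, "bridge port %r must not be defined in "
                                 "/etc/shorewall/interfaces" % el["value"]))
        unknown = options - KNOWN_OPTIONS
        if unknown:
            problems.append((line_no, "unknown option(s): %s" % ",".join(sorted(unknown))))
        has_port = any(el["kind"] == "port" for el in elements)
        for opt in sorted(options & BRIDGE_PORT_ONLY):
            if not has_port:
                problems.append((line_no, "option %r only makes sense for ports on a bridge" % opt))
    return problems


# Constructed sample data: two zones behind eth1, a bridge br0, and some mistakes.
SAMPLE_HOSTS = """\
# constructed sample /etc/shorewall/hosts
loc    eth1:192.168.1.0/24         routeback
dmz    eth1:192.168.2.0/24,192.168.3.1
loc    br0:eth4                    norfc1918,nosmurfs
dmz    br0:eth0:192.168.1.16/28    blacklist
bad    eth1:192.168.9.0/24         maclist,foo      # undefined zone, unknown option
loc    eth2:10.0.0.0/8             norfc1918        # eth2 is not a bridge port
net    eth3:eth5                                    # eth3 is not a bridge
"""
SAMPLE_ZONES = ["net", "loc", "dmz"]
SAMPLE_INTERFACES = {"eth1": None, "eth2": None, "eth3": "dmz", "br0": None}  # None = multi-zone
SAMPLE_BRIDGES = {"br0"}


def check_sample():
    """Run the validator over the constructed sample and return its findings."""
    return validate_hosts_file(SAMPLE_HOSTS, SAMPLE_ZONES, SAMPLE_INTERFACES, SAMPLE_BRIDGES)


if __name__ == "__main__":
    for line_no, msg in check_sample():
        print("line %d: %s" % (line_no, msg))
```

Run as a script it prints one finding per bad sample line (lines 6, 7 and 8); the four good entries, which mirror the forms shown in the Examples section above, pass without comment.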