hosts - Shorewall file

NAME

       hosts - Shorewall file

SYNOPSIS

       /etc/shorewall/hosts

DESCRIPTION

       This file is used to define zones in terms of subnets and/or individual
       IP addresses. Most simple setups don't need to (should not) place
       anything in this file.

       The order of entries in this file is not significant in determining
       zone composition. Rather, the order that the zones are declared in
       shorewall-zones[1](5) determines the order in which the records in this
       file are interpreted.

           Warning
           The only time that you need this file is when you have more than
           one zone connected through a single interface.

           Warning
           If you have an entry for a zone and interface in
           shorewall-interfaces[2](5) then do not include any entries in this
           file for that same (zone, interface) pair.

       The columns in the file are as follows.

       ZONE - zone-name
           The name of a zone declared in shorewall-zones[1](5). You may not
           list the firewall zone in this column.

       HOST(S) -
       interface:{[{address-or-range[,address-or-range]...|+ipset}[exclusion]
           The name of an interface defined in the shorewall-interfaces[2](5)
           file followed by a colon (":") and a comma-separated list whose
           elements are either:

            1. The IP address of a host.

            2. A network in CIDR format.

            3. An IP address range of the form low.address-high.address. Your
               kernel and iptables must have iprange match support.

            4. The name of an ipset.

           You may also exclude certain hosts through use of an exclusion (see
           shorewall-exclusion[3](5).

       OPTIONS (Optional) - [option[,option]...]
           A comma-separated list of options from the following list. The
           order in which you list the options is not significant but the list
           must have no embedded white space.

           maclist
               Connection requests from these hosts are compared against the
               contents of shorewall-maclist[4](5). If this option is
               specified, the interface must be an ethernet NIC or equivalent
               and must be up before Shorewall is started.

           routeback
               Shorewall should set up the infrastructure to pass packets from
               this/these address(es) back to themselves. This is necessary if
               hosts in this group use the services of a transparent proxy
               that is a member of the group or if DNAT is used to send
               requests originating from this group to a server in the group.

           blacklist
               This option only makes sense for ports on a bridge.

               Check packets arriving on this port against the
               shorewall-blacklist[5](5) file.

           tcpflags
               Packets arriving from these hosts are checked for certain
               illegal combinations of TCP flags. Packets found to have such a
               combination of flags are handled according to the setting of
               TCP_FLAGS_DISPOSITION after having been logged according to the
               setting of TCP_FLAGS_LOG_LEVEL.

           nosmurfs
               This option only makes sense for ports on a bridge.

               Filter packets for smurfs (packets with a broadcast address as
               the source).

               Smurfs will be optionally logged based on the setting of
               SMURF_LOG_LEVEL in shorewall.conf[6](5). After logging, the
               packets are dropped.

           ipsec
               The zone is accessed via a kernel 2.6 ipsec SA. Note that if
               the zone named in the ZONE column is specified as an IPSEC zone
               in the shorewall-zones[1](5) file then you do NOT need to
               specify the 'ipsec' option here.

           broadcast
               Used when you want to include limited broadcasts (destination
               IP address 255.255.255.255) from the firewall to this zone.
               Only necessary when:

                1. The network specified in the HOST(S) column does not
                   include 255.255.255.255.

                2. The zone does not have an entry for this interface in
                   shorewall-interfaces[2](5).

           destonly
               Normally used with the Multi-cast IP address range
               (224.0.0.0/4). Specifies that traffic will be sent to the
               specified net(s) but that no traffic will be received from the
               net(s).

EXAMPLES

       Example 1
           The firewall runs a PPTP server which creates a ppp interface for
           each remote client. The clients are assigned IP addresses in the
           network 192.168.3.0/24 and in a zone named 'vpn'.

               #ZONE       HOST(S)               OPTIONS
               vpn         ppp+:192.168.3.0/24

FILES

       /etc/shorewall/hosts

NOTES

        1. shorewall-zones
           http://www.shorewall.net/manpages/shorewall-zones.html

        2. shorewall-interfaces
           http://www.shorewall.net/manpages/shorewall-interfaces.html

        3. shorewall-exclusion
           http://www.shorewall.net/manpages/shorewall-exclusion.html

        4. shorewall-maclist
           http://www.shorewall.net/manpages/shorewall-maclist.html

        5. shorewall-blacklist
           http://www.shorewall.net/manpages/shorewall-blacklist.html

        6. shorewall.conf
           http://www.shorewall.net/manpages/shorewall.conf.html

[FIXME: source]                   06/17/2010

NAME

SYNOPSIS

DESCRIPTION

EXAMPLES

FILES

SEE ALSO

NOTES