hosts - shorewall6 file
This file is used to define zones in terms of subnets and/or individual IP
addresses. Most simple setups don't need to (should not) place anything in
The order of entries in this file is not significant in determining zone
composition. Rather, the order that the zones are declared in
(5) determines the order in which the records in
this file are interpreted.
The only time that you need this file is when you have more than one zone
connected through a single interface.
If you have an entry for a zone and interface in
(5) then do not include any entries in this
file for that same (zone, interface) pair.
The columns in the file are as follows (where the column name is followed by a
different name in parentheses, the different name is used in the alternate
The name of a zone declared in
shorewall6-zones(5). You may not list the firewall zone in this
The name of an interface defined in the
(5) file followed by a colon (":")
and a comma-separated list whose elements are either:
1.The IPv6 address of a host.
2.A network in CIDR format.
3.An IP address range of the form
[low.address]-[ high.address]. Your kernel and ip6tables must
have iprange match support.
4.The name of an ipset.
5.The word dynamic which makes the
zone dynamic in that you can use the shorewall add and shorewall
delete commands to change to composition of the zone. This capability was
added in Shorewall 4.4.21.
You may also exclude certain hosts through use of an exclusion
OPTIONS - [ option
An optional comma-separated list of options
from the following list. The order in which you list the options is not
significant but the list must have no embedded white-space.
Check packets arriving on this port against
the shorewall6-blacklist(5) file.
The zone is accessed via a kernel 2.6 ipsec
SA. Note that if the zone named in the ZONE column is specified as an IPSEC
zone in the shorewall6-zones(5) file then you do NOT need to specify
the 'ipsec' option here.
Added in Shorewall 4.5.2. When present, causes
the TCP mss for new connections to/from the hosts given in the HOST(S) column
to be clamped at the specified mss.
shorewall6 should set up the infrastructure to
pass packets from this/these address(es) back to themselves. This is necessary
if hosts in this group use the services of a transparent proxy that is a
member of the group or if DNAT is used to send requests originating from this
group to a server in the group.
Packets arriving from these hosts are checked
for certain illegal combinations of TCP flags. Packets found to have such a
combination of flags are handled according to the setting of
TCP_FLAGS_DISPOSITION after having been logged according to the setting of
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)