SHOREWALL6-HOSTS(5) | Configuration Files | SHOREWALL6-HOSTS(5) |
NAME¶
hosts - shorewall6 fileSYNOPSIS¶
/etc/shorewall6/hosts
DESCRIPTION¶
This file is used to define zones in terms of subnets and/or individual IP addresses. Most simple setups don't need to (should not) place anything in this file. The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall6-zones[1](5) determines the order in which the records in this file are interpreted.The name of a zone declared in
shorewall6-zones[1](5). You may not list the firewall zone in this
column.
HOST(S) (hosts)-
interface:[{[{address-or-range[,
address-or-range]...| +ipset}[exclusion]]
The name of an interface defined in the
shorewall6-interfaces[2](5) file followed by a colon (":")
and a comma-separated list whose elements are either:
OPTIONS - [ option[,option]...]
1.The IPv6 address of a host.
2.A network in CIDR format.
3.An IP address range of the form
low.address-high.address. Your kernel and ip6tables must have
iprange match support.
4.The name of an ipset.
5.The word dynamic which makes the zone dynamic
in that you can use the shorewall add and shorewall delete
commands to change to composition of the zone. This capability was added in
Shorewall 4.4.21.
You may also exclude certain hosts through use of an exclusion (see
shorewall6-exclusion[3](5).An optional comma-separated list of options from the
following list. The order in which you list the options is not significant but
the list must have no embedded white-space.
blacklist
Check packets arriving on this port against the
shorewall6-blacklist[4](5) file.
ipsec
The zone is accessed via a kernel 2.6 ipsec SA. Note that
if the zone named in the ZONE column is specified as an IPSEC zone in the
shorewall6-zones[1](5) file then you do NOT need to specify the 'ipsec'
option here.
mss=mss
Added in Shorewall 4.5.2. When present, causes the TCP
mss for new connections to/from the hosts given in the HOST(S) column to be
clamped at the specified mss.
routeback
shorewall6 should set up the infrastructure to pass
packets from this/these address(es) back to themselves. This is necessary if
hosts in this group use the services of a transparent proxy that is a member
of the group or if DNAT is used to send requests originating from this group
to a server in the group.
tcpflags
Packets arriving from these hosts are checked for certain
illegal combinations of TCP flags. Packets found to have such a combination of
flags are handled according to the setting of TCP_FLAGS_DISPOSITION after
having been logged according to the setting of TCP_FLAGS_LOG_LEVEL.
FILES¶
/etc/shorewall6/hostsSEE ALSO¶
http://www.shorewall.net/configuration_file_basics.htm#Pairs[5] shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)NOTES¶
- 1.
- shorewall6-zones
- 2.
- shorewall6-interfaces
- 3.
- shorewall6-exclusion
- 4.
- shorewall6-blacklist
10/19/2014 | Configuration Files |