'\" t
.\"     Title: shorewall6-hosts
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\"      Date: 03/16/2017
.\"    Manual: Configuration Files
.\"    Source: Configuration Files
.\"  Language: English
.\"
.TH "SHOREWALL6\-HOSTS" "5" "03/16/2017" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
hosts \- shorewall6 file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall6/hosts\fR\ 'u
\fB/etc/shorewall6/hosts\fR
.SH "DESCRIPTION"
.PP
This file is used to define zones in terms of subnets and/or individual IP addresses\&. Most simple setups don\*(Aqt need to (should not) place anything in this file\&.
.PP
The order of entries in this file is not significant in determining zone composition\&. Rather, the order that the zones are declared in
\m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5)
determines the order in which the records in this file are interpreted\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
The only time that you need this file is when you have more than one zone connected through a single interface\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
If you have an entry for a zone and interface in
\m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)
then do not include any entries in this file for that same (zone, interface) pair\&.
.sp .5v
.RE
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBZONE\fR \- \fIzone\-name\fR
.RS 4
The name of a zone declared in
\m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. You may not list the firewall zone in this column\&.
.RE
.PP
\fBHOST(S)\fR (hosts) \- \fIinterface\fR:{\fIaddress\-or\-range\fR[,\fIaddress\-or\-range\fR]\&.\&.\&.|+\fIipset\fR|\fBdynamic\fR}[\fIexclusion\fR]
.RS 4
The name of an interface defined in the
\m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)
file followed by a colon (":") and a comma\-separated list whose elements are either:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
The IPv6
\fIaddress\fR
of a host\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
A network in CIDR format\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
An IP address range of the form [\fIlow\&.address\fR]\-[\fIhigh\&.address\fR]\&. Your kernel and ip6tables must have iprange match support\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
The name of an
\fIipset\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 5." 4.2
.\}
The word
\fBdynamic\fR
which makes the zone dynamic in that you can use the
\fBshorewall add\fR
and
\fBshorewall delete\fR
commands to change the composition of the zone\&. This capability was added in Shorewall 4\&.4\&.21\&.
.RE
.sp
You may also exclude certain hosts through use of an
\fIexclusion\fR
(see
\m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[3]\d\s+2(5))\&.
.RE
.PP
\fBOPTIONS\fR \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.]
.RS 4
An optional comma\-separated list of options from the following list\&. The order in which you list the options is not significant but the list must have no embedded white\-space\&.
.PP
\fBblacklist\fR
.RS 4
Check packets arriving from these hosts against the
\m[blue]\fBshorewall6\-blacklist\fR\m[]\&\s-2\u[4]\d\s+2(5)
file\&.
.RE
.PP
\fBipsec\fR
.RS 4
The zone is accessed via a kernel 2\&.6 ipsec SA\&. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the
\m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[1]\d\s+2(5)
file then you do NOT need to specify the \*(Aqipsec\*(Aq option here\&.
.RE
.PP
\fBmss\fR=\fImss\fR
.RS 4
Added in Shorewall 4\&.5\&.2\&. When present, causes the TCP mss for new connections to/from the hosts given in the HOST(S) column to be clamped at the specified
\fImss\fR\&.
.RE
.PP
\fBrouteback\fR
.RS 4
shorewall6 should set up the infrastructure to pass packets from this/these address(es) back to themselves\&. This is necessary if hosts in this group use the services of a transparent proxy that is a member of the group or if DNAT is used to send requests originating from this group to a server in the group\&.
.RE
.PP
\fBtcpflags\fR
.RS 4
Packets arriving from these hosts are checked for certain illegal combinations of TCP flags\&. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL\&.
.RE
.RE
.SH "FILES"
.PP
/etc/shorewall6/hosts
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[5]\d\s+2
.PP
shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-interfaces(5), shorewall6\-maclist(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-mangle(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall6-zones
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-zones.html
.RE
.IP " 2." 4
shorewall6-interfaces
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-interfaces.html
.RE
.IP " 3." 4
shorewall6-exclusion
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-exclusion.html
.RE
.IP " 4." 4
shorewall6-blacklist
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-blacklist.html
.RE
.IP " 5." 4
http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RS 4
\%http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RE
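Added example, not part of this man page or of Shorewall itself: a small Python parser and validator for the hosts file layout described in DESCRIPTION, covering the five HOST(S) forms, the OPTIONS list, and the two warnings (no firewall zone, no (zone, interface) pair that is already in the interfaces file). It assumes the classic three-column layout and the trailing `!list` exclusion syntax of shorewall6-exclusion(5); the sample file, the `fw` zone name and the interface-pair input are constructed.

```python
import ipaddress

FLAG_OPTIONS = {"blacklist", "ipsec", "routeback", "tcpflags"}  # mss=<value> is checked separately

def classify_host(item):
    """One HOST(S) element -> (kind, value), covering the five forms the man page lists."""
    if item == "dynamic":
        return ("dynamic", None)
    if item.startswith("+"):
        return ("ipset", item[1:])
    if "-" in item:  # low-high range; needs iprange match support in the kernel and ip6tables
        return ("range", tuple(str(ipaddress.IPv6Address(a)) for a in item.split("-", 1)))
    if "/" in item:
        return ("network", str(ipaddress.IPv6Network(item, strict=False)))
    return ("address", str(ipaddress.IPv6Address(item)))
def parse_hosts_column(field):
    iface, sep, rest = field.partition(":")
    if not sep or not iface:
        raise ValueError(f"HOST(S) must be interface:hosts, got {field!r}")
    hosts, _, excl = rest.partition("!")  # trailing '!list' exclusion form assumed from shorewall6-exclusion(5)
    return {"interface": iface, "hosts": [classify_host(h) for h in hosts.split(",") if h],
            "exclude": [classify_host(e) for e in excl.split(",") if e]}
def parse_options(field):
    """Validate the comma-separated OPTIONS column; '-' or empty means no options."""
    opts = {}
    for opt in (field.split(",") if field not in ("", "-") else []):
        name, _, value = opt.partition("=")
        if name == "mss" and value.isdigit():
            opts["mss"] = int(value)
        elif name in FLAG_OPTIONS and not value:
            opts[name] = True
        else:
            raise ValueError(f"unknown or malformed option {opt!r}")
    return opts
def parse_hosts_file(text, firewall_zone="fw", interface_pairs=()):
    """Parse the file, enforcing both warnings: no firewall zone, no (zone, interface) already in interfaces."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols: continue  # blank or comment-only line
        zone, spec = cols[0], parse_hosts_column(cols[1] if len(cols) > 1 else "")
        if zone == firewall_zone or (zone, spec["interface"]) in set(interface_pairs):
            raise ValueError(f"line {lineno}: zone {zone!r} may not be listed for {spec['interface']}")
        records.append({"zone": zone, "options": parse_options(cols[2] if len(cols) > 2 else ""), **spec})
    return records

# Constructed sample: two zones share eth0, which is the situation this file exists for.
SAMPLE = """#ZONE  HOST(S)                                                    OPTIONS
loc    eth0:2001:db8:1::/64!2001:db8:1::1                         tcpflags
dmz    eth0:2001:db8:2::10,2001:db8:2::20-2001:db8:2::2f,dynamic  routeback,mss=1220
"""
```

Run `parse_hosts_file(SAMPLE, interface_pairs=[("net", "eth1")])` to get one record per line; a ValueError names the offending line, which is the check worth running before `shorewall6 restart`.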