'\" t
.\"     Title: shorewall6-exclusion
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\"      Date: 06/28/2012
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL6\-EXCLUSIO" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
exclusion \- Exclude a set of hosts from a definition in a shorewall6 configuration file\&.
.SH "SYNOPSIS"
.HP \w'\ 'u
\fB!\fR\fIaddress\-or\-range\fR[,\fIaddress\-or\-range\fR]...
.HP \w'\ 'u
\fB!\fR\fIzone\-name\fR[,\fIzone\-name\fR]...
.SH "DESCRIPTION"
.PP
Exclusion is used when you wish to exclude one or more addresses from a definition\&. An exclamation point is followed by a comma\-separated list of addresses\&. The addresses may be single host addresses (e\&.g\&., fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format (e\&.g\&., fe80::2a0:ccff:fedb:31c4/64)\&.
If your kernel and ip6tables include iprange support, you may also specify ranges of ip addresses of the form \fIlowaddress\fR\-\fIhighaddress\fR\&.
.PP
No embedded whitespace is allowed\&.
.PP
Exclusion can appear after a list of addresses and/or address ranges\&. In that case, the final list of addresses is formed by taking the first list and then removing the addresses defined in the exclusion\&.
.PP
Beginning in Shorewall 4\&.4\&.13, the second form of exclusion is allowed after \fBall\fR and \fBany\fR in the SOURCE and DEST columns of /etc/shorewall/rules\&. It allows you to omit arbitrary zones from the list generated by those key words\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
If you omit a sub\-zone and there is an explicit or implicit CONTINUE policy, a connection to/from that zone can still be matched by the rule generated for a parent zone\&.
.PP
For example:
.PP
/etc/shorewall6/zones:
.sp
.if n \{\
.RS 4
.\}
.nf
#ZONE     TYPE
z1        ip
z2:z1     ip
\&.\&.\&.
.fi
.if n \{\
.RE
.\}
.PP
/etc/shorewall6/policy:
.sp
.if n \{\
.RS 4
.\}
.nf
#SOURCE   DEST    POLICY
z1        net     CONTINUE
z2        net     REJECT
.fi
.if n \{\
.RE
.\}
.PP
/etc/shorewall6/rules:
.sp
.if n \{\
.RS 4
.\}
.nf
#ACTION   SOURCE    DEST    PROTO   DEST
#                                   PORT(S)
ACCEPT    all!z2    net     tcp     22
.fi
.if n \{\
.RE
.\}
.PP
In this case, SSH connections from \fBz2\fR to \fBnet\fR will be accepted by the generated \fBz1\fR to net ACCEPT rule\&.
.sp .5v
.RE
.SH "FILES"
.PP
/etc/shorewall6/hosts
.PP
/etc/shorewall6/masq
.PP
/etc/shorewall6/rules
.PP
/etc/shorewall6/tcrules
.SH "SEE ALSO"
.PP
shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-maclist(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-tcrules(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall\-zones(5)