# Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration.
# Copyright (C) 2006,2008 by the Shorewall Team
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# See the file README.txt for further details.
#-----------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall6-zones"
###############################################################################
# The /etc/shorewall6/zones file declares your network zones. You
# specify the hosts in each zone through entries in
# /etc/shorewall6/interfaces or /etc/shorewall6/hosts.
# The columns in the file are as follows.
# ZONE - zone[:parent-zone[,parent-zone]...]
# Name of the zone. The names "all", "none", "SOURCE" and
# "DEST" are reserved and may not be used as zone names.
# The maximum length of a zone name is determined by the
# setting of the LOGFORMAT option in shorewall6.conf(5).
# With the default LOGFORMAT, zone names can be at most 5 characters long.
# The maximum length of an iptables log prefix is 29 bytes. As
# explained in shorewall6.conf (5), the default LOGPREFIX
# formatting string is "Shorewall:%s:%s:" where the first %s
# is replaced by the chain name and the second is replaced by the disposition.
# + The default formatting string has 12 fixed characters
# ("Shorewall" and three colons).
# + The longest of the standard dispositions are ACCEPT
# and REJECT which have 6 characters each.
# + The canonical name for the chain containing the rules
# for traffic going from zone 1 to zone 2 is "<zone 1>2<zone 2>", i.e. the two zone names joined by a single separator character.
# + So if M is the maximum zone name length, such chains
# can have length 2*M + 1.
# 12 + 6 + 2*M + 1 = 29 which reduces to
# 2*M = 29 - 12 - 6 - 1 = 10, or M = 5.
# The order in which Shorewall6 matches addresses from
# packets to zones is determined by the order of zone
# declarations. Where a zone is nested in one or more
# other zones, you may either ensure that the nested zone
# precedes its parents in this file, or you may follow the
# (sub)zone name by ":" and a comma-separated list of the
# parent zones. The parent zones must have been declared
# in earlier records in this file. See
# shorewall6-nesting(5) for additional information. Getting this order wrong is a security issue, not a cosmetic one: if a subzone is declared after its parent without a parent list, hosts of the subzone are matched to the parent zone first, so the policies and rules written for the subzone do not apply to them.
# #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
# Currently, Shorewall6 uses this information to reorder
# the zone list so that parent zones appear after their
# subzones in the list. The IMPLICIT_CONTINUE option in
# shorewall6.conf(5) can also create implicit CONTINUE
# policies to/from the subzone.
# Where an ipsec zone is explicitly included as a child of
# an ipv6 zone, the ruleset allows CONTINUE policies
# (explicit or implicit) to work as expected.
# In the future, Shorewall6 may make additional use of
# nesting information.
# This is the standard Shorewall6 zone type and is
# the default if you leave this column empty or if
# you enter "-" in the column. Communication with
# some zone hosts may be encrypted. Encrypted hosts
# are designated using the 'ipsec' option in
# shorewall6-hosts(5).
# Communication with all zone hosts is encrypted.
# Your kernel and ip6tables must include policy match support; it is the IPsec policy match on the packet, not the source address alone, that places traffic in an ipsec zone.
# Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone. The name that
# you enter in the ZONE column will be stored in the
# shell variable $FW which you may use in other
# configuration files to designate the firewall itself.
# The zone is associated with one or more ports on a bridge.
# Added in Shorewall 4.4.11 Beta 2 - A zone composed
# of Linux-vserver guests. The zone contents must be
# defined in shorewall6-hosts(5).
# Vserver zones are implicitly handled as subzones
# of the firewall zone.
# OPTIONS, IN OPTIONS and OUT OPTIONS - [option[,option]...]
# A comma-separated list of options. With the exception of
# the mss and blacklist options, these only apply to TYPE ipsec.
# Added in Shorewall 4.4.13. May not be specified
# for firewall or vserver zones.
# When specified in the IN_OPTIONS column, causes
# all traffic from this zone to be passed against
# the src entries in shorewall6-blacklist(5).
# When specified in the OUT_OPTIONS column, causes
# all traffic to this zone to be passed against the
# dst entries in shorewall6-blacklist(5).
# Specifying this option in the OPTIONS column is
# equivalent to entering it in both of the
# IN_OPTIONS and OUT_OPTIONS columns. The check is opt-in: a zone that does not carry this option is not matched against the blacklist entries by this mechanism.
# where number is specified using setkey(8) using
# the 'unique:number' option for the SPD level.
# where number is the SPI of the SA used to
# encrypt/decrypt packets.
# proto=ah|esp|ipcomp
# IPSEC Encapsulation Protocol
# sets the MSS field in TCP packets. If you supply
# this option, you should also set FASTACCEPT=No in
# shorewall6.conf(5) to ensure that both the SYN and
# SYN,ACK packets have their MSS field adjusted.
# mode=transport|tunnel
# tunnel-src=address[/mask]
# only available with mode=tunnel
# tunnel-dst=address[/mask]
# only available with mode=tunnel
# Means that packets must match all rules.
# Separates rules; can only be used with strict.
# The options in the OPTIONS column are applied to both
# incoming and outgoing traffic. The IN OPTIONS are
# applied to incoming traffic (in addition to OPTIONS) and
# the OUT OPTIONS are applied to outgoing traffic.
# If you wish to leave a column empty but need to make an
# entry in a following column, use "-".
###############################################################################
#ZONE TYPE OPTIONS IN OUT