# Shorewall6 version 4 - Hosts file
#
# For information about entries in this file, type "man shorewall6-hosts"
#
# The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-hosts.html
#
###############################################################################
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are declared in shorewall6-zones(5) determines the order in
# which the records in this file are interpreted.
#
# The only time that you need this file is when you have more
# than one zone connected through a single interface.
#
# If you have an entry for a zone and interface in
# shorewall6-interfaces(5) then do not include any entries in
# this file for that same (zone, interface) pair.
#
# The columns in the file are as follows.
#
# The name of a zone declared in shorewall6-zones(5). You
# may not list the firewall zone in this column.
#
# interface:[{[{address-or-range[,address-or-range]...|+ip
#
# The name of an interface defined in the
# shorewall6-interfaces(5) file followed by a colon (":")
# and a comma-separated list whose elements are either:
#
# a. The IPv6 address of a host.
# b. A network in CIDR format.
# c. An IP address range of the form
# low.address-high.address. Your kernel and ip6tables
# must have iprange match support.
# d. The name of an ipset.
#
# You may also exclude certain hosts through use of an
# exclusion (see shorewall6-exclusion(5)).
#
# OPTIONS (Optional) - [option[,option]...]
# A comma-separated list of options from the following
# list. The order in which you list the options is not
# significant but the list must have no embedded white
#
# shorewall6 should set up the infrastructure to
# pass packets from this/these address(es) back to
# themselves. This is necessary if hosts in this
# group use the services of a transparent proxy that
# is a member of the group or if DNAT is used to
# send requests originating from this group to a
# server in the group.
#
# This option only makes sense for ports on a
# bridge. As of Shorewall 4.4.13, it is ignored
# with a warning message:
#
# WARNING: The "blacklist" host option is no longer supported
# and will be ignored.
#
# Check packets arriving on this port against the
# shorewall6-blacklist(5) file.
#
# Packets arriving from these hosts are checked for
# certain illegal combinations of TCP flags. Packets
# found to have such a combination of flags are
# handled according to the setting of
# TCP_FLAGS_DISPOSITION after having been logged
# according to the setting of TCP_FLAGS_LOG_LEVEL.
#
# The zone is accessed via a kernel 2.6 ipsec SA.
# Note that if the zone named in the ZONE column is
# specified as an IPSEC zone in the
# shorewall6-zones(5) file then you do NOT need to
# specify the 'ipsec' option here.
#
###############################################################################
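
The rules stated in the header above can be checked before a hosts file is loaded. The following is an added example, not part of the Shorewall6 distribution: a small pre-flight check that rejects the firewall zone, undefined interfaces and (zone, interface) pairs already present in the interfaces file, then lists the remaining entries in zone declaration order. It assumes simplified parsing (only the first two whitespace-separated columns are read, nested zone syntax is not handled), and all file contents and the names `rows` and `check_hosts` are constructed for illustration.

```python
# Constructed sample files; zone names, interfaces and prefixes are made up.
ZONES = "fw firewall\nnet ipv6\nloc ipv6\ndmz ipv6\n"
INTERFACES = "net eth0\n-   eth1\ndmz eth2\n"
HOSTS = """\
dmz  eth1:[2001:db8:0:2::/64]
loc  eth1:[2001:db8:0:1::/64]
dmz  eth2:[2001:db8:0:3::/64]
fw   eth1:[2001:db8:0:9::1]
loc  eth7:[2001:db8:0:7::/64]
"""

def rows(text):
    """Return the whitespace-separated columns of each non-comment line."""
    split = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [cols for cols in split if cols]

def check_hosts(zones, interfaces, hosts):
    """Return (problems, entries); entries follow zone declaration order."""
    zone_rows = rows(zones)
    order = [z[0] for z in zone_rows]
    firewall = {z[0] for z in zone_rows if len(z) > 1 and z[1] == "firewall"}
    if_rows = [r for r in rows(interfaces) if len(r) > 1]
    defined = {r[1] for r in if_rows}
    # A "-" in the ZONE column of the interfaces file binds no zone.
    bound = {(r[0], r[1]) for r in if_rows if r[0] != "-"}
    problems, entries = [], []
    for cols in rows(hosts):
        if len(cols) < 2:
            problems.append(f"{cols[0]}: missing host list column")
            continue
        zone, iface = cols[0], cols[1].split(":", 1)[0]
        if zone in firewall:
            problems.append(f"{zone}: firewall zone may not be listed")
        elif zone not in order:
            problems.append(f"{zone}: zone not declared in zones file")
        elif iface not in defined:
            problems.append(f"{iface}: interface not defined in interfaces file")
        elif (zone, iface) in bound:
            problems.append(f"({zone}, {iface}): pair already in interfaces file")
        else:
            entries.append((zone, cols[1]))
    # File order is not significant; zone declaration order is.
    entries.sort(key=lambda e: order.index(e[0]))
    return problems, entries

if __name__ == "__main__":
    problems, entries = check_hosts(ZONES, INTERFACES, HOSTS)
    for p in problems:
        print("ERROR:", p)
    for zone, spec in entries:
        print(zone, spec)
```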