# # Shorewall6 version 5 - Sample Zones File for one-interface IPv6 configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #----------------------------------------------------------------------------- # For information about entries in this file, type "man shorewall6-zones" ############################################################################### # # The /etc/shorewall/zones file declares your network zones. You specify the # hosts in each zone through entries in /etc/shorewall/interfaces or /etc/ # shorewall/hosts. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ZONE - zone[:parent-zone[,parent-zone]...] # # Name of the zone. Must start with a letter and consist of letters, digits # or '_'. The names "all", "none", "any", "SOURCE" and "DEST" are reserved # and may not be used as zone names. The maximum length of a zone name is # determined by the setting of the LOGFORMAT option in shorewall.conf(5). # With the default LOGFORMAT, zone names can be at most 5 characters long. # # The maximum length of an iptables log prefix is 29 bytes. As explained # in shorewall.conf (5), the legacy default LOGPREFIX formatting string # is âShorewall:%s:%s:â where the first %s is replaced by the chain name # and the second is replaced by the disposition. # # â The "Shorewall:%s:%s:" formatting string has 12 fixed characters # ("Shorewall" and three colons). # # â The longest of the standard dispositions are ACCEPT and REJECT # which have 6 characters each. # # â The canonical name for the chain containing the rules for traffic # going from zone 1 to zone 2 is "<zone 1>2<zone 2>" or "<zone 1>- # <zone 2>". # # â So if M is the maximum zone name length, such chains can have # length 2*M + 1. # # 12 + 6 + 2*M + 1 = 29 which reduces to # 2*M = 29 - 12 - 6 - 1 = 10 or # M = 5 # # In Shorewall 5.1.0, the LOGFORMAT in the default and sample # shorewall.conf files was changed to "%s:%s ". # # â That formatting string has 2 fixed characters (":" and a space). # # â So the maximum zone name length M is calculated as: # # 2 + 6 + 2*M + 1 = 29 # 2M = 29 - 2 - 6 - 1 = 20 # M = 10 # # The order in which Shorewall matches addresses from packets to zones is # determined by the order of zone declarations. Where a zone is nested in one # or more other zones, you may either ensure that the nested zone precedes # its parents in this file, or you may follow the (sub)zone name by ":" and a # comma-separated list of the parent zones. The parent zones must have been # declared in earlier records in this file. See shorewall-nesting(5) for # additional information. # # Example: # # #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS # a ip # b ip # c:a,b ip # # Currently, Shorewall uses this information to reorder the zone list so that # parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE # option in shorewall.conf(5) can also create implicit CONTINUE policies to/ # from the subzone. # # Where an ipsec zone is explicitly included as a child of an ip zone, the # ruleset allows CONTINUE policies (explicit or implicit) to work as # expected. # # In the future, Shorewall may make additional use of nesting information. # # TYPE # # ip # # This is the standard Shorewall zone type and is the default if you # leave this column empty or if you enter "-" in the column. # Communication with some zone hosts may be encrypted. Encrypted hosts # are designated using the 'ipsec' option in shorewall-hosts(5). For # clarity, this zone type may be specified as ipv4 in IPv4 configurations # and ipv6 in IPv6 configurations. # # ipsec # # Communication with all zone hosts is encrypted. Your kernel and # iptables must include policy match support. For clarity, this zone type # may be specified as ipsec4 in IPv4 configurations and ipsec6 in IPv6 # configurations. # # firewall # # Designates the firewall itself. You must have exactly one 'firewall' # zone. No options are permitted with a 'firewall' zone. The name that # you enter in the ZONE column will be stored in the shell variable $FW # which you may use in other configuration files to designate the # firewall zone. # # bport # # The zone is associated with one or more ports on a single bridge. For # clarity, this zone type may be specified as bport4 in IPv4 # configurations and bport6 in IPv6 configurations. # # vserver # # Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver # guests. The zone contents must be defined in shorewall-hosts (5). # # Vserver zones are implicitly handled as subzones of the firewall zone. # # loopback # # Added in Shorewall 4.5.17. # # Normally, Shorewall treats the loopback interface (lo) in the following # way: # # â By default, all traffic through the interface is ACCEPTed. # # â If a $FW -> $FW policy is defined or $FW -> $FW rules are defined, # they are placed in a chain named ${FW}2${F2} or ${FW}-${FW} (e.g., # 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in # shorewall.conf(5). # # â $FW -> $FW traffic is only filtered in the OUTPUT chain. # # By defining a loopback zone and associating it with the loopback # interface in shorewall-interfaces(5), you can effect a slightly # different model. Suppose that the loopback zone name is 'local'; then: # # â Both $FW -> local and local -> $FW chains are created. # # â The $FW -> local and local -> $FW policies may be different. # # â Both $FW -> local and local -> $FW rules may be specified. # # Rules to/from the loopback zone and any zone other than the firewall # zone are ignored with a warning. # # loopback zones may be nested within other loopback zones. # # local # # Added in Shorewall 4.5.17. local is the same as ipv4 with the exception # that the zone is only accessible from the firewall and vserver zones. # # OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options) - [ # option[,option]...] # # A comma-separated list of options. With the exception of the mss and # blacklist options, these only apply to TYPE ipsec zones. # # dynamic_shared # # Added in Shorewall 4.5.9. May only be specified in the OPTIONS column # and indicates that only a single ipset should be created for this zone # if it has multiple dynamic entries in shorewall-hosts(5). Without this # option, a separate ipset is created for each interface. # # reqid=number # # where number is specified using setkey(8) using the 'unique:number # option for the SPD level. # # spi=<number> # # where number is the SPI of the SA used to encrypt/decrypt packets. # # proto=ah|esp|ipcomp # # IPSEC Encapsulation Protocol # # mss=number # # sets the MSS field in TCP packets. If you supply this option, you # should also set FASTACCEPT=No in shorewall.conf(5) to insure that both # the SYN and SYN,ACK packets have their MSS field adjusted. # # mode=transport|tunnel # # IPSEC mode # # tunnel-src=address[/mask] # # only available with mode=tunnel # # tunnel-dst=address[/mask] # # only available with mode=tunnel # # strict # # Means that packets must match all rules. # # next # # Separates rules; can only be used with strict # # The options in the OPTIONS column are applied to both incoming and outgoing # traffic. The IN OPTIONS are applied to incoming traffic (in addition to # OPTIONS) and the OUT OPTIONS are applied to outgoing traffic. # # If you wish to leave a column empty but need to make an entry in a # following column, use "-". # ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv6